New features in Tunnelblick 3.6beta09


Molina-Bulla Harold

Sep 19, 2015, 3:44:15 PM
to tunnelbli...@googlegroups.com
Hi Jonathan,

First of all, thanks for all your work.

About the latest beta release, I have several suggestions:

  • I think the "full IPv4 routing" and "disabling IPv6 through the VPN" must be set disabled by default. The VPN providers must be the ones who define the kind of routing and whether IPv6 will be provided, using the config files. Then, if the user wants to override that configuration, he can select and activate those options.
  • The second suggestion: the latest active OpenVPN must be the highest version without the txp patch, because several VPN providers do not patch the OpenVPN source code. Again, if the final user wants to use this non-standard feature, it must be he who selects the patched version.

Thanks in advance.

H. Molina-Bulla

-----------------------------------------------------------------
- "Does Big Brother exist?" - Winston
- "Of course he exists. The Party exists. Big Brother is the
  embodiment of the Party." - O'Brien
- "Does he exist in the same way as I exist?" - Winston
- "You do not exist." - O'Brien

George Orwell (1984)
-----------------------------------------------------------------
Remember: PRISM is watching you!!! X)
And you don't exist!!!
-----------------------------------------------------------------
Harold Molina-Bulla Ph.D.
h.mo...@gmail.org
Public GnuPG Key: 9D781176

jkbull...gmail.com

Sep 19, 2015, 5:28:30 PM
to tunnelblick-discuss
Hi, Harold! Good to hear from you. Thanks for your thoughtful comments. I'd love to have more feedback, particularly on the defaults change.

Defaulting to the latest non-txp version of OpenVPN is a good idea, so thanks for suggesting it. I will look into doing that as soon as I can. It seems obvious now that I think about it (as do many good ideas!).

The reason I changed/set the defaults is because although most Tunnelblick users are interested in privacy and security, many VPN service providers that they use are not serving them well. The new defaults to route all IPv4 traffic and disable IPv6 are what I think most people want to do to protect themselves.

IPv4: Often people have the problem that "Tunnelblick connects, but the IP address doesn't change". That's because their setup doesn't route all the traffic, just traffic directed to the VPN. This is a common configuration error made by people setting up their own VPNs. The default corrects this problem automatically. From what I can see, most VPN service providers include this, and so do most "corporate" VPNs (for security reasons: they don't want their corporate network to be exposed to another network via any kind of "bridge" provided by someone who connects to their VPN). So most people won't be affected. For those that are, they can just un-check the checkbox – and they can do that once for all their configurations by selecting all of their configurations before un-checking.

IPv6:
  1. Without dealing properly with IPv6 or disabling it, information leakage can occur. And most VPN service providers do not handle IPv6 properly – see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients. (Tunnelblick can't do anything about the DNS hijacking, but it can prevent the IPv6 leakage. I may issue a warning if the DNS setting isn't for the same IP address as the VPN server itself, but I haven't really looked into that in detail.)

  2. OpenVPN itself doesn't do much with IPv6. For example, "--redirect-gateway" redirects only IPv4 traffic. (I hadn't thought about this until a couple of years ago, when I changed the Tunnelblick checkbox from "Route all traffic through the VPN" to "Route all IPv4 traffic through the VPN".) A set of patches recently proposed for OpenVPN (some have been accepted) adds much more IPv6 capability to OpenVPN, but (A) they won't be available until OpenVPN 2.4, and (B) the "--redirect-gateway ipv6" option redirects only some, not all, IPv6 traffic. I think most Tunnelblick users would want all IPv6 traffic to be redirected.

  3. This setting, too, can be changed for all configurations with one click.

Realizing that these default settings may not be what some people want, I tried to make it as easy as possible to change them, by putting them directly on the "Settings" tab of the "VPN Details" window. (The "Route all IPv4 traffic" checkbox had been on the "When Connected" tab of the "Advanced" window, more clicks away from the "VPN Details" window.)

I welcome any comments on this (or anything else about the new beta).

Thanks again, Harold, for starting this discussion! I hope more people will participate, too.

Molina-Bulla Harold

Sep 20, 2015, 5:22:17 PM
to tunnelbli...@googlegroups.com
Hi Jonathan,

Thanks for your answers. Yes, I understand you have to think of the worst cases about the IPvX configurations.
Is there any way to set these new configuration options in the .tblk configuration files? I will have to distribute a new set of configurations to our co-workers to avoid the new default options in Tunnelblick (we use IPv6 and partial routing VPNs, so all the new default options will break all our VPNs).

Thanks in advance for your help.

H.


jkbull...gmail.com

Sep 20, 2015, 5:55:12 PM
to tunnelblick-discuss
Yes, you can override the defaults by including an "Info.plist" file in the .tblk. Details are in the Info.plist section of the .tblk Details page and the "Preferences" section that follows it. (I just looked at that page and see that it doesn't render properly because of the move to the new website. I will fix it up shortly.)

The Info.plist can do a lot of things, but to change these defaults back, create a plain text file named "Info.plist" with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>TBPackageVersion</key>
    <string>1</string>
    <key>TBPreference-routeAllTrafficThroughVpn</key>
    <false/>
    <key>TBPreference-doNotDisableIpv6onTun</key>
    <true/>
</dict>
</plist>

and include the file inside the .tblk. This will set the preferences as you wish when the .tblk is installed. To have the preferences set that way each time the user clicks "Connect", use "TBAlwaysSetPreference-routeAllTrafficThroughVpn" and "TBAlwaysSetPreference-doNotDisableIpv6onTun" instead of "TBPreference-routeAllTrafficThroughVpn" and "TBPreference-doNotDisableIpv6onTun". That will protect against a user accidentally changing the settings.
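The following is an added example, not Tunnelblick's own code and not part of the thread: a small Python script that generates the Info.plist described above for a .tblk (either the one-time "TBPreference-" form or the re-applied-on-every-connect "TBAlwaysSetPreference-" form), then parses it back to confirm which routing preferences it carries before the bundle is distributed. The preference key names are the ones quoted in the reply; the assumption that Info.plist sits at the top level of the .tblk directory, and the bundle name "office.tblk", are placeholders for illustration.

```python
"""Generate and verify a .tblk Info.plist that restores split tunnelling
and leaves IPv6 enabled (the pre-3.6beta09 behaviour).

Added example; not Tunnelblick's code. Key names come from the mailing
list reply; the bundle layout (Info.plist at the top of the .tblk
directory) is an assumption.
"""
import plistlib
import tempfile
from pathlib import Path

# Preference names quoted in the thread.
ROUTE_ALL_IPV4 = "routeAllTrafficThroughVpn"
KEEP_IPV6 = "doNotDisableIpv6onTun"
PREFIXES = ("TBAlwaysSetPreference-", "TBPreference-")


def build_info_plist(always: bool = False) -> dict:
    """Return the Info.plist contents as a Python dict.

    always=False -> TBPreference-* keys, applied once when the .tblk is installed.
    always=True  -> TBAlwaysSetPreference-* keys, re-applied on every Connect, so
                    an accidental change in the GUI does not stick.
    """
    prefix = PREFIXES[0] if always else PREFIXES[1]
    return {
        "TBPackageVersion": "1",
        f"{prefix}{ROUTE_ALL_IPV4}": False,  # keep the split tunnel (do not route all IPv4)
        f"{prefix}{KEEP_IPV6}": True,        # leave IPv6 enabled on the tun device
    }


def write_info_plist(tblk_dir: Path, always: bool = False) -> Path:
    """Write Info.plist into the .tblk bundle directory and return its path."""
    tblk_dir.mkdir(parents=True, exist_ok=True)
    path = tblk_dir / "Info.plist"
    with path.open("wb") as fh:
        # plistlib emits the same XML plist format shown in the reply
        # (<true/> / <false/> for booleans).
        plistlib.dump(build_info_plist(always), fh, fmt=plistlib.FMT_XML)
    return path


def check_info_plist(path: Path) -> dict:
    """Parse an Info.plist and report which routing preferences it sets.

    The result lets a deployment script assert on the bundle before it is
    pushed to co-workers: 'route_all_ipv4' and 'keep_ipv6' are the values
    found (None if absent) and 'always' is True when any key uses the
    TBAlwaysSetPreference- prefix.
    """
    with path.open("rb") as fh:
        data = plistlib.load(fh)
    result = {
        "package_version": data.get("TBPackageVersion"),
        "route_all_ipv4": None,
        "keep_ipv6": None,
        "always": False,
    }
    for key, value in data.items():
        for prefix in PREFIXES:  # the longer "TBAlwaysSet..." prefix is tested first
            if key.startswith(prefix):
                name = key[len(prefix):]
                if name == ROUTE_ALL_IPV4:
                    result["route_all_ipv4"] = bool(value)
                elif name == KEEP_IPV6:
                    result["keep_ipv6"] = bool(value)
                if prefix == PREFIXES[0]:
                    result["always"] = True
                break
    return result


def roundtrip(always: bool = False) -> dict:
    """Write a bundle into a temporary directory and return the parsed check."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "office.tblk"  # constructed sample bundle name
        return check_info_plist(write_info_plist(bundle, always=always))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        plist_path = write_info_plist(Path(tmp) / "office.tblk", always=True)
        print(plist_path.read_text())
        print(check_info_plist(plist_path))
```

Run it once with `always=True` to produce the TBAlwaysSetPreference- variant for distribution; the check step is worth keeping in whatever script packages the .tblk, since a typo in a key name would silently leave the new defaults in force.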


n9yty

Sep 21, 2015, 11:37:14 AM
to tunnelblick-discuss
Just adding a voice that changing defaults, especially for previously established configurations, is, in my opinion, a bad decision. I am only concerned, myself, about the IPv4 default routing change. For the IPv6, I do not have enough information about the changes this may bring so I can't comment.

I had to enable beta builds for a few users a while back and now they will pull this down and alter their configurations.

Having it a default for NEW configurations may be very sensible, but changing behavior on pre-existing configurations seems bad.

Just my opinion, but you often are looking for feedback so there you go. :)

 -Steve

jkbull...gmail.com

Sep 21, 2015, 1:59:53 PM
to tunnelblick-discuss
@n9yty - Thanks for your comments.

I'm still thinking about this and welcome more input.

There may be less reason to make the "route all IPv4…" change than the "disable IPv6" change.

(As an aside, note that beta users can "downgrade" to the latest stable version by un-checking the "Check for updates to beta versions" on the "Preferences" panel and then checking for updates. They will be offered a downgrade to 3.5.4. Of course if they need something that is available only in the beta versions this won't help.)

sh...@zerostack.com

Sep 23, 2015, 7:53:54 AM
to tunnelblick-discuss

First - thanks for all the hard work on Tunnelblick - it definitely is a "well used" piece of software in our environment.

BUT - the change to the default routing behavior is a "breaking change" IMHO - suddenly forcing ALL traffic through a VPN when it was NOT that way in the past causes major problems - especially if the remote VPN site has limited bandwidth - as is the case in our use. This has caused massive latency and delay on our circuits as we figured out that all users were pushing all traffic through the VPN - which did NOT operate that way previously.

We have uninstalled the beta09 version and rolled everyone back to beta08. Please - consider returning the default behavior back to the way it should be ...

This is a POLICY based decision an administrator should make, and a single client piece SHOULD not arbitrarily be setting traffic routing policy decisions ...

Thank you for listening, and please keep up the excellent work!

~~shane

jkbull...gmail.com

Sep 23, 2015, 4:27:44 PM
to tunnelblick-discuss, sh...@zerostack.com, h.mo...@gmail.org, steve...@gmail.com
Thanks to everyone who provided input on this.

I am going to reverse the change to "Route all IPv4 traffic through the VPN" by default, but not reverse the decision to disable IPv6 by default.

I will commit the change (it is trivial) and create a 3.6beta10 release tomorrow, and will start responding to update requests with the new version soon thereafter.

Here is my reasoning:
  • The IPv4 change breaks working configurations with little benefit.
  • Anyone who is using 3.6beta09 and un-checked the box will still have the box un-checked in 3.6beta10, so the only people affected will be those who, using only 3.6beta09, are assuming it is checked by default. I will try to highlight this in the update notice.
  • The IPv4 change mostly benefits me: I don't have to support the people who don't check the box : ).
  • The checkbox is now much more prominent, so fewer people will overlook it (I hope).

  • The IPv6 change affects fewer configurations (apparently split tunnels are much more common than IPv6).
  • The IPv6 change is more of a security problem because the information will leak invisibly, whereas IPv4 leaks are more readily apparent (using whatismyipaddress.com, Tunnelblick's "check if the IP address changes" feature, etc.)
Before I do this, though, any further thoughts?

Steve Palm

Sep 23, 2015, 4:33:21 PM
to jkbull...gmail.com, tunnelblick-discuss, sh...@zerostack.com, h.mo...@gmail.org
For what it is worth, I agree with your reasoning and think this is a great direction to go. It is nice to have that option to redirect all IPv4 traffic, it makes it easier and more visible for people to do it and not have to determine how to do it through the configuration files. I also don't doubt that it makes your life easier. I just didn't like it when it changed existing configurations.

Making it a default for a new configuration is something I could go either way on, just like the "set name server" and other options. If someone doesn't want that, along with any other options, they should review them when they initially set up the configuration.

Thanks for soliciting input and feedback, and for making such flexible and capable software.

-Steve

jkbull...gmail.com

Sep 23, 2015, 6:17:08 PM
to tunnelblick-discuss, sh...@zerostack.com, h.mo...@gmail.org, steve...@gmail.com
To minimize disruption, I have reverted Tunnelblick's update mechanism so nobody will be offered the 3.6beta09 update. Tomorrow I will turn on updating to 3.6beta10 when it is available.

jkbull...gmail.com

Sep 24, 2015, 9:30:49 AM
to tunnelblick-discuss, sh...@zerostack.com, h.mo...@gmail.org, steve...@gmail.com
I have released Tunnelblick 3.6beta10 (build 4400), which reverts the default setting for "Route all IPv4 traffic through the VPN" to the pre-3.6beta09 default (that is, it now defaults to NO).

Again, thanks to everyone for their feedback.