Hi, Harold! Good to hear from you. Thanks for your thoughtful comments.
I'd love to have more feedback, particularly on the defaults change.
Defaulting to the latest non-txp version of OpenVPN is a good idea, so thanks for suggesting it. I will look into doing that as soon as I can. It seems obvious now that I think about it (as do many good ideas!).
The reason I changed/set the defaults is because although most Tunnelblick users are interested in privacy and security, many VPN service providers that they use are not serving them well. The new defaults to route all IPv4 traffic and disable IPv6 are what I think most people want to do to protect themselves.
IPv4: Often people have the problem that "Tunnelblick connects, but the IP address doesn't change". That's because their setup doesn't route all the traffic, just traffic directed to the VPN. This is a common configuration error made by people setting up their own VPNs. The default corrects this problem automatically. From what I can see, most VPN service providers include this, and so do most "corporate" VPNs (for security reasons: they don't want their corporate network to be exposed to another network via any kind of "bridge" provided by someone who connects to their VPN). So most people won't be affected. For those that are, they can just un-check the checkbox – and they can do that once for all their configurations by selecting all of their configurations before un-checking.
IPv6:
- Without dealing properly with IPv6 or disabling it, information leakage can occur. And most VPN service providers do not handle IPv6 properly – see A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients. (Tunnelblick can't do anything about the DNS hijacking, but it can prevent the IPv6 leakage. I may issue a warning if the DNS setting isn't for the same IP address as the VPN server itself, but I haven't really looked into that in detail.)
- OpenVPN itself doesn't do much with IPv6. For example, "--redirect-gateway" redirects only IPv4 traffic. (I hadn't thought about this until a couple of years ago, when I changed the Tunnelblick checkbox from "Route all traffic through the VPN" to "Route all IPv4 traffic through the VPN".) A set of patches recently proposed for OpenVPN (some have been accepted) adds much more IPv6 capability to OpenVPN, but (A) they won't be available until OpenVPN 2.4, and (B) the "--redirect-gateway ipv6" option redirects only some, not all, IPv6 traffic. I think most Tunnelblick users would want all IPv6 traffic to be redirected.
- This setting, too, can be changed for all configurations with one click.
Realizing that these default settings may not be what some people want, I tried to make it as easy as possible to change them, by putting them directly on the "Settings" tab of the "VPN Details" window. (The "Route all IPv4 traffic" checkbox had been on the "When Connected" tab of the "Advanced" window, more clicks away from the "VPN Details" window.)
I welcome any comments on this (or anything else about the new beta).
Thanks again, Harold, for starting this discussion! I hope more people will participate, too.
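As an added illustration (not code from Tunnelblick or from either poster), here is a small Python checker for the two configuration gaps discussed above, a client config with no full IPv4 redirect and one with no IPv6 handling, plus the DNS-vs-VPN-server warning mentioned above. The sample .ovpn is constructed, and options pushed by the server at connect time are not visible to it.

```python
"""Audit an OpenVPN client config for missing full-tunnel IPv4 routing,
missing IPv6 handling, and DNS servers that are not the VPN server itself.
Only the client-side file is inspected; server-pushed options are unknown here."""
import shlex

# Constructed example config with all three issues present.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
# no redirect-gateway: only routes listed (or pushed) go through the tunnel
route 10.8.0.0 255.255.255.0
dhcp-option DNS 8.8.8.8
"""

def parse_options(text):
    """Return (option, args) pairs, skipping blank and comment lines."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', ';')):
            continue
        parts = shlex.split(line)
        opts.append((parts[0].lstrip('-'), parts[1:]))
    return opts

def audit(text):
    """Return a list of findings (empty list means nothing to flag)."""
    ipv4_all, ipv6_handled, remotes, dns = False, False, set(), []
    for name, args in parse_options(text):
        if name == 'redirect-gateway':
            ipv4_all = '!ipv4' not in args      # '!ipv4' flag skips IPv4 redirect
            ipv6_handled |= 'ipv6' in args      # 'ipv6' flag exists from OpenVPN 2.4
        elif name == 'route-ipv6' and args and args[0] in ('::/0', '2000::/3'):
            ipv6_handled = True                 # explicit catch-all IPv6 route
        elif name == 'remote' and args:
            remotes.add(args[0])
        elif name == 'dhcp-option' and len(args) >= 2 and args[0].upper() == 'DNS':
            dns.append(args[1])
    findings = []
    if not ipv4_all:
        findings.append('IPv4 not fully redirected: only VPN-directed traffic is tunnelled')
    if not ipv6_handled:
        findings.append('IPv6 not redirected: IPv6 traffic can bypass the tunnel')
    for server in dns:                          # string compare; hostnames are not resolved
        if server not in remotes:
            findings.append(f'DNS server {server} is not the VPN server '
                            f'({", ".join(sorted(remotes)) or "none"})')
    return findings
```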
On Saturday, September 19, 2015 at 3:44:15 PM UTC-4, hmolina wrote:
Hi Jonathan,
First of all, thanks for all your work.
About the latest beta release, I have several suggestions:
- I think the "full IPv4 routing" and "disabling IPv6 through the VPN" options must be disabled by default. The VPN providers must be the ones who define the kind of routing and whether IPv6 will be provided, using the config files. Now, if the user wants to override that configuration, he can select and activate those options.
- The second suggestion: the latest active VPN must be the highest version without the txp patch, because several VPN providers do not patch the OpenVPN source code. Again, if the final user wants to use these non-standard features, it must be he who selects the patched version.
Thanks in advance.
H. Molina-Bulla