Tunnelblick and Fast User Switching


jkbull...gmail.com
Feb 6, 2011, 1:06:56 PM
to tunnelbli...@googlegroups.com
I recently had an email conversation with a user who wishes to remain anonymous. What follows is an edited transcript and a proposal to change Tunnelblick's behavior when Fast User Switching is used.

User:
I'm installing Tunnelblick on four new Macs :) When I'm changing the account via the fast user switching and I'm connected via Tunnelblick, is the other user then also connected via Tunnelblick or not on the VPN connection? I'm pretty sure that the connection only applies to the user initiating it, but I'm not sure.

Me:

The tunnel remains active. If there is a "--redirect-gateway def1" in the configuration or pushed from the server, all traffic (from both users) continues to go through the VPN. Otherwise only some traffic goes through the VPN, independent of fast user switching.

The second user won't see the Tunnelblick icon, but Tunnelblick will still be running in the first user's background. There could be a problem, though, if the first user's Tunnelblick needed to get the user's attention. It might hang. But I think OpenVPN would continue to work and the tunnel continue to send/receive traffic.

Of course, not seeing the Tunnelblick icon means that the second user can't be sure that the tunnel is open.

Running Tunnelblick as the second user (while the first user is still running it) would cause problems -- I don't know exactly what would happen: Tunnelblick might not be able to connect to the running OpenVPN, or it might connect but cause the first user's Tunnelblick to lose its connection to the running OpenVPN. And if Tunnelblick did manage to connect to OpenVPN, when you quit the second user's Tunnelblick (or logged out), it would disconnect the tunnel.
 
User:
It could be a security problem also: log in as user one, start a VPN connection, track all traffic on the VPN server side, switch users, and no one will ever notice on the user's PC that he is being tracked or is using a connection he doesn't know about.

Me: 
The real security is that setting up a VPN requires an administrator password. So only an administrator could set up to connect to a VPN server that tracked access.

User: 
You may want the connection to stay alive, for example if you are accessing a network resource only available via vpn and downloading something from there, switch to another user to let him check his mail in the meantime :)

In my use case (installing Tunnelblick on colleagues' laptops) it would be preferable if Tunnelblick cut the VPN connection upon user switching. I'm going to set those laptops up with multiple accounts, one private, one business. And you don't want to have your private downloads running over a company VPN connection just because you forgot to close the connection before user switching.

========================================
Proposal for Tunnelblick actions on fast user switching:

When a user switches OUT (and Tunnelblick is running):
  For each configuration that is connected to a VPN:
    If the "XXX-disconnectOnUserSwitchOut" preference is set (XXX is the configuration name)
       and the configuration is not set to connect "when computer starts"
    Then disconnect the configuration and remember that we have done so
    Else stop communicating with OpenVPN for that configuration and remember that we've done so

When a user switches IN (and Tunnelblick is running):
  For each configuration that was disconnected for the switch OUT, try to reconnect the VPN
  For each configuration for which we stopped communicating with OpenVPN for the switch OUT, try to reestablish communications with OpenVPN

When a user logs out (and Tunnelblick is running):
  For each configuration that is connected to a VPN that is not a "connect when computer starts" configuration:
    If no other copies of Tunnelblick are running, disconnect the configuration


Consequences (I think):
  • The currently active user's Tunnelblick would show the status of the connection.
  • This would allow multiple copies of Tunnelblick to be running, one per user.
  • This would allow users to control whether tunnels stay connected for all users or are disconnected when switching users.
  • If a tunnel was disconnected to switch to another user, it would be reconnected when a switch back to the original user occurs.
Comments?

MaSch
Feb 7, 2011, 12:21:14 PM
to tunnelbli...@googlegroups.com
On 2/6/11 7:06 PM, jkbull...gmail.com wrote:
> ========================================
> Proposal for Tunnelblick actions on fast user switching:
>
> When a user switches OUT (and Tunnelblick is running):
>
> ...
>
> Consequences (I think):
>
> - The currently active user's Tunnelblick would show the status of the
> connection.
> - This would allow multiple copies of Tunnelblick to be running, one per
> user.
> - This would allow users to control whether tunnels stay connected for
> all users or are disconnected when switching users.
> - If a tunnel was disconnected to switch to another user, it would be
> reconnected when a switch back to the original user occurs.
>
> Comments?
>

Even though I only have the opposite use-case - staying connected while user-switching - which will still be the default?
This all sounds reasonable to me - but not simple (I have no better ideas ;-) - it will probably take some time to implement?

Regards Marco

jkbull...gmail.com
Feb 7, 2011, 12:49:40 PM
to tunnelbli...@googlegroups.com
Generally, when making changes to Tunnelblick, I try to keep the old behavior as the default. Since the old behavior is to stay connected when a fast user switch occurs, that is what I proposed. But I am open to changing that if somebody gives me a good reason.

Currently, things go very wrong if you have Tunnelblick running with any tunnels open and do a fast user switch and start Tunnelblick in the second user's session, so the stopping/starting of communications with OpenVPN has to be done in any case.

I don't think it will be too difficult to do -- I think I could probably release a beta with it in the next week or so.

jkbull...gmail.com
Feb 8, 2011, 11:02:36 AM
to tunnelbli...@googlegroups.com

I discovered some complications when I thought this through. We can't keep private configurations connected when switching to another user because they would be invisible to that other user, which I think is a bad idea.


So there won't be any new preferences, just new behavior when switching users. Here's how it will work:

  • When a user is switched out or logs out, all connections that are not "connect when computer starts" configurations will be disconnected.
  • When a user is switched in, all configurations previously disconnected because the user switched out will be reconnected.

To have fast user switching disconnect and restore a connected configuration, do nothing. This is the default behavior (except for "connect when computer starts" configurations).


To have fast user switching keep a configuration connected, make it a "connect when computer starts" configuration. (It must be a Tunnelblick VPN Configuration -- a .tblk -- and be Shared or Deployed).


Note: I tried to think of a way to have non-"connect when computer starts" configurations be able to stay connected for other users but there's a problem with that: If there is a preference to allow a regular configuration to stay connected, it would need to also be used when logging out (otherwise a logout by user #2 would disconnect it, defeating the purpose of staying connected). That means that it would be possible for a connection to become "orphaned" -- open and active but with nobody knowing it is there. That's still possible but only if the administrator wishes to allow it (by using a Deployed version of Tunnelblick and not including a forced "useSharedConfigurationsWithDeployedOnes" preference) but can't be done by a user who is not an administrator.


The purpose of all this is so that

  • Any user may launch Tunnelblick or quit Tunnelblick without the program losing track of connections (which is what can happen currently when using fast user switching)
  • The Tunnelblick icon will reflect the status of whether or not a VPN is active. The user will see all Shared and Deployed configurations and the user's own private configurations, but not the private configurations of any other users, which will have been disconnected before the current user became active. Note: in a "Deployed" configuration, the user will only see non-deployed configurations if the "usePrivateConfigurationsWithDeployedOnes" and/or "useSharedConfigurationsWithDeployedOnes" preferences are forced (see Deploying Tunnelblick).


Comments? Yea or nay?


jkbull...gmail.com
Feb 19, 2011, 8:52:29 AM
to tunnelbli...@googlegroups.com
Fixes for Fast User Switching are included in 3.2beta04:
  • When a user is switched out or logs out, all connections that are not "connect when computer starts" configurations will be disconnected.
  • When a user is switched in, all configurations that were connected when the user switched out will be reconnected.
You can override these with the per-configuration "-doNotDisconnectOnFastUserSwitch" and "-doNotReconnectOnFastUserSwitch" preferences.
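To make the shipped switch-out/switch-in rules concrete, here is an added Python model of the policy described in the Feb 8 and Feb 19 messages; it is not Tunnelblick's own code (which is Objective-C), and the class and field names, the constructed configurations, and the treatment of the two override preferences as per-configuration booleans are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class VPNConfig:
    name: str
    connected: bool = False
    # Shared/Deployed .tblk set to connect "when computer starts": never touched by a switch
    connect_when_computer_starts: bool = False
    # Assumed boolean form of the per-configuration override preferences named in the thread
    do_not_disconnect_on_fast_user_switch: bool = False
    do_not_reconnect_on_fast_user_switch: bool = False


@dataclass
class UserSession:
    user: str
    configs: list
    # Names we disconnected on switch-out, so switch-in knows what to restore
    disconnected_for_switch: set = field(default_factory=set)

    def switch_out(self):
        # Fast user switch away from this user: drop tunnels the next user could not see
        for cfg in self.configs:
            if not cfg.connected:
                continue
            if cfg.connect_when_computer_starts or cfg.do_not_disconnect_on_fast_user_switch:
                continue  # stays up while another user is active
            cfg.connected = False
            self.disconnected_for_switch.add(cfg.name)

    def switch_in(self):
        # Fast user switch back to this user: restore only what switch_out dropped
        for cfg in self.configs:
            if (cfg.name in self.disconnected_for_switch
                    and not cfg.do_not_reconnect_on_fast_user_switch):
                cfg.connected = True
        self.disconnected_for_switch.clear()

    def connected_names(self):
        return sorted(c.name for c in self.configs if c.connected)


def run_scenario():
    # Constructed scenario: one private tunnel, one boot-time shared tunnel, one opted-out tunnel
    configs = [
        VPNConfig("HomeVPN", connected=True),                                     # private, defaults
        VPNConfig("CorpVPN", connected=True, connect_when_computer_starts=True),  # Shared .tblk
        VPNConfig("LabVPN", connected=True, do_not_disconnect_on_fast_user_switch=True),
    ]
    alice = UserSession("alice", configs)
    alice.switch_out()
    while_other_user_active = alice.connected_names()  # what the second user inherits
    alice.switch_in()
    return while_other_user_active, alice.connected_names()
```

The LabVPN case is the situation the Feb 8 message calls "orphaned": the tunnel stays up for the second user, whose Tunnelblick does not show it.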