VPN-6626: Install socks proxy as a service #9952
Merged
oskirby changed the title from "Install socks proxy as a Windows service" to "Install socks proxy as a service" on Oct 25, 2024
oskirby force-pushed the naomi-proxy-win-service branch from b5c7c24 to f4b7a3a on October 28, 2024 17:59
oskirby force-pushed the naomi-proxy-win-service branch from 3b00e48 to ef650c0 on November 1, 2024 17:27
oskirby changed the title from "Install socks proxy as a service" to "VPN-6626: Install socks proxy as a service" on Nov 1, 2024
strseb approved these changes on Nov 12, 2024
Great stuff, r+wc
constexpr const QUuid LOCALPROXY_FW_GUID(0x0555706c, 0x4468, 0x4ec6, 0xb4, 47, | ||
0x20, 0xe7, 0x4a, 0x10, 0x06, 0xe7); | ||
|
||
WinFwPolicy::WinFwPolicy(QObject* parent) : QObject(parent) { |
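Review bot: in the LOCALPROXY_FW_GUID initializer the sixth argument is written as decimal 47 while every other field is a hex literal. If 0x47 was intended, the GUID is not the one that was generated; if 47 is correct, writing it as 0x2f would keep the initializer consistent and easier to compare against the GUID string. Separately, constexpr already implies const on this declaration, so "constexpr const" can be reduced to "constexpr".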
Totally nitpicking here. Maybe a factory function, given the constructor can fail.
strseb pushed a commit to mozilla-extensions/mozilla-vpn-extension that referenced this pull request on Nov 22, 2024
This is a companion PR to mozilla-mobile/mozilla-vpn-client#9952 that implements Linux support by connecting to the SOCKS proxy as a systemd service. Basically all we do here is check if the platform is `linux` and set the bypass proxy to `{type: "socks", host: "file:/var/run/mozillavpn.proxy", port: 1234}`. The port number here isn't used, but it seems to be required in order to be parsed as a valid proxy.

Update! Now it supports connecting to the Windows proxy service too. Similar logic, we just check the platform and generate a fixed proxy config.
Description
Time for some more wild experiments in the VPN extension's proxy. This time we try to make it autonomous as a Windows service. For now, this just starts the service using a fixed port number (8123) but eventually we will probably want to make this dynamic (or use named pipes).
In this PR:

- `WinSvcThread` class to handle the Windows service glue.

This also adds a firewall policy to restrict the connecting clients to just web browsers. We do this by enumerating the browsers found in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet` and building firewall rules to block everything which doesn't originate from one of the browser binaries.

Regarding named pipes, I think ultimately that would be the best way to run this service, since it allows us to perform verification of the client application. And in theory Firefox supports connecting to them as a SOCKS proxy. However, I cannot get it to work locally. I suspect that Firefox has some kind of sandboxing permissions around named pipe access which is preventing the extension from connecting to them. This is probably worthy of some future research into how we want to set up the security around the VPN extension.
Reference
JIRA issue: VPN-6626
Checklist
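The allow-list step from the PR description above (enumerate `HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet`, permit only browser binaries), as an added Python example that is not the PR's code. It assumes each browser's executable comes from its `shell\open\command` default value; `SAMPLE` is constructed data used when not running on Windows, and all function names are hypothetical.

```python
import ntpath
import sys

BROWSER_KEY = r"SOFTWARE\Clients\StartMenuInternet"  # key named in the PR

# Constructed sample of shell\open\command values (not real registry output).
SAMPLE = {
    "Firefox-EXAMPLE": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    "IEXPLORE.EXE": r"C:\Program Files\Internet Explorer\iexplore.exe -nohome",
    "Broken": "notepad",
}

def exe_from_command(command):
    # Return the normalized absolute executable path, or None if unusable.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return None
        path = command[1:end]
    else:
        # Unquoted values may contain spaces: cut at the first ".exe".
        idx = command.lower().find(".exe")
        if idx == -1:
            return None
        path = command[:idx + 4]
    if not ntpath.isabs(path):
        return None  # a bare name depends on the search path; never allow it
    return ntpath.normcase(ntpath.normpath(path))

def build_allow_list(commands):
    # Skip entries whose command cannot be resolved to a binary.
    paths = (exe_from_command(c) for c in commands.values())
    return {p for p in paths if p}

def is_allowed(client_path, allowed):
    return ntpath.normcase(ntpath.normpath(client_path)) in allowed

def read_registry_commands():
    # Windows only: default value of <browser>\shell\open\command per subkey.
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BROWSER_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                out[name] = winreg.QueryValue(root, name + r"\shell\open\command")
            except OSError:
                continue  # registration without an open command
    return out

if __name__ == "__main__":
    cmds = read_registry_commands() if sys.platform == "win32" else SAMPLE
    print("\n".join(sorted(build_allow_list(cmds))))
```

Running it on a Windows host lists the binaries such a policy would admit to the proxy port, which is the set to review when auditing the rule.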