| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
The printing of lockdown mode by `mullvad status` does not reflect the
current setting unless the tunnel state has also been updated.
|
|
Add `locked_down` field to disconnected tunnel state.
|
|
Validate SOCKS credentials by checking that both `username` and
`password` both have a length between 1 and 255 bytes.
Link to RFC detailing SOCKS5 username/password authentication:
https://datatracker.ietf.org/doc/html/rfc1929
|
|
|
|
|
|
in the CLI
|
|
|
|
|
|
Add a new `InternalDaemonEvent` for announcing when the current API
access method changes.
|
|
|
|
|
|
This PR has a couple of different purposes
- Allow users to use socks5 local proxies with the CLI without
having to be root nor use split-tunneling. This only works for
OpenVPN.
- Unify the types used by different proxy parts of the codebase,
such as the Access Methods as well as some already existing
OpenVPN proxy code.
This PR changes the firewall on all desktop platforms as well as changes
the routing table slightly on MacOS and Windows.
On Linux the firewall code is modified to apply the appropriate firewall
marks to all packages that go to a remote endpoint corresponding to the
remote part of a local socks5 proxy. The firewall marks will allow the
routing to be done without having to modify the routing table.
On MacOS and Windows the routing table is modified to allow packages to
go to that same endpoint to pass outside the VPN tunnel, it will
additionally punch a hole in the firewall.
The PR also migrates the settings file from version 7 to version 8 in order
to properly and neatly unify Proxy related types.
Finally it provides some slight extensions to the gRPC interface in
order to allow for control over the custom proxy settings.
|
|
|
|
Add `geoip::GeoIpHandler`, which sends an
`InternalDaemonEvent::LocationEvent` when the location arrives. It also
handles aborting in-flight requests and retries.
|
|
Make the daemon send two tunnel state updates, one with out IP being
empty, and another with it being filled when am.i.mullvad.net responds.
Update CLI for this change. Other front ends are left out.
|
|
Perform testing of access methods asynchronously in a separate `tokio`
task as to not block the daemon from handling other daemon events during
the testing window
|
|
Move access method testing logic to `mullvad-daemon`, which means that
the implementation details of how the test works is opaque to whatever
frontend which wants to issue a test of some (configured) access method.
|
|
|
|
|
|
The command
`relay set tunnel wireguard entry-location` is replaced with
`relay set tunnel wireguard entry location` and
`relay set tunnel wireguard custom-list` is replaced with
`relay set tunnel wireguard entry custom-list`.
This is intended to communicate that the `custom-list` also affects
the entry relay and are mutually exclusive.
|
|
|
|
The fn exists and returns error on hostname having wrong server type.
Allow any host in custom-lists, only the currently configured tunnel
protocol for `relay set location`, only bridges for the `bridge`
subcommand and only wireguard servers in for the `wireguard` entry
command.
Reduce repeated init of rpc client
Refactor inconsistent filtering on hostname
|
|
|
|
Refactor: Unwrap result return type
Refactor: for loop to iter map
|
|
|
|
|
|
|
|
|
|
In particular, `access_methods::Socks5Local`,
`access_methods::Socks5Remote` & `access_methods::Shadowsocks` have got
new constructors which are all infallible.
|
|
|
|
|
|
SOCKS5 optionally supports username+password authentication, which has
been implemented previously. This commit addresses a bug in the argument
parsing, which made username+password required arguments when adding a
remote SOCKS5 api access method using `mullvad api-access add socks5
remote`.
Apparently, this is a known pitfall with `clap`: https://github.com/clap-rs/clap/issues/5092
|
|
i.e. the user has to explicitly pass the `--cipher` flag to `mullvad
api-access add shadowsocks ..` subcommand to configure a non-default cipher.
|
|
This allow us to move the `remote_port` argument next to the `remote_ip` argument.
|
|
|
|
- Re-phrase help texts for a lot of `mullvad api-access` commands
- Add to help texts for some `mullvad api-access` commands
- Compact the output of `mullvad api-access test`
- `mullvad api-access status` is changed to `mullvad api-access get` to
align with other `mullvad` commands.
- `mullvad api-access get` does not print the enabled/disabled status of
the shown access method
- Rotate access method if the currently active one is updated or removed
- Fix reset access method after `mullvad api-access test`
After running `mullvad api-access test`, the previously used access
method should be used, which was not the case previously.
- Fix `mullvad api-access use` API connectivity check
- `mullvad api-access use` now runs a test-routine to check that the
new access method will function before comitting to it. If this check
fails, the previously used access method will be used instead
- guarantee that `set_api_access_method` has finished upon returning.
Make `mullvad_api::rest::next_api_endpoint` `async` and send a message
upon completion. This is propagated to the caller of
`next_api_endpoint` which can `await` the result
|
|
Add the option to authenticate against remote SOCKS5 proxies with a
username+password combination. It was an oversight that this was not
added from the start.
|
|
- Get rid of extraneous calls to `clone`
- Address nit: combine similar match arms into a single match arm
- Fix `clippy` lint "unused `async` for function with no await statements"
- Fix protobuf field numbers should start from 1
- This was not the case for `Socks5Local` & `Shadowsocks`
- Refactor code for opening proxy connections
- Cut down on duplicated code for setting up a proxied connection in
`mullvad-api`. The difference between different connection modes is
how they wrap the underlying `TCP` stream.
- Remove `enable_access_method` & `disable_access_method` from RPC-client
|
|
- Add a new RPC message: `GetCurrentApiAccessMethod`.
This message may be used to retrieve the access method which is
currently in use by the daemon for connecting to the Mullvad API.
- Add `mullvad api-access status` for showing the API access method in use
|
|
Adds the `-d | --disabled` flag to `mullvad api-access add
<access-method>` command. If the `-d | --disable` is set, the access
method is *not* enabled from the start.
Note that it may still be tested using the `mullvad api-access test`
command, even if it is principally marked as `disabled`.
|
|
Split up `mullvad api-access add` command for SOCKS5-proxy into "local"
and "remote".
|
|
- Rename `mullvad_types::api_access.rs` -> `mullvad_types::access_method.rs`
- Rename `ApiAccessMethodId` to simply `Id`
Prefer to prefix with module name `access_method` to disambiguate use
of `Id` instead, like `access_method::Id`
- Remove dead code
- Remove `AccessMethodSettingsUpdate`
- Remove the `retry_attempt` struct field from
`ApiConnectionModeProvider`, as it is no longer used for anything.
- Fix typos
- `GetApiAddressess` is now correctly spelled `GetApiAddresses` (a
single trailing "s")
- Deprecate the name `ApiAccessMethod` in favor of `AccessMethodSetting`
- To decrease the confusion between `AccessMethod` &
`ApiAccessMethod`. `AccessMethodSetting` adds some app-specific
settings details on top of an `AccessMethod`, which is not too far
fetched with the new naming convention.
- Refactor proto file
- Rename protobuf message `AccessMethodSettingAdd` to `NewAccessMethodSetting`
- `AccessMethod` is now its own message
- `AccessMethods` is removed
- Add `ApiAccessMethodAdd` protobuf message
- The `ApiAccessMethodAdd` returns a `UUID` for the . One important
change is that new `AccessMethodSetting`s are created in the daemon,
rather than in the CLI/other clients. This means that the daemon now
has full control over generating new `AccessMethodSetting`s from
`AccessMethod`s.
- Clean up conversion code to/from `AccessMethod` protobuf types
- Simplify `UpdateApiAccessMethod` RPC
- Remove the extranous `ApiAccessMethodUpdate` data type
- get rid of `ApiAccessMethodUpdate` protobuf message. Use `UUID` of
`ApiAccessMethod` to identify which struct to edit.
- get rid of `ApiAccessMethodUpdate` struct
|
|
`ApiAccessMethod` was just an app-centric wrapper around `AccessMethod`.
|
|
- Refactor `RemoveApiAccessMethod` to be based on UUID
- Remove debug-prints in `mullvad api-access list` et al
- Get rid of `GetApiAccessMethods` RPC
- Use the more generic RPC `GetSettings` to get hold of all API access
methods instead
- Rename `mullvad_types::access_method` to `mullvad_types::api_access`
- Remove (unjustified) `#[inline(always)]` attributes
|
|
Do not use the word "proxy" in the context of API access methods, but
only in the context where we are actually refering to a proxy (such as
`SOCKS5` or `Shadowsocks` proxies).
|
|
- Replace rpcs `ReplaceApiAccessMethod` and `ToggleApiAccessMethod` in
favor of a commmon `UpdateApiAccessMethod` (which resembles
`ReplaceApiAccessMethod` in a lot of ways).
- `UpdateApiAccessMethod` works with unique identifiers instead of array
indices to pinpoint which API access method to update.
- Toggling an API access method to be enabled/disabled now happens via `UpdateApiAccessMethod`
- Add the useful `UUID` protobuf type definition, which
conveys more information that a raw string.
- Refactor `SetApiAccessMethod` to use API access method ID
- Update `ApiAcessMethod` messages to use `UUID` type for uuid values
- Use unique id for removing custom `ApiAccessMethods`
|
|
- General code cleanup
- Fix some typos
- Add some doc comments
- Address several `TODO` comments
- Fix `clippy` warnings
- Removed unused dependency `mullvad-api` from `mullvad-cli`
- Removed unused dependency `rand` from `mullvad-daemon`
- Rename `mullvad proxy` to `mullvad api-access`
- Rename `mullvad_types::api_access_method` -> `mullvad_types::access_method`
- Remove unused `mullvad api-access edit` arguments
- Fix `Display` for `ProxyConfig` printing arguments in the wrong order
- Re-phrase `mullvad api-access test`
- If the API call failed, point out which tested access method that
did not work.
- Fix missing `socket_bypass_tx` value for Android
- Refactor `ApiAccessMethod` proto definition
- Simplify protobuf definitions of `SOCKS5` api access methods
- Remove the `Socks5` enum in favor of implementing `Socks5Local` and
`Socks5Remote` directly.
- Move `enabled` and `name` out of the individual messages and put them
next to the `oneof access_method` in `ApiAccessMethod` proto definition
- Use derived `PartialEq` and `Hash` from `AccessMethod`
- Instead of hand-rolling `Hash` and implementing an ad-hoc version of
half of `PartialEq`, these can now be derived and used as one would
imaging due to the refactoring wherer `name` and `enabled` was moved
out of `AccessMethod` into `ApiAccessMethod`.
|
|
For quickly assessing whether an api access method can reach the API or not.
|
