rickjames

Eddie Client Wishlist

I understand many of these features fall well beyond the scope of simply providing vpn connectivity and would most likely require substantial coding but here's my wishlist.

 

 

-A simple way to download the config files for your Operating system then add them to the client.

This could possibly remove the login requirement - and if the resolve hosts in files option was used it might also remove the need for dns lookups before entering the tunnel.

 

-Linux only - the use of conntrack via check box, drop down etc.

Possibly check if conntrack is installed then give the option to use it for eth0 tun0 connections with NEW, ESTABLISHED / RELATED and INVALID etc.

 

-Tighter firewall rules after connection is made.

Only allow out on eth0 to the single server + port/protocol from the current machine's IP.

Drop everything else on eth0 in / reject on out.

 

-Option to allow a minimal and/or possibly customizable rule set for tun0.

Allow out on tun0 from locally/internally assigned ip on port 80 tcp -> any

Allow out on tun0 from locally/internally assigned ip on port 53 udp/tcp -> air dns server

Allow out on tun0 from locally/internally assigned ip on port 443 tcp -> any

Allow custom port option ?

Drop everything else on tun0 in / reject on out.

 

-Linux only - Option to choose user and group connectivity on tun0

--uid-owner your_user --gid-owner your_group

This can cause issues with system updates if run as root. Just tossing it out there.

 

-Linux only - Temporally add sysctl.conf tweaks.

-the short list

rp_filter 1

accept_redirects 0

accept_source_route 0

disable_ipv6 1

tcp_timestamps 0

log_martians 1

Possibly an icmp_echo_ignore 1 option.

Realistic conntrack timeout options if conntrack is used.

 

-Linux and friends with tcp wrappers

Temporarily add tcp wrapper rules Deny all / Allow openvpn.

 

 

Again I don't expect any of these options to be added as it's really not up to a vpn provider to provide such features. That, and many of these options are very situational. But since the Eddie client already has features I never thought I'd see in a vpn client, I figured it couldn't hurt to toss these out there.

 

Even if this thread only sparks ideas in others I'll consider it a win.

 

 

 

 

Link to post
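
The eth0/tun0 rule set wished for in the post above, written out as an added example (not part of the original post and not Eddie's Network Lock code). It is IPv4 only, the loopback rules are an added assumption, and every address passed in is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the wishlist above.
# Interface names eth0/tun0 are taken from the post; all addresses are placeholders.
# usage: gen_rules LAN_IP SERVER_IP PROTO PORT TUN_IP DNS_IP
gen_rules() {
    lan_ip=$1 srv_ip=$2 proto=$3 port=$4 tun_ip=$5 dns_ip=$6
    case $proto in udp|tcp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -s $srv_ip -d $lan_ip -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -d $tun_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -s $lan_ip -d $srv_ip -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun0 -s $tun_ip -d $dns_ip -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun0 -s $tun_ip -d $dns_ip -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun0 -s $tun_ip -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}
```

The output can be checked with `iptables-restore --test` before it is loaded.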

it won't require any substantial coding - and they are actually "already available".

How about adding them all to one single shell script, and then asking Eddie to call a specific script after connection?

The setup you posted above seems to consist of some iptables, sysctl and setuid parameters.

 

Seems much easier to accomplish your task this way, instead of hard-coding it for everyone, isn't it? Just 2 cents.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post

it won't require any substantial coding - and they are actually "already available".

How about adding them all to one single shell script, and then asking Eddie to call a specific script after connection?

The setup you posted above seems to consist of some iptables, sysctl and setuid parameters.

 

Seems much easier to accomplish your task this way, instead of hard-coding it for everyone, isn't it? Just 2 cents.

Indeed, having a script to apply the changes would be easy. Rolling the settings back after disconnect using system specific/original settings would be a bit trickier but not impossible.

 

The Eddie client dev/s already have a nice bit of code for rewrite/replace in linux. I just figured why reinvent the wheel.

 

A thread for hardening would probably be more appropriate. But my feeling is - if something was built into the client, tested by the staff/devs, users might be more likely to trust it, rather than it coming from me aka ./'a random person on the interwebs lol'.

Link to post

As explained by zhang888, if a feature can be a benefit for all users, it can be implemented in Eddie.

Otherwise, supporting an enormous list of features that only a small percentage of users will use (or understand) is not a recommended approach: it requires UI, docs, testing the support in any OS & versions, and is the road to bloatware.

 

But if someone has a need, it MUST be possible to do it.

 

So, I think that the best approach is allowing this kind of feature request by adding specific events linked to an external script, or maybe thinking about a plugin-system in Eddie to allow people to implement feature extensions.

When a community-script or extension reaches stability and people like it, it can be moved inside the official Eddie.

I think this is the best way. But it requires collaboration.

Link to post

-A simple way to download the config files for your Operating system then add them to the client.

This could possibly remove the login requirement - and if the resolve hosts in files option was used it might also remove the need for dns lookups before entering the tunnel.

DNS lookups are currently not used in Eddie.

Eddie downloads a manifest file with the list of servers, and contacts them directly with the entry-IP address in it.

I don't understand why you need to download config files: Eddie already builds them internally, and the list is updated in realtime.

What do you mean by 'login requirement'? Storing login & password with the remember option is (security-wise) the same as having .ovpn files with the user keys inside.

Linux only - the use of conntrack via check box, drop down etc.

and

Tighter firewall rules after connection is made.

and

Option to allow a minimal and/or possibly customizable rule set for tun0

Thinking about that. Maybe it's useful, but it's difficult to create a UI for setting options like that.

Eddie removes the current iptables rules and creates new rules when Network Lock is activated under Linux.

Otherwise, by default, people connect to the VPN and Eddie doesn't touch the original iptables.

If these kinds of options are inside the Network Lock feature, they can be implemented; otherwise it's difficult to understand priority (insert or append in current iptables rules).

Linux only - Temporally add sysctl.conf tweaks.

Can be advanced options.

 

But you use the word "Temporally"... for example, if I set disable_ipv6 to 1 and then I restore it to 0, there are a lot of issues, like route loss.

For this reason, ONLY in Eddie under Linux, if IPv6 is enabled, Eddie doesn't turn it off automatically, but asks the user to do it.

It's possible to implement any kind of tweaking, but it MUST be reversible (applied only during the connection or life of the app, restored at end).

Link to post
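
The reversibility requirement from the post above, sketched as an added example (not Eddie's code): snapshot each sysctl value before changing it, refuse to snapshot twice, and restore from the snapshot on disconnect. The state-file path, the `conf/all` scope of the keys and the function names are assumptions, and `disable_ipv6` is left out because of the route loss reported above.

```shell
#!/bin/sh
# Added example: apply the wishlist's sysctl short list reversibly.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}            # overridable, e.g. to try it on a scratch dir
STATE_FILE=${STATE_FILE:-/run/vpn-sysctl.state}  # hypothetical snapshot location

# key=value pairs; conf/all scope is an assumption, per-interface keys may also matter.
TWEAKS="net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/tcp_timestamps=0
net/ipv4/conf/all/log_martians=1"

# Call on connect: record the current value of each key, then write the new one.
apply_tweaks() {
    # A second apply would overwrite the snapshot with hardened values, so refuse.
    [ -e "$STATE_FILE" ] && { echo "snapshot exists; restore first" >&2; return 1; }
    : > "$STATE_FILE" || return 1
    for kv in $TWEAKS; do
        key=${kv%%=*}; new=${kv#*=}
        f="$SYSCTL_ROOT/$key"
        [ -w "$f" ] || { echo "skip $key (not writable)" >&2; continue; }
        old=$(cat "$f")
        printf '%s=%s\n' "$key" "$old" >> "$STATE_FILE"   # snapshot before the change
        printf '%s\n' "$new" > "$f"
    done
}

# Call on disconnect or exit: put back exactly what was recorded, then drop the snapshot.
restore_tweaks() {
    [ -r "$STATE_FILE" ] || return 0
    while IFS='=' read -r key old; do
        printf '%s\n' "$old" > "$SYSCTL_ROOT/$key"
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}
```

Keys that were skipped on apply never enter the snapshot, so restore only touches values the script itself changed.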

So, I think that the best approach is allowing this kind of feature request by adding specific events linked to an external script, or maybe thinking about a plugin-system in Eddie to allow people to implement feature extensions.

When a community-script or extension reaches stability and people like it, it can be moved inside the official Eddie.

I think this is the best way. But it requires collaboration.

 

As mentioned I really don't expect any of these features to be added to the client. Maintaining compatibility across systems would be a nightmare with a few of these options. But a plugin-system would be very interesting and there's several very knowledgeable users here that would probably contribute.

 

 

DNS lookups are currently not used in Eddie.

Eddie downloads a manifest file with the list of servers, and contacts them directly with the entry-IP address in it.

 

I don't understand why you need to download config files: Eddie already builds them internally, and the list is updated in realtime.

I was under the impression dns lookups were required. Thank you for that information.

Out of curiosity does the client create a tunnel before downloading the manifest/config files? If not could it?

 

What do you mean by 'login requirement'? Storing login & password with the remember option is (security-wise) the same as having .ovpn files with the user keys inside.

I was only thinking of users that may want to store the config files in a sudo jail system or a restrictive container of some sort.

 

 

 

Linux only - the use of conntrack via check box, drop down etc.

and

Tighter firewall rules after connection is made.

and

Option to allow a minimal and/or possibly customizable rule set for tun0

 

Thinking about that. Maybe it's useful, but it's difficult to create a UI for setting options like that.

Eddie removes the current iptables rules and creates new rules when Network Lock is activated under Linux.

I agree. Difficult and very situational. Tbh I have no idea how to achieve tight tun0 rules across such a wide user base without causing issues for possibly hundreds of users.

 

zhang888's idea for a script system or a plugin-system are both promising. Maybe some sort of security 'slider' option? Tbh I got nuttin lol. -just brainstorming

 

 

 

Linux only - Temporally add sysctl.conf tweaks.

Can be advanced options.

 

But you use the word "Temporally"... for example, if I set disable_ipv6 to 1 and then I restore it to 0, there are a lot of issues, like route loss.

For this reason, ONLY in Eddie under Linux, if IPv6 is enabled, Eddie doesn't turn it off automatically, but asks the user to do it.

It's possible to implement any kind of tweaking, but it MUST be reversible (applied only during the connection or life of the app, restored at end).

Agreed, making it reversible without a reboot is the hitch. And offhand I don't recall if ifdown/ifup restores it either. That and the current network lock already works well for killing ip6 traffic.

 

Out of all of this the sysctl settings would probably be the easiest to implement for the systems the eddie client supports. Given the particular settings are easily reversible.

 

I'm not intentionally leaving out windows and mac. I've just been out of the windows loop for so long / I wouldn't even know where to start. And I was never really in the loop for mac.

 

Making a 'hardening' thread would probably be easier. But it seems like only a small percentage of users browse the forums. And many newer linux users aren't terminal savvy or become overwhelmed when looking at pages of settings.

 

If this ends up going the direction of a thread I'll contribute what I can

Link to post

I wish the developers would work on getting 2.10 to work on El Capitan, OS X users are stuck with 2.9 version when the update comes out.

Link to post

Very simple console GUI (like ncurses, new and exciting v6.0 was released just recently!) with just the most important functions like status, on-off, network lock, server selection drop-down, logs etc.

 

User could use the currently-less-flaky but relatively bloated (sorry Eddie!) mono GUI for initial setup before killing mono and just having the ncurses GUI around for managing the connection.

Link to post

It has been mentioned elsewhere, I'll stick it in here again anyway (I'm not really nagging...): The ability to enlarge the fonts (or magnify the entire Eddie interface) would be much appreciated by those of us who use 1080p res' (& other high res' displays too).

 

Not being able to see as well as one once could (if you were once blessed with good vision) is not a problem until it is. Fortunately or unfortunately, as the case may be, that is when most of us find out about this one... That is, when our vision deteriorates with age.

 

Many of us won't use OS/X machines due to the lack of font sizing available in that system. Windows is better, & changing the dpi will get around such problems fairly easily (though that solution is inconvenient at times).

 

Linux gives a great deal more control, though sometimes we just can't adjust the fonts of some apps. Eddie is one of those programs (as wonderful as it is) that I at least, can't find a way to enlarge the fonts of.

Link to post

Linux gives a great deal more control, though sometimes we just can't adjust the fonts of some apps. Eddie is one of those programs (as wonderful as it is) that I at least, can't find a way to enlarge the fonts of.

 

Hello!

 

We're glad to inform you that Eddie developer has put this issue as a priority for the next Eddie release.

 

Kind regards

Link to post

There are 2 things that would be great to add for eddie client in my opinion:

 

1. If it was a service (systemd service file, whatever mac calls a service, windows service, init.d etc...)

2. Ability to connect to a certain server at startup. I mean one I can specify as opposed to last server used or best server. On that note if best server option is picked then option to completely disconnect and then pick the best server by latency.

 

Also, I agree with this: "Tighter firewall rules after connection is made"

I am not 100% sure but I think traffic is going around the vpn sometimes as I see no traffic going through eddie. When I close it and then open it and then close and open my internet applications it works.

Link to post

 

Linux gives a great deal more control, though sometimes we just can't adjust the fonts of some apps. Eddie is one of those programs (as wonderful as it is) that I at least, can't find a way to enlarge the fonts of.

 

Hello!

 

We're glad to inform you that Eddie developer has put this issue as a priority for the next Eddie release.

 

Kind regards

 

That is great news!

 

All of us who are somewhat sight impaired, truly give our sincere thanks to the one above.

Link to post

After thinking about it and using the eddie (gnu/linux) client I have a new feature request (if there is already a way to do this please let me know):

 

An additional tab for "my servers" or "preferred servers" or similar. My reasoning is that when I open eddie and I want to connect to another server I have a usual few that I pick from / like. My guess is that I am not alone in this behavior. So, it would be nice to be able to save which servers I like so that I can pick between them without going through the whole list. Okay, thanks for reading.

Link to post

After thinking about it and using the eddie (gnu/linux) client I have a new feature request (if there is already a way to do this please let me know):

 

An additional tab for "my servers" or "preferred servers" or similar. My reasoning is that when I open eddie and I want to connect to another server I have a usual few that I pick from / like. My guess is that I am not alone in this behavior. So, it would be nice to be able to save which servers I like so that I can pick between them without going through the whole list. Okay, thanks for reading.

 

Hello,

 

isn't the white list a good solution for your purpose?

 

Kind regards

Link to post

After thinking about it and using the eddie (gnu/linux) client I have a new feature request (if there is already a way to do this please let me know):

 

An additional tab for "my servers" or "preferred servers" or similar. My reasoning is that when I open eddie and I want to connect to another server I have a usual few that I pick from / like. My guess is that I am not alone in this behavior. So, it would be nice to be able to save which servers I like so that I can pick between them without going through the whole list. Okay, thanks for reading.

 

As Staff mentioned, whitelist your preferred servers then untick "Show all" below. That's how I set up my favourite servers list.

 

@Staff: It would be nice to have the same "Show All" filter for the "Countries" tab in next Eddie version.

Link to post

 

@Staff: It would be nice to have the same "Show All" filter for the "Countries" tab in next Eddie version.

 

yes, me too.

Link to post
