Bug 781355 - [privacy] [security] Allow enforcing SSH tunnels/proxies (and/or VPNs) on network connections
Status: NEEDINFO
Product: gnome-control-center
Classification: Core
Component: Network
3.20.x
Other Linux
: Normal enhancement
: ---
Assigned To: Control-Center Maintainers
safety
Depends on: 769692
Blocks:
Reported: 2017-04-15 22:19 UTC by Jean-François Fortin Tam
Modified: 2017-04-18 11:11 UTC

See Also:
GNOME target: ---
GNOME version: ---


Description Jean-François Fortin Tam 2017-04-15 22:19:24 UTC
I’ve been using SSH tunnels for years but that’s a very involved client-side process (needing to whip up a terminal to establish the tunnel, then to whip up gnome-control-center's Network settings, go to the proxy pane, switch to "Manual" proxy mode, and then undo/redo all that when bringing down/up the connection).

For my use case (network security while travelling) SSH tunnels are the way to go, they require pretty much zero set-up and SSH is ubiquitous on servers, so anyone can set this infrastructure up much much more easily than a VPN.

I dug a bit in bugzilla regarding SSH support in NM, and I found bug #706314 which led me to https://github.com/danfruehauf/NetworkManager-ssh which kinda disguises SSH as a "VPN" connection (the issue I then faced is that it made no sense to me as a user: https://github.com/danfruehauf/NetworkManager-ssh/issues/66)

So whether it is done as a "SOCKS proxy" or as a "VPN", one fact remains: gnome-control-center does not expose a UI for the user to set a security policy on this front. Essentially I'd like to be able to tell GNOME/NM to "enforce" my SSH tunnel (unless I manually temporarily turn off the tunnel from the top-right corner menu for example) before letting apps (other than captive portal handling like bug #769692) -- such as Evolution, the browser, Telepathy/xchat/etc. -- establish connections. So I'd like the ability to set it to be used either:
- "for specific known networks"
- "all networks except X, Y, Z" (ex: "everything is untrusted except at home and the office").

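The two policy modes requested above, sketched as a user-session script; this is an added example, not part of the bug report and not gnome-control-center or NetworkManager code. The SSH host, SOCKS port and network names are assumed placeholders, and because it only sets the desktop SOCKS proxy, applications that ignore that setting still connect directly, which is the enforcement gap the report describes.

```shell
#!/bin/sh
# Added example: per-network SSH tunnel policy (values below are assumptions).
TUNNEL_HOST="user@tunnel.example.org"   # placeholder SSH server
SOCKS_PORT=1080                         # placeholder local SOCKS port
POLICY="all-except"                     # "only-listed" or "all-except"
NETWORKS="Home
Office"                                 # constructed connection names, one per line

# Print "tunnel" or "direct" for connection name $1 under $POLICY/$NETWORKS.
decide() {
    if printf '%s\n' "$NETWORKS" | grep -Fxq -- "$1"; then listed=yes; else listed=no; fi
    case "$POLICY:$listed" in
        only-listed:yes|all-except:no) echo tunnel ;;
        only-listed:no|all-except:yes) echo direct ;;
        *) echo tunnel ;;               # unknown policy: fail closed
    esac
}

# Print the commands that put the desktop into state $1 (tunnel|direct).
plan() {
    if [ "$1" = tunnel ]; then
        echo "ssh -f -N -o ExitOnForwardFailure=yes -D 127.0.0.1:$SOCKS_PORT $TUNNEL_HOST"
        echo "gsettings set org.gnome.system.proxy.socks host 127.0.0.1"
        echo "gsettings set org.gnome.system.proxy.socks port $SOCKS_PORT"
        echo "gsettings set org.gnome.system.proxy mode manual"
    else
        echo "gsettings set org.gnome.system.proxy mode none"
    fi
}

# One active connection that needs the tunnel is enough to require it.
main() {
    active=$(nmcli -t -e no -f NAME connection show --active)
    state=direct
    while IFS= read -r name; do
        if [ -n "$name" ] && [ "$(decide "$name")" = tunnel ]; then state=tunnel; fi
    done <<EOF
$active
EOF
    plan "$state"
}

case "${1:-}" in
    --print) main ;;        # show what would be run
    --apply) main | sh ;;   # run it in the current GNOME session
esac
```

Run it with `--print` to review the commands and `--apply` to execute them after joining a network.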
Comment 1 Bastien Nocera 2017-04-18 09:06:42 UTC
Do you prefer this to be a duplicate of bug 656215 (VPN) or bug 640475 (per-connection proxy)?
