Newnode VPN is a means of bypassing web censorship that is implemented in some countries in order to block access to content which the local government does not like. In order to do that, Newnode VPN routes HTTP and HTTPS requests to the origin server via a peer-to-peer ad hoc network. This network uses the uTP protocol, which is layered over UDP. For a node in this network to be able to function, it therefore needs to be able to open up UDP connections to arbitrary peers on arbitrary ports and also accept UDP connections to arbitrary peers on arbitrary ports. Newnode VPN nodes also need to be able to make DHT queries and updates (also via UDP), and to make HTTP and HTTPS requests to arbitrary server addresses, though only at the usual ports 80 and 443, respectively.
Newnode-helper is an implementation of a Newnode VPN node. Most installations of Newnode VPN are on iOS or Android phones, and on those devices Newnode VPN serves both as a node in the Newnode VPN P2P network and as a local web proxy that intercepts outgoing HTTP and HTTPS requests and attempts to route such requests to evade web censorship. Newnode-helper is different in that it doesn’t try to intercept locally originated HTTP and HTTPS requests, but still acts as a node in the Newnode VPN P2P network.
The reason I’m asking for this change is that I’m not clear whether the network access needed by newnode-helper is compatible with strict confinement. We’d rather use strict confinement if newnode-helper can work that way, but I really can’t tell from the documentation whether this works ok.
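One way to check the requirements listed above from inside a confined process, as an added example that is not part of the original post or of the Newnode project: a small Python probe that exercises UDP bind/send/receive and outbound TCP connects, and separates a policy refusal from an ordinary network failure. The function names are hypothetical, the loopback listener is a constructed stand-in for an origin server, and treating `EACCES`/`EPERM` as the sandbox's refusal is an assumption.

```python
import errno
import socket

# Assumption: a confinement layer refusing a socket call surfaces as one of these.
DENIED = {errno.EACCES, errno.EPERM}

def classify(exc):
    """Map a socket error to 'denied' (policy) or 'unreachable' (network)."""
    return "denied" if exc.errno in DENIED else "unreachable"

def probe_udp(bind_host="127.0.0.1", timeout=2.0):
    """Bind UDP on an OS-chosen port, send one datagram to it, read it back."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
             socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            rx.settimeout(timeout)
            rx.bind((bind_host, 0))                # accepting side needs bind
            tx.sendto(b"probe", rx.getsockname())  # originating side needs send
            data, _ = rx.recvfrom(16)
            return "ok" if data == b"probe" else "unreachable"
    except OSError as exc:
        return classify(exc)

def probe_tcp(host, port, timeout=2.0):
    """Attempt one outbound TCP connect, as an HTTP/HTTPS request would."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError as exc:
        return classify(exc)

def run_probes(tcp_targets):
    """Run the UDP probe plus one TCP probe per (host, port) target."""
    results = {"udp bind+send+recv": probe_udp()}
    for host, port in tcp_targets:
        results[f"tcp connect {host}:{port}"] = probe_tcp(host, port)
    return results

if __name__ == "__main__":
    # Constructed loopback listener so the script runs offline; replace the
    # target list with real (host, 80) / (host, 443) pairs when testing a node.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        for name, result in run_probes([srv.getsockname()]).items():
            print(f"{name}: {result}")
```

Running the same script once unconfined and once under the confinement being evaluated shows which of the listed socket operations the policy blocks.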