Request classic confinement for newnode-helper program

Newnode VPN is a means of bypassing web censorship that is implemented in some countries in order to block access to content which the local government does not like. In order to do that, Newnode VPN routes HTTP and HTTPS requests to the origin server via a peer-to-peer ad hoc network. This network uses the uTP protocol, which is layered over UDP. For a node in this network to be able to function, it therefore needs to be able to open UDP connections to arbitrary peers on arbitrary ports and also accept UDP connections from arbitrary peers on arbitrary ports. Newnode VPN nodes also need to be able to make DHT queries and updates (also via UDP), and to make HTTP and HTTPS requests to arbitrary server addresses, though only on the usual ports 80 and 443, respectively.

Newnode-helper is an implementation of a Newnode VPN node. Most installations of Newnode VPN are on iOS or Android phones, and on those devices Newnode VPN serves both as a node in the Newnode VPN P2P network and as a local web proxy that intercepts outgoing HTTP and HTTPS requests and attempts to route such requests to evade web censorship. Newnode-helper is different in that it doesn't try to intercept locally originated HTTP and HTTPS requests, but still acts as a node in the Newnode VPN P2P network.

The reason I'm asking for this change is that I'm not clear whether the network access needed by newnode-helper is compatible with strict confinement. We'd rather use strict confinement if newnode-helper can work that way, but I really can't tell from the documentation whether this works OK.

There are plenty of other VPN clients in the store already that utilize strict confinement; there are firewall tools and surely enough others that use and open http/s ports. You should really try strict first… There is also no supported category at Process for reviewing classic confinement snaps that would fit your use case, which is a hard requirement for getting classic granted.

Some combination of network-bind, network-control, perhaps firewall-control and network-manager (if you integrate with that) should suffice to gain enough access to the kernel and the OS network features for your app.

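As an added illustration of what the suggestion above looks like in practice (this is not newnode-helper's own packaging and nothing on this page shows the real snapcraft.yaml), here is a strictly confined snapcraft.yaml for a daemon that opens outbound UDP/TCP sockets to arbitrary peers and listens on arbitrary UDP ports. The snap name, version, command path and the `dump` part are placeholders assumed for the example.

```yaml
# Added example: a strict-confinement snapcraft.yaml for a P2P daemon.
# Names, version and the part definition are assumptions, not the
# project's real metadata.
name: newnode-helper          # assumed snap name
base: core22
version: '0.1'                # placeholder version
summary: Newnode VPN peer-to-peer node (no local proxy)
description: |
  Participates in the Newnode VPN P2P network (uTP over UDP, DHT over UDP,
  HTTP/HTTPS to origin servers) without intercepting local traffic.
grade: stable
confinement: strict           # strict, not classic

apps:
  newnode-helper:
    command: bin/newnode-helper   # assumed binary path inside the snap
    daemon: simple
    restart-condition: always
    plugs:
      # Outbound TCP/UDP to arbitrary hosts and ports (auto-connected).
      - network
      # bind()/listen on arbitrary local ports, including UDP (auto-connected).
      - network-bind
      # Only needed if the node must change routes or interfaces itself;
      # this one is NOT auto-connected and must be connected manually or
      # granted auto-connect by the store reviewers.
      - network-control

parts:
  newnode-helper:
    plugin: dump              # placeholder: copies a prebuilt tree into the snap
    source: .
```

For a node that only opens and accepts sockets, `network` plus `network-bind` already cover the UDP and HTTP(S) access described in the request; `network-control` (and `firewall-control`) only matter if the daemon manipulates routing, interfaces or netfilter. After `snapcraft` and `sudo snap install --dangerous ./newnode-helper_0.1_amd64.snap`, `snap connections newnode-helper` shows which plugs are connected; a missing manual connection is added with `sudo snap connect newnode-helper:network-control`. If anything is still blocked, running `sudo snappy-debug` (from the snappy-debug snap) while the daemon starts prints the AppArmor/seccomp denials and the interface that would resolve each one.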

hey @kmoore,

Did you explore @ogra 's suggestions?

Thanks!

I realized that classic confinement was not needed for this application.


Thanks @kmoore , we are then removing this request from our review queue.

Feel free to write here again if you have any further question.

Thanks!