I would like to request classic confinement for the snap ‘nodevpn’. NodeVPN is a Flutter-based GUI application which depends on the openconnect C library (shipped in the Ubuntu repository).
During development in strict confinement (with network-setup-control, firewall-control and hardware-observe connected manually), it fails to set up tun with the following error output:
progress_vfn: Failed to bind local tun device (TUNSETIFF): Operation not permitted
This is interesting given we have a bunch of other VPN clients in the store already and all can use strict confinement just fine.
If the tun module does not get automatically loaded when the device is accessed, this sounds rather like a serious kernel bug; all modern kernels should normally auto-load it on request so that you do not need to be root or even run modprobe …
This is not snap related: routes cannot be changed by non-admin users. You need to be root for this or use some proxying mechanism (i.e. a frontend/backend with D-Bus communication between them, like NetworkManager does).
I see. For now, the software does not have such a frontend/backend mechanism in place.
Right now, the software is a single binary depending on the openconnect shared library. We’re planning to work on the proxying mechanism in future releases. It would be great if we could ship the snap in classic mode and later switch to strict mode when we are done.
Well, you will have to wait for an actual reviewer to chime in, but I think the chances are low given that all other software with the same functionality in the store gets along with strict confinement … also, for classic your app needs to fit into the supported categories on:
Hi @nodevpn
Did you try the methods mentioned here: https://www.infradead.org/openconnect/nonroot.html which allow OpenConnect to run without admin privileges? Especially the SOCKS proxy one, which doesn’t require creating a virtual network interface.
Regarding classic confinement, I know this VPN service may differ from other already strictly confined VPN snaps, but it doesn’t fit into any of the available categories.
The SOCKS5 proxy method would require additional proxy configuration and setup in the application for the VPN connection. The motive of NodeVPN is to provide a hassle-free system-wide connection without much additional configuration on the user end. So a tun is required for our use case, hence the request for classic confinement for now.
I see that there is no specific category mentioned, but might it go for an exception…?
Hi @ogra, both of them are CLI-based agents (they need users to execute the snap with sudo); our software is a GUI (Flutter), so we can’t implement sudo/pkexec in the snap through .desktop either.
Since granting classic confinement gives the snap ownership of the device, unfortunately we cannot just give exceptions.
I would say nodevpn end users would value the possibility of running the application in a stable and secure runtime environment rather than complaining about having to perform extra configuration steps.
Since it’s been almost one month since you created this request, how far are you from working on the proxying mechanism that, IIUC, will allow nodevpn to properly run under strict confinement?
Hey @nodevpn - ping, it’s been a while since the last activity on this post and I just wanted to ask how far the snap has progressed toward running with strict confinement? Thanks
Hey @nodevpn , since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks.