From: Eric Kuck <eric@bluelinelabs.com>
Date: Mon, 2 Jul 2018 13:35:54 -0700
Subject: Android app whitelist/blacklist feature
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

I'd like to make a contribution to the Android app, but would like to know if
this is something that would actually get merged before I go through all the
effort. What I'd like to do is add an exceptions list (apps that will not be
routed through the Wireguard interface). The rationale for this being that
some apps simply don't work with Wireguard. For example, the use of a
Wireguard VPN with custom DNS breaks WearOS watches due to Google hardcoding
the use of the 8.8.8.8 DNS server. Another example is that Netflix doesn't
work when routed through my VPN server since they know it's a DigitalOcean
instance, but works fine without the VPN enabled. Another example is that
there's often no reason to route data-heavy video apps through your VPN
server. Rather than turning the VPN on my phone off to use my wearable or to
watch something on my phone, I'd like to be able to opt those apps out of
using the VPN at all. I'm sure there are many more examples of apps that
simply don't need to go through a VPN, as no confidential information is
passed through them.

My proposal is to add another Fragment that's just a list of all apps
installed on the phone with check boxes next to them. If the checkbox is
checked, that app will be routed through Wireguard. If not, it will be free
to bypass the VPN. Naturally, all apps will default to being checked. This is
an easy change to make for the GoBackend implementation using
VpnService.Builder.addDisallowedApplication(<packageName>), but would likely
be pretty complicated to add to WgQuickBackend. Perhaps this is something
that would only be possible for GoBackend users.

Any thoughts on this? I have everything working locally by simply adding
these two hardcoded lines to GoBackend.java:

    builder.addDisallowedApplication("com.netflix.mediaclient");
    builder.addDisallowedApplication("com.google.android.wearable.app");

but I would like to make this more configurable and available to the rest of
Wireguard users if you're agreeable to it. Thanks.
From: Samuel Holland <samuel@sholland.org>
Date: Mon, 2 Jul 2018 16:43:49 -0500
Subject: Re: Android app whitelist/blacklist feature
To: Eric Kuck <eric@bluelinelabs.com>, wireguard@lists.zx2c4.com

Hello Eric,

On 07/02/18 15:35, Eric Kuck wrote:
> I'd like to make a contribution to the Android app, but would like to know if
> this is something that would actually get merged before I go through all the
> effort. What I'd like to do is add an exceptions list (apps that will not be
> routed through the Wireguard interface). The rationale for this being that
> some apps simply don't work with Wireguard. For example, the use of a
> Wireguard VPN with custom DNS breaks WearOS watches due to Google hardcoding
> the use of the 8.8.8.8 DNS server. Another example is that Netflix doesn't
> work when routed through my VPN server since they know it's a DigitalOcean
> instance, but works fine without the VPN enabled. Another example is that
> there's often no reason to route data-heavy video apps through your VPN
> server. Rather than turning the VPN on my phone off to use my wearable or to
> watch something on my phone, I'd like to be able to opt those apps out of
> using the VPN at all. I'm sure there are many more examples of apps that
> simply don't need to go through a VPN, as no confidential information is
> passed through them.

This sounds like a generally useful feature.

> My proposal is to add another Fragment that's just a list of all apps
> installed on the phone with check boxes next to them. If the checkbox is
> checked, that app will be routed through Wireguard. If not, it will be free
> to bypass the VPN. Naturally, all apps will default to being checked.

If you base the UI on DialogPreference or MultiSelectListPreference, Android
will take care of persisting the setting for you, and it would be easy to add to
the settings page.

> This is an easy change to make for the GoBackend implementation using
> VpnService.Builder.addDisallowedApplication(<packageName>), but would likely
> be pretty complicated to add to WgQuickBackend. Perhaps this is something
> that would only be possible for GoBackend users.

For WgQuickBackend, we'd need to modify the set_users function[1] in the
wg-quick "script" to take a dynamic list of user IDs instead of hard coding it.
PackageManager should provide us the UIDs of other applications. I'm not sure
the best way to communicate the ID list from the app to the script. Jason, thoughts?

> Any thoughts on this? I have everything working locally by simply adding
> these two hardcoded lines to GoBackend.java:
>
>     builder.addDisallowedApplication("com.netflix.mediaclient");
>     builder.addDisallowedApplication("com.google.android.wearable.app");
>
> but I would like to make this more configurable and available to the rest of
> Wireguard users if you're agreeable to it. Thanks.

Thank you,
Samuel

[1]: https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/android.c?id=dfd9827d5b08c506522bb3762cd3b0dbac640bbc#n291

From: Eric Kuck <eric@bluelinelabs.com>
Date: Mon, 2 Jul 2018 20:22:41 -0400
Subject: Re: Android app whitelist/blacklist feature
To: Samuel Holland <samuel@sholland.org>, wireguard@lists.zx2c4.com

Excellent. I unfortunately haven't done any C programming for almost a decade
and have never done any kind of kernel development, so I'm not going to be any
help adding this functionality to the wg-quick implementation. If I were to do
the work I initially proposed (new fragment + GoBackend implementation), would
this be enough to get merged? If so, would it be better if I simply disabled
the new fragment for custom kernel users or if I left a placeholder assuming
someone else can add the missing implementation?

On July 2, 2018 at 4:43:53 PM, Samuel Holland (samuel@sholland.org) wrote:

Hello Eric,

On 07/02/18 15:35, Eric Kuck wrote:
> I'd like to make a contribution to the Android app, but would like to know if
> this is something that would actually get merged before I go through all the
> effort. What I'd like to do is add an exceptions list (apps that will not be
> routed through the Wireguard interface). The rationale for this being that
> some apps simply don't work with Wireguard. For example, the use of a
> Wireguard VPN with custom DNS breaks WearOS watches due to Google hardcoding
> the use of the 8.8.8.8 DNS server. Another example is that Netflix doesn't
> work when routed through my VPN server since they know it's a DigitalOcean
> instance, but works fine without the VPN enabled. Another example is that
> there's often no reason to route data-heavy video apps through your VPN
> server. Rather than turning the VPN on my phone off to use my wearable or to
> watch something on my phone, I'd like to be able to opt those apps out of
> using the VPN at all. I'm sure there are many more examples of apps that
> simply don't need to go through a VPN, as no confidential information is
> passed through them.

This sounds like a generally useful feature.

> My proposal is to add another Fragment that's just a list of all apps
> installed on the phone with check boxes next to them. If the checkbox is
> checked, that app will be routed through Wireguard. If not, it will be free
> to bypass the VPN. Naturally, all apps will default to being checked.

If you base the UI on DialogPreference or MultiSelectListPreference, Android
will take care of persisting the setting for you, and it would be easy to add to
the settings page.

> This is an easy change to make for the GoBackend implementation using
> VpnService.Builder.addDisallowedApplication(<packageName>), but would likely
> be pretty complicated to add to WgQuickBackend. Perhaps this is something
> that would only be possible for GoBackend users.

For WgQuickBackend, we'd need to modify the set_users function[1] in the
wg-quick "script" to take a dynamic list of user IDs instead of hard coding it.
PackageManager should provide us the UIDs of other applications. I'm not sure
the best way to communicate the ID list from the app to the script. Jason, thoughts?

> Any thoughts on this? I have everything working locally by simply adding
> these two hardcoded lines to GoBackend.java:
>
>     builder.addDisallowedApplication("com.netflix.mediaclient");
>     builder.addDisallowedApplication("com.google.android.wearable.app");
>
> but I would like to make this more configurable and available to the rest of
> Wireguard users if you're agreeable to it. Thanks.

Thank you,
Samuel

[1]:
https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/android.c?id=dfd9827d5b08c506522bb3762cd3b0dbac640bbc#n291
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 3 Jul 2018 04:21:08 +0200
Subject: Re: Android app whitelist/blacklist feature
To: eric@bluelinelabs.com
Cc: WireGuard mailing list

Hey Eric,

Sorry for not responding earlier when you sent this to me directly.
I'm glad you sent it here and Samuel caught it, so your nice idea
won't go to waste.

On Tue, Jul 3, 2018 at 2:22 AM Eric Kuck <eric@bluelinelabs.com> wrote:
> If I were to do the work I initially proposed (new fragment + GoBackend implementation), would this be enough to get merged?

No, but I can write the C part and just provide you with some sane
interface for passing off the relevant information to wg-quick. Send
me offlist an SSH key, and I'll give you commit access to branches
that begin with `ek/`.

> My proposal is to add another Fragment that's just a list of all apps installed on the phone with check boxes next to them.

How would one get to the Fragment? From the overflow menu, or from the
settings? I suspect the settings would be a more natural place for it.
Or were you thinking that this would actually be part of each
individual tunnel profile, stored within the configuration for the
tunnel somehow?

Regards,
Jason

From: Eric Kuck <eric@bluelinelabs.com>
Date: Mon, 2 Jul 2018 22:27:02 -0400
Subject: Re: Android app whitelist/blacklist feature
To: "Jason A. Donenfeld"
Cc: WireGuard mailing list

I was originally thinking the new fragment would be a per-tunnel thing (set
when you create the tunnel or edit it), but you're right - making it a general
setting likely makes a whole lot more sense. I can't think of any use-cases
for different tunnels handling different apps.

On July 2, 2018 at 9:21:23 PM, Jason A. Donenfeld (jason@zx2c4.com) wrote:

Hey Eric,

Sorry for not responding earlier when you sent this to me directly.
I'm glad you sent it here and Samuel caught it, so your nice idea
won't go to waste.

On Tue, Jul 3, 2018 at 2:22 AM Eric Kuck <eric@bluelinelabs.com> wrote:
> If I were to do the work I initially proposed (new fragment + GoBackend implementation), would this be enough to get merged?

No, but I can write the C part and just provide you with some sane
interface for passing off the relevant information to wg-quick. Send
me offlist an SSH key, and I'll give you commit access to branches
that begin with `ek/`.

> My proposal is to add another Fragment that's just a list of all apps installed on the phone with check boxes next to them.

How would one get to the Fragment? From the overflow menu, or from the
settings? I suspect the settings would be a more natural place for it.
Or were you thinking that this would actually be part of each
individual tunnel profile, stored within the configuration for the
tunnel somehow?

Regards,
Jason
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 3 Jul 2018 04:31:36 +0200
Subject: Re: Android app whitelist/blacklist feature
To: eric@bluelinelabs.com
Cc: WireGuard mailing list

On Tue, Jul 3, 2018 at 4:27 AM Eric Kuck <eric@bluelinelabs.com> wrote:
>
> I was originally thinking the new fragment would be a per-tunnel thing (set
> when you create the tunnel or edit it), but you're right - making it a general
> setting likely makes a whole lot more sense. I can't think of any use-cases
> for different tunnels handling different apps.

It might actually make most sense to make it a per-tunnel thing. We'd
then have to introduce conf key called, "ExemptedApplications=" or
something. Samuel - any thoughts on this?

From: Samuel Holland <samuel@sholland.org>
Date: Tue, 3 Jul 2018 13:12:10 -0500
Subject: Re: Android app whitelist/blacklist feature
To: "Jason A. Donenfeld", eric@bluelinelabs.com
Cc: WireGuard mailing list

On 07/02/18 21:31, Jason A. Donenfeld wrote:
> On Tue, Jul 3, 2018 at 4:27 AM Eric Kuck <eric@bluelinelabs.com> wrote:
>>
>> I was originally thinking the new fragment would be a per-tunnel thing
>> (set when you create the tunnel or edit it), but you're right - making it
>> a general setting likely makes a whole lot more sense. I can't think of
>> any use-cases for different tunnels handling different apps.
>
> It might actually make most sense to make it a per-tunnel thing. We'd then
> have to introduce conf key called, "ExemptedApplications=" or something.
> Samuel - any thoughts on this?

Right, trying to make it a global setting requires either some sort of
out-of-band way to pass the information to wg-quick, or rewriting the
configuration file every time the tunnel is brought up.

Since from netd's point of view, this is a per-network setting anyway, I agree
it makes sense to configure it per-tunnel. ExemptedApplications works as a
configuration key, though I prefer ExcludedApplications--the application isn't
just not required to use the tunnel, it's not allowed to use the tunnel.

In that case, here are my UI suggestions:
- Add a button in the editor that switches to a fragment or pops up a Dialog
  similar to a MultiSelectListPreference.
- For consistency, checked means excluded -- everything defaults to unchecked.
- The package names of excluded apps are put in the
  com.wireguard.config.Interface, and wg-quick handles package name to uid
  translation.

How does that sound?
Samuel

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 3 Jul 2018 20:17:11 +0200
Subject: Re: Android app whitelist/blacklist feature
To: Samuel Holland <samuel@sholland.org>
Cc: Eric Kuck <eric@bluelinelabs.com>, WireGuard mailing list

On Tue, Jul 3, 2018 at 8:12 PM Samuel Holland <samuel@sholland.org> wrote:
> Right, trying to make it a global setting requires either some sort of
> out-of-band way to pass the information to wg-quick, or rewriting the
> configuration file every time the tunnel is brought up.
>
> Since from netd's point of view, this is a per-network setting anyway, I agree
> it makes sense to configure it per-tunnel. ExemptedApplications works as a
> configuration key, though I prefer ExcludedApplications--the application isn't
> just not required to use the tunnel, it's not allowed to use the tunnel.
>
> In that case, here are my UI suggestions:
> - Add a button in the editor that switches to a fragment or pops up a Dialog
>   similar to a MultiSelectListPreference.
> - For consistency, checked means excluded -- everything defaults to unchecked.
> - The package names of excluded apps are put in the
>   com.wireguard.config.Interface, and wg-quick handles package name to uid
>   translation.
>
> How does that sound?

All of that sounds right-on to me, and I think you're right that
ExcludedApplications is the better key.

(This also provides a good basis for later adding a
"ExcludeLocalNetwork" option.)

Eric's git access should be all setup now, so we can watch the
commits coming on in.

From: Eric Kuck <eric@bluelinelabs.com>
Date: Wed, 4 Jul 2018 18:19:36 -0400
Subject: Re: Android app whitelist/blacklist feature
To: "Jason A. Donenfeld", Samuel Holland
Cc: WireGuard mailing list

A first pass that only works with GoBackend has just been pushed. Feel free to
make suggestions or requests. This is the first time I've used databinding for
more than just a findViewById substitute, so it's very possible I didn't do
something canonically.

On July 3, 2018 at 1:17:27 PM, Jason A. Donenfeld (jason@zx2c4.com) wrote:

On Tue, Jul 3, 2018 at 8:12 PM Samuel Holland <samuel@sholland.org> wrote:
> Right, trying to make it a global setting requires either some sort of
> out-of-band way to pass the information to wg-quick, or rewriting the
> configuration file every time the tunnel is brought up.
>
> Since from netd's point of view, this is a per-network setting anyway, I agree
> it makes sense to configure it per-tunnel. ExemptedApplications works as a
> configuration key, though I prefer ExcludedApplications--the application isn't
> just not required to use the tunnel, it's not allowed to use the tunnel.
>
> In that case, here are my UI suggestions:
> - Add a button in the editor that switches to a fragment or pops up a Dialog
>   similar to a MultiSelectListPreference.
> - For consistency, checked means excluded -- everything defaults to unchecked.
> - The package names of excluded apps are put in the
>   com.wireguard.config.Interface, and wg-quick handles package name to uid
>   translation.
>
> How does that sound?

All of that sounds right-on to me, and I think you're right that
ExcludedApplications is the better key.

(This also provides a good basis for later adding a
"ExcludeLocalNetwork" option.)

Eric's git access should be all setup now, so we can watch the
commits coming on in.
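As an added illustration of the design agreed above (this is editor-written example code, not code from the thread or from the WireGuard Android app), the GoBackend side could consume an ExcludedApplications value like this; the ExcludedApplications class, its parse/apply methods and the TAG string are assumed names, and only the GoBackend path (VpnService.Builder) is shown, since wg-quick's package-to-uid translation lives in C.

```java
// Added example: parse "ExcludedApplications = a.b, c.d" from the
// [Interface] section and hand the result to VpnService.Builder.
// The class and method names here are hypothetical, not the project's.
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.util.Log;

import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

final class ExcludedApplications {
    private static final String TAG = "WireGuard/ExcludedApplications";
    // Android package names are two or more dot-separated identifiers,
    // each starting with a letter.
    private static final Pattern PACKAGE_NAME =
            Pattern.compile("[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*)+");

    private ExcludedApplications() {}

    // Parse the raw config value into an ordered, de-duplicated set.
    // Malformed entries are rejected at parse time so a typo in the
    // config shows up when the tunnel is edited, not silently at bring-up.
    static Set<String> parse(final String rawValue) {
        final Set<String> packages = new LinkedHashSet<>();
        for (final String entry : rawValue.split(",")) {
            final String name = entry.trim();
            if (name.isEmpty())
                continue;
            if (!PACKAGE_NAME.matcher(name).matches())
                throw new IllegalArgumentException(
                        "Bad package name in ExcludedApplications: " + name);
            packages.add(name);
        }
        return packages;
    }

    // Apply the set to the VpnService.Builder (GoBackend path). A package
    // that is not installed on this device is logged and skipped instead of
    // failing tunnel setup, since the same config may be used on several
    // devices. Returns the packages that were actually excluded.
    static List<String> apply(final VpnService.Builder builder,
                              final Set<String> packages) {
        final List<String> excluded = new ArrayList<>();
        for (final String name : packages) {
            try {
                // Everything from this package bypasses the tunnel entirely,
                // including its DNS queries, which is exactly what the WearOS
                // case in the original mail needs.
                builder.addDisallowedApplication(name);
                excluded.add(name);
            } catch (final PackageManager.NameNotFoundException e) {
                Log.w(TAG, "Excluded application not installed, ignoring: " + name);
            }
        }
        return excluded;
    }
}
```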
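The proposal quoted above puts the excluded package names into the Interface config and lets the backend turn them into exclusions. As an added example (not code from the WireGuard Android app), the class below reads an assumed comma-separated `ExcludedApplications` key from the `[Interface]` section and applies each name with `VpnService.Builder.addDisallowedApplication()`; the key's value format and the class and method names are assumptions of this example.

```java
// Added example, not the app's own code; assumes "ExcludedApplications" is a comma-separated list.
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.util.Log;
import java.util.ArrayList;
import java.util.List;

final class ExcludedApplications {
    private static final String TAG = "ExcludedApplications";
    private static final String KEY = "ExcludedApplications";

    /** Collects package names from "ExcludedApplications = a, b" lines in [Interface]. */
    static List<String> parse(String config) {
        List<String> packages = new ArrayList<>();
        boolean inInterface = false;
        for (String raw : config.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            if (line.startsWith("[")) {        // section header: only [Interface] counts
                inInterface = line.equalsIgnoreCase("[Interface]");
                continue;
            }
            int eq = line.indexOf('=');
            if (!inInterface || eq < 0 || !line.substring(0, eq).trim().equalsIgnoreCase(KEY)) continue;
            for (String name : line.substring(eq + 1).split(",")) {
                String pkg = name.trim();
                if (!pkg.isEmpty() && !packages.contains(pkg)) packages.add(pkg);
            }
        }
        return packages;
    }

    /**
     * Excludes each package from the tunnel. The framework rejects a package that is not
     * installed, so it is logged and skipped rather than aborting tunnel bring-up; that app
     * stays routed through the tunnel, the same default the UI gives every app. Returns the names actually excluded.
     */
    static List<String> apply(VpnService.Builder builder, List<String> packages) {
        List<String> excluded = new ArrayList<>();
        for (String pkg : packages) {
            try {
                builder.addDisallowedApplication(pkg);
                excluded.add(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "Not installed, left inside the tunnel: " + pkg);
            }
        }
        return excluded;
    }
}
```

Because every app is tunnelled unless excluded, a name that cannot be excluded leaves that app inside the tunnel rather than outside it, so a misspelled or not-yet-installed package never silently bypasses the VPN.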
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jason A. Donenfeld"
Date: Thu, 5 Jul 2018 15:23:38 +0200
Subject: Re: Android app whitelist/blacklist feature
To: Eric Kuck
Cc: WireGuard mailing list

Hey Eric,

On cursory glance, this looks really good; well done.

It might be desirable to have an easy toolbar icon for deselecting all apps.

Great that you managed to use RecyclerView. We'd like to use that on the main
tunnel list fragment, but haven't done so yet [1] (if you feel so inclined and
want to give it a spin.)

I'll let Samuel do a proper of the code.

Regards,
Jason

[1] https://docs.google.com/document/d/15i0Z750eL_OlUyrypUFLF7Hoi5eoF-dTFWj-Rs4RXGI/edit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jason A. Donenfeld"
Date: Thu, 5 Jul 2018 15:24:13 +0200
Subject: Re: Android app whitelist/blacklist feature
To: Eric Kuck
Cc: WireGuard mailing list

On Thu, Jul 5, 2018 at 3:23 PM Jason A. Donenfeld wrote:
> I'll let Samuel do a proper of the code.

Missing word: review