jbweston / nord Goto Github PK

Countries with large numbers of hosts (e.g. US) mean that we typically have to ping ~400 hosts. This is not inherently a problem, but as we have to spawn a subprocess for each ping this gets quite expensive.

There are several options:

1. pre-select a fixed number of hosts with the smallest load and then ping these
2. ping all hosts and wait only for the first "n" to return

The problem with 1 is that we may end up with servers with a very large round trip time. The problem with 2 is that we mix up latency from starting processes with round trip time.

The solution is probably that slight variations in RTT make less of a difference to VPN performance than load, so even if we don't choose the optimal server based on RTT, this isn't the end.

OTOH saving a few seconds on startup is not the end of the world, as the connection will tyically last a while

A graphical frontend would be useful. Rather than using a GUI framework like GTK or QT, if we instead make nord into a web service then it can also run on a router and be controlled by clients on the network, which is useful when you want to have a whole network behind NordVPN.

In its basic form the web frontend would have a top dashboard showing the current connection status (up or down) and our current ip address. The main part of the page would show a world map with markers for each server, you can click through to get more detailed information and to connect to that server.

Extensions could be:

• auto-select a server by selecting a given country
• live-updating server load and RTT

requirements.txt shall have development requirements, like pylint and pytest

At the moment we pass basically no flags to openvpn, which means that we have to handle many things in Python code (e.g. if we want some action to be performed when openvpn starts up or goes down, or we want to reconnect when the connection goes down).

However, openvpn itself has many flags that can control this behaviour (--up, --down, ...).
The advantage of using these flags is that it is less likely that bugs in nord will cause the system to be left in an inconsistent state (e.g. DNS settings not reset).

Tutorial probably not necessary

Currently clients get informed about state changes (connecting/connected/disconnecting/disconnected) but have no way to query the current state, which means that the UI is incorrect until the first state change.

We will need to store some more state on the app object that is written by the vpn coroutine and can be read by an API endpoint.

Using the tools in #1 we can improve the CLI by connecting to the "best" server if no host is given.

This will mean that we need to add command-line options to control the selection.
Typically I would imagine the following would be sufficient:

• Filter by Country (probably providing the 2-letter abbreviation is enough)
• Filter by "search keywords" (e.g. 'P2P" or "sha512")
• Ping timeout: larger means RTT is more accurate, lower means we get an RTT faster

At the moment all log messages are printed to the screen. We should be able to control exactly which messages are printed (e.g printing all OpenVPN stdout if --debug is specified)

Simple enough to fix; we need to stop the existing VPN process before starting a new one

the VPN functionality has logging, so the API part should probably also

If a single client connects to the web interface and connects to a server, the next client to connect will not see the 'connected' state. This can also be observed by connecting to a VPN and then refreshing the page.

Currently the coroutine that manages the VPN connection does not provide a method for querying its state, but it should.

There are currently no tests (!). As the functionality is quite modular and configurable it should at least be easy to test pieces in isolation, even if testing all failure modes is a challenge.

We depend on Python 3.6 so as to use improved asyncio among other things, however typically people will not have Python 3.6 installed, so we should also provide a "frozen" build that bundles the Python interpreter also.

Notice that if we kill nord some time after the initial startup, sudo complains that it needs a password.

We have the maintain_sudo context manager that is meant to take care of this, but clearly it is not working correctly.

Write /etc/resolv.conf when bringing nord up, and restore it when bringing nord down

We would like to be able to get an accurate RTT to VPN servers, even when the VPN is up.
This information could be used to automatically reconnect to a better server if the connected one becomes sluggish.

If we naively ping, then the ICMP packets will get routed through the VPN, which will give us inaccurate RTT for the purposes that we require.

The solution is to set up explicit routes so that traffic destined for the VPN servers themselves is not routed through the VPN. This can be achieved by placing lines at the end of the openvpn client config:

route <ip address> 255.255.255.255 net_gateway

These lines can be manually added to the config file that we get from the NordVPN web service before pass it off to OpenVPN.

Refactor code, to split NordAPI/OpenVPN/Application itself as self-sustained chunks of the application and let another people to write interfaces to their own VPN providers

At the moment we expose just the raw API that NordVPN provides.

Specifically we would like to have:

• Filtering servers by certain criteria: load, country, features...
  We probably don't need to support arbitrary filters, as these are just convenience
  functions anyway

• Ping servers to get an approximate RTT. We should be able to combine this with filters
  to avoid pinging the whole internet.

styles.css, mentioned in https://github.com/jbweston/nord/blob/master/web/Nord.jsx#L28 is missing, thus web compilation failing

Embed a .webm showing the CLI, but also make it clear that it is a library

useful for storing credentials

aiohttp recommends using a ClientSession object, and when you don't use this interface it sprouts warnings.

I don't know if the public api of NordVPN changed, but the url 'https://api.nordvpn.com/dns/smart' isn't working anymore...

It returns a Not Found message.

/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/api.py:80: RuntimeWarning: coroutine 'ClientSession.close' was never awaited
  self._session.close()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/cli.py", line 54, in main
    returncode = loop.run_until_complete(command(args))
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/asyncio/base_events.py", line 641, in run_until_complete
    return future.result()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/cli.py", line 210, in connect
    output = await asyncio.gather(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/decorator.py", line 221, in fun
    return await caller(func, *(extras + args), **kw)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/_utils.py", line 105, in _memoized
    cache[key] = await func(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/api.py", line 170, in dns_servers
    return await self._get_json('dns/smart')
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/api.py", line 91, in _get_json
    async with self._session.get(url, headers=self.headers) as resp:
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/aiohttp/client.py", line 1138, in __aenter__
    self._resp = await self._coro
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/aiohttp/client.py", line 640, in _request
    resp.raise_for_status()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/aiohttp/client_reqrep.py", line 1004, in raise_for_status
    raise ClientResponseError(
aiohttp.client_exceptions.ClientResponseError: 404, message='Not Found', url=URL('https://api.nordvpn.com/dns/smart')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/bin/nord", line 8, in <module>
    sys.exit(main())
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/cli.py", line 61, in main
    remaining_tasks = cancel_all_tasks()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nord/cli.py", line 71, in cancel_all_tasks
    remaining_tasks = asyncio.Task.all_tasks()
AttributeError: type object '_asyncio.Task' has no attribute 'all_tasks'

Python 3.10
macOs m1

Even if we initially have sudo, cached credentials timeout after 15 minutes.

A solution is to have supervise run sudo -v -n every 5 minutes or so