Feature Request: control server authentication #2238
Comments
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please change your issue title to a Feature request since this isn't a bug, and it isn't urgent. In the meantime, you can do one of the following:
Thanks for the feedback. Sure, I changed it accordingly. I was not really sure how to classify it myself. It really depends on how you use gluetun. But yes, agreed, changed. Depending on the setup a firewall won't be easily achievable, especially if you use it as a sidecar. But for all that might expose the port currently, I second your suggestions.
The area of the Control Server, updaters (and a general security audit) has had my attention lately so I feel obliged to comment on this. I suggest applying a different priority to this and/or adopting an interim solution so that these sensitive details aren't exposed. I understand this only becomes available when the control server port is exposed, however:
For my own implementation, I'm willing to continue the risk, mainly because of 'add host firewall rules' noted above has always been the case for me. While the ideal solution has been noted here, would it be possible to offer an interim solution, one that potentially makes this endpoint unavailable by way of a config option (eg,
Is this urgent?
No
Host OS
Fedora CoreOS
CPU arch
x86_64
VPN service provider
Custom
What are you using to run the container
docker run
What is the version of Gluetun
Running version v3.38.0 built on 2024-03-25T15:53:33.983Z (commit b3ceece)
What's the problem 🤔
The internal service exposes its complete configuration to unauthenticated local services and users. It is also possible to change the state of the VPN by restarting the VPN (and maybe other things).
A basic protection using an Authorization header would be good to ensure no third party that might know of the presence of gluetun can gain the VPN credentials.
Otherwise it's nice to have the API.
Share your logs (at least 10 lines)
Share your configuration
No response
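One way to implement the Authorization-header check requested above, as an added example in Go that is not gluetun's own code: a middleware that fails closed when no token is configured and rejects missing, wrong-scheme or mismatched tokens before the configuration handler runs. The /v1/settings path, the JSON body and the token value are constructed for the example.

```go
package main
import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newConfigHandler stands in for the endpoint returning the full configuration (constructed body).
func newConfigHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"vpn":{"provider":"custom","user":"<redacted>"}}`)
	})
}

// requireBearer runs next only when "Authorization: Bearer <token>" matches the configured token.
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token == "" { // fail closed: an unset secret must not mean open access
			http.Error(w, "control server token not configured", http.StatusServiceUnavailable)
			return
		}
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		// Constant-time compare so response timing does not reveal how much of a guess matched.
		if !strings.HasPrefix(auth, prefix) ||
			subtle.ConstantTimeCompare([]byte(auth[len(prefix):]), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-process request ("" = no Authorization header) and returns the status code.
func probe(h http.Handler, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/settings", nil) // assumed path
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { // "example-token" is a constructed value, not a real secret
	h := requireBearer("example-token", newConfigHandler())
	fmt.Println(probe(h, ""), probe(h, "Bearer wrong"), probe(h, "Bearer example-token"))
}
```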