Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for dynamic access keys #4

Open
lunarthegrey opened this issue Jun 19, 2024 · 0 comments
Open

Add support for dynamic access keys #4

lunarthegrey opened this issue Jun 19, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@lunarthegrey
Copy link
Contributor

lunarthegrey commented Jun 19, 2024
edited
Loading

Reference: https://www.reddit.com/r/outlinevpn/wiki/index/dynamic_access_keys/

Potential benefits:

  • Allows the Outline servers to become even more censorship resistant by not directly revealing them to end users (which obfuscates a bit more from potential censors).
  • Creates the potential for the FCP to create dynamic access key "mirrors" on several S3 providers (AWS, Cloudflare, Wasabi, etc). S3 bucket links using the S3 provider's hostnames is better, and more censorship resistant.
  • Would allow the FCP to provide a random (or many) ssconf:// mirror to users that they could try.
  • Allows for the FCP to dynamically update access keys if a server gets blocked (e.g. take a server out of rotation from all dynamic access keys, and update them with a new server).
  • Steers us away from using DNS hostnames for the Outline servers, we could use raw IPs to circumvent any potential DNS-based filtering of our Outline server domains.

Potential design:

Access key retrieval:

  1. User attempts to retrieve an access key via HTTP.
  2. FCP queries all available Outline servers via the closest serverless edge datacenter, picks best latency and lowest access key count Outline server.
  3. FCP creates a dynamic S3 access key file in a directory (using randomized character string) on 3 or more S3 bucket providers (AWS, Cloudflare, Wasabi & others potentially). The dynamic access key contains the JSON config from the chosen server.
  4. FCP stores the access key mirror ssconf:// links in a Workers KV namespace in JSON format to be used when updating or deleting access keys later.
  5. FCP returns the ssconf:// S3 mirrors to the user, allowing them to pick one that works for them.
  6. User enters the ssconf:// line in their Outline client, which pulls the JSON and connects to the server the FCP chose for them.

Considerations:

  • Each dynamic access key URL must be unique and contain a randomized character string.
  • Each dynamic access key's JSON must contain a unique access key (don't reuse the same keys).
  • The FCP should be able to mass-update the contents of dynamic access keys if a server gets blocked, the IP gets rotated, or get decommissioned.
@lunarthegrey lunarthegrey added the enhancement New feature or request label Jun 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lunarthegrey