Client Update v0.10.4

Published at December 29, 2020

This is our last release for the year and our client has come a long way in 2020. Revision 0.10.4 includes some new features and some bug fixes.

All of our downloads are available on our downloads page. Getting this update is really convenient if you’re using one of our Linux repos.

# centos
[user@host ] sudo yum clean expire-cache # refresh repos
[user@host ] sudo yum upgrade pktriot

# fedora, centos:8
[user@host ] sudo dnf clean expire-cache # refresh repos
[user@host ] sudo dnf upgrade pktriot

# debian, ubuntu
[user@host ] sudo apt-get update # refresh repos
[user@host ] sudo apt-get install --only-upgrade pktriot

Mac users can use brew.

[user@mac-host ] brew upgrade packetriot/homebrew-tools/pktriot

Logging

Logging has been requested several times this year and it’s included in this release.

We’ve included a log that records all incoming traffic and the service that the traffic is requesting. The service is described using a colon-separated tuple, e.g. tcp:domain.com:80, tcp:domain.com:443.

This traffic log is called access.log and is stored in the same directory as the client configuration file.

The actual IP address of the client is included in the log. Users on all tiers will have the access log but those on the free tier will get anonymized or scrubbed IP addresses. This is an artificial restriction that the free tier always had.

Note, we’ve had a section on the Packetriot dashboard to view access information but this log is more convenient.

Trace and debug logs are included as well. Errors and warnings encountered by the client are logged by default. You can customize the amount of information stored in the logs by passing different log level values to the --trace flag.

The --trace flag is supported in the start, http and tcp sub-commands. The default level, 2, is warnings. The levels and their values are below:

  • 0 - debug
  • 1 - info messages
  • 2 - warnings (default)
  • 3 - errors

For example, setting the level to 0 will store messages at all levels that are generated by the client.

Reconnection Options

We’ve added a new flag, --reconnect-attempts, to the pktriot start command. If you use a negative number, e.g. -1, the client will continuously attempt to reconnect.

Prior to this it would make 20 attempts and then give up.

We’ve added reconnection intervals (wait time) and attempts as optional flags in the pktriot unmanaged configure command. This command is used to configure a client with a Spokes server.

Typically, with a Spokes server, an operator wants their tunnels (clients) to attempt reconnecting forever. The values you pass to the --reconnect-attempts and --reconnect-wait flags will be saved to the configuration file.

For users connecting to Packetriot.com, our default interval of 30 seconds is maintained, but you can enable infinite reconnects with the new flags added to the start command.

Traffic Policy Management

We added local policies primarily to support our enterprise customers that use Spokes, our self-hosted server.

These policies enable local IT admins to set constraints on which network destinations (hostnames, IP addresses) and ports can be used with tunnel traffic rules.

Management is performed using the client program and the new pktriot policy sub-command. Check out our docs for more information on this command.

This feature is useful in scenarios where an admin attempts to push new traffic rules from the Spokes server to a client. A local admin can constrain the network destinations specified by a rule, enforcing their own security policy or posture.

Policies help admins manage endpoints running Packetriot clients. They can only be modified using the CLI tool, giving admins assurance that the rules they set up cannot be changed remotely.

One example of using a policy is to limit traffic sent over a tunnel so that it is proxied only to the endpoint and not to the greater network (LAN) that the endpoint is connected to.

Here is an example of the commands run to implement this:

[user@host ] pktriot policy allow --destination 127.0.0.1
[user@host ] pktriot policy allow --dstport 8080

These two commands restrict traffic to be proxied only to 127.0.0.1 and port 8080. We could expand the list of acceptable ports by just adding more.

Bug Fixes

This release includes some fixes. We finally fixed the old and incomplete email we include in our configuration on-boarding summary print-out.

A bug was found in our password portal code. This body of code implemented the HTTP Basic digest and session-based password authentication. The logic did not distinguish whether the Authorization header was using basic, bearer or other mechanisms.

As a result, it unintentionally evaluated requests from web apps that send JWT tokens from their (mostly reactive) frontends.
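The scheme confusion described above, as an added example (not Packetriot's code): a scheme-blind check beside one that evaluates only Basic credentials. The function names, the demo credentials and the decision strings are assumptions made for the illustration.

```python
import base64
import hmac

# Constructed portal credentials, for this example only.
PORTAL_USER, PORTAL_PASS = "demo", "s3cret"


def _check_basic(b64_blob):
    """Decode a Basic credential blob and compare it in constant time."""
    try:
        decoded = base64.b64decode(b64_blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, _, password = decoded.partition(":")
    ok_user = hmac.compare_digest(user.encode(), PORTAL_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), PORTAL_PASS.encode())
    return ok_user and ok_pass


def portal_decision_naive(authorization):
    """Scheme-blind: any Authorization header is judged as portal credentials."""
    if authorization is None:
        return "challenge"
    blob = authorization.split(" ", 1)[-1]
    return "allow" if _check_basic(blob) else "deny"


def portal_decision(authorization):
    """Scheme-aware: only Basic is evaluated by the portal.

    "ignore" (a hypothetical outcome name) means the header belongs to the
    upstream web app, so the portal falls back to its own session check.
    """
    if authorization is None:
        return "challenge"
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic":  # scheme names are case-insensitive (RFC 7235)
        return "ignore"
    return "allow" if _check_basic(blob.strip()) else "deny"


if __name__ == "__main__":
    app_header = "Bearer aaa.bbb.ccc"  # constructed JWT-shaped token
    print("naive:", portal_decision_naive(app_header))
    print("fixed:", portal_decision(app_header))
```
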

Thank You

This has been a challenging year and we’ve all been impacted in different degrees. I’d like to express my thanks to my users for supporting Packetriot. You enable me to work on a project and business I love.

A lot of improvements and changes have been implemented, with most of them driven by your requests and feedback, thanks!

I’d like to also thank my enterprise customers. This area of our business has grown a lot and is driving many of the new features we’ve been releasing in the past few months.

Spokes has evolved into a more mature product and we have added many new features. We have a lot of improvements and new features planned on our roadmap in 2021.

Thank you all again and wish you all the best in the New Year!