Roadmap

Milestone Features

There are a lot of extra features, some small, some large, to add to Synclias.

Of this list, these are considered required for V1:

  • Flush State changes
  • New API exposure
  • Envar token loading
  • Encryption key cycling
  • Logging improvements
  • Change from Ajax to Websockets for reporting
  • GUI stability (too many things move about)
  • A few known, badly implemented or inconsistent function returns and bits of internal logic

Here are some thoughts on them:

Flush State Changes

This is top of the list. At the moment, Flush State clears the firewall's entire state table. It should only be necessary to drop any established connection to a VPN’d IP. However, the OPNsense docs are a little confusing on this: “del_state” should take “$stateid,$creatorid”, but querying the state only gives “id”.

It appears from some forum posts that the code to drop states by IP exists in OPNsense, but it is more than a little obfuscated.

API Exposure

There is an internal API that the website etc. uses, but it isn’t self-documenting or accessible at this time. A newer, Swagger-documented API is already partially complete but disabled.

Envar Loading of Tokens/Keys

Given it’s Docker, loading any of the tokens/keys should ideally be by Envar. Migration shouldn’t be overly difficult, but the app was built one way; I just need to make sure they’re available in the right places.

Cycling Encryption Keys

Any token/API keys are encrypted in the database, but there’s no real way to rotate the keys. I just need to develop a method to read in new keys and rotate without risk.

Logging Improvements

Currently, all logging is console only on the background worker and app. This functions fine for reviewing an individual sync, but historical data might be useful.

All of the components are in there for centralising logs for human review on the site, and the syncer already collects them all, but other things have been higher priority. They just need writing to the database, and a page adding for reading them easily.

Improved IPv6 Support

IPv6 works and seems fine, but I can already see people with IPv6 connections only configuring IPv4 and then telling me it doesn’t work. Not sure how to deal with that really; detecting that IPv6 is there is easy. I’ve got some docs to read about tunnelling.

Also, support for recognising when something is supplying IPs from a dedicated pool. Facebook like to put “f4c3b00” in their IPv6 addresses, and I’ve seen it elsewhere too. Spotting these (without a preconfigured list) shouldn’t be too difficult, and then we just add anything with that tag into the VPN. It’s just an extra wrapper on the IPv6 part, but it takes time to get right without forcing an entire datacenter through the VPN.

DNS Record Tracking

The only major thing that really breaks Synclias is CDNs with rotating IPs. It’s a good setup, and if I were hosting it’s an option I’d consider. Whilst Synclias does pull as many IPs as possible during a scan, keeping historical data on these would be beneficial. It would also be a side benefit of improved logging.

Need an option to track the IPs and decide on a retention period; actually writing the code should be easy.

GUI Improvements

Bulk Site Imports

Already have a bulk importer in there; it just needs exposing.

List sorting

Shouldn’t be too difficult; just need to add a parameter to let the GET control the DB query.

Websockets

Yeah, I know.

Raw Subnet/IP

This is more “people think it should be there”, but really, if you’ve got an IP that needs permanent addition, the right place for it isn’t a dynamic firewall alias; it should be in its own alias on the router.