Issue-Label Bot is automatically applying the label Feature Request to this issue, with a confidence of 0.62. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

Your vpn IS public. You are visible to everyone else on that VPN.

Best solution is to set a username and password like you are supposed to.

I access my local sickchill either from my LAN or from my VPN using no authentication.
Until today, that I am forced to set a password (mandatory)
I'ts not a SC questin whether I connect with or without password from my virtual PRIVATE network.
I'm sure I am not _supposed to_ do anything I don't want. I set my rules in my network, that's not SC decission.

I don't need to change my settings or my networks just because you think there's only a way to work.
In fact there are many options, including:

1. "Don't require passwords local networks" is an optional settings. You don't force us users to use an unneeded feature. We have the right to choose whether we use a feature or not.
2. Set allowed or trusted networks. I don't have to rely on python's is_private() method to decide if I enter a password or not. Again, my network is my decisions, not SC's

Please, there is no need to be so strict, neither to force users.
I think my two options are reasonable, at least the first one.
As always, thank you and best regards

Passwords have been mandatory for a long time, and for good reason:
https://github.com/SickChill/SickChill/issues/5978#issuecomment-590140532

Thousands of users were susceptible to a very elaborate hack because they thought "they knew what they were doing with their own stuff and SC shouldnt tell me what to do"
This will not change.

But it hast just change! Now it's not asking for password from private networks, is it?
That's the "Don't require passwords local networks" feature.

The problem is not about using password. The problem is that you want to use IANA's RFC 1918 for trust, but we users have our specifics networks. A VPN, for example, does not expose my SC to the internet. You need to connect to my VPN server and then, from the local network, access to SC.
That's why a VPN means private network, although you already know this.

All I'm asking you is to be reasonable and flexible. Don't force us, but give us some decissions, let me decide what networks are trusted, even if my local network isn't using IANAs network.

Instead of using is_ip_private, just need to use a new is_trusted_network variable.
It doesn't mean a risk for SC or users, just a setting that allow us to make a better adjustment for SC to our needs and out networks

The current method does not check if it is a private IP. It checks all interfaces on the machine, and compares the accessing IP to see if it fits in one of those IP ranges and net mask that is assigned to the machine.
All networks that are connected to the PC directly (even a vpn) are considered trusted networks.

Again, if you are connected to a 3rd party VPN, it is NOT PRIVATE. It merely protects your privacy. Your machine is still network facing shared with hundreds of users when using a 3rd party VPN (hence the "virtual")

I'm really sorry you don't even want to see my point of view.
I'm tryingto explain there are many configurations out there and you must not set a "one rule fits all" and also make it mandatory.

Again, if you are connected to a 3rd party VPN, it is NOT PRIVATE

miigotu, I use my own VPN server in my home router to access my home lan. There is no 3rd party. There are no "hundreds of users" around, just me connecting home.
But anyway that is out of the question. I'm just showing there is more than one way to filter IPs and it should be done based on trusted networks (customizable) and not fixed parameters.

All networks that are connected to the PC directly (even a vpn) are considered trusted networks.

It should be, but I'm telling you it isn't.
I connect to my OpenVPN server at home to access my network and SC thinks I am on a public network, which is just wrong. It's not a point of view, it is a fact. When you use some vpn servers, like OpenVPN, you get a specific openvpn network (10.8.0.0 most commonly), but again SC sould't even be aware of this condition, it should be transparent for SC because you will find hundred of custom network settings on each user's network and SC shouldn't worry about that. The user could expand SC settings to adapt them.

I think my proposal is reasonable:

1. Create a new setting for trusted networks, comma separated
2. By default, trusted networks are 127.0.0.1 and current local network (192.168.1.0 for example)
3. If in trusted network, then whatever
4. If not in trusted network, then everything else

This way you archieve the same result but also give the user the possibility to adapt or expand your idea. I could adapt it to my local network plus my VPN network, for example, and you dont need to worry about different network settings or custom local nework numerations out of th RFC.

Please, take at least one minute to consider my idea.
Best regards

I will look into why the VPN IP is not trusted. The tun/tap is an interface, and the code is supposed to be getting the assigned up addresses from all interfaces and then trusting all IPs on that up range limited by netmask.

Eg: ip of tun0 is 10.2.0.1/24 it should allow 10.2.0.1-254

User configurable settings will just encourage lazy people to set a trusted IP and continue without a password with web facing installs and that will not be allowed. Security is very important, much higher priority than the convenience of a few people.

6531

Thanks, miigotu
Thing is that you expect the VPN server running in the same machine as SC.
In most cases VPN server runs directly in the router, thats' why you won't find the net device in the same machine SC is running. SC won't be able to know about networkings unless the administrator teaches it. In fact I thing it's not SC dutty to know the network or to manage the IPs, that is out of the scope, that's an user's matter.

User configurable settings will just encourage lazy people to set a trusted IP and continue without a password with web facing installs and that will not be allowed.

Lazy people will still be lazy. But you can also care for the rest of us ;-)

Security is very important, much higher priority than the convenience of a few people.

Trusted networks are used even in security software. Security resides in the capability of the software to be secure, not in forbidding user settings. If there is a setting for not asking for a password, then the user must be able to choose whether to use that feature or how to use it.

Pretty sure my commit fixes your issue for now.

Pretty sure my commit fixes your issue for now.

Yes it does! :-)
I tried removing web authentication and connecting from VPN, and it didn't ask for password.
Great job! Thank you!