[tor-talk] Fwd: [guardian-dev] Progress on OrbotVPN
Nathan Freitas
nathan at freitas.net
Tue Oct 21 17:34:05 UTC 2014
The work below would remove the root/transproxy feature from Orbot, and
replace it with using a Android VPN/tuntap interface capability routed
through Tor's SOCKS via tun2socks. This means anyone can enable the
"send all apps through Tor" feature even without needing root. When the
VPN mode is on, we will also by default only allow secure ports (443,
etc) through in the torrc configuration, as well.
For users wanting to have root/transproxy capabilities (including app by
app proxying options), they will be able to still use Orwall.
Feedback is welcome, especially from anyone with experience using Tor
and tun2socks.
----- Original message -----
From: Nathan of Guardian <nathan at guardianproject.info>
To: guardian-dev at lists.mayfirst.org
Subject: [guardian-dev] Progress on OrbotVPN
Date: Tue, 21 Oct 2014 13:09:00 -0400
I have successfully gotten the Psiphon version of tun2socks working with
Orbot. You can see the code here:
https://github.com/n8fr8/orbot/tree/dev_orbotvpn
The trick with Android VPNService is that you have to mark sockets
"protected" in order to not have them be sent through the VPN. Tor opens
a ton of sockets all the time to many remote servers, so it is hard to
track those at the Android/Java level, since those are happening in the
Tor native process. Instead, I set Tor to use a mini outbound SOCKS
proxy I am running in the TorService class, and then I mark all the
sockets outbound from that proxy I mark protected. Seems to work without
much performance issue.
Aside from UI integration, the main outstanding issue is getting DNS to
work. When you create an Android VPNServer instance, you can only set
the DNS host "127.0.0.1" but not the port. Since Tor's DNS service is
running on 127.0.0.1:5400 I somehow need to get DNS packets to go there,
and drop the rest of the UDP.
My idea is to use the udpgw_client feature of tun2socks, and then run
the udpgw daemon on the device. I have already modified the tun2socks
code to change all DNS packets to use 5400 port, before they get sent
through udpgw.
I did also have the idea for a bit of setting up a ton of remote udpgw
servers that Orbot users could randomly connect through, because that
would allow for UDP to work over Tor... I really don't like
running/managing servers however, but maybe Tor exit providers could
start running udpgw instances?
More on badvpn-tun2socks and udpgw here:
https://code.google.com/p/badvpn/wiki/tun2socks
https://github.com/guardianproject/badvpn
+n
--
Nathan of Guardian
nathan at guardianproject.info
_______________________________________________
Guardian-dev mailing list
Post: Guardian-dev at lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To Unsubscribe
Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
Or visit:
https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info
You are subscribed as: nathan at guardianproject.info
More information about the tor-talk
mailing list