The work below would remove the root/transproxy feature from Orbot, and replace it with using an Android VPN/tuntap interface capability routed through Tor's SOCKS via tun2socks. This means anyone can enable the "send all apps through Tor" feature even without needing root. When the VPN mode is on, we will also by default only allow secure ports (443, etc.) through in the torrc configuration, as well.
For users wanting to have root/transproxy capabilities (including app-by-app proxying options), they will be able to still use Orwall. Feedback is welcome, especially from anyone with experience using Tor and tun2socks.

----- Original message -----
From: Nathan of Guardian <[email protected]>
To: [email protected]
Subject: [guardian-dev] Progress on OrbotVPN
Date: Tue, 21 Oct 2014 13:09:00 -0400

I have successfully gotten the Psiphon version of tun2socks working with Orbot. You can see the code here: https://github.com/n8fr8/orbot/tree/dev_orbotvpn

The trick with Android VPNService is that you have to mark sockets "protected" in order to not have them be sent through the VPN. Tor opens a ton of sockets all the time to many remote servers, so it is hard to track those at the Android/Java level, since those are happening in the Tor native process. Instead, I set Tor to use a mini outbound SOCKS proxy I am running in the TorService class, and then mark all the sockets outbound from that proxy as protected. Seems to work without much performance issue.

Aside from UI integration, the main outstanding issue is getting DNS to work. When you create an Android VPNService instance, you can only set the DNS host "127.0.0.1" but not the port. Since Tor's DNS service is running on 127.0.0.1:5400 I somehow need to get DNS packets to go there, and drop the rest of the UDP. My idea is to use the udpgw_client feature of tun2socks, and then run the udpgw daemon on the device. I have already modified the tun2socks code to change all DNS packets to use port 5400, before they get sent through udpgw.

I did also have the idea for a bit of setting up a ton of remote udpgw servers that Orbot users could randomly connect through, because that would allow for UDP to work over Tor... I really don't like running/managing servers however, but maybe Tor exit providers could start running udpgw instances?
More on badvpn-tun2socks and udpgw here:
https://code.google.com/p/badvpn/wiki/tun2socks
https://github.com/guardianproject/badvpn

+n

--
Nathan of Guardian
[email protected]

Guardian-dev mailing list

--
tor-talk mailing list - [email protected]
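The DNS-redirect step the post describes (rewriting outbound DNS packets to Tor's DNSPort before tun2socks hands them to udpgw), shown as an added stand-alone example written for this page, not code from the dev_orbotvpn branch or from badvpn. It assumes raw IPv4/UDP packets as read from the tun interface, a DNSPort of 5400 as in the post, and leaves non-DNS UDP untouched so the caller can drop it; the UDP checksum covers the port field and must be recomputed, which is the part that is easy to get wrong.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TOR_DNS_PORT 5400   /* Tor's DNSPort, 127.0.0.1:5400 in the post (assumed) */

/* RFC 1071 ones'-complement sum of a byte buffer (odd trailing byte padded). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

/* UDP checksum over the IPv4 pseudo-header + UDP header + payload.
   Returns 0 when the checksum already stored in udp[6..7] is valid. */
static uint16_t udp_csum(const uint8_t *ip, const uint8_t *udp, uint16_t ulen) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);                 /* src and dst addresses */
    pseudo[8] = 0; pseudo[9] = 17;              /* zero byte, protocol = UDP */
    pseudo[10] = udp[4]; pseudo[11] = udp[5];   /* UDP length */
    uint32_t sum = csum_add(csum_add(0, pseudo, 12), udp, ulen);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite dst port 53 -> TOR_DNS_PORT on an IPv4/UDP packet and fix the UDP
   checksum. The IPv4 header checksum does not cover the UDP header, so it is
   left alone. Returns 1 if rewritten, 0 if the packet is not IPv4/UDP to port 53. */
int redirect_dns_to_tor(uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return 0;
    uint8_t *udp = pkt + ihl;
    uint16_t dport = ((uint16_t)udp[2] << 8) | udp[3];
    uint16_t ulen  = ((uint16_t)udp[4] << 8) | udp[5];
    if (dport != 53 || ulen < 8 || ihl + ulen > len) return 0;
    udp[2] = TOR_DNS_PORT >> 8; udp[3] = TOR_DNS_PORT & 0xff;
    udp[6] = 0; udp[7] = 0;                     /* zero the field before recomputing */
    uint16_t c = udp_csum(pkt, udp, ulen);
    if (c == 0) c = 0xffff;                     /* RFC 768: 0 on the wire means "no checksum" */
    udp[6] = c >> 8; udp[7] = c & 0xff;
    return 1;
}

/* Verification helper: does the packet carry a valid UDP checksum? */
int udp_checksum_valid(const uint8_t *pkt, size_t len) {
    if (len < 28 || (pkt[0] >> 4) != 4 || pkt[9] != 17) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    const uint8_t *udp = pkt + ihl;
    uint16_t ulen = ((uint16_t)udp[4] << 8) | udp[5];
    if (ulen < 8 || ihl + ulen > len) return 0;
    return udp_csum(pkt, udp, ulen) == 0;
}
```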
