[guardian-dev] Progress on OrbotVPN
Cédric Jeanneret
guardian at ethack.org
Wed Oct 22 01:58:46 EDT 2014
Great news!
On my side, I confess I decided to let the VpnService part as "possible
feature in a far future, when it offers some better way to handle
packets"… after some tests for orWall, it's really horrible, as we have
to manage, by hand, each packet… no connection tracking feature [of
course, that's kernel-level], meaning it's just not something we want to
do in java :/. Or, at least, I don't want to do .
Thus, orWall will stay with the root requirement, least someone take the
time to provide some patch set in order to provide non-root feature.
Regarding UDP support: hmmm… not sure if it's a thing Tor will like…
Last time someone asked about that, there was an answer like "duh, no,
Tor won't support UDP, ever" :]. And I can understand them…
Cheers,
C.
PS: would be great if mailman could be configured so that it adds some
reply-to field to the mails…
On 10/21/2014 07:09 PM, Nathan of Guardian wrote:
>
> I have successfully gotten the Psiphon version of tun2socks working with
> Orbot. You can see the code here:
> https://github.com/n8fr8/orbot/tree/dev_orbotvpn
>
> The trick with Android VPNService is that you have to mark sockets
> "protected" in order to not have them be sent through the VPN. Tor opens
> a ton of sockets all the time to many remote servers, so it is hard to
> track those at the Android/Java level, since those are happening in the
> Tor native process. Instead, I set Tor to use a mini outbound SOCKS
> proxy I am running in the TorService class, and then I mark all the
> sockets outbound from that proxy I mark protected. Seems to work without
> much performance issue.
>
> Aside from UI integration, the main outstanding issue is getting DNS to
> work. When you create an Android VPNServer instance, you can only set
> the DNS host "127.0.0.1" but not the port. Since Tor's DNS service is
> running on 127.0.0.1:5400 I somehow need to get DNS packets to go there,
> and drop the rest of the UDP.
>
> My idea is to use the udpgw_client feature of tun2socks, and then run
> the udpgw daemon on the device. I have already modified the tun2socks
> code to change all DNS packets to use 5400 port, before they get sent
> through udpgw.
>
> I did also have the idea for a bit of setting up a ton of remote udpgw
> servers that Orbot users could randomly connect through, because that
> would allow for UDP to work over Tor... I really don't like
> running/managing servers however, but maybe Tor exit providers could
> start running udpgw instances?
>
> More on badvpn-tun2socks and udpgw here:
> https://code.google.com/p/badvpn/wiki/tun2socks
> https://github.com/guardianproject/badvpn
>
> +n
>
More information about the Guardian-dev
mailing list