[guardian-dev] Using Android VPN settings to secure all outbound traffic (without it actually being a VPN)

Chris Ballinger chrisballinger at gmail.com
Fri Mar 21 18:05:31 EDT 2014 

Thanks for the informative response! I feel like supporting users that
don't have root on their phones is pretty important, especially because
rooting your phone can potentially have a lot of unintended security
consequences.


On Wed, Mar 12, 2014 at 10:43 AM, Rod Hynes <r.hynes at psiphon.ca> wrote:

> > From: Chris Ballinger <chrisballinger at gmail.com>
> > Subject: Re: [guardian-dev] Using Android VPN settings to secure all
> >         outbound traffic (without it actually being a VPN)
> >
> > I've been trying to port
> > tun2socks<https://code.google.com/p/badvpn/wiki/tun2socks>to OS X for
> > an unrelated
> > project <https://github.com/chrisballinger/Tether-iOS> but I believe it
> > solves the same problem. Here is the meat:
> >
> https://code.google.com/p/badvpn/source/browse/trunk/tun2socks/tun2socks.c
> >
> > Might be easier to use the NDK than do a full rewrite in Java.
>
> FWIW, tun2socks was a good choice for Psiphon's Android VpnService.
> We've been deploying it for about a year now
> (https://play.google.com/store/apps/details?id=com.psiphon3). Our
> non-root "whole device" tunneling option is pretty popular since it
> tunnels all apps.
>
> If you go with tun2socks, you might consider using the Psiphon fork of
> it, as we've already implemented a JNI layer [1] and fixed some
> resource leak issues related to that [2]. Depends on whether you want
> to run tun2socks as a separate binary or not (we did not). In any
> case, tun2socks builds for Android quite easily.
>
> Psiphon uses the stock DNS functionality of tun2socks, including using
> udpgw to tunnel UDP packets. I expect that Orbot would need to treat
> DNS differently to ensure resolution happens locally with Tor, as it
> does with the iptables-based transparent proxy mode. I think this
> would be a straightforward tun2socks customization.
>
> Over the course of deploying this we've gotten feedback from users
> with problems on different Android devices and have some
> fixes/workarounds in the Psiphon's VpnService implementation that
> would be useful for Orbot. For example:
>
> - Fix for routing issues with VpnService on HTC devices [3].
> - Work-around for runtime exception thrown by
> VpnService.Builder.addRoute when the local language is Farsi [4].
> - Work-around for missing VpnService pieces on some Sony devices [5].
> - Backwards compatibility with < 4.0 devices by exploiting lazy class
> loading.
>
> One of the big challenges with VpnService is calling protectSocket()
> to exclude a socket from the tun device. In Psiphon, we have our
> tunnel transport socket -- an SSH connection -- at hand in Java so
> it's easy to call VpnService.protectSocket() on that. Still, we had to
> integrate a custom DNS stack [6] just to be able to make untunneled
> web requests while the VpnService is up (the custom DNS stack is
> necessary just to ensure protectSocket() is called on the DNS UDP
> socket).
>
> I'm guessing you already know all about this but, with Orbot, it's not
> obvious how to call protectSocket() on all the connections the tor
> binary makes to relays. The ics-openvpn project solved this by
> customizing the OpenVPN management interface to send a "PROTECTFD"
> message, with the socket file descriptor specified, from a customized
> openvpn binary back to the Java code [7].
>
> Another issue with VpnService is whether it has "always on" support,
> as there is for the built-in Android VPN client. This is not something
> we required for Psiphon, but probably an issue for Orbot if you don't
> want to accidentally leak traffic outside Tor.
>
> If you do want to make use of the Psiphon code, we'd be happy to help
> answer questions, etc. There's a lot of complicated, unrelated stuff
> in the code so it's not exactly a clean tun2socks+VpnService example
> as it stands.
>
> [1]
> https://bitbucket.org/psiphon/psiphon-circumvention-system/src/default/Android/PsiphonAndroidLibrary/src/com/psiphon3/psiphonlibrary/Tun2Socks.java
> [2]
> https://bitbucket.org/psiphon/psiphon-circumvention-system/src/default/Android/badvpn/tun2socks/tun2socks.c?at=default#cl-567
> [3]
> https://bitbucket.org/psiphon/psiphon-circumvention-system/commits/6945ff2c9286703b20ccf156d0f947ee4c6affc9
> [4]
> https://bitbucket.org/psiphon/psiphon-circumvention-system/src/default/Android/PsiphonAndroidLibrary/src/com/psiphon3/psiphonlibrary/TunnelCore.java?at=default#cl-1330
> [5]
> https://bitbucket.org/psiphon/psiphon-circumvention-system/src/default/Android/PsiphonAndroidLibrary/src/com/psiphon3/psiphonlibrary/MainBase.java?at=default#cl-1202
> [6]
> https://bitbucket.org/psiphon/psiphon-circumvention-system/src/default/Android/PsiphonAndroidLibrary/src/com/psiphon3/psiphonlibrary/ServerInterface.java?at=default#cl-1134
> [7]
> https://code.google.com/p/ics-openvpn/source/browse/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java#152
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/chrisballinger%40gmail.com
>
> You are subscribed as: chrisballinger at gmail.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20140321/42536d96/attachment.html>

More information about the Guardian-dev mailing list