[guardian-dev] Progress on OrbotVPN

Nathan of Guardian nathan at guardianproject.info
Wed Oct 22 11:08:37 EDT 2014



On Wed, Oct 22, 2014, at 01:58 AM, Cédric Jeanneret wrote:
> On my side, I confess I decided to let the VpnService part as "possible
> feature in a far future, when it offers some better way to handle
> packets"… after some tests for orWall, it's really horrible, as we have
> to manage, by hand, each packet… no connection tracking feature [of
> course, that's kernel-level], meaning it's just not something we want to
> do in java :/. Or, at least, I don't want to do .

Yes, tun2socks handles all of that, so it really is not so bad. I
wouldn't be against orWall also having VPN capability, I just know we
need some option built into Orbot directly, as well.

> Thus, orWall will stay with the root requirement, least someone take the
> time to provide some patch set in order to provide non-root feature.

Yup!
 
> Regarding UDP support: hmmm… not sure if it's a thing Tor will like…
> Last time someone asked about that, there was an answer like "duh, no,
> Tor won't support UDP, ever" :]. And I can understand them…

The interesting thing about udpgw project is that it tunnels UDP within
TCP, so it allows UDP over Tor without Tor making any changes. It just
requires someone to provide Tor accessible udpgw servers somewhere, and
pay for all that bandwidth.

In the case of something like OStel.co, it means we could build in
tun2socks and udpgw-client into a SIP app, and make that work over Tor
(I think!)

> 
> Cheers,
> 
> C.
> 
> 
> PS: would be great if mailman could be configured so that it adds some
> reply-to field to the mails…
> 
> On 10/21/2014 07:09 PM, Nathan of Guardian wrote:
> >  
> > I have successfully gotten the Psiphon version of tun2socks working with
> > Orbot. You can see the code here:
> > https://github.com/n8fr8/orbot/tree/dev_orbotvpn
> > 
> > The trick with Android VPNService is that you have to mark sockets
> > "protected" in order to not have them be sent through the VPN. Tor opens
> > a ton of sockets all the time to many remote servers, so it is hard to
> > track those at the Android/Java level, since those are happening in the
> > Tor native process. Instead, I set Tor to use a mini outbound SOCKS
> > proxy I am running in the TorService class, and then I mark all the
> > sockets outbound from that proxy protected. Seems to work without
> > much performance issue.
> > 
> > Aside from UI integration, the main outstanding issue is getting DNS to
> > work. When you create an Android VPNServer instance, you can only set
> > the DNS host "127.0.0.1" but not the port. Since Tor's DNS service is
> > running on 127.0.0.1:5400 I somehow need to get DNS packets to go there,
> > and drop the rest of the UDP.
> > 
> > My idea is to use the udpgw_client feature of tun2socks, and then run
> > the udpgw daemon on the device. I have already modified the tun2socks
> > code to change all DNS packets to use 5400 port, before they get sent
> > through udpgw. 
> > 
> > I did also have the idea for a bit of setting up a ton of remote udpgw
> > servers that Orbot users could randomly connect through, because that
> > would allow for UDP to work over Tor... I really don't like
> > running/managing servers however, but maybe Tor exit providers could
> > start running udpgw instances?
> > 
> > More on badvpn-tun2socks and udpgw here:
> > https://code.google.com/p/badvpn/wiki/tun2socks
> > https://github.com/guardianproject/badvpn
> > 
> > +n
> > 


-- 
  Nathan of Guardian
  nathan at guardianproject.info
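The DNS handling described in the quoted message (send DNS to Tor's resolver port, drop the rest of the UDP), sketched on raw IPv4 packets as an added example; it is not code from this thread, Orbot, or badvpn. The names redirect_dns and csum_update are hypothetical, only IPv4 is handled (anything else is dropped), and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PKT_PASS, PKT_REWRITTEN, PKT_DROP };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'), one's-complement arithmetic. */
static uint16_t csum_update(uint16_t hc, uint16_t m_old, uint16_t m_new)
{
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new;
    sum = (sum & 0xFFFF) + (sum >> 16);
    sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* pkt is one raw IP packet as read from the tun device. */
enum verdict redirect_dns(uint8_t *pkt, size_t len, uint16_t tor_dns_port)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return PKT_DROP;  /* assumption: IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return PKT_DROP;           /* bad header length */
    if (pkt[9] != 17) return PKT_PASS;                    /* not UDP: normal TCP path */
    if (rd16(pkt + 6) & 0x1FFF) return PKT_DROP;          /* later fragment, no UDP header */
    if (len < ihl + 8) return PKT_DROP;                   /* truncated UDP header */
    uint8_t *udp = pkt + ihl;
    if (rd16(udp + 2) != 53) return PKT_DROP;             /* non-DNS UDP is dropped */
    uint16_t old_csum = rd16(udp + 6);
    wr16(udp + 2, tor_dns_port);
    if (old_csum != 0) {                                  /* 0 means sender sent no checksum */
        uint16_t c = csum_update(old_csum, 53, tor_dns_port);
        wr16(udp + 6, c ? c : 0xFFFF);                    /* UDP never transmits a computed 0 */
    }
    return PKT_REWRITTEN;
}

int main(void)
{
    /* Constructed sample: 10.0.0.2:49152 -> 10.0.0.1:53, 4 payload bytes. */
    uint8_t dns[] = {0x45,0,0,0x20, 0,0,0,0, 0x40,0x11,0x66,0xcb, 10,0,0,2, 10,0,0,1,
                     0xc0,0x00,0x00,0x35, 0x00,0x0c,0x27,0x98, 1,2,3,4};
    int v = redirect_dns(dns, sizeof dns, 5400);
    printf("verdict=%d dport=%u csum=0x%04x\n", v,
           (unsigned)rd16(dns + 22), (unsigned)rd16(dns + 26));
    return 0;
}
```

The destination port is covered by the UDP checksum, so a rewrite that leaves the checksum untouched produces packets a validating receiver will discard.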

