[guardian-dev] orplug, an Android firewall with per-app Tor circuit isolation

Rusty Bird rustybird at openmailbox.org
Sun Feb 14 06:12:02 EST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi coderman,

> with VPN approach you don't get to control traffic outside routed
> range, or before VPN activates, or fail-safe if it drops
> unexpectedly, or ...

I heard that Android VPNs can have some sort of fail-closed mode; does
this apply to Orbot?

> note that a tor enforcing gateway approach is preferable to
> transparent proxy, security-wise. e.g. corridor. i haven't seen
> this applied to Android env, which might be interesting safety
> buffer around Orweb&Orbot.

But the Android device isn't a gateway, unless you're tethering? If you
mean only applications with native Tor support should be let through,
that's the "access:fenced" option. Setting it up for all of the main
device user account is literally that, as one line: "access:fenced". Or
for just a specific app, it's "access:fenced app:com.example.foo":

https://github.com/rustybird/orplug/blob/9a9f53154f5da19216d4d2a893057a9b0d5f438f/orplug/conf/rules/90-user.conf.example#L11-L15

I don't see any security problems per se with transtorifying *on the
device that's generating the traffic*? (Transtorifying *other client
devices* is problematic, for sure.)

Rusty
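To make the "fenced" idea from the message above concrete, here is an added illustration that is not orplug's code and does not reproduce its rule format: it prints (rather than applies) iptables rules that let one Android app UID reach only Tor's local SOCKS listener and reject everything else it sends. Assumptions, all labelled in the code: Orbot's SOCKS port is 9050, the app's UID is passed as the first argument, and the main Android user's app UIDs fall in 10000-19999.

```shell
#!/bin/sh
# Added example, not from orplug. Emits firewall rules modelling "fenced"
# access for one app UID: only loopback TCP to Tor's SOCKS port is allowed,
# all other IPv4/IPv6 output from that UID is rejected (fail-closed).
# The rules are echoed, not executed, so this runs without root.

fenced_rules() {
    uid="$1"                 # Android app UID, or a UID range like 10000-19999
    tor_port="${2:-9050}"    # assumed Orbot SOCKS port
    # 1. Permit the app to talk to Tor on loopback only.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -o lo -p tcp -d 127.0.0.1 --dport $tor_port -j ACCEPT"
    # 2. Reject every other IPv4 packet from this UID (covers DNS, clearnet, etc.).
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
    # 3. Reject all IPv6 from this UID too, so nothing escapes via v6.
    echo "ip6tables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Fence every app of the main device user at once. Assumption: on Android,
# user 0's application UIDs occupy 10000-19999 (owner match accepts a range).
fenced_rules_all_apps() {
    fenced_rules 10000-19999 "${1:-9050}"
}

# Usage: sh fenced.sh <uid> [tor_port]   -- prints the rules for that UID.
if [ $# -gt 0 ]; then
    fenced_rules "$@"
fi
```

Apps without native Tor support get no network at all under these rules, which is the behaviour the "fenced" option is described as giving.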

