[guardian-dev] orbot VPN mode and outbound UDP source address selection

Nathan of Guardian nathan at guardianproject.info
Tue Oct 15 12:04:19 EDT 2019


On 10/13/19 1:46 PM, Greg Troxel wrote:
> I found an interesting bug -- not clear where -- and am writing in the
> hopes that someone who already really understands this might comment.
>
> Phone is running lineage 15.1, and all apps are from f-droid (main repo,
> guardianproject repo).
>
> Orbot is configured in VPN mode for selected apps.  One app is chosen to
> be sent over Tor.   The chosen app works, and the other apps work.
>
> I installed baresip and tried to configure it for an on-LAN asterisk
> PBX.  Let's say asterisk is at 10.2.3.1/24 (which is also the router).
> This is normal UDP SIP with user/password, no encryption -- the first
> step in getting running and then turning up security to adequate.
>
> I then saw packets heading to my asterisk server with source address
> 192.168.200.1.  Looking at logcat on the phone, I realize this is the
> address on tun0 which is, I am 99% sure, used by Orbot to get access to
> the to-be-torified traffic.
>
> If I exit Orbot, then I start seeing the normal on-wifi IP address (and
> then baresip runs into a different problem, but the address part is
> fine).

Thanks for the report. That is indeed the address we use for our Orbot
VPN settings.

First, any UDP packets that go through the Orbot VPN should just get
dropped. Tor doesn't handle UDP. If those are somehow getting through,
then that is a bug.

Second, are you saying baresip is NOT selected as an app for Orbot VPN,
but somehow its packets are getting mangled?

+n


