-
-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UDP (without Tor) doesn't work? #286
Comments
The socks5 proxy in InviZible does not support UDP. UDP will work if you use a direct connection. |
Should I enable the force TCP toggle even if I am not using tor? Also, is it possible to add UDP support? It seems like technically it is possible as some similar apps seem to have implemented it (e.g. rethink). |
The Force TCP option forces DNSCrypt to use TCP instead of UDP for the native DNSCrypt protocol. And that's all it does. It must be enabled if you are using DNSCrypt over Tor. In other cases, it is optional. But I prefer to keep it enabled, as it improves reliability when using DNSCrypt anonymising relays.
It is technically possible, but in practice it is very complicated. InviZible uses NetGuard core code for VPN mode. NetGuard doesn't support UDP for proxy, and I can't add it myself since the NetGuard core is written in Clang. I only know this programming language to fix some minor things, but not to add such major ones. My programming languages are Java/Kotlin and Go. Also, I can't use the source code of other apps like RethinkDNS, as the VPN mode is completely based on NetGuard core code. Since InviZible doesn't support UDP for proxy only, I don't plan on fixing this issue anytime soon, as not too many people need this feature. If the Tor developers implement UDP support, I will find a way to fix it. |
I guess another possible solution would be to add the option for a wireguard upstream (to use instead of the socks5 proxy), then the 'proxy to work profile with vpn installed' workaround to use a 'real' VPN alongside invizible's local VPN would not be necessary. Wireguard itself is written in go, so maybe it's easier to implement as well. It is available in rethink; might be possible to use that as a reference. (I don't want to just use rethink because it does not handle lan traffic correctly for apps like kde connect and localsend, and especially now that I got the local doh feature of dnscrypt working; these are big advantages of your app. I could never get ech to work with a local VPN type app before). |
|
The procedure referenced here: would also not allow udp traffic. So I think it is worth integrating wireguard, if enabling UDP for the socks 5 proxy is too difficult. The reason: some android apps do not behave properly without UDP (e.g. Facebook messenger). |
The problem occurs only when using the socks5 proxy. In other cases, you can simply exclude UDP from Tor or exclude the app from Tor completely.
To use all the features of InviZible, such as firewall or bypassing LAN addresses, the NetGuard core code is still required, which does not support UDP for proxy. Implementing wireguard without all these features makes no sense, since you can use any other app with wireguard for this purpose. The only real solution is to add UDP support to the core NetGuard code. I would most likely need a professional Clang developer to do this, which is quite expensive for the current level of donations to the project. |
If one desires the same behaviour as InviZible with Rethink, one can enable Do not route Private IPs in Configure -> Network. @GDESH can correct me, but InviZible, by default, lets private IPs and multicast/broadcast traffic bypass it's VPN tunnel (which is why apps like localsend work out-of-the-box).
Someone did submit UDP support as PR, but Marcel avoided merging it as he didn't want to add anymore new features: M66B/NetGuard#523
Happy to help in case you want to use firestack instead (: Also, Mercury Li's building a pure Kotlin-only (tun2socks) network engine, which is another option. lihenggui/blocker#406 |
That would not work with "block connections without VPN enabled" when using rethink. It does work with invizible, however. |
My understanding is, this will stop working (even with InviZible) once Android fixes this routing anomaly (which, to me, looks like a leak) in their network stack. |
The bug report on Google right now is regarding incoming connections, which could be a leak. The outgoing connections already work as intended. If it's not routed through the VPN it is blocked. Most VPNs ignore private IPs, but invizible doesn't because it needs to own these connections to apply its firewall rules (if the user enables the firewall). Personally, I wish Google would just give us a toggle to fix this problem (allow private IPs in lockdown, on or off). Then any VPN app should work. |
From my reading of the code, InviZible does the exact opposite of what you describe. I may be wrong; Gedsh can clarify, if so.
Unsure about KDE Connect, but a recent bug report mentioned outgoing connections for localsend works with Rethink. It is incoming that doesn't. That said, we don't yet test LAN / P2P apps, so you are absolutely right that Rethink is pretty poor at P2P / LAN. |
You are right, but not entirely. The Bypass LAN option is enabled by default. But all traffic still passes through the local VPN and then is routed with the magic of the NetGuard code to the desired destination, like Tor or a direct connection.
Because technically all traffic is still running through the VPN.
This will continue to work. Android indeed has a VPN tunnel leak, but it's only related to the captive portal. InviZible uses legitimate technology, so the feature will work stable.
I saw it a long time ago and had high expectations for that code. But unfortunately it doesn't work, and I haven't been able to fix it as it seems to have fundamental problems.
Thanks for the suggestion! But InviZible is highly tied to the NetGuard core code. It is extremely fast, flexible and stable. In addition, I know it quite well, as I have had to modify it many times to meet my needs. I don't think any other code has comparable capabilities. |
Thanks for your answers.
The VpnBuilder code (here) excludes broadcast and multicast routes explicitly. Do the packets destined for those routes end up in InviZible's tunnel despite that? Or, do I misunderstand? For Rethink, from what I've observed, when the multicast/broadcast routes are excluded (like so), packets don't flow through its tunnel. I'd want to make broadcast/multicast work with Rethink for P2P/LAN apps, and I've been on the look out for examples like InviZible that might help me (@mvevitsis encouraged me to look at InviZible for inspiration: celzero/rethink-app#1618), but I guess my lack of knowledge about networking ends up making it difficult. |
You're right. But this is not the only place. InviZible/tordnscrypt/src/main/java/pan/alexander/tordnscrypt/vpn/service/ServiceVPN.java Line 468 in 958c111
I've noticed that phone manufacturers like to play with routing tables, and sometimes it doesn't work as intended. Therefore, InviZible excludes multicast and broadcast addresses both from the VPN tunnel and for packets that are already inside the VPN tunnel. LAN addresses are excluded only for packets that are already inside the VPN tunnel. I mean that these addresses are excluded from routing to Tor or proxy.
I also have no academic knowledge of networking. So I prefer an experimental and practical approach. I spent some time with apps like Syncthing to make it work with InviZible. I was intercepting packets, analysing what was being blocked or routed wrong, and fixing it. So it was a continuous process. Unfortunately, I don't have a definitive answer as to what exactly did the trick. I think it's a complex of all the provided solutions. |
@Gedsh , Is the source code of pcapdroid (it’s with firewall now) suits to be good or better for IZ, instead of NG ??? |
@DI555 Hello, Thanks! I have no any plans to change the app core as NG is perfect, except that it doesn't support UDP for proxy.
Of course it's there :))) https://github.com/emanuele-f/PCAPdroid/tree/master/app/src/main/jni |
yep, NG is pretty fast :// .. |
Please read the discussion above. It doesn't work. |
oh, yes, pardon, of course, |
I am not using tor, however, the DNS log shows that outgoing UDP connections are still being blocked.
I am using a socks5 proxy for outgoing traffic. I am also using the firewall, however the apps in question have been allowed. Other traffic works ok.
Is this the intended behavior? Do you also need to give an app LAN access to allow UDP?
The text was updated successfully, but these errors were encountered: