Delivery-Date: Tue, 21 Oct 2014 13:34:24 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id E276C1E0A53;
	Tue, 21 Oct 2014 13:34:22 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 5F1ED31308;
	Tue, 21 Oct 2014 17:34:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id A0EDE312E0
 for <tor-talk@lists.torproject.org>; Tue, 21 Oct 2014 17:34:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 4u6V2QwuQJsn for <tor-talk@lists.torproject.org>;
 Tue, 21 Oct 2014 17:34:13 +0000 (UTC)
Received: from gil.mayfirst.org (gil.mayfirst.org [216.66.23.48])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 81C3A312DB
 for <tor-talk@lists.torproject.org>; Tue, 21 Oct 2014 17:34:13 +0000 (UTC)
Received: from gil.mayfirst.org (localhost [127.0.0.1])
 by gil.mayfirst.org (Postfix) with ESMTP id 4F35F5E61
 for <tor-talk@lists.torproject.org>; Tue, 21 Oct 2014 13:34:09 -0400 (EDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender:
 nathanfreitas@gil.mayfirst.org) with ESMTPSA id 03D4A5E59
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
 by gateway2.nyi.internal (Postfix) with ESMTP id 224DB20D8A
 for <tor-talk@lists.torproject.org>; Tue, 21 Oct 2014 13:34:06 -0400 (EDT)
Received: from web1 ([10.202.2.211])
 by compute6.internal (MEProxy); Tue, 21 Oct 2014 13:34:06 -0400
Received: by web1.nyi.internal (Postfix, from userid 99)
 id F17A2AE3CED; Tue, 21 Oct 2014 13:34:05 -0400 (EDT)
Message-Id: <1413912845.652244.181636949.59D82AB4@webmail.messagingengine.com>
X-Sasl-Enc: cuytUV2uBkATSIS/CoG7xj6EWIKjUVsanJFMk12qtm1d 1413912845
From: Nathan Freitas <nathan@freitas.net>
To: tor-talk@lists.torproject.org
MIME-Version: 1.0
X-Mailer: MessagingEngine.com Webmail Interface - ajax-e69fc525
X-Forwarded-Message-Id: <512753.55494435383635312d31343036383939313433@popretr.messagingengine.com>
Date: Tue, 21 Oct 2014 13:34:05 -0400
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: [tor-talk] Fwd: [guardian-dev] Progress on OrbotVPN
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

The work below would remove the root/transproxy feature from Orbot, and
replace it with using an Android VPN/tuntap interface capability routed
through Tor's SOCKS via tun2socks. This means anyone can enable the
"send all apps through Tor" feature even without needing root. When the
VPN mode is on, we will also by default only allow secure ports (443,
etc.) through in the torrc configuration, as well.

For users wanting to have root/transproxy capabilities (including app by
app proxying options), they will still be able to use Orwall.

Feedback is welcome, especially from anyone with experience using Tor
and tun2socks.


----- Original message -----
From: Nathan of Guardian <nathan@guardianproject.info>
To: guardian-dev@lists.mayfirst.org
Subject: [guardian-dev] Progress on OrbotVPN
Date: Tue, 21 Oct 2014 13:09:00 -0400

 
I have successfully gotten the Psiphon version of tun2socks working with
Orbot. You can see the code here:
https://github.com/n8fr8/orbot/tree/dev_orbotvpn

The trick with Android VPNService is that you have to mark sockets
"protected" in order to not have them be sent through the VPN. Tor opens
a ton of sockets all the time to many remote servers, so it is hard to
track those at the Android/Java level, since those are happening in the
Tor native process. Instead, I set Tor to use a mini outbound SOCKS
proxy I am running in the TorService class, and then I mark all the
sockets outbound from that proxy as protected. Seems to work without
much performance issue.

Aside from UI integration, the main outstanding issue is getting DNS to
work. When you create an Android VPNService instance, you can only set
the DNS host "127.0.0.1" but not the port. Since Tor's DNS service is
running on 127.0.0.1:5400 I somehow need to get DNS packets to go there,
and drop the rest of the UDP.

My idea is to use the udpgw_client feature of tun2socks, and then run
the udpgw daemon on the device. I have already modified the tun2socks
code to change all DNS packets to use port 5400, before they get sent
through udpgw.

For a bit I also had the idea of setting up a ton of remote udpgw
servers that Orbot users could randomly connect through, because that
would allow for UDP to work over Tor... I really don't like
running/managing servers however, but maybe Tor exit providers could
start running udpgw instances?

More on badvpn-tun2socks and udpgw here:
https://code.google.com/p/badvpn/wiki/tun2socks
https://github.com/guardianproject/badvpn

+n

-- 
  Nathan of Guardian
  nathan@guardianproject.info
_______________________________________________
Guardian-dev mailing list

Post: Guardian-dev@lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
        Send email to:  Guardian-dev-unsubscribe@lists.mayfirst.org
        Or visit:
        https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info

You are subscribed as: nathan@guardianproject.info
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
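The DNS rewrite described in the forwarded message (VpnService lets you name the DNS server, 127.0.0.1, but not its port, so tun2socks has to retarget port 53 to Tor's DNSPort on 5400 and drop any other UDP) can be modelled at the IPv4/UDP packet level. The block below is an added example written for this archive; it is not Orbot or tun2socks code and the real change in the post lives in tun2socks' C before the packet reaches udpgw. The client address 10.8.0.2, the 192.0.2.10 NTP destination, the ports and the DNS payload are all constructed for the demo. The point it shows that the post does not spell out: changing the destination port invalidates the UDP checksum (it covers the UDP header), while the IPv4 header checksum is unaffected, so only the UDP checksum has to be recomputed.

```python
"""Added example (not Orbot/tun2socks code): send outbound DNS to Tor's
DNSPort and drop every other UDP datagram, at the IPv4/UDP packet level.
All addresses, ports and payloads below are constructed for the demo.
"""
import struct

TOR_DNS_PORT = 5400   # Tor's DNSPort from the post
DNS_PORT = 53
IPPROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_checksum(header: bytes) -> int:
    """Header checksum; pass the header with its checksum field zeroed."""
    return _checksum(header)


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Checksum over pseudo-header + UDP segment (checksum field zeroed).
    A computed 0 is sent as 0xFFFF because 0 means 'no checksum' (RFC 768)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp_segment))
    return _checksum(pseudo + udp_segment) or 0xFFFF


def rewrite_dns(packet: bytes):
    """Return the packet with UDP/53 retargeted to TOR_DNS_PORT, or None to drop.

    Policy (this example's, following the post): non-IPv4 or malformed packets
    are dropped; non-UDP IPv4 (TCP, which tun2socks carries over SOCKS) is
    returned untouched; UDP to any port other than 53 is dropped.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    if packet[9] != IPPROTO_UDP:
        return packet
    src_ip, dst_ip = packet[12:16], packet[16:20]
    udp = bytearray(packet[ihl:])
    _, dport, ulen, _ = struct.unpack_from("!HHHH", udp, 0)
    if dport != DNS_PORT or ulen != len(udp):
        return None
    struct.pack_into("!H", udp, 2, TOR_DNS_PORT)
    struct.pack_into("!H", udp, 6, 0)      # zero the field before recomputing
    struct.pack_into("!H", udp, 6, udp_checksum(src_ip, dst_ip, bytes(udp)))
    # IPv4 header stays as-is: its checksum covers only the IP header and the
    # total length is unchanged, since only the two UDP port bytes differ.
    return packet[:ihl] + bytes(udp)


def udp_checksum_ok(packet: bytes) -> bool:
    """Verify the UDP checksum the way a receiver would."""
    ihl = (packet[0] & 0x0F) * 4
    udp = bytearray(packet[ihl:])
    stored = struct.unpack_from("!H", udp, 6)[0]
    struct.pack_into("!H", udp, 6, 0)
    return udp_checksum(packet[12:16], packet[16:20], bytes(udp)) == stored


def udp_ports(packet: bytes):
    """(source port, destination port) of an IPv4/UDP packet."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack_from("!HH", packet, ihl)


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload) -> bytes:
    """Build an IPv4+UDP datagram with valid checksums (demo input only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, udp)) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, IPPROTO_UDP, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def dns_query(name: str) -> bytes:
    """Minimal DNS A query for name (constructed payload)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed traffic: VPN-assigned client address (assumed 10.8.0.2), the DNS
# server VpnService was told about (127.0.0.1, port fixed at 53), and a stray
# NTP probe that must be dropped.
CLIENT_IP = bytes([10, 8, 0, 2])
VPN_DNS_IP = bytes([127, 0, 0, 1])
DNS_PACKET = build_ipv4_udp(CLIENT_IP, VPN_DNS_IP, 40000, DNS_PORT,
                            dns_query("torproject.org"))
NTP_PACKET = build_ipv4_udp(CLIENT_IP, bytes([192, 0, 2, 10]), 123, 123,
                            b"\x1b" + b"\x00" * 47)

if __name__ == "__main__":
    out = rewrite_dns(DNS_PACKET)
    print("DNS ->", udp_ports(out), "checksum ok:", udp_checksum_ok(out))
    print("NTP ->", rewrite_dns(NTP_PACKET))
```

Run it directly and the DNS packet comes back addressed to port 5400 with a valid UDP checksum, while the NTP packet is dropped. A real tun2socks/udpgw path also has to map the reply from 127.0.0.1:5400 back to source port 53 on the way in, which is the mirror of this rewrite.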

