
Re: [tor-talk] Fwd: Orbot v15.1.0 Alpha 1

On Tue, Jan 12, 2016, at 04:42 PM, Dash Four wrote:
> Nathan Freitas wrote:
> > I really don't understand how Orbot or Droidwalls iptables rules are
> > co-existing with Android VPN. This is really a new one for me. I will
> > make sure transproxy is working on Android 5.1 though, so that at least
> > we can be sure we didn't break anything.
> I have completely re-defined the "transproxy" feature using iptables
> rules in the nat table. Transproxy in orbot is completely de-activated (I
> don't use it at all). Didn't trust the Orbot transproxy feature as:
> 1. It was returning icmp codes instead of dropping the packets silently
> (standard practice in firewalling);
> 2. Allows full net access to selected applications (I need to have the
> ability to specify which application should be allowed to transproxy
> which protocols/ports, not just proxying everything with no control over
> anything).

That's great, and yeah, we should probably improve our transproxy
feature, though with things like Orwall and Droidwall, as well as our
VPN feature, it has become less of a focus recently.

I've made changes in Orbot now so that if you don't have the transproxy
feature enabled, it won't write any related settings. This means you can
override it with your own now more easily.

> >> 3. Orbot simply ignores what I have specified as Socks, Transproxy and
> >> DNSPorts to be used. Example: in my configuration I specify the interface
> >> to be used explicitly, i.e. "" as DNS port (this was the only way I
> >> could get it to work in the "latest" stable Orbot version). I tried
> >> variations of that configuration (i.e. specify just the port number),
> >> but that didn't work either.
> > 
> > That is strange. It shouldn't ignore that. This is configured in the
> > Orbot individual settings values, or through torrc entries?
> Through the GUI settings. Can't use "DNSPort" because of "DNSPort auto"
> definitions and the fact that tor chokes on it (see below).

DNSPort is also now not specified unless you have Orbot's transproxy
enabled. This means you can override it.

> > 
> >> 4. No matter what I configure in my settings, Orbot (both versions)
> >> always generates torrc file that contains "SocksPort auto", "DNSPort
> >> auto" and "TransPort auto". Why? I know that it closes the old
> >> (auto-generated) ports and re-opens different ones (as per my custom
> >> torrc) later, but that should not be the case and it should honour
> >> what I have specified in my configuration.

There may have been some bugs in the last build that were causing this.
Again, it now won't set DNSPort or TransPort if you don't have
transproxy enabled, and you can manually set them in the "Torrc Custom
Config" field, or even modify the default torrc file on disk. I have
also made some changes related to using the Orbot settings properly, if
you do have transproxy enabled in the app, but that shouldn't matter for
you now.

> >> 5. There is no GeoIP database supplied with any Orbot version, which
> >> makes all GeoIP-related commands I issued in my custom torrc completely
> >> useless. I had to copy these files from my desktop tor version in order
> >> to make this work (Orbot is supposed to "come with tor", but apparently
> >> not everything is included).
> > 
> > There is GeoIP but it only unpacks it from the APK if you specify rules
> > in Orbot settings that need it.
> It should, in my view, always unpack these files. What happens if I don't
> use any options at the point of installation, but include these in my
> custom torrc file at some late point. What then?

Okay, this is now changed, as well. Since we now show an easy exit
country selector option, it is more likely these files are needed.

> > Thanks for the very detailed notes. I will try to reproduce what you are
> > seeing.
> No worries - let me know if you need any information from me.
> I have been running the old (stable) Orbot for nearly a week now without
> any issues. Pleasantly surprised how it adjusts to changing IP addresses
> when my VPN connects/disconnects (by the way, I do not use the VPN which
> comes with the stock android - I use the VPN apk which comes from the
> guardian project and the FDroid repo!).

Agreed that Tor's ability to deal with network changes is quite
admirable, and one of the many reasons why it makes sense on mobile
networks and devices.

Stay tuned for our next beta update.
