[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Fwd: [guardian-dev] Progress on OrbotVPN

The work below would remove the root/transproxy feature from Orbot, and
replace it with using a Android VPN/tuntap interface capability routed
through Tor's SOCKS via tun2socks. This means anyone can enable the
"send all apps through Tor" feature even without needing root. When the
VPN mode is on, we will also by default only allow secure ports (443,
etc) through in the torrc configuration, as well. 

For users wanting to have root/transproxy capabilities (including app by
app proxying options), they will be able to still use Orwall.

Feedback is welcome, especially from anyone with experience using Tor
and tun2socks.

----- Original message -----
From: Nathan of Guardian <nathan@xxxxxxxxxxxxxxxxxxxx>
To: guardian-dev@xxxxxxxxxxxxxxxxxx
Subject: [guardian-dev] Progress on OrbotVPN
Date: Tue, 21 Oct 2014 13:09:00 -0400

I have successfully gotten the Psiphon version of tun2socks working with
Orbot. You can see the code here:

The trick with Android VPNService is that you have to mark sockets
"protected" in order to not have them be sent through the VPN. Tor opens
a ton of sockets all the time to many remote servers, so it is hard to
track those at the Android/Java level, since those are happening in the
Tor native process. Instead, I set Tor to use a mini outbound SOCKS
proxy I am running in the TorService class, and then I mark all the
sockets outbound from that proxy I mark protected. Seems to work without
much performance issue.

Aside from UI integration, the main outstanding issue is getting DNS to
work. When you create an Android VPNServer instance, you can only set
the DNS host "" but not the port. Since Tor's DNS service is
running on I somehow need to get DNS packets to go there,
and drop the rest of the UDP.

My idea is to use the udpgw_client feature of tun2socks, and then run
the udpgw daemon on the device. I have already modified the tun2socks
code to change all DNS packets to use 5400 port, before they get sent
through udpgw. 

I did also have the idea for a bit of setting up a ton of remote udpgw
servers that Orbot users could randomly connect through, because that
would allow for UDP to work over Tor... I really don't like
running/managing servers however, but maybe Tor exit providers could
start running udpgw instances?

More on badvpn-tun2socks and udpgw here:


  Nathan of Guardian
Guardian-dev mailing list

Post: Guardian-dev@xxxxxxxxxxxxxxxxxx
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
        Send email to:  Guardian-dev-unsubscribe@xxxxxxxxxxxxxxxxxx
        Or visit:

You are subscribed as: nathan@xxxxxxxxxxxxxxxxxxxx
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to