zer0def
commented
7 months ago One additional remark regarding non-VPN mode is that the user can also use it with VPN-based firewalls and Block connections without VPN turned on, improving leak handling at boot or when said firewall gets killed by the system for whatever reason.
For the case of NetGuard, Nebulo has to be configured with all of the following:
- "Apply rules and conditions" turned on (counter-intuitive, bear with me)
- "Allow in lockdown mode" turned on from it's NetGuard app fold
- configure internal DNS server to "Service provider (unencrypted)", leveraging the fact that NetGuard is going to redirect plaintext DNS back to Nebulo itself
- connect to a target DoH/DoT resolver by IP, since it wouldn't be able to resolve any domain name yet
This may constitute a vaguely associated issue, however considering the amount on needle-threading for this particular case, it may warrant extending server addition options to cover specifying (likely through QR code, since we are talking about a mobile device case) either of the following for authenticity purposes:
- a
sdns://stamp - additional host header, SNI field (including disparate SNI-host for meeking, where it may be applicable), optionally some form of the endpoint's expected certificate's public key (most likely inferred through HPKP means) for DoH
- for DoT: provider name with either the provider's public key directly or the TXT record containing it
Considering that built-in "Private DNS" (actually DoTLS over port 853/tcp) has become an opt-out feature among numerous vendors by default, the non-VPN section may require additional steps remarking on either settling for that or disabling for the sake of using Nebulo. Not addressing this leads to suggested configuration never matching on DNS traffic, as it is never sent over 53/udp.