EthACKdotOrg / orWall

Put your apps behind Orbot, and block all unwanted traffic in one row.
https://orwall.org/
GNU General Public License v3.0

Tethering doesn't seem to go through orbot #32

Open cjeanneret opened 10 years ago

cjeanneret commented 10 years ago

@hxe reported, as a side comment, that tethering doesn't seem to go through orbot with newer versions (see #29). There are apparently multiple problems:

hxe commented 10 years ago

hmm well this wasn't exactly my issue, as I didn't test the actual tethering on 0.19. on 0.15 when I tether, my device continues using tor, while my pc which is tethered, uses my device's clearnet. (which is what I want, I don't want my pc forced through tor as well, because I use tor and multiple other proxies etc on there)

on 0.19 I ticked 'enable tethering' in the settings (as I do on 0.15), and then I pressed 'enable tethering' in the main orwall window (I wasn't connecting it to my pc yet, it was just an accidental press). but still, that caused my device to start using clearnet for some reason, and required a reboot to fix.

I am pretty sure once ticking 'enable tethering' and then enabling it in the main window, it stays like that on 0.15 all the time, and I'm able to actually tether whenever I want. but yeah even without trying to actually tether, enabling it in orwall options broke 0.19 for some reason. but I don't really want the tethered device to be forced through tor too.

and an issue with 0.15 (and maybe all versions too), was that ticking 'enable tethering' wasn't enough to make tethering work. I would have to tick 'enable lan connections' sometimes too, until the pc was able to successfully use the phone's internet, then I could untick 'enable lan connections' again once the pc was successfully tethered

cjeanneret commented 10 years ago

My bad. Thanks for the corrections. So I should let tethering bypass the Onion — good to know ;). Wasn't my plan at first.

hxe commented 10 years ago

well it already does on 0.15. and maybe the other versions too? I hope neither of us is getting confused about anything

"Enable Tethering Caution! Enabling this means (all your secondary device traffic will go to the wild! That means you may get compromised!"

doesn't this mean the device will continue using orbot/orwall, but the secondary tethered device will be using the phone's normal internet? because that's how it works on 0.15, and that's what I prefer I guess? the only thing is having to tick 'enable lan connections' sometimes to get tethering to successfully work. and then on 0.19, toggling tethering seems to break the rest of the orwall rules (causing the device to bypass tor, and then causing the device to not be able to connect to anything). that's all

cjeanneret commented 10 years ago

Heya!

> well it already does on 0.15. and maybe the other versions too? I hope neither of us is getting confused about anything
>
> "Enable Tethering Caution! Enabling this means (all your secondary device traffic will go to the wild! That means you may get compromised!"
>
> doesn't this mean the device will continue using orbot/orwall, but the secondary tethered device will be using the phone's normal internet?

hmm nope, this means all secondary device connections cannot be filtered at all. But it should still go through Tor. The term "in the wild" isn't the right one I guess ;). Was more related to possible java/flash/javascript things going through Tor, hence providing a way to compromise you like FBI did some months ago with freehosting (or whatever the name was).

> because that's how it works on 0.15, and that's what I prefer I guess?

should be an option, will work on it. A second tick to add in order to let secondary bypass Tor isn't that hard. Just have to ensure the rule order is correct.

> the only thing is having to tick 'enable lan connections' sometimes to get tethering to successfully work. and then on 0.19, toggling tethering seems to break the rest of the orwall rules. that's all

o_O LAN ?? err… unrelated, though… hmmm. well, yes, maybe related, due to subnet attached to wlan0, and dedicated rules for that subnet allowing some other connections.

Gasp, that's a lot of things. Will poke some friends in order to get some help, it becomes a bit huge for a single person…

hxe commented 10 years ago

haha yeah :(

and uh yeah, the last few times I've tried to tether my pc via usb or wifi, it would hang and then either not end up connecting to the network, or it would be connected with 'limited connectivity', where the pc says it's connected to a lan/wlan, but it is unable to connect to the internet. but then when I tick 'enable lan connections' in orwall, a few seconds later, the pc's tether begins to work and the internet is reachable. then I untick 'enable lan connections' and it's fine. like it needs to enable lan connections while establishing the tether or something. I don't know anything about it, but that's what I've been having to do! :)

cjeanneret commented 10 years ago

hmm… tethering does work for me, using latest release.

Setup:

Steps:

The only "unknown" for now: does it bypass orbot or not. As the Slate is the primary dev-device for orwall, I have to deactivate it ;).

cjeanneret commented 10 years ago

uhooo… that's weird: when removing orwall (and deactivating orbot) from the Slate, no more network access, though the Slate is connected to the nexus (IP, route and so on are OK).

There's something weird in here. I'll dig into it, it's really unusual.

cjeanneret commented 10 years ago

GOT IT! DNS queries. gosh. Without a -j LOG target, it was so hard to find… But ok, now I see what's missing, why and so on.
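To make the two points in this thread concrete (the rule-order question raised for the "secondary bypasses Tor" tick, and the DNS drops that only became visible with a `-j LOG` target), here is an added illustration of the rule layout involved. It is not orWall's own code; it assumes Orbot's default TransPort 9040 and DNSPort 5400, a USB tether interface `rndis0` with subnet `192.168.42.0/24`, a placeholder Tor uid, and a `TETHER_BYPASS` switch standing in for the preference discussed above. With `DRY_RUN` set it only prints the commands, so the ordering can be inspected without root.

```shell
#!/bin/sh
# Added example, not part of orWall. Shows where tethered-client traffic and
# the phone's own traffic are decided, and logs drops so DNS problems surface.

TRANS_PORT=9040                 # Orbot TransPort (assumed default)
DNS_PORT=5400                   # Orbot DNSPort (assumed default)
TOR_UID=${TOR_UID:-10100}       # uid Orbot runs as (PLACEHOLDER, device specific)
TETHER_IF=rndis0                # USB tether interface (assumed)
TETHER_NET=192.168.42.0/24      # tether subnet handed out by dnsmasq (assumed)
TETHER_BYPASS=${TETHER_BYPASS:-1}   # 1 = secondary device uses clearnet

# run: execute iptables, or just print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

tether_rules() {
    # --- tethered clients: PREROUTING / FORWARD ---
    # Forwarded packets from the secondary device never traverse OUTPUT, so the
    # REDIRECT rules further down cannot see them; their fate is decided here,
    # and these rules must sit in front of anything more generic (-I at 1).
    if [ "$TETHER_BYPASS" = 1 ]; then
        run iptables -t nat -I PREROUTING 1 -i "$TETHER_IF" -s "$TETHER_NET" -j ACCEPT
        run iptables -I FORWARD 1 -i "$TETHER_IF" -s "$TETHER_NET" -j ACCEPT
        run iptables -I FORWARD 2 -o "$TETHER_IF" -d "$TETHER_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    else
        # Force the secondary device through Tor: DNS to DNSPort, TCP to
        # TransPort; anything left (other UDP, ICMP) is logged, then dropped.
        run iptables -t nat -I PREROUTING 1 -i "$TETHER_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
        run iptables -t nat -I PREROUTING 2 -i "$TETHER_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
        run iptables -I FORWARD 1 -i "$TETHER_IF" -j LOG --log-prefix "tether-drop: "
        run iptables -I FORWARD 2 -i "$TETHER_IF" -j DROP
    fi

    # --- the phone's own traffic: OUTPUT ---
    # Tor itself must reach the network directly; everything else is pushed
    # to the transparent proxy. Note that the tether's dnsmasq forwarder also
    # originates queries here, so in bypass mode its upstream lookups are still
    # resolved through Tor unless exempted; the LOG rule is what reveals
    # whether those queries are being answered or silently dropped.
    run iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    run iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    run iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
    run iptables -A OUTPUT -j LOG --log-prefix "orwall-drop: "
    run iptables -A OUTPUT -j DROP
}

# Usage: `DRY_RUN=1 sh tether.sh --show` prints the rules in order;
# `sh tether.sh --apply` installs them (needs root).
case "${1:-}" in
    --show)  DRY_RUN=1 tether_rules ;;
    --apply) tether_rules ;;
esac
```

Dropped packets then appear in `dmesg` with the `tether-drop:` or `orwall-drop:` prefix, which is exactly the visibility that was missing when the DNS problem was being hunted down above.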

cjeanneret commented 10 years ago

Status: still not working. I'll test the whole stuff on a Pi in the following days. Using a Pi will allow me to get a real iptables support, with logs and so on. It's a really nasty thing :(.

hxe commented 10 years ago

so, you said tethering doesn't work on 0.20. but I got it to work fine for me and I'm using it right now. tethering is quite important to me so I always have to try :p

I have "enable tethering" and "secondary device bypasses orbot" ticked. I also had to temporarily "enable lan connections" (https://github.com/EthACKdotOrg/orWall/issues/32#issuecomment-54046388), even though it crashes orwall 0.20 (https://github.com/EthACKdotOrg/orWall/issues/37). and then I had to go to the main orwall window and "disable tethering" then "enable tethering", and surprisingly it started working. my laptop is using my mobile data clearnet, and my phone is still using tor. so for my situation, it seems to be working, with some extra toggling of options etc. not sure about all the other possible tethering situations though (wanting secondary device to go through tor, etc).

and "disable tethering" doesn't seem to break the rest of the orwall rules anymore, like it did for me on 0.19 or whatever

cjeanneret commented 10 years ago

good news then, though Tethering isn't working as I want: it acts now as if you chose to always bypass Orbot, even if you don't check the option in the prefs. Also, if you have to do a lot of hacks in order to get it up, it's not "working" ;). I'm working with a friend on this thing, he's also a bit amazed at how the transparent proxy works in the end (among other things). Thus this feature is considered as broken, and only works by accident.

Thank you for the inputs on how you get it working — this may provide some more information on how to make it work properly.

hxe commented 10 years ago

ah. like I said, in version 0.15 and the ones before, the tethering option bypassed orbot. so it was always like that for me, even though it seemed like u didn't expect it to do that. so the default orwall tethering behaviour has been to bypass orbot (so far). just letting u know in case u didn't

cjeanneret commented 10 years ago

I'm pretty sure the answer is there. Just trying to get it working on my Pi. Once it's OK, I guess I'll be able to push it to orwall :).

hxe commented 10 years ago

so is this still the main thread for tethering issues? I'm guessing you're already aware tethering doesn't work in the latest versions? also it seems the option to pick whether or not tethering goes through tor is now gone. but tethering doesn't work anyway, on 0.29. it did a version or two ago

cjeanneret commented 10 years ago

Yep, I know. This is a broken feature for now, but I didn't have time to solve it properly. The new UI was the priority in order to offer the new features, among them orwall deactivation. This might be a (temporary) solution, though that's obviously NOT the right one.

I hope I'll get some time next week for this thing. Sorry for the inconvenience.

hxe commented 10 years ago

I updated to orwall 1.0, and tethering is suddenly working perfectly lol, (I have the tethering box 'on' and the lan connections box 'on', haven't tried any other ways yet). was it fixed intentionally?

cjeanneret commented 10 years ago

errr… wasn't intentional, nope. Didn't even test it for the 1.0 release in fact. But I suspect it's working by chance, if you cut the "Lan" it won't work. I'm pretty sure of that, seeing the kind of rules it adds.

cjeanneret commented 9 years ago

Hello,

hmm, I think the main confusion is due to names and application usages: orbot, mostly maintained by @n8fr8 from GuardianProject, is the client app for Tor. It has some capabilities for traffic redirect and so on. For this one, versions are 14.xx for stable, 15.xx for RC, and so on.

orwall, on the other hand, is "only" a firewall application, deeply linked to orbot. Versions were 0.x.y until the "stable" release, which is now 1.x.y.

That said: the tethering part isn't the easiest thing, as there are system firewall rules being applied on the fly, meaning we first must fully understand what has been added, which network interfaces are affected by the rules, and what the rules do. We already had a hard time allowing tethering without having to disable orwall (this part isn't really stable for now), and we will also need to dig a bit further in order to see, once a device is connected, how its traffic is redirected on the device.

Also, I had some discussions with some Tor Project people regarding the "good and bad" for some kind of "anonybox", which will be what your smartphone will become in your use case — it seems there are pros and cons, among cons "bad idea to redirect all your traffic through tor, especially if you don't know what app access network nor what they do on it". And I must agree with this statement — doesn't mean I won't try to make it work, just it might be an option you must enable.

You might prefer some tor entry on your computer/tethered device instead, and doing the proper configurations on it, at least for now.

TL;DR: Status for now: not working for this particular part. Tethering isn't easy to manage due to system iptables rules being added, new network devices being created/activated and so on.

Cheers,

C.