Gedsh / InviZible

Android application for online privacy and security
https://invizible.net
GNU General Public License v3.0
1.49k stars, 103 forks

Webtunnel in InviZible only connects via IPv4 #261

Closed wreps8Owt closed 6 months ago

wreps8Owt commented 6 months ago

According to my understanding, webtunnel-client connects to the webtunnel server via the given "url=" parameter.

However, for a webtunnel server whose domain name in the url has both IPv4 and IPv6 addresses, the webtunnel-client bundled with InviZible (libwebtunnel.so) always connects via IPv4, even when both addresses are available, while other PTs needing domain name resolution, like meek-lite, can connect to the server via IPv6.

Besides, the webtunnel-client bundled with the Tor Browser (for PC) can connect via IPv6.

Is this an intentional design for InviZible? If not, please allow webtunnel to connect via IPv6 when both addresses are available.

Gedsh commented 6 months ago

> the webtunnel-client bundled with InviZible (libwebtunnel.so) always connects via IPv4

How did you check this?

> Is this an intentional design for InviZible?

InviZible does not restrict the use of the protocol version in any way if you haven't configured it yourself. It uses almost the same version of the webtunnel bridge library as the Tor Browser. I just added support for the UTLS library, which is necessary to protect against fingerprinting on the mobile device.

https://gitlab.torproject.org/Gedsh/webtunnel/-/compare/main...feature%2Futls-with-isrgrootx1?from_project_id=1674

wreps8Owt commented 6 months ago

> the webtunnel-client bundled with InviZible (libwebtunnel.so) always connects via IPv4

> How did you check this?

  1. Stop all applications that will connect to the Internet directly.

  2. Set Tor of InviZible to use some webtunnel bridges whose url have both IPv4 and IPv6 addresses, with dnscrypt-proxy and i2p disabled.

  3. Start Tor.

  4. Check established TCP connections with "$ ss -nt" under adb shell.

I can only see established TCP connections with IPv4 addresses.

wreps8Owt commented 6 months ago
> Set Tor of InviZible to use some webtunnel bridges whose url have both IPv4 and IPv6 addresses, with dnscrypt-proxy and i2p disabled.

I mean, some webtunnel bridges whose domain name in the url can be resolved to both IPv4 and IPv6 addresses.

Gedsh commented 6 months ago

> I can only see established TCP connections with IPv4 addresses.

But why do you think that IPv6 will not be used if the IPv4 connection is not available?

Which mode are you using, Root or VPN in InviZible?

wreps8Owt commented 6 months ago

> I can only see established TCP connections with IPv4 addresses.

> But why do you think that IPv6 will not be used if the IPv4 connection is not available?

What do you mean?

Other PTs needing domain name resolution, for example meek-lite, will connect to the server via IPv6 when both IPv4 and IPv6 addresses can be resolved from its "fronts=" parameter.

> Which mode are you using, Root or VPN in InviZible?

Pure proxy mode.

Gedsh commented 6 months ago

> Other PTs needing domain name resolution, for example meek-lite, will connect to the server via IPv6 when both IPv4 and IPv6 addresses can be resolved from its "fronts=" parameter.

Why do you think webtunnel should prioritize IPv6?

wreps8Owt commented 6 months ago

> Other PTs needing domain name resolution, for example meek-lite, will connect to the server via IPv6 when both IPv4 and IPv6 addresses can be resolved from its "fronts=" parameter.

> Why do you think webtunnel should prioritize IPv6?

Further testing shows that, if I leave only IPv6 addresses (e.g. by editing my APN), webtunnel becomes totally unable to connect.

Gedsh commented 6 months ago

I checked the webtunnel source code and found that it has no restrictions on protocol version. But IPv4 has priority, so it will be used in the first place if it is available.

> Further testing shows that, if I leave only IPv6 addresses (e.g. by editing my APN), webtunnel becomes totally unable to connect.

It's not quite clear how you performed this test, because if your ISP only gives you an IPv6 address, Android will use the CLAT service to translate IPv4 connections to IPv6. It's called 464XLAT. I actually use webtunnel bridges on an IPv6-only network without any problems. But I can't easily check which protocol version is being used because of CLAT.

wreps8Owt commented 6 months ago

> Further testing shows that, if I leave only IPv6 addresses (e.g. by editing my APN), webtunnel becomes totally unable to connect.

> It's not quite clear how you performed this test, because if your ISP only gives you an IPv6 address, Android will use the CLAT service to translate IPv4 connections to IPv6. It's called 464XLAT.

I edited my APN to IPv6-only and connected only via the cellular network. At this point, only IPv6 addresses were assigned to my phone (seen via "$ ip a" under adb shell), and 464XLAT cannot work in this situation, since it at least needs a private IPv4 address, as seen in https://www.rfc-editor.org/rfc/rfc6877#section-4.2 .

Webtunnel becomes totally unable to connect in this situation, which seems to mean that its native IPv6 capability is broken, while meek-lite can still work.

> I actually use webtunnel bridges on an IPv6-only network without any problems. But I can't easily check which protocol version is being used because of CLAT.

If CLAT works, ss should see IPv4 connections under adb shell.

Gedsh commented 6 months ago

> 464XLAT cannot work in this situation

It's intended for this exact situation, but your phone may have a problem with it. But for our test, it's fine.

I modified a webtunnel to only use IPv6 addresses and I think I found a bug in the latest commit from the Tor Project developers. But I still can't connect to the available webtunnel bridges over IPv6. Servers reject the connection. Do you have any bridge that definitely works with IPv6 so I can test it? I found a working bridge and was able to connect to it via IPv6.

wreps8Owt commented 6 months ago

> 464XLAT cannot work in this situation

> It's intended for this exact situation, but your phone may have a problem with it. But for our test, it's fine.

> I modified a webtunnel to only use IPv6 addresses and I think I found a bug in the latest commit from the Tor Project developers. But I still can't connect to the available webtunnel bridges over IPv6. Servers reject the connection. Do you have any bridge that definitely works with IPv6 so I can test it?

webtunnel [2001:db8:7611:bb20:5735:6a58:fe34:21e2]:443 77FE389A29CEF14869D10E5A61E35A7DFF19F52B url=https://parallelworks.cloud/eib9aecai6shae0PhaoT ver=0.0.1

$ host parallelworks.cloud
parallelworks.cloud has address 104.21.88.238
parallelworks.cloud has address 172.67.154.57
parallelworks.cloud has IPv6 address 2606:4700:3030::6815:58ee
parallelworks.cloud has IPv6 address 2606:4700:3036::ac43:9a39

Gedsh commented 6 months ago

Thank you!

I can confirm a bug that the Tor Project developers have made in the last commit 2 months ago. https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/commit/399c24557a186fcb8ca079f6be38d9cba5fa8ec5

They do not use square brackets for IPv6 addresses. I fixed it and was able to connect to the webtunnel bridge via IPv6. I will file an issue on the Tor Project's webtunnel repository or make a pull request.
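The square-bracket problem described in the comment above, as an added example that is not code from webtunnel, Tor Browser or InviZible. It assumes the faulty shape was formatting a resolved IPv6 literal as host + ":" + port (the exact code in the linked commit is not reproduced here), and uses the parallelworks.cloud addresses quoted earlier in the thread as the constructed "resolved" set. With the naive formatter every IPv6 target is unparseable, so on an IPv6-only network there is nothing left to dial; net.JoinHostPort produces the bracketed form net.Dial expects.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed resolved set: the A and AAAA answers for parallelworks.cloud
// quoted in this issue. Any real resolver result would do.
var resolved = []string{
	"104.21.88.238",
	"172.67.154.57",
	"2606:4700:3030::6815:58ee",
	"2606:4700:3036::ac43:9a39",
}

// naiveHostPort is the assumed faulty pattern: plain concatenation. For an
// IPv6 literal the result has too many colons and cannot be parsed back.
func naiveHostPort(host, port string) string { return host + ":" + port }

// safeHostPort wraps IPv6 literals in square brackets, e.g. "[2606:...]:443",
// which is the form net.Dial and net.SplitHostPort require.
func safeHostPort(host, port string) string { return net.JoinHostPort(host, port) }

// addrParses reports whether net.Dial would get a usable host:port at all.
func addrParses(addr string) bool {
	_, _, err := net.SplitHostPort(addr)
	return err == nil
}

// isIPv6 reports whether a literal is an IPv6 address (no 4-byte form).
func isIPv6(host string) bool {
	ip := net.ParseIP(host)
	return ip != nil && ip.To4() == nil
}

// dialAddrs formats one dial target per resolved address with the given
// formatter and partitions them into usable and unusable targets.
func dialAddrs(hosts []string, port string, formatter func(string, string) string) (ok, broken []string) {
	for _, h := range hosts {
		a := formatter(h, port)
		if addrParses(a) {
			ok = append(ok, a)
		} else {
			broken = append(broken, a)
		}
	}
	return ok, broken
}

// dialLoopback shows the end-to-end effect against a local IPv6 listener:
// the naive address fails inside net.Dial, the bracketed one connects.
func dialLoopback() {
	ln, err := net.Listen("tcp6", "[::1]:0")
	if err != nil {
		fmt.Println("no IPv6 loopback available:", err)
		return
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Close()
		}
	}()
	port := fmt.Sprint(ln.Addr().(*net.TCPAddr).Port)
	for _, f := range []func(string, string) string{naiveHostPort, safeHostPort} {
		addr := f("::1", port)
		c, err := net.Dial("tcp", addr)
		if err != nil {
			fmt.Printf("%-14s dial failed: %v\n", addr, err)
			continue
		}
		c.Close()
		fmt.Printf("%-14s connected\n", addr)
	}
}

func main() {
	ok, broken := dialAddrs(resolved, "443", naiveHostPort)
	fmt.Println("naive   usable:", ok, "broken:", broken)
	ok, broken = dialAddrs(resolved, "443", safeHostPort)
	fmt.Println("joined  usable:", ok, "broken:", broken)
	dialLoopback()
}
```

The same check applies to anything that re-assembles a resolved IP into a URL host or a proxy target: if the literal can contain colons, it must be bracketed, and net.JoinHostPort does that for both families without special-casing.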

Gedsh commented 6 months ago

@wreps8Owt please try beta version 2.2.0

wreps8Owt commented 6 months ago

> @wreps8Owt please try beta version 2.2.0

Thanks. Now webtunnel can connect to the server when only IPv6 addresses are available locally.

Gedsh commented 6 months ago

Thanks for raising the issue!

Gedsh commented 6 months ago

Fixed via a28a61c110b9de1025b3054ade9f11b7d669ee56