Gedsh / InviZible

Android application for online privacy and security
https://invizible.net
GNU General Public License v3.0
1.43k stars 99 forks

UDP (without Tor) doesn't work? #286

Open mvevitsis opened 2 weeks ago

mvevitsis commented 2 weeks ago

I am not using Tor; however, the DNS log shows that outgoing UDP connections are still being blocked.

I am using a socks5 proxy for outgoing traffic. I am also using the firewall; however, the apps in question have been allowed. Other traffic works OK.

Is this the intended behavior? Do you also need to give an app LAN access to allow UDP?

Gedsh commented 2 weeks ago

> I am using a socks5 proxy for outgoing traffic.

The socks5 proxy in InviZible does not support UDP. UDP will work if you use a direct connection.

mvevitsis commented 2 weeks ago

> > I am using a socks5 proxy for outgoing traffic.
>
> The socks5 proxy in InviZible does not support UDP. UDP will work if you use a direct connection.

Should I enable the force TCP toggle even if I am not using Tor?

Also, is it possible to add UDP support? It seems like technically it is possible as some similar apps seem to have implemented it (e.g. Rethink).

Gedsh commented 2 weeks ago

> Should I enable the force TCP toggle even if I am not using Tor?

The Force TCP option forces DNSCrypt to use TCP instead of UDP for the native DNSCrypt protocol. And that's all it does. It must be enabled if you are using DNSCrypt over Tor. In other cases, it is optional. But I prefer to keep it enabled, as it improves reliability when using DNSCrypt anonymising relays.

> is it possible to add UDP support?

It is technically possible, but in practice it is very complicated. InviZible uses NetGuard core code for VPN mode. NetGuard doesn't support UDP for proxy, and I can't add it myself since the NetGuard core is written in Clang. I only know this programming language to fix some minor things, but not to add such major ones. My programming languages are Java/Kotlin and Go. Also, I can't use the source code of other apps like RethinkDNS, as the VPN mode is completely based on NetGuard core code.

Since InviZible doesn't support UDP for proxy only, I don't plan on fixing this issue anytime soon, as not too many people need this feature. If the Tor developers implement UDP support, I will find a way to fix it.

mvevitsis commented 2 weeks ago

> > Should I enable the force TCP toggle even if I am not using Tor?
>
> The Force TCP option forces DNSCrypt to use TCP instead of UDP for the native DNSCrypt protocol. And that's all it does. It must be enabled if you are using DNSCrypt over Tor. In other cases, it is optional. But I prefer to keep it enabled, as it improves reliability when using DNSCrypt anonymising relays.
>
> > is it possible to add UDP support?
>
> It is technically possible, but in practice it is very complicated. InviZible uses NetGuard core code for VPN mode. NetGuard doesn't support UDP for proxy, and I can't add it myself since the NetGuard core is written in Clang. I only know this programming language to fix some minor things, but not to add such major ones. My programming languages are Java/Kotlin and Go. Also, I can't use the source code of other apps like RethinkDNS, as the VPN mode is completely based on NetGuard core code.
>
> Since InviZible doesn't support UDP for proxy only, I don't plan on fixing this issue anytime soon, as not too many people need this feature. If the Tor developers implement UDP support, I will find a way to fix it.

I guess another possible solution would be to add the option for a WireGuard upstream (to use instead of the socks5 proxy), then the 'proxy to work profile with VPN installed' workaround to use a 'real' VPN alongside InviZible's local VPN would not be necessary.

WireGuard itself is written in Go, so maybe it's easier to implement as well. It is available in Rethink; might be possible to use that as a reference.

(I don't want to just use Rethink because it does not handle LAN traffic correctly for apps like KDE Connect and LocalSend, and especially now that I got the local DoH feature of DNSCrypt working; these are big advantages of your app. I could never get ECH to work with a local VPN type app before.)

Gedsh commented 2 weeks ago

> a WireGuard upstream

https://github.com/Gedsh/InviZible/issues/254

mvevitsis commented 2 weeks ago

> > a WireGuard upstream
>
> https://github.com/Gedsh/InviZible/issues/254

The procedure referenced here: https://github.com/Gedsh/InviZible/wiki/Using-InviZible-alongside-with-VPN would also not allow UDP traffic.

So I think it is worth integrating WireGuard, if enabling UDP for the socks5 proxy is too difficult.

The reason: some Android apps do not behave properly without UDP (e.g. Facebook Messenger).

Gedsh commented 2 weeks ago

> some Android apps do not behave properly without UDP

The problem occurs only when using the socks5 proxy. In other cases, you can simply exclude UDP from Tor or exclude the app from Tor completely.

> I think it is worth integrating WireGuard

To use all the features of InviZible, such as firewall or bypassing LAN addresses, the NetGuard core code is still required, which does not support UDP for proxy. Implementing WireGuard without all these features makes no sense, since you can use any other app with WireGuard for this purpose.

The only real solution is to add UDP support to the core NetGuard code. I would most likely need a professional Clang developer to do this, which is quite expensive for the current level of donations to the project.
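
For readers wondering what UDP support for a SOCKS5 proxy involves at the protocol level, the following is an added example, not part of the thread and not code from InviZible or NetGuard. It builds the SOCKS5 UDP ASSOCIATE request defined in RFC 1928, interprets the proxy's reply (REP 0x07 means the command is not supported), and wraps a datagram in the per-packet header the relay expects; the sample replies are constructed and only IPv4 addresses are handled.

```python
import ipaddress
import struct

CMD_UDP_ASSOCIATE = 0x03      # RFC 1928 section 4
REP_SUCCEEDED = 0x00
REP_CMD_NOT_SUPPORTED = 0x07  # RFC 1928 section 6

def udp_associate_request() -> bytes:
    """Request sent on the TCP control connection after method negotiation.
    0.0.0.0:0 means the client does not yet know its UDP source address."""
    return struct.pack("!BBBB4sH", 5, CMD_UDP_ASSOCIATE, 0, 1, bytes(4), 0)

def parse_reply(reply: bytes):
    """Return (supported, relay_addr); relay_addr is where wrapped datagrams go."""
    ver, rep, _rsv, atyp = reply[:4]
    if ver != 5:
        raise ValueError("not a SOCKS5 reply")
    if rep == REP_CMD_NOT_SUPPORTED:
        return False, None
    if rep != REP_SUCCEEDED:
        raise ValueError(f"proxy refused request, REP={rep:#04x}")
    if atyp != 1:
        raise ValueError("only IPv4 (ATYP 1) relay addresses are handled here")
    host = str(ipaddress.IPv4Address(reply[4:8]))
    (port,) = struct.unpack("!H", reply[8:10])
    return True, (host, port)

def wrap_datagram(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Prefix a UDP payload with the SOCKS5 UDP header (RFC 1928 section 7):
    RSV(2) FRAG(1) ATYP(1) DST.ADDR(4) DST.PORT(2), then the data."""
    packed_ip = ipaddress.IPv4Address(dst_ip).packed
    return struct.pack("!HBB4sH", 0, 0, 1, packed_ip, dst_port) + payload

def unwrap_datagram(datagram: bytes):
    """Inverse of wrap_datagram for datagrams coming back from the relay."""
    rsv, frag, atyp = struct.unpack("!HBB", datagram[:4])
    if rsv != 0 or atyp != 1:
        raise ValueError("unexpected SOCKS5 UDP header")
    if frag != 0:
        raise ValueError("fragmented datagrams are not handled")
    ip = str(ipaddress.IPv4Address(datagram[4:8]))
    (port,) = struct.unpack("!H", datagram[8:10])
    return ip, port, datagram[10:]

# Constructed sample replies (not captured from any real proxy).
REPLY_OK = bytes([5, 0, 0, 1, 127, 0, 0, 1]) + struct.pack("!H", 40000)
REPLY_UNSUPPORTED = bytes([5, 7, 0, 1, 0, 0, 0, 0, 0, 0])
```

A client has to keep the TCP control connection open for as long as the UDP association is in use and apply this wrapping to every datagram in both directions.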