How does GreenTunnel compares to Stubby?

[tuqueque]

Hey, this is not a feature request, but more of a series of question/inquiries about this cool utility.

I don't know if you know about Stubby ( https://github.com/getdnsapi/stubby )... It seems like both utilities have somewhat similar scopes, but it also seems like GreenTunnel might be "sneakier" (better) in its approach to DNS requests... Although, Stubby seems to be a more mature and developed project.

I am a relative ignorant when it comes to DNS stuff and privacy/anti-censorship tools (I'm not a programmer, but I live in a very censorship-heavy Country)... so I'm just guessing things after reading about how both tools work. I've used Stubby for more than a year now and I'd like to test GreenTunnel to see how it works and performs.

I haven't made any test, but it seems like GreenTunnel and Stubby wouldn't (couldn't) work together (have them running both at the same time), since both seem to channel traffic through 127.0.0.1, so I guess I would have to use one or the other (especially because it seems like there's significant redundancy in the use cases of these tools).

The concrete questions I have are:

• Does GreenTunnel solves the same "problems" of Stubby, just in a more clever way?

• If the answer to the previous question is "yes", I would like to have GreenTunnel running as a Systemd service, but I couldn't understand the "instructions" in the related issue ( https://github.com/SadeghHayeri/GreenTunnel/issues/65 )... So if I could do a "feature request", that would be to have GreenTunnel as a Systemd service (just by running the usual "sudo systemctl enable GreenTunnel")

Thank you in advance!

[dhruvdgupta]

In the context of DNS resolution:

Stubby resolves DNS using DoT (DNS-over-TLS) but it doesn't do much more than that. In my experience, anyone on the wire can still see the SNI (Server Name Indication) field. Some ISPs (such as mine) do that hence we can't bypass the censorship just using Stubby.

Whereas in the case of GreenTunnel (from the FAQ):

Server Name Indication (SNI) is an extension to TLS (Transport Layer Security) that indicates the actual destination hostname a client is attempting to access over HTTPS. For this Web Filter feature, SNI hostname information is used for blocking access to specific sites over HTTPS. For example, if the administrator chooses to block the hostname youtube using this feature, all Website access attempts over HTTPS that contain youtube like www.youtube.com in the SNI would be blocked. However, access to the same hostname over HTTP would not be blocked by this feature. GreenTunnel tries to split first CLIENT-HELLO packet into small chunks and ISPs can't parse packet and found SNI field so bypass traffic!

For your second question: Check how to run a program at startup in the documentation of your operating system. For example in Ubuntu, just add a new item in the "Startup Applications" menu with the command "green-tunnel".

[tuqueque]

Thank you for responding my questions!

I have a few more questions, though... I hope to explain myself clearly, since my questions might be difficult to express from a tech-savvy point of view and English is not my native language.

My first question is: How can I check if GreenTunnel is working properly? (tunneling DNS requests and splitting SNI packets)... I run GreenTunnel CLI with the "-v" or "--verbose" argument but I don't see any extra info.

My second (and rather complicated) question is: In the case of Stubby, I have to change in Network IPv4 settings and my systemd-resolved config file to 127.0.0.1 in the DNS sections (more info in https://www.linuxbabe.com/linux-mint/dns-over-tls-stubby )... Just in case, I don't use Mint, I use Manjaro... So... do I have to do the same setup for GreenTunnel if I want to use it globally on my system?... Or does GreenTunnel automatically (somehow) does that for me?... If GreenTunnel automatically sets itself to be used globally on my system, does it affect its behavior even if I leave my Network and systemd-resolved settings to 127.0.0.1?... I stopped and disabled Stubby on my system, of course. I only have GreenTunnel running.

BTW, I managed to create a systemd .service file and make it work!... For those interested:

1.- Create a plain text file (with ".service" extension instead of ".txt", of course). 2.- fill it with the following text:

[Unit]
Description=GreenTunnel

[Service]
Restart=always
RestartSec=5
User=[YOUR USERNAME]
ExecStart=/usr/bin/green-tunnel --verbose

[Install]
WantedBy=multi-user.target

3.- Name the file e.g.: GreenTunnel.service and copy or move it to "/etc/systemd/system/" 4.- Enable the systemd service with "sudo systemctl enable GreenTunnel" 5.- Start the service with "sudo systemctl start GreenTunnel" 6.- You can check if the service is running with "systemctl status GreenTunnel".

EDIT:

Doing a few basic tests following some of the instructions in the previous cited article ( https://www.linuxbabe.com/linux-mint/dns-over-tls-stubby ), I've noticed that Stubby listens to both, TCP and UDP traffic in both, IPv4 and IPv6 (as shown in the article)… but GreenTunnel "only" listens to TCP traffic on IPv4. I don't really know what this means, but it seems like Stubby offers "protection" to both protocols and IP versions while GreenTunnel doesn't.

sudo netstat -npltu | grep node
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1686865/node

Could you explain/comment on this?

Greets!

[SadeghHayeri]

Hi! I checked Stubby and found it's a cool tool to have secure DNS and send DNS queries over TLS.

before I answer your questions, let's explain a little about the basics! We have two concepts here, DNS and DPI.

• DNS is a protocol to convert domain names to IP addresses. it's an old protocol and doesn't support encryptions, fully plane text!
• DPI is a type of data processing that inspects in detail the data being sent over a computer network and usually takes action by blocking, re-routing, or logging it accordingly.

Ok now lets talk about Stubby and GreenTunnel.

• Stubby: It's a tool to add encryption support to the default system DNS service, it's run as a local DNS server (listen on 127.0.0.1:53) and get DNS queries from clients (like Firefox), it connects to DoT providers (like 1.1.1.1) with TLS encryption layer and then answer the clients.
• GreenTunnel: it's an HTTP proxy server, it gets HTTP/HTTPS request from a client, find the IP address using DoH or DoT and bypass DPI using packet splitting.

If Stubby works for you, I recommend to do not use GreenTunnel. GreenTunnel encrypts only HTTP/HTTPS requests but Stubby is a system-wide secure DNS solution. Also, you can use both at the same time, use GreenTunnel to bypass censorship and use Stubby to secure all other queries.

NOTICE: Do not use GreenTunnel for a critical situation, check Tor Project.

[tuqueque]

Thanks again for your feedback... I've done some more testing and at least in my opinion, GreenTunnel is indeed a more basic (but great) utility to circumvent censorship, it is especially useful for novice users that don't want (or don't know how) to fiddle with more complex setups like Stubby or dnscrypt-proxy.

A few years ago I tried dnscrypt-proxy and it worked for awhile, but shortly after, it stopped working and at that time I couldn't manage to make it work. Yesterday I followed their much improved help wiki and this time I managed to make it work again and I could even activate some of the fancier features, like ESNI, which is another way (still in its early stages) of solving what GreenTunnel solves.

But I repeat, GreenTunnel is still a great tool and a MUCH EASIER one to set up! Keep up your great work!

[dhruvdgupta]

Thanks again for your feedback... I've done some more testing and at least in my opinion, GreenTunnel is indeed a more basic (but great) utility to circumvent censorship, it is especially useful for novice users that don't want (or don't know how) to fiddle with more complex setups like Stubby or dnscrypt-proxy.

A few years ago I tried dnscrypt-proxy and it worked for awhile, but shortly after, it stopped working and at that time I couldn't manage to make it work. Yesterday I followed their much improved help wiki and this time I managed to make it work again and I could even activate some of the fancier features, like ESNI, which is another way (still in its early stages) of solving what GreenTunnel solves.

But I repeat, GreenTunnel is still a great tool and a MUCH EASIER one to set up! Keep up your great work!

As far as I can tell the ESNI with dnscrypt-proxy only works with firefox (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH). Have you got it to work system-wide? I don't have deep knowledge about TLS etc. but GreenTunnel is the only tool I've tried so far that has actually managed to circumvent censorship based on DNS hijacking

[tuqueque]

Hey... You're right that currently, ESNI only works with Firefox (hopefully in the middle/long term this will be implemented by other browsers and applications and will become the de facto way of circumventing censorship)...

I've been doing more digging and I've found a program called "PowerTunnel" ( https://github.com/krlvm/PowerTunnel ), which seems to do VERY similar things to what GreenTunnel does to DNS requests, and it looks like its in a more advanced development state. I'm actually thinking that both projects could benefit from each other, and who knows, they could be merged and work together or something like that.