celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.99k stars 151 forks

VPN proxy does not give the apps access to VPN's private network #1016

Open rhusiev opened 1 year ago

rhusiev commented 1 year ago

I have a WireGuard VPN that acts as a way to connect to my computer (in my case for KDE Connect) even when on a different network.

With just the WireGuard app it works fine, but when I connect to the same peer from Rethink, the connection is lost. Even though my phone (Android 13) and computer (Fedora Linux) are on the same private network and can both ping each other, KDE Connect can't find it. The problem is definitely not with the computer or the VPN, as it all worked before adding Rethink to the mix.

I tried excluding, bypassing universally and only DNS & firewall, allowing the IPs and ports for the specific app and universally, but nothing worked.

I was able to make KDE Connect work when both the Linux and Android machines are on the same Wi-Fi and I remove KDE Connect from being sent to DNS, but I can't find how to allow it to access the VPN's private network freely.

ignoramous commented 1 year ago

As a workaround, turn ON Configure -> Network -> Do not route Private IPs and see things work.

Keep in mind that the WireGuard impl in Rethink is more of a TCP/UDP L4 proxy and not an IPsec-esque L3 VPN.

Also, ICMP and DNS do not get tunneled through WireGuard (this is an Android limitation). For DNS, there's an approximation we have identified to fool apps into split-tunneling their DNS to appropriate WireGuard channels, but it is planned for a later release: #979

Also, does KDE Connect rely on multicast DNS? If so, that is broken in v055 (but hopefully, we fix it soon): #1005
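
An added illustration (example code, not Rethink's or firestack's own) of the two points above: an L4 proxy only ever sees TCP/UDP flows, so ICMP has nowhere to go, and "Do not route Private IPs" is a per-destination decision that sends anything in a private range to the underlying network instead of the tunnel. The peer address 10.0.0.2 and the `Settings`/`Decide` names are assumptions made for the example; the private ranges are the standard RFC 1918, CGNAT, loopback, link-local and ULA blocks.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Route is where a single flow ends up.
type Route string

const (
	RouteWireGuard   Route = "wireguard"   // hand the TCP/UDP flow to the WireGuard proxy
	RouteBase        Route = "base"        // send it over the underlying network (Wi-Fi / cellular)
	RouteUnsupported Route = "unsupported" // an L4 proxy has no socket type that can carry it
)

// privateRanges lists the address blocks a "Do not route Private IPs"
// switch would typically treat as local: RFC 1918, CGNAT (RFC 6598),
// loopback, IPv4 link-local, IPv6 ULA and IPv6 link-local.
var privateRanges = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("::1/128"),
}

// IsPrivate reports whether dst falls in one of privateRanges.
// Unmap() normalises IPv4-mapped IPv6 addresses (::ffff:10.0.0.2) first.
func IsPrivate(dst netip.Addr) bool {
	dst = dst.Unmap()
	for _, p := range privateRanges {
		if p.Contains(dst) {
			return true
		}
	}
	return false
}

// Settings mirrors the single option discussed in the thread (assumed name).
type Settings struct {
	RoutePrivateIPs bool // false == "Do not route Private IPs" is turned ON
}

// Decide picks a route for one flow. proto is "tcp", "udp" or anything else
// (e.g. "icmp"); dst is the destination the app is trying to reach.
func Decide(s Settings, proto string, dst netip.Addr) Route {
	switch proto {
	case "tcp", "udp":
		// only these can be re-originated by an L4 proxy
	default:
		// ping and other non-TCP/UDP traffic never enters the tunnel
		return RouteUnsupported
	}
	if !s.RoutePrivateIPs && IsPrivate(dst) {
		// the user's case: the WireGuard peer lives at a private address,
		// so with the switch ON it is sent to Wi-Fi, not to the tunnel
		return RouteBase
	}
	return RouteWireGuard
}

// MustAddr is a small helper so callers can write addresses as strings.
func MustAddr(s string) netip.Addr { return netip.MustParseAddr(s) }

func main() {
	peer := MustAddr("10.0.0.2") // assumed WireGuard address of the Linux box
	doNotRoutePrivate := Settings{RoutePrivateIPs: false}
	routePrivate := Settings{RoutePrivateIPs: true}

	fmt.Println("tcp  -> peer, switch ON :", Decide(doNotRoutePrivate, "tcp", peer))
	fmt.Println("udp  -> peer, switch OFF:", Decide(routePrivate, "udp", peer))
	fmt.Println("icmp -> peer, switch OFF:", Decide(routePrivate, "icmp", peer))
	fmt.Println("tcp  -> 1.1.1.1, switch ON :", Decide(doNotRoutePrivate, "tcp", MustAddr("1.1.1.1")))
}
```

Running it shows why the workaround only helps on the same Wi-Fi: with the switch ON, a TCP or UDP flow to the peer's 10.x address is classified as private and handed to the base network, which is exactly where the peer is reachable only when both devices share a LAN. ICMP comes back as unsupported regardless of the switch, which is the "ping is not tunneled" point.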

rhusiev commented 1 year ago

The "Do not route Private IPs" option just sends KDE Connect (and other programs connecting to local IPs) to the local network, for example Wi-Fi.

In my use case I need it to be able to connect to another device on the same Virtual network.

I believe it has nothing to do with DNS, as KDE Connect tries to find local IPs and not domains. However, even though I can ping the other device from Termux, KDE Connect can't interact with it (maybe it's a port issue or something else).

ignoramous commented 1 year ago

Gotcha.

I believe it has nothing to do with DNS, as KDE Connect tries to find local IPs

Hm, is there a documentation about how KDE Connect works (networking-wise)? Rethink's impl of WireGuard is at L4 (TCP / UDP layer) as opposed to L3 (like in the official WireGuard app). I wonder if that is incompatible with however KDE Connect is trying to "find local IPs".

Are you using IPv6 within your wg tunnel / peer routes by any chance?

rhusiev commented 1 year ago

I don't use IPv6 and I am not competent enough to understand all the intricacies of L4, L3 and how KDE Connect works on a network level, so, unfortunately, I won't be able to help with this.

For now I use "Do not route Private IPs", but it only works when both devices are connected to the same Wi-Fi.

ignoramous commented 1 year ago

Related: https://github.com/safing/portmaster/issues/667

And: https://github.com/Catfriend1/syncthing-android/issues/735

See also: https://github.com/xjasonlyu/tun2socks/pull/245

ignoramous commented 7 months ago

Possibly also related to the scenario where Termux forwarding connections to WireGuard doesn't work: