celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.64k stars 135 forks

v055d: SOCKS5 via Termux, RDNS Default do not work #1323

Closed Amir2367 closed 1 month ago

Amir2367 commented 3 months ago

Hello, the first problem is that when we enter the program for the first time, we see NOTE: NO FIREWALL RULES FOUND, which was a problem in the previous 2 versions, but it was not a problem in version 0.5.5a.

The second problem: when we select RDNS DEFAULT as DNS and press the connection button, it remains in WAITING mode and no connection is made. This problem was the same as the previous problem in the previous 2 versions. This was not a problem only in version 0.5.5a.

The third problem: when from the SETUP SOCKS5 PROXY section, to connect, we choose the TERMUX program, no connection is made, while the connection is made with other programs. While in all previous versions, the program was compatible with TERMUX.

All problems are recorded in order in the video below

https://github.com/celzero/rethink-app/assets/83357422/fde6b7d0-0318-450d-a403-3cc7a9a7077c

ignoramous commented 3 months ago

> when we select RDNS DEFAULT as DNS and press the connection button, it remains in WAITING mode and no connection is made.

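Can you check DNS Logs after you connect to RDNS (ie, when it goes into "waiting" and no websites would load in Chrome) and see what it says?

  • The entries in DNS Logs should have an "exclamation" (!) or a "question" (?) mark against them (as they're failing).
  • The footer of the bottomsheet that comes up when you tap on these failing entries should have a status / error message revealing just why the query failed.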

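My guess is, your ISP is blocking connections to rethinkdns.com. You can test for this by:

  • Switching to "System DNS" in Configure -> DNS
  • Then attempting to access max.rethinkdns.com, rethinkdns.com in the browser to see if it loads.
  • After you attempt to load those domains in your browser, you can also search them (max.rethinkdns.com, sky.rethinkdns.com, rethinkdns.com) in DNS Logs to see if you received expected IPs or not.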

> No firewall rules

Yeah, I can see why that can happen. Tracking it here: https://github.com/celzero/rethink-app/issues/1324

> To connect, we choose the TERMUX program, no connection is made while the connection is made with Other programs.

You mean, the SOCKS5 proxy running within a Termux session doesn't "see" any packets from Rethink in this version but it did in v055c (the previous version)? Curious, because we haven't changed much wrt SOCKS5 in v055d at all to break something like this.

Amir2367 commented 3 months ago

> > when we select RDNS DEFAULT as DNS and press the connection button, it remains in WAITING mode and no connection is made.
>
> Can you check DNS Logs after you connect to RDNS (ie, when it goes into "waiting" and no websites would load in Chrome) and see what it says?
>
>   • The entries in DNS Logs should have an "exclamation" (!) or a "question" (?) mark against them (as they're failing).
>   • The footer of the bottomsheet that comes up when you tap on these failing entries should have a status / error message revealing just why the query failed.
>
> My guess is, your ISP is blocking connections to rethinkdns.com. You can test for this by:
>
>   • Switching to "System DNS" in Configure -> DNS
>   • Then attempting to access max.rethinkdns.com, rethinkdns.com in the browser to see if it loads.
>   • After you attempt to load those domains in your browser, you can also search them (max.rethinkdns.com, sky.rethinkdns.com, rethinkdns.com) in DNS Logs to see if you received expected IPs or not.

Hello again, yes, DNS reports should have an "exclamation mark" (!) or a "question" (?) in front of them. (You can see the reason for these ERRORs in the video below)

But the interesting thing is that my ISP has not blocked any of RETHINK's DNS. Because according to the instructions you said, after changing to SYSTEM DNS, all RETHINK's DOMAIN and DNS were opened.

Most importantly, I must say that the only version where I didn't have any of these problems is version 0.5.5a.

I recorded the following video according to what you said. (I'm sorry for the low quality of the video)

https://github.com/celzero/rethink-app/assets/83357422/778b4bae-3880-4222-8b80-5c4550b225c7

Amir2367 commented 3 months ago

> You mean, the SOCKS5 proxy running within a Termux session doesn't "see" any packets from Rethink in this version but it did in v055c (the previous version)? Curious, because we haven't changed much wrt SOCKS5 in v055d at all to break something like this.

I just installed version 0.5.5a, which has none of the above problems and works with TERMUX as well. All these problems have been found for me after version 0.5.5a.

The video below shows the perfect working and flawless version 0.5.5a

https://github.com/celzero/rethink-app/assets/83357422/60cc75a9-ce2e-4c02-b561-c4b303f31235

ignoramous commented 3 months ago

Thanks, the video demo helped a tonne!

> just installed version 0.5.5a, which has none of the above problems and works with TERMUX

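Unsure what Termux is doing here, but on v055d, do you see Termux related entries in Network Logs?

  • If so, is Termux being blocked? It should, in fact, appear with a white-coloured left-hand side border, bypassing all firewall rules.
  • If Termux is not blocked, what do you see in the bottomsheet's footer (which shows the final status of the connection) that comes up when you tap on Termux-related Network Log entries?

screenshot

  1. white highlight shows active connections; these won't have final status just yet.
  2. red highlight shows time of the connection and total data transfer for the connection.
  3. yellow highlight shows the final status message from the connection.

![Screenshot_2024-04-03-15-23-36-55_c8cbde12d3521911922be4eee6a05664~2](https://github.com/celzero/rethink-app/assets/852289/3c3b8df9-b86d-4ed1-a97a-94159e428a61)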

What's changed from v055a is that, apps that route SOCKS5 (Termux in your case) are not bypassed from Rethink's firewall and DNS rules nor are they excluded from Rethink's VPN tunnel. Equivalent of v055a behaviour in v055b+ is to manually exclude Termux. Things should then work as before.

I'm curious why Termux hates being tunneled by Rethink while running SOCKS5. How did you install and setup warp-plus so that I may test this myself? Will be straightforward to fix, if I can reproduce it on my Android.

Amir2367 commented 3 months ago

> Thanks, the video demo helped a tonne!
>
> > just installed version 0.5.5a, which has none of the above problems and works with TERMUX
>
> Unsure what Termux is doing here, but on v055d, do you see Termux related entries in Network Logs?
>
>   • If so, is Termux being blocked? It should, in fact, appear with a white-coloured left-hand side border, bypassing all firewall rules.
>   • If Termux is not blocked, what do you see in the bottomsheet's footer (which shows the final status of the connection) that comes up when you tap on Termux-related Network Log entries?
>
> screenshot
>
> What's changed from v055a is that, apps that route SOCKS5 (Termux in your case) are not bypassed from Rethink's firewall and DNS rules nor are they excluded from Rethink's VPN tunnel. Equivalent of v055a behaviour in v055b+ is to manually exclude Termux. Things should then work as before.
>
> I'm curious why Termux hates being tunneled by Rethink while running SOCKS5. How did you install and setup warp-plus so that I may test this myself? Will be straightforward to fix, if I can reproduce it on my Android.

Hello, I recorded all DNS LOGS (version 0.5.5d) of TERMUX in the form of a video below.

https://github.com/celzero/rethink-app/assets/83357422/07c2ee6d-f497-4e40-b9ad-08608f7e133a

Is it possible to fix again what you changed about TERMUX from version 0.5.5A, or is there another way? I think there must be another way (we need TERMUX to connect to free internet in our region and, when combined with the RETHINK app, it blocks a lot of ads and improves speed).

Of course, WARP is the WIREGUARD GO project and is used for areas where WARP is completely blocked. You can use this project from the link below. https://github.com/bepass-org/warp-plus

ignoramous commented 3 months ago

Thank you.

> Is it possible to fix again what you changed about TERMUX from version 0.5.5A, or is there another way?

To achieve v055a equivalent behaviour in v055d, exclude Termux.

> Of course, WARP is the WIREGUARD GO project and is used for areas where WARP is completely blocked.

Why not import WARP profile in Rethink (ref) rather than run Termux in the background as a SOCKS5 proxy forwarding WireGuard packets?

> https://github.com/bepass-org/warp-plus

Thanks. I think I know why this has trouble working in v055d (as Termux is routed back into Rethink's VPN tunnel which itself is trying to establish a WARP tunnel of its own)... Can't say if we'll fix it right away, as I am not sure just what "kind" of changes are needed to support such a usecase.

Amir2367 commented 3 months ago

> Thank you.
>
> > Is it possible to fix again what you changed about TERMUX from version 0.5.5A, or is there another way?
>
> To achieve v055a equivalent behaviour in v055d, exclude Termux.
>
> > Of course, WARP is the WIREGUARD GO project and is used for areas where WARP is completely blocked.
>
> Why not import WARP profile in Rethink (ref) rather than run Termux in the background as a SOCKS5 proxy forwarding WireGuard packets?
>
> > https://github.com/bepass-org/warp-plus
>
> Thanks. I think I know why this has trouble working in v055d (as Termux is routed back into Rethink's VPN tunnel which itself is trying to establish a WARP tunnel of its own)... Can't say if we'll fix it right away, as I am not sure just what "kind" of changes are needed to support such a usecase.

See, WARP doesn't work with or without a profile in Iran, it's completely blocked, and the only way to run it is the WIREGUARD GO project and plugging it into proxy runner programs.

I hope that with the help of your good team, you will solve this problem and we users will be able to access the free internet.

vertuk commented 3 months ago

I'm not sure if this needs its own issue, but I have problems with Nekobox SOCKS5 proxy in v0.5.5d too. Rethink doesn't seem to route any traffic to it as it has been in v0.5.5c. When I try to check my IP with the same setup I've had before update it shows me my real IP instead of my proxy's, and all of my ISP's blocklists apply too.

I have Rethink in Always-on VPN mode, Nekobox in proxy mode, port 1234 for SOCKS5, port 6450 for DNS proxy, and I set up SOCKS5 proxy in Rethink to 127.0.0.1:1234 - Nekobox, and DNS proxy to 127.0.0.1:6450 - Nekobox. Nekobox is excluded from dns and firewall rules.

It all did use to work before update, I haven't changed anything.
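Added example, not part of the thread and not Rethink's or Nekobox's code: a loopback probe that sends the RFC 1928 SOCKS5 greeting to a local forwarder (such as the 127.0.0.1:1234 endpoint described above) and classifies the reply, to separate "the forwarder is not answering SOCKS5" from "traffic is not being routed to it". The names `probe_socks5` and `fake_listener` are hypothetical, and the probe assumes the forwarder accepts the "no authentication" method.

```python
import socket
import threading

def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 reply")
        buf += chunk
    return buf

def probe_socks5(host, port, timeout=3.0):
    """Send VER=5, NMETHODS=1, METHOD=0 (no auth) and classify the 2-byte reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")
            ver, method = _recv_exact(s, 2)
    except ConnectionRefusedError:
        return "refused"        # nothing is listening on that port
    except OSError:
        return "no-reply"       # timeout, reset, or closed without answering
    if ver != 5:
        return "not-socks5"     # something else (e.g. an HTTP proxy) owns the port
    if method == 0xFF:
        return "auth-required"  # listener rejects the no-auth method
    return "ok" if method == 0x00 else "unexpected-method"

def fake_listener(reply):
    """Constructed stand-in for a forwarder: answers one client with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(16)       # consume the 3-byte greeting
            conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # 127.0.0.1:1234 is the SOCKS5 endpoint quoted in the comment above.
    print(probe_socks5("127.0.0.1", 1234))
```

A result of `ok` only shows that the listener speaks SOCKS5 on loopback; whether Rethink forwards app traffic to it still has to be read from Network Logs.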

ignoramous commented 3 months ago

> Rethink doesn't seem to route any traffic to it as it has been in v0.5.5c. When I try to check my IP with the same setup I've had before update it shows me my real IP instead of my proxy's, and all of my ISP's blocklists apply too.

Strange. Is SOCKS5 generally working for other such apps (like with ShadowRocket or Orbot or SingBox for example)?

Please track at: https://github.com/celzero/rethink-app/issues/1337

ignoramous commented 1 month ago

v055j onwards (github, website, f-droid), proxy forwarder apps when selected (like Termux, ShadowRocket, Orbot) are Excluded by default from Rethink's VPN tunnel, like before.

To not have those proxy forwarder apps Excluded, one can turn ON Loopback proxy forwarder apps in Configure -> Network.

If this issue isn't fixed with Loopback proxy forwarder apps turned OFF (which is the default), feel free to re-open this issue. Thanks.