celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

VPN traffic is not tunneled #1543

Open OrkoGrayskull opened 4 days ago

OrkoGrayskull commented 4 days ago

When the WireGuard connection is active, the traffic is not tunneled through the VPN - but the remote station indicates that the VPN connection has been established.

I have even activated "Total blocking" and "Always-on" under Advanced. However, the traffic does not flow into the tunnel, but past it.

Nevertheless, the traffic is not tunneled, but flows past the WireGuard VPN. You can check this with various sites such as "https://www.whatismyip.com/". This does not output the IP address of the WireGuard remote peer, but of the mobile device or mobile phone provider (when phone is connected to mobile ISP).

Version RethinkDNS:

I have not checked other versions.

ignoramous commented 3 days ago

Make sure the app you're visiting whatismyip.com from is not Excluded, and that Bypass app from all proxies is not enabled.

Are you visiting whatismyip.com from a browser? If so, looking for the browser (type the browser's name in the search bar at the top), what do you see in Network Logs?

OrkoGrayskull commented 3 days ago

The browser is not excluded. All apps are routed via WireGuard.

> Are you visiting whatismyip.com from a browser? If so, looking for the browser (type the browser's name in the search bar at the top), what do you see in Network Logs?

I added screenshots:

img0: ![Screenshot_20240614-184939](https://github.com/celzero/rethink-app/assets/67463349/d74b5726-1491-408a-8718-b0e7f4da68bf)
img1: ![Screenshot_20240614-184951](https://github.com/celzero/rethink-app/assets/67463349/2a69c9c3-5234-413b-aa39-c518025b1396)

ignoramous commented 3 days ago

Looks like the WireGuard Peer (endpoint) is missing IPv6 routes and so Rethink split tunnels to underlying network (which, it looks like, has IPv6 routes). If you don't know how to check this, please post the screenshot of the WireGuard configuration that's not working for Brave.

OrkoGrayskull commented 3 days ago

This is the WireGuard config, provided by the FRITZ!Box (a well-known router in Germany):

```ini
[Interface]
# keys redacted in the issue
PrivateKey = ***
ListenPort = 52880
Address = 192.168.50.1/24
DNS = 192.168.50.1
# a name rather than an address in DNS= is a search domain for wg-quick
DNS = fritz.box

[Peer]
PublicKey = ***
PresharedKey = ***
# a single IPv4 host; there is no 0.0.0.0/0 and no ::/0 here
AllowedIPs = 192.168.50.201/32
PersistentKeepalive = 25
# no Endpoint line in this section
```

ignoramous commented 2 days ago

Yes: It is missing IPv6 routes.

When this WireGuard is enabled:

  1. What do you see in the footer of the bottomsheet that comes up when you tap on the downward arrow next to START / STOP button on Rethink's homescreen?
  2. In Configure -> Proxy -> Setup WireGuard, do you see labels "IPv4" / "IPv6"?

Can you share screenshots of the above if you're comfortable?

OrkoGrayskull commented 2 days ago

Here are the screenshots:

img1: ![Screenshot_20240615-222642](https://github.com/celzero/rethink-app/assets/67463349/b29f1f13-1e5c-40ee-8178-24b758cba398)
img2: ![Screenshot_20240615-222717](https://github.com/celzero/rethink-app/assets/67463349/9b0e26b4-cb24-40e6-8505-f373581f0b9f)

ignoramous commented 2 days ago

Okay, gotcha.

There's a mismatch in what the underlying network supports (just IPv6)[^f] and what the WireGuard tunnel can (just IPv4).

What do you have set in Configure -> Network -> Choose IP version?

[^f]: The network may probably also support IPv4 with 464 translations like DNS64/NAT64

Lanius-collaris commented 2 days ago

@OrkoGrayskull Did you let the Rethink app import the "server-side" conf file (which doesn't have an endpoint)?
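
To make the mismatch the two previous comments describe concrete, here is an added example (written for this page, not the project's code): it parses a wg-quick style config, reports which address families the peer's AllowedIPs can carry and whether an Endpoint is present, and lists which families of the underlying network would bypass the tunnel. `FRITZBOX_CONF` is the config posted above with keys redacted; `DUAL_STACK_CONF`, its endpoint name and its addresses are made up for contrast.

```python
import ipaddress

# Constructed sample: the config posted in this issue, keys redacted.
FRITZBOX_CONF = """
[Interface]
PrivateKey = <redacted>
ListenPort = 52880
Address = 192.168.50.1/24
DNS = 192.168.50.1
DNS = fritz.box

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
AllowedIPs = 192.168.50.201/32
PersistentKeepalive = 25
"""

# Constructed dual-stack client config for contrast (hypothetical endpoint and addresses).
DUAL_STACK_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.7.0.2/32, fd00:7::2/128
DNS = 10.7.0.1

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> dict:
    """Minimal wg-quick style parser: one [Interface], any number of [Peer] sections.
    Keys are lower-cased; repeated keys and comma-separated values accumulate into lists."""
    iface: dict[str, list[str]] = {}
    peers: list[dict[str, list[str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = iface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, _, value = line.partition("=")  # keys never contain '='; base64 values may
        values = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip().lower(), []).extend(values)
    return {"interface": iface, "peers": peers}


def assess(conf_text: str, network_families: set) -> dict:
    """Compare the address families the tunnel can carry (from AllowedIPs) with the
    families the underlying network offers; report the families that bypass the tunnel."""
    cfg = parse_wg_conf(conf_text)
    tunnel: set = set()
    catch_all: set = set()
    findings: list = []
    for i, peer in enumerate(cfg["peers"]):
        if "endpoint" not in peer:
            findings.append(f"peer {i}: no Endpoint, so there is nothing to dial (server-side conf?)")
        for cidr in peer.get("allowedips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            tunnel.add(net.version)
            if net.prefixlen == 0:
                catch_all.add(net.version)
    for fam in sorted(tunnel - catch_all):
        findings.append(f"IPv{fam}: AllowedIPs has specific prefixes only, no catch-all route")
    bypassed = network_families - tunnel
    for fam in sorted(bypassed):
        findings.append(f"IPv{fam}: the network routes it but no peer does; that traffic bypasses the tunnel")
    return {"tunnel_families": tunnel, "bypassed_families": bypassed, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("fritzbox", FRITZBOX_CONF), ("dual-stack", DUAL_STACK_CONF)):
        result = assess(conf, {6})  # an IPv6-only underlying network, as in this issue
        print(name, "tunnel:", sorted(result["tunnel_families"]), "bypassed:", sorted(result["bypassed_families"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Run against an IPv6-only network the FRITZ!Box config yields tunnel families {4}, bypassed {6}, plus the missing-Endpoint and no-catch-all findings; the dual-stack config yields nothing to report.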

OrkoGrayskull commented 2 days ago

After enabling connectivity checks it works. But I think that should be recognised somehow. The user relies on all the traffic going through the tunnel, which it doesn't really do.

Screenshot_20240616-095258

FYI:

> Does the FRITZ!Box transmit IPv6 network traffic via VPN? The FRITZ!Box can establish VPN connections (IPSec, WireGuard) via both IPv4 and IPv6. VPN connections are therefore also possible if the FRITZ!Box is operated on an Internet access with Dual-Stack Lite (DS-Lite).
>
> However, the FRITZ!Box can only transfer IPv4 data within the VPN tunnel. Access to IPv6 Internet services or devices in the remote network that can only be reached via IPv6 is not possible via the VPN connection. We are working on a solution and will also transfer IPv6 data within the VPN tunnel for WireGuard connections in an upcoming FRITZ!

Source: https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-7590/3732_Ubertragt-die-FRITZ-Box-IPv6-Netzwerkverkehr-uber-VPN

ignoramous commented 1 day ago

> The user relies on all the traffic going through the tunnel, which it doesn't really do.

Here, WireGuard does not have IPv6 but underlying network does. And so, the routes don't match. The current behaviour is to split the tunnel to maintain connectivity (as trying to force IPv6 into IPv4 will result in no internet). In the next version, Rethink will make this split behaviour explicit and show this in the Network Log.

> VPN connections are therefore also possible if the FRITZ!Box is operated on an Internet access with Dual-Stack Lite (DS-Lite)

Rethink cannot add routes that aren't in the WireGuard configuration by presuming some upstream does DS-Lite or 464XLAT or NAT64 or Teredo or ...; this is, unfortunately, untenable and will cause more pain.

> After enabling connectivity checks it works

This should be left enabled, because in your case, the network has IPv6 routes but can also route IPv4 (even though Android doesn't tell Rethink that unless it does its own connectivity checks).

OrkoGrayskull commented 1 day ago

Ok. Thank you. Is connectivity checks enabled by default?

ignoramous commented 1 day ago

> Is connectivity checks enabled by default?

We had it turned ON by default, but folks complained. I think it is better we enable it again.

OrkoGrayskull commented 1 day ago

To which remote station does the check go?

ignoramous commented 1 day ago

https://github.com/celzero/rethink-app/blob/26bb94a7cac16788859a93c57902760c3af630f6/app/src/main/java/com/celzero/bravedns/service/ConnectionMonitor.kt#L270-L284

These don't send any data; they open a socket and then close it right away.

Note that Android itself has DNS and HTTP connectivity probes built in, which is what Rethink relies on when its own connectivity probes are disabled.
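
An added example, not Rethink's code, of the connect-then-close probe this comment describes: it completes a TCP handshake to a fixed target per address family, sends no application data, and records which families the underlying network can actually route. The addresses in `PROBE_TARGETS` are placeholders from documentation ranges and will not answer on a real network; replace them with targets you trust (Rethink's own list lives in the ConnectionMonitor.kt lines linked above). `demo_loopback()` exercises the probe offline against a loopback listener.

```python
import socket

# Hypothetical probe targets, constructed for this example. TEST-NET-1 and the IPv6
# documentation prefix are unroutable by design; substitute real addresses to use this.
PROBE_TARGETS = {
    4: [("192.0.2.1", 53), ("192.0.2.2", 443)],
    6: [("2001:db8::1", 53), ("2001:db8::2", 443)],
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Connect-then-close probe: complete the TCP handshake, send nothing, close.
    Returns True as soon as one address for the target accepts the connection."""
    try:
        infos = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    for family, socktype, proto, _, sockaddr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return True
        except OSError:
            continue  # refused, unreachable or timed out: try the next address
        finally:
            s.close()
    return False


def reachable_families(targets=PROBE_TARGETS, timeout: float = 2.0) -> set:
    """A family counts as routable on the underlying network if any of its
    probe targets accepts a connection. This is what decides whether IPv6
    traffic can be handed to an IPv4-only tunnel or has to go around it."""
    return {
        fam for fam, addrs in targets.items()
        if any(tcp_reachable(h, p, timeout) for h, p in addrs)
    }


def demo_loopback() -> tuple:
    """Offline demonstration: probe a listening loopback port, then the same
    port after the listener is closed. Expected result: (True, False)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)  # ECONNREFUSED
    return while_open, after_close


if __name__ == "__main__":
    print("loopback probe (listening, closed):", demo_loopback())
    # With the placeholder targets this is the empty set; real targets report {4}, {6} or {4, 6}.
    print("routable families:", sorted(reachable_families(timeout=1.0)))
```

The probe never writes to the socket, so the only thing the remote side sees is a SYN, a completed handshake and a FIN; the information leaked is that this device is online, which is the privacy concern raised in the next comment.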

OrkoGrayskull commented 1 day ago

> These don't send any data; they open a socket and then close it right away.

Maybe you should let users define the connectivity check server/endpoint. Or at least choose more privacy-friendly ones.

> Note that Android itself has DNS and HTTP connectivity probes built in, which is what Rethink relies on when its own connectivity probes are disabled.

I know that. But with Android's (GrapheneOS) connectivity check enabled, it's not working. Connectivity check in RethinkDNS must be enabled for my setup to work.

ignoramous commented 1 day ago

> Maybe you should let users define the connectivity check server/endpoint

Defeats the point of these checks as it is now beholden to free-form user inputs. For instance, Android's connectivity checks are not changeable, even on GrapheneOS and CalyxOS (I don't think)?

I think we can let users choose from a list of IPs that their Android has already connected to in the recent past... but building such features costs time, which we'd rather spend on fixing other completely broken features.

> Connectivity check in RethinkDNS must be enabled for my setup to work.

We know (464 translation is common in Europe/US mobile phone networks but not in other places where DS-Lite is) as we see issues with using Android's connectivity checks (#554, #1550). But some people really hated Rethink enabling connectivity checks by default.

OrkoGrayskull commented 1 day ago

I understand. Last question: Are you planning to make local IP addresses accessible after a tunnel has been set up? It is currently not possible to reach local home services.

ignoramous commented 1 day ago

> Are you planning to make local IP addresses accessible after a tunnel has been set up?

Local IP address within WireGuard? These should also be tunneled through them if the Peer endpoint configuration allows for that. If you want to reach these outside WireGuard (over underlying network wifi/mobile/usb etc), turn ON Do not route Private IPs from Configure -> Network.
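
As an added example (not the project's code) of what the "Do not route Private IPs" setting mentioned here amounts to at the WireGuard level: subtract the private ranges from a catch-all AllowedIPs so that LAN and link-local destinations stay on the underlying network while everything else still enters the tunnel. The list in `PRIVATE_RANGES` is an assumption for this example; the thread does not state which ranges Rethink treats as private.

```python
import ipaddress

# Assumed "private" set for this example: RFC 1918, IPv4 link-local, IPv6 ULA and link-local.
PRIVATE_RANGES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
]


def exclude_prefixes(base: str, excludes) -> list:
    """Subtract each exclusion from `base`, returning the covering prefixes that remain."""
    remaining = [ipaddress.ip_network(base, strict=False)]
    for ex in excludes:
        exn = ipaddress.ip_network(ex, strict=False)
        nxt = []
        for n in remaining:
            if n.version != exn.version or not n.overlaps(exn):
                nxt.append(n)                         # untouched by this exclusion
            elif exn.subnet_of(n):
                nxt.extend(n.address_exclude(exn))    # carve the hole out (nothing left if equal)
            # else: n lies entirely inside the exclusion and is dropped
        remaining = nxt
    return remaining


def allowed_ips_without_private(bases=("0.0.0.0/0", "::/0"), excludes=PRIVATE_RANGES) -> str:
    """Build an AllowedIPs line that routes everything except `excludes` through the tunnel."""
    nets = [n for b in bases for n in exclude_prefixes(b, excludes)]
    # collapse_addresses refuses mixed families, so merge each family separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return "AllowedIPs = " + ", ".join(str(n) for n in (*v4, *v6))


def routed(allowed_line: str, ip: str) -> bool:
    """Would this AllowedIPs line send `ip` into the tunnel?"""
    addr = ipaddress.ip_address(ip)
    prefixes = allowed_line.split("=", 1)[1].split(",")
    return any(addr in ipaddress.ip_network(p.strip()) for p in prefixes)


if __name__ == "__main__":
    line = allowed_ips_without_private()
    print(line)
    for ip in ("8.8.8.8", "192.168.50.5", "2001:db8::1", "fd00::1"):
        print(f"{ip:>14} -> {'tunnel' if routed(line, ip) else 'underlying network'}")
```

The output is a few dozen prefixes rather than two, which is why tools compute it rather than type it by hand; with such a line, 192.168.50.5 is reached over whatever network the phone is on, not through the FRITZ!Box, which is exactly the trade-off the setting above makes.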

OrkoGrayskull commented 1 day ago

I have just imported the WireGuard configuration into the WG Tunnel app. If I use it to set up the VPN tunnel, I can reach local IP addresses (in the private network of the Fritz Box) and have the IP address of the Fritz Box on the outside.

OrkoGrayskull commented 1 day ago

To formulate it clearly once again.

If I create a WireGuard VPN configuration in the Fritz!Box, I can roll it out to different apps/programs.

One of them is RethinkDNS. If I install the WireGuard VPN profile there, access to local resources (e.g. 192.168.50.5 (pi-hole)) does not work. The same applies to access to the Internet. Internet destinations are accessed directly via RethinkDNS (if IPv6) and are not tunneled. Traffic only flows reliably through the WireGuard tunnel once the connectivity check has been activated.

If I install the same WireGuard VPN profile in the WG Tunnel app, the result is different. There, access to local resources (e.g. 192.168.50.5 (pi-hole)) works without any problems. All traffic is also tunneled when accessing the Internet.

RethinkDNS is great, but bugs/problems like this are simply annoying.

ignoramous commented 1 day ago

We do not have access to a fritzbox to test what's going on. That's the gist of it.

WgTunnel is a UI wrapper on top of the official WireGuard code. Rethink does way more and has to make sure all the different parts of its feature set (including supporting multiple WireGuards at once) work as expected.

> flows reliably through the WireGuard tunnel once the connectivity check has been activated.

Like I mentioned before, we know connectivity checks are important, but we got a lot of hate emails for enabling it by default. I guess we'll revert to enabling it by default.

> If I install the WireGuard VPN profile there, access to local resources (e.g. 192.168.50.5 (pi-hole)) does not work.

Are you using WireGuard in Simple mode or Advanced mode?

What do you see in Network Log when you try to access pi-hole (using its private IP not domain name)? Tap on the entries in Network Log, which should bring up a bottomsheet, the footer of which should show final connection status (iff the connection has ended).

OrkoGrayskull commented 1 day ago

> Are you using WireGuard in Simple mode or Advanced mode?

I tried both.

> What do you see in Network Log when you try to access pi-hole (using its private IP not domain name)? Tap on the entries in Network Log, which should bring up a bottomsheet, the footer of which should show final connection status (iff the connection has ended).

I can't see any connection attempts in the logs to the IP address.

ignoramous commented 1 day ago

> can't see any connection attempts in the logs to the IP address

Strange. If you know how to fetch logs via adb logcat, can you put Rethink in Very Verbose mode (Configure -> Settings -> Log level), then put WireGuard in Simple mode, capture logs as you try to access pi-hole and email them to me (mz at celzero dot com), if you're comfortable?

Just to be clear, you're trying to access pi-hole via the browser, correct? Not trying to set it up as DNS Proxy?