celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Wireguard unexpected behaviour outside of Allowed IPs range #1769

Open xrob opened 2 weeks ago

xrob commented 2 weeks ago

When using the 'official' wireguard app for android, I am able to set the Allowed IPs field to a CIDR range such as 192.168.0.0/0 and I get the behaviour I would expect, i.e. that all traffic to the 192.168.0.0/0 range is sent through the wireguard tunnel and all other traffic is sent 'in the open' via the device's active network connection.

When I apply the same configuration to the RethinkDNS app, I find that traffic in the range of 192.168.0.0/0 is indeed sent through the tunnel, however all other traffic gets thrown away. As such, I'm unable to use the RethinkDNS app to filter certain traffic through a tunnel, whilst leaving other traffic in the open; this feels like an unnecessary restriction.

ignoramous commented 2 weeks ago

Thanks. The next version, v055o has completely overhauled the routing apparatus. But in the current versions, what you describe should not happen either.

I find that traffic in the range of 192.168.0.0/0 is indeed sent through the tunnel, however all other traffic gets thrown away.

If you're running in Simple mode and/or when running in Advanced mode but without Lockdown turned ON, traffic outside of Allowed IPs must be let through.

xrob commented 2 weeks ago

I think you might be right. Thanks for your quick response.

However, it seems the problem I've been experiencing is caused when the IP address of the Wireguard tunnel's DNS provider is within the CIDR range of the tunnel's Allowed IPs range. When I try to make a web request in the browser, it seems to be the failure of DNS resolution of domain names that makes it appear to me that all other traffic is thrown away.

Having set the tunnel's DNS provider to 1.1.1.1, I do get the expected behaviour described in my initial comment.
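A quick way to spot the situation described in this comment, a tunnel DNS server that falls inside the peer's AllowedIPs so that name resolution itself is routed through the tunnel, is to parse the WireGuard config and test each DNS address against the allowed prefixes. This is an added diagnostic example, not code from rethink-app or the issue; the config, keys and endpoint in it are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample split-tunnel config (not taken from the issue thread).
# 192.168.0.1 lies inside AllowedIPs, so DNS queries to it go through the
# tunnel; 1.1.1.1 lies outside and is resolved via the underlying network.
SAMPLE_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 192.168.0.1, 1.1.1.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.0.0/16, 10.0.0.0/24
"""

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Collect the DNS entries ([Interface]) and AllowedIPs (every [Peer])."""
    fields: Dict[str, List[str]] = {"DNS": [], "AllowedIPs": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in fields:
            fields[key.strip()].extend(v.strip() for v in value.split(",") if v.strip())
    return fields

def allowed_networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    """strict=False tolerates host bits in a hand-typed prefix (e.g. 192.168.0.0/0)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def routes_via_tunnel(ip: str, allowed: List[ipaddress._BaseNetwork]) -> bool:
    """True if the address matches any AllowedIPs prefix (address family must match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in allowed)

def dns_routing(text: str) -> Dict[str, bool]:
    """Map each DNS server in the config to whether it is reached through the tunnel."""
    fields = parse_conf(text)
    allowed = allowed_networks(fields["AllowedIPs"])
    result = {}
    for entry in fields["DNS"]:
        try:
            result[entry] = routes_via_tunnel(entry, allowed)
        except ValueError:
            continue  # search domains may also appear in DNS=; skip non-addresses
    return result

if __name__ == "__main__":
    for server, tunneled in dns_routing(SAMPLE_CONF).items():
        print(f"DNS {server}: {'through the tunnel' if tunneled else 'via the underlying network'}")
```

If every DNS server resolves to True here, a tunnel that is up but not passing DNS will look exactly like "all other traffic is thrown away" in a browser.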

ignoramous commented 2 weeks ago

However, it seems the problem I've been experiencing is caused when the IP address of the Wireguard tunnel's DNS provider is within the CIDR range of the tunnel's Allowed IPs range.

Gotcha. This is something that we have since addressed (or attempted to). It was first reported here: https://github.com/celzero/rethink-app/issues/1700#issuecomment-2359912145