erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

SO_MARK support #33

Closed ghost closed 4 years ago

ghost commented 4 years ago

Hi, can you add an option to mark wstunnel packets, as realized in v2ray?

erebe commented 4 years ago

Hello,

Sorry but I don't understand your question :'( What is v2ray ?

ghost commented 4 years ago

v2ray is software to bypass the China firewall. I want to use your wstunnel, but I need the SO_MARK option. In C or Golang I can add SO_MARK to a socket via setsockopt and route it via ip rule. I can't find a method to add it in Haskell, maybe you can help.

erebe commented 4 years ago

It is not available in Haskell as it is dependent on the platform; SO_MARK exists only in Linux. I can look if there is a custom bypass, but I am not sure.

Out of curiosity, how does v2ray work? Why do you need ip rule to route the traffic?

ghost commented 4 years ago

I combined VPN+v2ray on an Android phone. Android uses fwmark for internal routing, and if I set the v2ray fwmark to 0x20000 it can bypass the Android VPN Service and connect directly to the server. My VPN client connects via v2ray to the destination server and all works. VPN-Client -> v2ray-client -> (websocket traffic via Internet) -> v2ray-server -> VPN-Server

erebe commented 4 years ago

Ok, thanks for the explanation :) I will look this weekend if it is possible to add SO_MARK

erebe commented 4 years ago

I have a proto working, can you tell for which arch do you need the binary ? {x86, armv7, aarch64}

ghost commented 4 years ago

aarch64 :)

erebe commented 4 years ago

ack, I will do a release tonight or tomorrow as I have to spawn somewhere an aarch64

erebe commented 4 years ago

here we are, would you mind testing this release ? https://github.com/erebe/wstunnel/releases/download/SO_MARK/wstunnel

ghost commented 4 years ago

@erebe sorry, I checked the commits and can't find where I need to set a custom mark value, maybe command-line args or something else

erebe commented 4 years ago

it is on by default, so nothing to do normally if it is supported by the kernel. Your packet should be marked without anything extra

ghost commented 4 years ago

It needs to be configured with some custom value, and via ip rule it will be detected by mark value and routed

ghost commented 4 years ago

SO_MARK (since Linux 2.6.25)
              Set the mark for each packet sent through this socket (similar
              to the netfilter MARK target but socket-based).  Changing the
              mark can be used for mark-based routing without netfilter or
              for packet filtering.

erebe commented 4 years ago

The mark should be 1 for now (that's the value I passed to setSocketOption); before making it configurable I would like to see if it is even working on arm ;x

P.s: Sorry for the lack of explanation ;c

ghost commented 4 years ago

Tested now, I think all works well. I set ip rule add pref 9000 from all fwmark 0x0/0x1 iif lo lookup wlan0 on my Android phone and your wstunnel+WireGuard is working well; without the ip rule it is not working. In Android, packets marked 0x20000 can bypass the Android VPN without adding a routing rule, so can you set it to 0x20000 (131072 in decimal) or add a command-line arg to set the value (it's preferable). And one more feature request: in Haskell can you change the SNI in the ClientHello packet? If I need to simulate a connection to a site whose domain is not mine, I need to modify my hosts file or inject DNS. It would be good if the domain name could be set separately from the wstunnel server IP. Thanks 👍

erebe commented 4 years ago

Going to add an option to configure the value. Regarding the SNI, it has been asked several times already but I won't do it as it is too low level in the library I use, so I don't have access to it. I can do it if I fork the lib, but I would rather avoid doing that?

erebe commented 4 years ago

Here we are, https://github.com/erebe/wstunnel/releases/download/v3.0/wstunnel-aarch64 You now have an option --soMark where you can put the value you want :)

If it is working for you, I would be glad if you have time to write a short page about your setup, so I can link it in the readme

erebe commented 4 years ago

Ping @B1oHazard regarding a little explanation of your interesting setup. Just a paragraph or 2 would be enough, I am sure it can be appreciated by a lot of other people :)

mokhtarabadi commented 3 years ago

More information here: https://stackoverflow.com/a/38764232 but this method needs root access on Android devices. I plan to develop a VPN based on wstunnel for Android devices and I need some changes in wsocket; I'll create an issue for that in the future (currently I don't know Haskell!)