Orbot 16.1.2-RC-tor-0.4.1.5-rc running on Android 10 is not resolving onion addresses when put in VPN mode

[n1m1]

As per title.

I am running Orbot 16.1.2-RC-tor-0.4.1.5-rc on Android 10. In general the app is working just fine but I can't use it anymore in order to connect my smartphone to a self-hosted Nextcloud onionized instance. I have been using Orbot for months without a problems under Android 9. Until few days ago, before upgrading my device from P to Q and using the same Orbot version, everything was just fine.

I have made several attempts to better define the problem. When using Android 10:

0. Orbot is working just fine as proxy. When using it with apps like Twidere (or any other app which has a Config -> Proxy section) there are nor problem at all. I can connect to "normal" and onion domains as well.

1. Orbot is working just fine in VPN mode when connects to "normal" domains. I made a test routing Chromium traffic through Orbot using the VPN mode and everything was fine.

2. Orbot is NOT working in VPN mode when connects to onion domains. I made several tests with Nextcloud for Android, an ssh client, Davdroid or browser to connect to the onionized Nextcloud instance.

There is no need to say that the onionized Nextcloud instance is working and using my laptop (or Tor Browser on my phone) I can connect without problems.

Any help would be really appreciated. Cheers.

[n8fr8]

Thanks for the report. Looking into this today. Definitely related to the code for handling Tor specific DNS In the VPN adapter.

[n1m1]

Thanks for your answer and help. I will be glad to test a fix for Orbot version and see if that works. Cheers.

[n1m1]

Hi, I have a question. It is not clear to me whether this bug is reproducible on other Android 10 phones, or it is just me. In the first case, while I am waiting for a fix to be pushed out, is there any workaround that you can suggest? Unfortunately NC does not seem to be interested in deploying a local proxy setting in their Android client (issue https://github.com/nextcloud/android/issues/606) .

Apologies, I do not mean at all to bother Guardian Project team, nor asking for ETA and I am grateful for the excellent work you have done in the previous 10 years. However, onions are important for me - even on my phone - and not being able to use them make me feel like I am impaired.

Thanks for your help and time.

[n8fr8]

We are working to reproduce on Android 10. We hope to have an update tomorrow EOD.

In other news, we are helping build an app called SAVE by OpenArchive, which is a WebDAV client with Tor support (https://open-archive.org/). It may not do all you need, but for at least being able to backup from your device to an Onion-based NextCloud, it should soon work.

[n1m1]

Hello, I am testing the new beta (16.1.3-BETA-1-tor-0.4.1.6-rc) on Android 10. Unfortunately the problem is still present. When put in VPN mode Orbot does not solve onion addresses.

Cheers

[n8fr8]

Have you looked into the "Private DNS" feature in Android 10, under Network & Internet? Is it on? If so, then Orbot will not be able to intercept DNS. Please try turning it off and seeing if that improves your ability to resolve Onion addresses.

[navbas]

Using 16.1.4-RC-1-tor-0.4.2.5-RC on Xiaomi mi series Phone. My Andriod updated to 10 today. After that orbot stopped working on bridge using any OBFS4 bridges. I didn't find Private DNS on Xiaomi MiUi settings anywhere. But I don't think the problem related to that. Orbot was working fine on Android 9 on the same phone with obfs4 bridges.

[galeksandrp]

I am confirming this issue on Android 10 (LineageOS 17.1 built 2020-02-23) with Orbot 16.1.4 rc1 f-droid. Disabling Private DNS (DNS over TLS) fixed the problem.

Seems that Private DNS cannot be overridden by Android VPN API. Related issue.

[n8fr8]

Glad that private DNS change fixed it for you. For others still having problems, there is a new build out that addresses other Android 10 related issues with obfs4proxy: https://github.com/guardianproject/orbot/releases/tag/16.2.0-BETA-2-tor-0.4.2.7

@galeksandrp still looking into how to programmatically override the private DNS settings. we already set our own DNS, but it seems like browsers still try to use it.

[n1m1]

Yeah, same here. VPN mode now is working with Orbot 16.2.0-BETA-3 tor-0.4.2.7 but Private DNS still needs to be disabled. Well, better than nothing.