julian-klode / dns66

DNS-based Host Blocker (and lightweight ad blocker) for Android
https://jak-linux.org/projects/dns66/
GNU General Public License v3.0
2.11k stars 200 forks

Support Upstream Proxy/VPN #96

Open anoadragon453 opened 7 years ago

anoadragon453 commented 7 years ago

Hey there, love the ad-blocking features of this app. Only problem is as this uses Android's VPN feature, I'm unable to use my personal VPN service alongside it.

Fortunately however, the service also offers a SOCKS5 gateway, allowing one to use their service through a proxy as well.

As DNS66 takes over the traffic from the phone, is it possible to route it through an upstream proxy/VPN just as it is done for upstream DNS providers?

Thanks!

julian-klode commented 7 years ago

Well, everything is possible, but I'm not really interested in that. There are reasons why I don't particularly like this:

  1. DNS66 only redirects DNS traffic, nothing else. An upstream proxy would require redirecting all traffic, and that has one problem: All that traffic will be accounted to DNS66, making it look quite bad in battery stats.
  2. SOCKS only allows forwarding TCP and UDP traffic, not other forms of traffic. This means that ICMP and stuff stops working.
  3. Implementing support for proxies (and debugging errors later) is a bit too annoying.

What might be fun to do is implement support for upstream VPNs by allowing DNS66 to redirect all traffic to another socket. Then you could have a second app that accepts IP packets on a socket and does whatever it wants with those (heck, you could chain various kinds of services provided by various apps). This solves 2 and 3.
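Point 2 of the comment above, as an added example that is not part of the original thread or of DNS66's code: it reads the protocol field of raw IP packets, as a VPN tun interface would deliver them, and maps each to the SOCKS5 request command (RFC 1928) that could carry it, if any. The function names are hypothetical and the sample packets are constructed.

```python
import struct

# SOCKS5 request commands defined in RFC 1928
SOCKS5_CONNECT = 0x01        # relays a TCP stream
SOCKS5_UDP_ASSOCIATE = 0x03  # relays UDP datagrams

# IANA IP protocol numbers
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
SOCKS5_COMMAND = {6: SOCKS5_CONNECT, 17: SOCKS5_UDP_ASSOCIATE}


def ip_protocol(packet: bytes) -> int:
    """Return the transport protocol number of a raw IPv4 or IPv6 packet."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        return packet[9]   # Protocol field
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        return packet[6]   # Next Header; extension headers are not walked here
    raise ValueError(f"unknown IP version {version}")


def socks5_plan(packet: bytes):
    """Return (protocol name, SOCKS5 command), or None as command if unproxyable."""
    proto = ip_protocol(packet)
    return PROTO_NAMES.get(proto, f"proto-{proto}"), SOCKS5_COMMAND.get(proto)


def ipv4_header(proto: int, src: bytes, dst: bytes) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)


# Constructed samples: one TCP, one UDP and one ICMP packet header.
SAMPLES = [ipv4_header(p, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
           for p in (6, 17, 1)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        name, cmd = socks5_plan(pkt)
        fate = "no SOCKS5 equivalent" if cmd is None else f"SOCKS5 cmd 0x{cmd:02x}"
        print(f"{name}: {fate}")
```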

anoadragon453 commented 7 years ago

Yes, that could work.

Another idea would be for DNS66 to create a DNS server on the device, which the VPN app could then use (the non-root VPN app on F-droid supports this). However that would then allow for the leakage of location/IP as we would now be using the DNS server that's on-device, rather than using the VPN's provided one.

I'm eager for any progress on this, I'm currently using my own VPN full time and as such won't be able to take advantage of ad-blocking until there's some way to meld the two applications' abilities together.

On 03/27/2017 10:47 AM, Julian Andres Klode wrote:

Well, everything is possible, but I'm not really interested in that. There are reasons why I don't particularly like this:

  1. DNS66 only redirects DNS traffic, nothing else. An upstream proxy would require redirecting all traffic, and that has one problem: All that traffic will be accounted to DNS66, making it look quite bad in battery stats.
  2. SOCKS only allows forwarding TCP and UDP traffic, not other forms of traffic. This means that ICMP and stuff stops working.
  3. Implementing support for proxies (and debugging errors later) is a bit too annoying.

What might be fun to do is implement support for upstream VPNs by allowing DNS66 to redirect all traffic to another socket. Then you could have a second app that accepts IP packets on a socket and does whatever it wants with those (heck, you could chain various kinds of services provided by various apps). This solves 2 and 3.


julian-klode commented 7 years ago

3 is actually not a real issue I think, SOCKS support is built into Java. That said, running an unencrypted proxy connection (which SOCKS is) is probably not that useful: Your ISP can read all your traffic, log it, analyse it, forward it, etc. A local non-UNIX socket is probably not safe, I don't think Android blocks ports to the outside world. Sending data around in RPC calls via binder would be interesting.

So, I think adding a forward-all-traffic-to-SOCKS-proxy option is something I could add reasonably well, but I'm not sure if it is really useful. The other options require active collaborations between Android VPN providers, so I'm not sure if it's even worth developing it.

julian-klode commented 7 years ago

That does not seem to be supported for datagram sockets. I'm also not terribly interested in pursuing this.

DejayRezme commented 7 years ago

There might have been a slight miscommunication. I think anoadragon453 only mentioned the SOCKS5 option as a workaround, not as a requested feature. It would be really great if OpenVPN and ad blocking could work together. But I don't understand enough about networking to know if that is possible.