App does not work with Wi-Fi but works with mobile internet

[isaackielma]

Platform: Android, Message: My problem is that the app does not work with Wi-Fi but works with mobile internet. This happened two days ago and it is not just my problem. Some of my friends are also facing this problem.

mysterium-node.log m

[Snawoot]

It seems we're banned in Iran:

2021-12-07T11:47:03.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:07.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:16.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:20.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:29.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:31.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "pilvytis.mysterium.network" error="lookup pilvytis.mysterium.network: No address associated with hostname"
2021-12-07T11:47:33.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:42.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"
2021-12-07T11:47:46.000 WRN app/requests/dialer_swarm.go:293 > Failed to lookup host: "broker.mysterium.network" error="lookup broker.mysterium.network: No address associated with hostname"

For some reason ban is not effective on mobile connection.

[PatriceVignola]

A feature that would fix this would be to give the option to wrap the connection in an SSL layer (e.g. Stunnel), This would make it seem like the user is just using any other SSL traffic and make it hard to block. This is something I could implement if there's interest for it from the Mysterium team. I haven't used Stunnel in Iran, but I used it in Egypt where most VPNs are blocked and it worked flawlessly (although it's obviously slower than not wrapping it in an SSL layer).

[Snawoot]

Hello, @PatriceVignola

At this moment Mysterium relies on few central services for following purposes:

• Discovery of other nodes proposals.
• Initial communications to build P2P connections.
• Payment-related operations and access to blockchain RPC API.

All these interactions are performed via HTTPS except interaction with message broker (NATS protocol). Therefore TLS is already employed in almost all cases. There is a proposal to get rid of centralized discovery, but we're far from there yet.

Sessions between nodes for actual connection are two UDP sessions: one is pristine Wireguard for VPN itself, another is KCP (see it as sort of TCP over DTLS) session for invoices and service requests. We use UDP for all P2P communications because it makes it possible to use NAT hole punching to establish direct connections between consumer and provider.

What happened in this case is access to these central servers was blocked. Skipping excess details, bans usually have following filtering criterias:

• DNS filtering (we see it in log above as lookup errors).
• Block of server IP (likely it's the cause of 2021-12-07T11:37:39.000 WRN app/communication/nats/connection_wrap.go:117 > Failed to connect to NATS servers [nats://broker.mysterium.network:4222 nats://broker.mysterium.network:4222 nats://51.158.129.204:4222 nats://broker.mysterium.network:4222 nats://51.158.129.204:4222 nats://broker.mysterium.network:4222 nats://51.158.129.204:4222 nats://51.158.129.204:4222], will reconnect again error="read tcp 192.168.1.33:35055->51.158.129.204:4222: i/o timeout").
• TLS names filtering. Mostly it's SNI filtering, but sometimes names in X.509 certificates are also checked. Later is lesser concern because since TLS 1.3 certificates in TLS ServerHello messages are encrypted.
• Some well-known protocol signatures.

The approach you've proposed (wrap things into TLS) indeed works perfectly as long as it's not a well-known service which connections metadata (domains, IPs, certs) are also well-known. Unfortunately, it won't be sufficient alone in case of public service. More insights on that subject can be found in MIP about state censorship circumvention. By the way, feedback will be really helpful. This improvement proposal, however, is a long road to go. So maybe we need something "for now".

Speaking of Egypt and VPN bans, I've made some effort to validate our beliefs about TLS, names and censorship. I've made few opensource versions of clients for popular VPN services which actually do work somewhere in Egypt, Russia, ... etc:

• hola-proxy
• opera-proxy
• windscribe-proxy

These applications replicate browser extensions (or browser itself in Opera case) and provide access via HTTP-over-TLS proxies used by original apps as a plain HTTP proxy on local port. These implementations have few changes which make them work in censored environment:

• There is an option to use DNS-over-HTTPS or DNS-over-TLS or DNS-over-QUIC or DNSCrypt.
• SNI is supressed for TLS client handshake.

So, approach you've proposed indeed works to some degree if we manage to hide attribution of connection to specific VPN service.

This way in order to unban access to central servers right now, we can go following ways (one or both):

• Suppress SNI and allow use of custom encrypted DNS resolvers. It doesn't solve IP ban problem, though.
• Allow use of proxies for connections to central servers. This way we can make possible to assist Mysterium with own proxies to reach central servers.

Please let me know what do you think about all of this.

[isaackielma]

Possible solutions to the issue were addressed no further discussions were brought up. Closing this issue.