Support for local proxy - e.g. for Orbot (Tor)

[github-user-1]

Actual behaviour

-Tell us what happens The nextcloud app can't connect to .onion nextcloud-servers

Expected behaviour

-Tell us what should happen There should be an option (like many other apps do have, e.g. Privacy Browser, Davdroid, ...) do route traffic through a local proxy (e.g. localhost:8118). Orbot is one of the android proxies that enables access to Tor.

Steps to reproduce

1. Enter a valid .onion nextcloud server address - it's not recognized
2. There is no option to enable a local proxy either

Environment data

Android version: 5.1

Device model: Fairphone

Stock or customized system: Stock

Nextcloud app version: 1.4.0, F-Droid

Nextcloud server version: 11.0.1

[mario]

You should be able to configure Android to use proxy.

Connect to WIFI network (e.g. 'Mario') Settings->WIFI Long tap on connected network's name (e.g. on 'Mario') Modify network config-> Show advanced options Set proxy settings

Would that work? :)

[github-user-1]

That's a well known option, however, doesn't help since this must be at an app-level and the option mentioned is affecting the whole connection. Google themselves and several other companies don't like to get traffic from specific routers and they block the account in that case. Therefore it must be on an app-level and this is why quite some sensible apps include this feature in the meantime.

[mario]

Thank you for the explanation of the use-case. We will consider your request.

Keep in mind this would probably be an app-level setting, rather than a per-account setting - is that ok? :)

[github-user-1]

Yes, absolutely. The idea for quite some people is to have some kind of traffic (like e.g. davdroid, ...) to be routed differently.

Just btw - another argument against using the Wifi setting in that case is when moving/travelling and switching between connection methods, e.g. switching between different WLANs and 3G/4G networks.

[mario]

@github-user-1 would you be so kind to post a screenshot of where these tools hide the proxy settings? I would like to avoid putting it in the login procedure.

[AndyScherzinger]

Davdroid is GPL3 -> https://gitlab.com/bitfireAT/davdroid and we also integrated the login process to some extends so we can talk to them if they are fine with taking a peek there and incorporate the code for the proxy part to also support this. cc @rfc2822 from bitfire :)

[mario]

@AndyScherzinger true, but it's still possible that some users don't have davdroid and want proxy.

[mario]

(If you meant getting the proxy settings directly from the davdroid app)

[github-user-1]

Here you go (screenshots of Davdroid and Privacy Browser):

[mario]

While I do not understand this "weird" language, I understand the intention. Thank you very much @github-user-1 - I can't promise when will this be implemented, but it will be done - I'm hoping 1.6.x since for 1.5.x we're already quite at full capacity :(

[github-user-1]

Same screenshots in English :-)

[strugee]

Probably the best way to do this would be to add a toggle for using Tor and display it only when Orbot is detected on the device. I don't really see a usecase for an app-specific proxy for anything but Tor.

Thoughts?

[alecbl]

What usecase does Tor have that I2P doesn't? And maybe other options now, or in the future.

[QuibblingAsh42]

Following up to alecbl's comment: I2P is one option I'm currently investigating instead of Tor. I generally only use Tor via TAILS, not my phone. I don't need absurd levels of security for my day-to-day things, but am setting up my new NextCloud instance on I2P primarily to make it not as easily accessible. I don't need to open a port to my webserver through my firewall, thus minimizing script-kiddie-like attacks because the server's not accessible on the clearnet. I can also limit who can access the site at all by requiring a specific key, thus protecting my stuff better than I could on the clearnet.

There are other options out there as well, so this is better served as an app-specific setting. For example, I'd been playing around with using OpenVPN to connect to my internal network, and once there I use an internal proxy to get to the Internet. I'd need to bypass that proxy for NC to cut out an extra hop through the proxy.

That being said, it would also be helpful if we could make that setting PRIOR to setting up the app. Like Tor, I2P has it's own domain extension (.i2p), and these sites are only accessible via the I2P proxy. Since my NC instance lives at an .i2p address, I can't access it initially to set it up. I'm thinking the only way to do it right now is set a system-wide proxy, get the NC app setup on my phone, and if it were available (I don't know if you've implemented this feature yet), then set the app-specific proxy settings and turn off system-wide. Would be better to have a "setup a proxy" option on the initial login if app-specific is implemented.

Thanks!

[ghost]

What is the status of this issue, any updates? I would also highly like a orbot option :)

[tobiasKaminsky]

While this is a nice enhancement, I fear that we currently do not have the time to do this. (3.1 will be mainly a bug fixing release, so removing milestone)

[amuuza]

Any update on the status? I would also like to connect it through Orbot.

[bakkegaard]

You can already do this. From Orbot you can choose "VPN mode" and select the Nextcloud app.

[amuuza]

That does not work. At least for me. Did you manage to connect the Nextcloud Android client to a .onion Nextcloud server?

[bakkegaard]

Yes. Did you remember to put "http://" in front of the address?

[amuuza]

Hey, it works! I tried again, doing the same, and now it works, don't know why. Thank you!!

[lnuser]

Would you consider giving this a higher priority. Also I don't think it would be too difficult to implement. The problem with the VPN mode in Orbot as a work around is that then you can't use normal VPN anymore. Or at least not at the same time as you're using Nextcloud

[dali-does]

@amuuza @bakkegaard I am currently trying to configure the same setup, but am unable to get it to work. I can access the server through the Tor Browser, but not through the Android app (v. 3.5.0, F-droid v. 1.5.1). VPN mode is activated for the Nextcloud app. Adding http:// does not help, it still gives the Could not find host-message.

Could you confirm whether you are still able to do this? What version(s) are you running?

[amuuza]

I am still using version 3.4.2 and it works for me. Did you check first the app can connect to a Nextcloud server without Tor? Do other apps work ok through Orbot?

[JJohnGreenSr]

Any update on this? Orbot support would be very much appreciated!

[tobiasKaminsky]

This is currently unsupported and we don't have support for it on our current roadmap. We would accept patches, if you feel like developing this feature.

If you can't develop it yourself you can of course also contact our sales team and become a customer - we develop features our customers need...

[cm157]

Anyone willing to find this feature I can commit to $500. Maybe others join me ?

[amuuza]

If you are ok without having a specific button for that feature, this easy solution works:

In your Android Nextcloud app configure your account with your user and onion address. Set Orbot to VPN-mode and select the Nextcloud app so that it torifies it. That's all.

[cm157]

In your Android Nextcloud app configure your account with your user and onion address.

Set Orbot to VPN-mode and select the Nextcloud app so that it torifies it.

It is a far from ideal solution. First, I am not specifically interested in Orbot support just socks5 proxy or http that is sufficient to allow folks in non permissive environments access censored or denied services. Second for onion use this setup would require user to accept that all connections for the whole phone and all apps either go out over Tor or are deny those apps network access all together. For a lot of reasons this is not good. Simple http or proxy support at application level gives user far more granular control over his or her network

[amuuza]

for onion use this setup would require user to accept that all connections for the whole phone and all apps either go out over Tor or are deny those apps network access all together.

That is not correct. Orbot's VPN-mode lets you select which apps you want to torify.

That does not always necessarily mean that your chosen app will be completely anonymised, but you can Tor-enable it individually.

[amuuza]

That does not always necessarily mean that your chosen app will be completely anonymised, but you can Tor-enable it individually.

I mean that tor-browser is not just a torified Firefox, there's much more work there. Some programs get completely anonymous just by torifying them, others don't.

[cm157]

for onion use this setup would require user to accept that all connections for the whole phone and all apps either go out over Tor or are deny those apps network access all together.

That is not correct. Orbot's VPN-mode lets you select which apps you want to torify.

That does not always necessarily mean that your chosen app will be completely anonymised, but you can Tor-enable it individually.

This is not correct.

[amuuza]

What exactly is not correct? Please elaborate.

[andreas1107]

If I choose Nextcloud to be torified via Orbot, I must also select "forbid non-VPN" connections to avoid leakage. This means ALL connections must go via Orbot.

Can Nextcloud implement its own killswitch, so that it will not connect unless via Tor?

[damascene]

Hi, Any update on this issue? would be nice to be able to sync with a self hosted tor service without a need for a static ip or 3rd party service.

[joshtrichards]

Update: Proxy support is now implemented (#12312) since it was requested by a customer of Nextcloud GmbH (from what I can tell). It is initially targeted at custom builds only, however, since there is currently no in-app UI for configuring it (it's a compile-time only option).

If someone in the community wishes to implement a Settings UI, the underlying pieces are in place.