tabjy / android-vpn-tun2socks

GNU General Public License v3.0

How to protect socket #2

Open zmou opened 1 year ago

zmou commented 1 year ago

https://github.com/tabjy/android-vpn-tun2socks/blob/master/app/src/main/java/com/example/test/MyVpnService.java

My socket is created in local Golang, and how do I protect the Golang socket? Thank you!

tabjy commented 1 year ago

I did a little research into this. It seems Go allows you to configure a socket right after initialization before the actual connection by creating a custom Dialer with a Control function set.

I've not attempted this, but I imagine the workflow would be like:

  1. export the VpnService#protect(int fd) function (or your wrapper to it) to Go with reverse bindings.
  2. create a custom Dialer with Control field set to a callback that:
     1. gets the underlying socket fd with conn.Control(func(fd uintptr))
     2. protects that fd by calling protect(int fd) exported from Java
  3. use this dialer for all tunneling sockets.

Alternatively, you could try setsockopt() yourself instead of calling protect(). In which case I'd suggest looking into NetworkUtils.protectFromVpn(FileDescriptor fd) and see how Android implements VPN bypassing with fwmark.

zmou commented 1 year ago

Thank you very much!

// clash listener/mixed: the server socket comes from net.Listen, which offers no Dialer-style Control hook
l, err := net.Listen("tcp", addr)
if err != nil {
	return nil, err
}

https://github.com/Dreamacro/clash/blob/master/listener/mixed/mixed.go In the clash project, mixed package, New function, it created a listening service using net.Listen. I need to get the fd of this listening service. So you can't connect through dial.
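The Dialer/Control workflow tabjy outlines, written out as an added example (not code from this thread, clash or tun2socks). It also goes beyond the thread by covering a listener through net.ListenConfig, which has the same Control hook that plain net.Listen lacks. The Protector type and SetProtector function are assumed stand-ins for the protect(int fd) reverse binding; the protector is invoked between socket() and connect()/bind(), and a refused or missing protector fails the dial rather than silently sending an unprotected socket into the tun.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
)

// Protector is the Java-side VpnService#protect(int fd) callback handed to Go
// via a reverse binding. The name and shape are assumed for this example.
type Protector func(fd int) bool

var protector Protector

// SetProtector is called once by the Android side at startup (assumed export).
func SetProtector(p Protector) { protector = p }

// protectRawConn runs while the socket exists but is not yet connected/bound,
// so the kernel marks it before any packet could be routed into the tun.
func protectRawConn(network, address string, c syscall.RawConn) error {
	if protector == nil {
		return fmt.Errorf("no VPN protector registered for %s %s", network, address)
	}
	var ok bool
	if err := c.Control(func(fd uintptr) { ok = protector(int(fd)) }); err != nil {
		return err
	}
	if !ok {
		// Returning an error makes Go close the fd instead of connecting it.
		return fmt.Errorf("VpnService.protect refused %s %s", network, address)
	}
	return nil
}

// NewProtectedDialer is the dialer to use for every tunneling connection.
func NewProtectedDialer() *net.Dialer {
	return &net.Dialer{Control: protectRawConn}
}

// NewProtectedListenConfig does the same for server sockets.
func NewProtectedListenConfig() *net.ListenConfig {
	return &net.ListenConfig{Control: protectRawConn}
}

func main() {
	SetProtector(func(fd int) bool { fmt.Println("protect fd", fd); return true })
	_, err := NewProtectedDialer().DialContext(context.Background(), "tcp", "127.0.0.1:1")
	fmt.Println("dial result:", err) // connection refused is expected here
}
```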

tabjy commented 1 year ago

You don't need to protect the local SOCKS server

zmou commented 1 year ago

You don't need to protect the local SOCKS server

Call VpnService.protect() to keep your app's tunnel socket outside of the system VPN and avoid a circular connection. I'm going to do it the following way.

ParcelFileDescriptor tunDevice = new Builder()
    .addAddress(VPN_ADDRESS, 32)
    .addRoute(VPN_ROUTE, 0)
    .addDnsServer(VPN_DNS)
    .addAllowedApplication("com.google.android.tethering")
    .establish();

engine.Key key = new engine.Key();
key.setMark(0);
key.setMTU(0);
key.setDevice("fd://" + tunDevice.getFd()); // <--- here
key.setInterface("");
key.setLogLevel("debug");
key.setProxy("socks5://127.0.0.1:7890"); // <--- and here
key.setRestAPI("");
key.setTCPSendBufferSize("");
key.setTCPReceiveBufferSize("");
key.setTCPModerateReceiveBuffer(false);

engine.Engine.insert(key);
engine.Engine.start();

clash started a service listening on port 7890. I'm having a problem with a loop connection on port 7890. Now I don't know how to protect port 7890 from circular connections. In your reply: export the VpnService#protect(int fd) function (or your wrapper to it) to Go with reverse bindings. I tried to do it this way, but it didn't work.