ukanth / afwall

AFWall+ (Android Firewall +) - iptables based firewall for Android
GNU General Public License v3.0

Android 9 (Pie): Tor control does not work #1014

Open jw243 opened 5 years ago

jw243 commented 5 years ago

I cannot get Tor control to work on Android 9.

Orbot is up and running, Wifi checked for the app. As soon as I check the Tor check box, traffic of the app is denied.

Does Tor control not work (yet) on Android 9?

jw243 commented 5 years ago

Orbot 16.1.2-RC-2 (latest), MotoX4, Lineage 16.0.

Where would I find the AFWall log file?

Thanks.

tusch001 commented 4 years ago

Most likely related to issue #983. The log there says something about not being able to initialize the nat table. Then it was Orbot 16.0.5 and AFwall 3.1.0 on LineageOS 16 on a clean install. Just turning on tor control in settings / rules throws the error.

Still the same with Orbot 16.1.2-rc2 and AFwall 3.2.0-BETA.

When I use rules in my custom script with -t nat they do work.

If you need more info / tests please let me know. I'm also very interested in getting this fixed.

Thanks

tusch001 commented 4 years ago

Playing around with custom scripts I just realized that even in the terminal of LineageOS 16 /system/bin/iptables -t nat -F throws an error if there are no nat rules defined yet / not set in custom script.

Is AFwall flushing the nat table before applying its rules? This would explain why I could not activate tor control.

I also remember reading something similar in issue #993 although concerning ip6tables.

I don't know enough about android but maybe this is worth looking into it. Could be LineageOs related.

ProjectMoon commented 4 years ago

I'm having a similar problem. Tor control works over WiFi, but not cellular. It's not Orbot (it works fine in VPN mode). There's something funky with the rules generated by AFWall+. No failures are shown in the logs, but it's clearly something in the firewall. Using 3.1.0 and Orbot 16.1.2-RC2. OnePlus 6 with Oxygen OS 9. Is there something I can upload to help with this?

Edit here's the rules and detailed logs: https://gist.github.com/c8c0e093c27a469df8b6edb6063c5f3c

tusch001 commented 4 years ago

@ProjectMoon

(just to make sure you don't have a DNS issue) I don't really know much about iptables but I have looked quite a lot at these logs in recent days. In your log nearly every connection (e.g. afwall-lan, afwall-3g-home and afwall-vpn) has port 53 blocked, but not afwall-wifi and afwall-3g. And the Afwall log doesn't show the nat table. How do you give access for resolving dns with cellular? Do you use -t nat to orbot dns on port 5400? (I don't know which of the afwall-3g-... chains is used on your cellular.)

I spent far too much time to solve my problems (on another device / os) and most of the time when there was nothing in the logs it was a blocked port for dns (udp with port 53 or tcp with port 853 for private dns).

For testing I would recommend to activate netd in settings - binaries and allow dns on every connection. And / or try pinging google dns (8.8.8.8) in terminal. edit: just test with iptables -A OUTPUT -p udp --dport 53 -j ACCEPT at the beginning of your script (correct iptables path if necessary)

And unfortunately afwall doesn't clear all rules totally. You should do it manually while testing. I have a script with a shortcut for this.

Just a thought.

I rather hope this is your problem because this can be fixed (more or less) easily.

ProjectMoon commented 4 years ago

Currently I have only some apps going through Tor, with no custom rules currently. Not sure what the rules are doing exactly. I'll try this out later today though.

ProjectMoon commented 4 years ago

Also should mention I'm using Android 9 private DNS, pointed to Cloudflare.

ProjectMoon commented 4 years ago

When I try pinging, I get this:

PING firefox.com (63.245.208.212) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

This means DNS is working, but other traffic is blocked in some way.

ProjectMoon commented 4 years ago

Bit more info: ping works as root. So that was just a permissions issue. Curl can load HTML through Tor. But for some reason, traffic in other apps is still broken. Firefox gives a connection reset error.

tusch001 commented 4 years ago

@CHEF-KOCH I'm not so sure any more if NAT works at all on my LineageOS 16 device. I just never got errors with the rules in my custom script. Reading on the web my error messages in the terminal and afwall logcat (and the same one in post 993) could mean that the kernel has deactivated nat / isn't compiled with nat support.

I don't have an official lineage build (device too old). But I wrote to the developer over at XDA. If I get an answer I will let you know. Maybe you together with the team from the guardian project can figure out a way around this without using nat.

Just to let you know. Error might not be in afwall app itself.

Thanks anyway for looking into it.

tusch001 commented 4 years ago

@ProjectMoon On LineageOS 16 (= Android 9) private DNS uses the tcp protocol on port 853. I don't know about Stock Android Pie but I would assume it's the same. (I already wrote this in another issue because afwall DNS with UID -12 doesn't open this.) I know because it took hours for me to find out. Since private DNS is already encrypted there is no need to send it over tor. Edit: tor uses its own DNS, therefore no problem (don't know how exactly), and your wifi is open to port 53 (maybe fallback in Android if private dns is not working?)

My solution at the beginning of my custom script (adjust path if necessary):

IPTABLES=/system/bin/iptables

#DNS
# in Android networks settings my private dns is set to "dns2.digitalcourage.de" (without "")
# digitalcourage.de (DigitalCourage)
DNS_1=46.182.19.48
# alternative
# dnscache.berlin.ccc.de
DNS_2=213.73.91.35

#Allow access in all connections
$IPTABLES -A "afwall" -d $DNS_1 -p tcp --dport 853 -j ACCEPT
$IPTABLES -A "afwall" -d $DNS_2 -p tcp --dport 853 -j ACCEPT

ProjectMoon commented 4 years ago

Unfortunately that doesn't work. My problem isn't with DNS, based on the ping test. It can resolve IPs, but apps can't have any traffic.

tusch001 commented 4 years ago

@ProjectMoon And exactly because ping 8.8.8.8 is working I think you have a dns problem :-) If you go to google.com in your browser, dns is used to find out which ip address is behind this. With ping you don't need the lookup because you supply the ip address in the parameters.

And wifi is open for port 53 to look this up (I guess it's fallback).

Sorry, I forgot to mention: (in terminal) ping -c 1 -W 1 google.com | grep PING|cut -d "(" -f 2|cut -d ")" -f 1 uses dns to find the ip address. Compare the output to ping 8.8.8.8. Edit: the ip address is not the same but you should get an ip address as answer in the first line.

I really don't want to annoy you but from my hours of getting my setup working I'm 99.99999% sure you have a dns issue. Especially using private dns. Because afwall doesn't support that yet (at least with lineageOS). Maybe Stock Android 9 uses a different port? Maybe you can find out on the web.

But first I would activate netd in afwall settings - binaries so that in afwall rules port 53 is not blocked and also turn off private dns in android settings. You need to reboot your device. Then test again.

ProjectMoon commented 4 years ago

The reason I don't think it's a DNS issue is because the terminal could resolve IPs and pages fine through Tor. But maybe the terminal doesn't respect the private DNS settings?

tusch001 commented 4 years ago

Tor does the lookup differently. For connections to the tor network it starts with fixed ip addresses and then dns requests are sent through these "tunnels". I know it works differently (but don't know exactly how) because on my older phone with Android 6 there is no private dns and I reroute port 53 (which I have blocked) to orbot with ip 127.0.0.1 and port 5400. Orbot provides this service when activated as vpn natively and sends the dns request to the dns server. The answer is collected by orbot and given to the requesting app.

But if afwall blocks the connection between the app and orbot by blocking port 53 (when netd is deactivated / private dns port not open / not supported) the app can't resolve ip addresses. Maybe Android falls back on port 53 when private dns is not working? But because port 80 (http) / port 443 (https) is open between app and orbot you can still ping 8.8.8.8.

Just test it with dns widely allowed on port 53 and forget private dns for the moment as I suggested in the last sentence. Also make sure in afwall to check every box for tethering / dns (uid -12). Just to make double sure port 53 is open.

Does the second ping with google.com in it work?

tusch001 commented 4 years ago

@ProjectMoon small correction fyi: I think ping uses the ICMP protocol and port 0 (?). This should always be open by afwall because it is needed for network communication. That's why ping 8.8.8.8 works as soon as there is any mobile connection.

ProjectMoon commented 4 years ago

I also tried curl.

tusch001 commented 4 years ago

I would not completely rule out a dns issue as long as port 53 is blocked on some 3g rules (the ones which start with af-wall-3g-... in your log). Only the developers probably know when one of these is used. And wifi is working (no blocked port on afwall-wifi chain) That's why I would deactivate private dns and allow dns on all connections. I would even activate netd in settings. And check all boxes for uid -12.

Then: (a) you can use apps with tor = dns issue; (b) still blocked = problem somewhere else.

But before you go on check your logs. Because often in my case afwall didn't delete old rules even with deactivating the rules in the app. Especially those related to port 53. That was more than annoying. There is so much going on in the background. I always flushed all chains in the terminal and often rebooted. And then I checked in the rules protocol.

Do you still have blocked port 53 somewhere in your log?

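The thread keeps coming back to the same question: which AFWall chain still carries a rule blocking port 53 (or 853 for private DNS)? Reading that out of a long iptables -L -n dump by eye is error-prone. The script below is an added example, not part of this issue or of AFWall+; it scans a dump for DROP, REJECT or afwall-reject rules on dport 53/853 and prints the chain each one lives in. The dump embedded in it is constructed for the demonstration and is not a real device log; on a phone you would pipe the real output of iptables -L -n (as root) into the function.

```shell
#!/bin/sh
# Scan an "iptables -L -n" dump for chains that reject or drop DNS (udp/tcp 53)
# or DNS-over-TLS (tcp 853). Constructed sample below; it is not a real AFWall+ dump.
SAMPLE_DUMP='Chain afwall (2 references)
target     prot opt source               destination
afwall-wifi  all  --  0.0.0.0/0            0.0.0.0/0
afwall-3g  all  --  0.0.0.0/0            0.0.0.0/0

Chain afwall-wifi (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            owner UID match 10213

Chain afwall-3g-home (1 references)
target     prot opt source               destination
afwall-reject  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
afwall-reject  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:853

Chain afwall-vpn (1 references)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:853
'

# Reads a dump on stdin and prints one line per blocking DNS rule:
#   <chain> <proto> <port> <target>
# Targets treated as blocking: DROP, REJECT and AFWall's own afwall-reject chain.
find_blocked_dns() {
    awk '
        /^Chain /            { chain = $2; next }   # remember which chain we are in
        /^target/ || NF == 0 { next }               # skip header and blank lines
        $1 ~ /^(DROP|REJECT|afwall-reject)$/ && $0 ~ /dpt:(53|853)( |$)/ {
            match($0, /dpt:[0-9]+/)
            print chain, $2, substr($0, RSTART + 4, RLENGTH - 4), $1
        }
    '
}

# On the phone (as root):  iptables -L -n | find_blocked_dns
# Offline, against the constructed sample:
printf '%s' "$SAMPLE_DUMP" | find_blocked_dns
```

Against the constructed dump this reports afwall-3g-home (udp 53 and tcp 853) and afwall-vpn (udp 53) and stays silent on afwall-wifi, where port 53 is ACCEPTed. An ACCEPT for 853 in a chain that drops 53 is exactly the private-DNS situation discussed above, so both ports are reported separately.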
tusch001 commented 4 years ago

@ProjectMoon Do you use curl in Android terminal / shell or in a separately installed app like Termux or Terminal Emulator? In the last case there should be no difference to a browser app. In the first - under which uid is it listed in afwall?

ProjectMoon commented 4 years ago

I'm using curl in termux. It works fine over Tor. However, termux might be using 8.8.8.8 directly for DNS. In any case, I tried your suggestions. Still the same result. New rules here: https://gist.github.com/ProjectMoon/c8c0e093c27a469df8b6edb6063c5f3c

ProjectMoon commented 4 years ago

Firefox reports secure connection failure because the data could not be verified.

tusch001 commented 4 years ago

I don't know about firefox (does it relate to a blocked port 443?). Anyway, in your rules port 53 is still blocked, 4 times (lines 116, 125, 145, 157). The first is the afwall-vpn chain (you do use orbot vpn, don't you?), so we have to open this for troubleshooting. My suggestion: go around afwall by adding the following in a custom script:

IPTABLES=/system/bin/iptables

# Allow dns access in all connections
$IPTABLES -A "afwall" -p udp --dport 53 -j ACCEPT

# just in case somewhere dns uses tcp protocol (unlikely)
$IPTABLES -A "afwall" -p tcp --dport 53 -j ACCEPT

tusch001 commented 4 years ago

@ProjectMoon just checking: both log files look exactly the same. Is the second link a new file (the link is also the same)?

ProjectMoon commented 4 years ago

It should be a new file but I'll double check. I don't use orbot in VPN mode. AFWall redirects traffic to the transparent proxy.

ProjectMoon commented 4 years ago

Results of accepting all DNS: I can load duck duck go, but other websites give connection reset errors.

tusch001 commented 4 years ago

Ok dns only one problem.

Then there are dropped packets in the chain of fw_standby. I don't know what that chain is for. I don't know the apps to your uid but probably browser, orbot, ...

On my lineageos 16 without tor connectivity this chain is not there. Can't activate tor for comparison because afwall crashes. On android 6 with a setup similar to yours this chain does exist but doesn't drop anything (no entry).

How about another custom rule for testing?

$IPTABLES -A "fw_standby" -p tcp -d 0.0.0.0/0 -j ACCEPT
$IPTABLES -A "fw_standby" -p udp -d 0.0.0.0/0 -j ACCEPT

if everything works with this quirky work-around I would activate private dns in android settings and test if now $IPTABLES -A "afwall" -p tcp --dport 853 -j ACCEPT works.

tusch001 commented 4 years ago

Erm, maybe fw_standby is inserted by orbot or the system to block internet when in standby? So unrelated?

tusch001 commented 4 years ago

I'm still not sure about that log link.

Edit: my app showed only the original, found the revision with the browser - sorry. will have a look

Created 11 hours ago? is that correct? https://gist.github.com/ProjectMoon/c8c0e093c27a469df8b6edb6063c5f3c/revisions

tusch001 commented 4 years ago

When you get connection resets in your browser - does afwall show a toast about blocking an ip / which uid (kernel / android / browser)? Have you allowed root apps (uid 0)?

ProjectMoon commented 4 years ago

https://gist.github.com/ProjectMoon/a42b7b4cc0b60e40ec546e4e4651fda5 is the correct gist. Whether or not it's the right log is another question. No toasts from the firewall when browsing. The root apps are allowed, but not forced through Tor.

tusch001 commented 4 years ago

I'm still wondering why port 53 is partially blocked. It should not show up anymore in your log with netd activated as dns proxy in afwall settings - binaries (please check again). Can you flush your rules manually in terminal (as root):

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Do you get error messages there, esp with iptables -t nat -F? Apply afwall rules again. Reboot (orbots own rules are gone too). Are the connection resets gone?

If not Access tor in your browser without afwall by rules in custom script (replace de.baumann.browser by package name of your browser)

#FOSS Browser
BROWSER_UID=`dumpsys package de.baumann.browser | grep userId= | cut -d= -f2 - | cut -d' ' -f1 -`
# send all of the browser's TCP to Orbot's transparent proxy (TransPort, 9040 by default)
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner $BROWSER_UID -j DNAT --to-destination 127.0.0.1:9040
# note: Tor's TransPort accepts TCP only; UDP DNS is answered by Orbot's DNSPort (5400), not by 9040
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner $BROWSER_UID -j DNAT --to-destination 127.0.0.1:9040

(Make sure orbot uses 9040 for transparent proxy in settings or replace port in script) Any connection resets? (To remove this rule later you need to repeat the flushing part from above, I can't remember how to delete a single rule)

If you still have connection issues, please post the log again along with the result of (terminal as root) iptables -t nat -n -L. Edit: and your custom script - will try to see if it would work on my phone.

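
The two pieces of this comment that bite in practice are the nat-table check (the -t nat errors reported earlier in the thread) and not being able to remove a single rule afterwards. The script below is an added example for a custom script, not code from AFWall+ or Orbot. It assumes Orbot's transparent proxy on 127.0.0.1:9040 and its DNS port on 127.0.0.1:5400 (the ports named in this thread), iptables at /system/bin/iptables, and it takes either a UID or a package name; setting IPTABLES=echo dry-runs it on a PC so the generated rules can be inspected without a phone. Unlike the browser rules above, it sends the app's UDP DNS to Tor's DNS port rather than to the TCP-only transparent proxy, and rejects all other UDP from that UID so nothing leaks around Tor.

```shell
#!/system/bin/sh
# Per-UID Tor redirection for an AFWall+ custom script: added example, not AFWall+'s
# or Orbot's own code. Assumes Orbot's transparent proxy (TransPort) on 127.0.0.1:9040
# and its DNSPort on 127.0.0.1:5400 (both as named in this thread), and iptables at
# /system/bin/iptables. Set IPTABLES=echo to dry-run the generated rules on a PC.
IPTABLES="${IPTABLES:-/system/bin/iptables}"
TOR_TRANS_PORT="${TOR_TRANS_PORT:-9040}"
TOR_DNS_PORT="${TOR_DNS_PORT:-5400}"

# Returns 0 if the kernel exposes the nat table; LineageOS builds without NAT support
# make every "-t nat" call fail, so check before relying on redirection at all.
nat_table_usable() {
    "$IPTABLES" -t nat -L OUTPUT -n >/dev/null 2>&1
}

# Resolve a package name to its app UID (Android only; on a PC pass the UID directly).
uid_of_package() {
    dumpsys package "$1" | sed -n 's/^ *userId=\([0-9]*\).*/\1/p' | head -n 1
}

# Emit the three rules for one UID with ACTION = -I (insert at top, so they win over
# rules AFWall+ appends), -D (delete) or -C (check). Using the same function for -I
# and -D is what makes a single rule removable later without flushing everything.
tor_rules_for_uid() {
    uid="$1"; action="$2"
    # All TCP from the app goes to Tor's TransPort, except traffic already aimed at loopback.
    "$IPTABLES" -t nat "$action" OUTPUT -p tcp -m owner --uid-owner "$uid" \
        ! -d 127.0.0.0/8 -j DNAT --to-destination "127.0.0.1:$TOR_TRANS_PORT"
    # UDP DNS goes to Tor's DNSPort: TransPort is TCP only and cannot carry DNS.
    "$IPTABLES" -t nat "$action" OUTPUT -p udp -m owner --uid-owner "$uid" \
        --dport 53 -j DNAT --to-destination "127.0.0.1:$TOR_DNS_PORT"
    # Any other UDP from the app would bypass Tor entirely; reject it. The DNATed DNS
    # now has a loopback destination, so "! -d 127.0.0.0/8" leaves it alone.
    "$IPTABLES" "$action" OUTPUT -p udp -m owner --uid-owner "$uid" \
        ! -d 127.0.0.0/8 -j REJECT
}

# Usage: sh tor-uid.sh add|remove <uid-or-package>...
#   on the phone:  sh tor-uid.sh add org.mozilla.klar
#   dry run on PC: IPTABLES=echo sh tor-uid.sh add 10213
main() {
    action="$1"; shift
    nat_table_usable || { echo "nat table unavailable, cannot redirect to Tor" >&2; return 1; }
    for target in "$@"; do
        case "$target" in
            *[!0-9]*) uid=$(uid_of_package "$target") ;;
            *)        uid="$target" ;;
        esac
        [ -n "$uid" ] || { echo "no UID found for $target" >&2; return 1; }
        case "$action" in
            add)    tor_rules_for_uid "$uid" -I ;;
            remove) tor_rules_for_uid "$uid" -D ;;
            *)      echo "usage: $0 add|remove <uid-or-package>..." >&2; return 1 ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run "remove" with the same UID to take the three rules out again; because -D matches on the exact rule specification, only these rules are touched and AFWall+'s own chains stay in place. If nat_table_usable fails on the device, no amount of custom rules will redirect anything, which matches the symptom reported earlier in this thread for LineageOS builds whose kernel lacks NAT.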
tusch001 commented 4 years ago

@ProjectMoon and you should (at least temporarily) allow root apps (uid 0) to access tor. If netd is deactivated this is necessary for dns (I just read this on a German blog)

ProjectMoon commented 4 years ago

Tried these steps. Same result. Uid of the browser is 10213 (Firefox Klar). Logs: https://gist.github.com/ProjectMoon/1e6890f95eeccbfe6eb27a61ec588181

tusch001 commented 4 years ago

Can you please post your custom script? I think with copy and paste the definition of the variable $IPTABLES is missing. The first line should be IPTABLES=/system/bin/iptables (please adjust the path if iptables is in a different directory) and make sure that afwall uses the system iptables (preferences - binaries - iptables binary).

[Error command '$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner $BROWSER_UID -j DNAT --to-destination 127.0.0.1:9040' exited with status 2]

And a personal thing: Octodroid app doesn't work with gist revisions and with the browser the file is hardly readable (heavy content + coloured revision is too much :-). Can you please just save the rules file with afwall and append both files (IPv4rules.log and your custom script) to the post. Thanks

ProjectMoon commented 4 years ago

After more thorough testing, I will concede at least part of this is a DNS issue. On WiFi, my connections are routed through Tor by the firewall, but the DNS is just using the regular configuration (private DNS or not). This means I can't reach Onion sites for example. Running orbot in VPN mode worked just fine. So maybe AFWall needs to be updated to force DNS through Tor as well.

tusch001 commented 4 years ago

you might want to read issue #985 about private dns. In there @CHEF-KOCH explains a bit about dns (and how some apps can get around it - I think curl might use its own dns lookup not android's). I think that you need to allow root apps to tor in general. And private dns is at the moment obviously not a good choice. I don't have my tablet with me. I will later post my custom script over there. It should work with your cellular, most likely even with tor. But will take some hours. We can go from there.

jw243 commented 4 years ago

Upon a fresh install of lineageOS, AFWall, Orbot, etc. Tor control does not work on my system.

It started to work after something strange happened. I tried to install the custom script from kuketz-blog.de (https://www.kuketz-blog.de/afwall-digitaler-tuervorsteher-take-back-control-teil4/). This led to a freeze and reboot of the phone. This reboot happened over and over again. Fortunately, I was able to intercept and disable the custom script again and my system became stable again.

The funny thing is, afterwards tor control worked absolutely flawless.

Unfortunately, I had to reinstall my system, and now its back to start and tor control does not work anymore :-(

What's going on?

jw243 commented 4 years ago

I installed AFWall 3.2.0 on LineageOS 16 (MicroG version from 24/10/2019). Still tor control does not work!