xjasonlyu / tun2socks

tun2socks - powered by gVisor TCP/IP stack
https://github.com/xjasonlyu/tun2socks/wiki
GNU General Public License v3.0

[Bug] ICMP packets escape proxy #361

Open balki opened 1 month ago

balki commented 1 month ago

Verify steps

Version

latest

What OS are you seeing the problem on?

Linux

Description

Started tun2socks using below command

tun2socks -device tun0 -proxy socks5:///run/tor/socks

And moved the device to a network namespace.

ip netns add torns
ip link set tun0 netns torns
ip -n torns addr add 198.19.0.1/15 dev tun0
ip -n torns link set dev tun0 up
ip -n torns route add default via 198.19.0.1 dev tun0 metric 100

Inside the namespace, all requests go through tun0 and then via the socks proxy on the unix socket. Everything works as expected except for ping.

ping should either not work or go through the proxy, but instead it goes through the host's default network stack. I am able to ping devices in the local network.

CLI or Config

No response

Logs

No response

How to Reproduce

Create network namespace as shown above and start a shell in the namespace.

sudo systemd-run --property=NetworkNamespacePath=/run/netns/torns --property=User=$USER --pty --same-dir --wait --collect zsh

ping a local resource. It should not be able to ping.

❯ ping -c3 192.168.XX.YY
PING 192.168.XX.YY (192.168.XX.YY) 56(84) bytes of data.
64 bytes from 192.168.XX.YY: icmp_seq=1 ttl=64 time=0.257 ms
64 bytes from 192.168.XX.YY: icmp_seq=2 ttl=64 time=0.270 ms
64 bytes from 192.168.XX.YY: icmp_seq=3 ttl=64 time=0.267 ms

Other requests work just fine.

❯ curl --resolve check.torproject.org:443:116.202.120.181 -sL https://check.torproject.org | grep -A5 'Congratula' | tail
  <link rel="icon" type="image/x-icon" href="/torcheck/img/tor-not.png" />
  <style>
    html { height: 100%; }
--
      Congratulations. This browser is configured to use Tor.

  </h1>
  <p>Your IP address appears to be:  <strong>109.70.100.2</strong></p>
xjasonlyu commented 1 month ago

Yes, this is expected. All ping requests will be responded immediately by tun2socks' netstack.

balki commented 1 month ago

Thank you! Is it possible to provide a cli flag to disable ICMP?

As a workaround, if I set NoNewPrivileges=yes when starting the shell, ping does not work but regular connections work. But it would be good if it were blocked at the interface level.

gaby commented 3 weeks ago

👍 for adding a flag to disable ICMP

balki commented 3 weeks ago

All ping requests will be responded immediately by tun2socks' netstack.

Just realized "all ping requests" means that, whether or not the local IP exists, the ping is successful, i.e. it is not really pinging. I think this is better as it is not leaking any local information.

xjasonlyu commented 3 weeks ago

hmm, it wouldn't leak any information. In fact, the icmp packets will only reach the tun2socks network stack and be instantly replied.

balki commented 3 weeks ago

Thanks for clarifying. Feel free to close the issue if no further changes are planned.
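The thread's conclusion (ICMP echo inside the namespace is answered by tun2socks' netstack and never leaves the host) can be confirmed from the host side by capturing on the physical uplink while pinging from the namespace. The script below is an added example, not part of the issue or the tun2socks project; it assumes the "torns" namespace and tun0 are set up as in the report, and the interface name and LAN target are placeholders set via environment variables.

```shell
#!/bin/sh
# Added example (not from tun2socks): does ICMP echo sent inside the namespace
# ever reach the physical uplink? With tun2socks answering echo requests from
# its own netstack, the namespace ping should produce zero packets on UPLINK.
# Assumptions (placeholders): NS is the namespace from the issue, UPLINK is the
# host's LAN interface, TARGET is a LAN host that answers ping from the host.
NS=${NS:-torns}
UPLINK=${UPLINK:-eth0}
TARGET=${TARGET:-192.168.1.1}

# Count tcpdump lines that are ICMP echo requests addressed to $1.
# Reads tcpdump text on stdin and prints the count (0 when nothing matched).
count_echo_requests() {
    grep -F "> $1:" | grep -c 'ICMP echo request' || true
}

# Verdict from a request count: "absorbed" means nothing left the uplink.
verdict() {
    if [ "$1" -eq 0 ]; then echo absorbed; else echo leaked; fi
}

# Run the command given as arguments while tcpdump captures ICMP on UPLINK;
# prints the path of the capture text file. Needs root for tcpdump and ip netns.
capture_while() {
    out=$(mktemp)
    tcpdump -i "$UPLINK" -nn -l icmp > "$out" 2>/dev/null &
    pid=$!
    sleep 1
    "$@" >/dev/null 2>&1 || true
    sleep 1
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    echo "$out"
}

leak_check() {
    # Positive control: a ping from the host must be visible on the uplink,
    # otherwise the capture itself is not working and a 0 below proves nothing.
    host_cap=$(capture_while ping -c 1 -W 1 "$TARGET")
    ns_cap=$(capture_while ip netns exec "$NS" ping -c 3 -W 1 "$TARGET")
    host_n=$(count_echo_requests "$TARGET" < "$host_cap")
    ns_n=$(count_echo_requests "$TARGET" < "$ns_cap")
    echo "host ping:  $host_n echo request(s) on $UPLINK (expect >= 1)"
    echo "netns ping: $ns_n echo request(s) on $UPLINK -> $(verdict "$ns_n")"
    rm -f "$host_cap" "$ns_cap"
}

# Only run the live check when invoked with --run (as root); the functions
# above can be sourced and unit-tested on their own without any privileges.
if [ "${1:-}" = "--run" ]; then leak_check; fi
```

A result of "absorbed" alongside a non-zero host count confirms the maintainer's statement; "leaked" would mean the namespace's echo requests are reaching the host stack, as the original report suspected.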