[tor-talk] Fwd: Orbot v15.1.0 Alpha 1

Dash Four mr-4 at bitmessage.ch
Sun Jan 10 14:03:55 UTC 2016


I am having all kinds of problems with this, but before I go into the details, a bit of background.

Currently, I am running (quite happily) the "latest" Orbot, which uses tor 2.6(.10?) with no issues to report.

My Android device uses droidwall with a heavily modified firewall script, which restricts and closely controls who accesses what (this script was inspired by the 
excellent Mike Perry's blog a while back).

The firewall script limits, among other things, what gets proxied by which app (the browser, for example, is restricted to ports 80 and 443, everything else 
gets DROPped). Orbot is also restricted to the transproxy, tor dns, tor control and tor socks ports only (this is where I have another axe to grind with tor - 
see below). Again, anything else gets dropped.

For good measure, I also renamed and moved the original (stock-supplied) iptables executables to a different location (they are used in the firewall script). I 
left "dummy" executables (C program compiled for my device, which executes a single statement "return 0;") as /system/bin/ip[6]tables for whoever tries to 
change my iptable chains without my knowledge and thinks it can get away with it.

I also use a VPN which redirects traffic from specific apps through the VPN tunnel (it also restricts what gets passed through that tunnel as not everything is 
allowed) - anything else gets DROPped.

With that in mind, I am having a couple of problems with the Orbot specified in the original announcement (v15.1.0-ALPHA):

1. Orbot uses ports outside the "common" list of ports, which are, obviously, DROPped by the firewall. For example, the 15.1.0 version uses random ports on the 
loopback interface in both directions (say, src port 51117, dest port 53123). The previous Orbot version sticks with source or destination ports that are 
pre-defined (i.e. 9040, 9050, 9051 and 5400, as well as ports that are advertised in the tor config file).

2. Even if I allow Orbot to have free rein (allow all packets going out by Orbot), the transproxy/dns doesn't work. Basically, nothing can get proxied at 
all. I don't have any packets that are dropped on the VPN or anywhere else.

3. Orbot simply ignores what I have specified as Socks, Transproxy and DNSPorts to be used. Example: in my configuration I specify the interface to be used 
explicitly, i.e. "127.0.0.1:5400" as DNS port (this was the only way I could get it to work in the "latest" stable Orbot version). I tried variations of that 
configuration (i.e. specify just the port number), but that didn't work either.

4. No matter what I configure in my settings, Orbot (both versions) always generates a torrc file that contains "SocksPort auto", "DNSPort auto" and "TransPort 
auto". Why? I know that it closes the old (auto-generated) ports and re-opens different ones (as per my custom torrc) later, but that should not be the case and 
it should honour what I have specified in my configuration. This may be related to the previous issue I described above. As a result of this, I cannot have, say, 
"DNSPort" in my custom torrc as tor refuses to run (duplicate DNSPort definitions). Ridiculous! I need to have control of all torrc settings and not have Orbot 
"assume" things. Modifying the torrc file in Orbot's data directory can alter some torrc settings, but not all and some are always included (like the example 
I've given above) no matter what.

5. There is no GeoIP database supplied with any Orbot version, which makes all GeoIP-related commands I issued in my custom torrc completely useless. I had to 
copy these files from my desktop tor version in order to make this work (Orbot is supposed to "come with tor", but apparently not everything is included).

I think that pretty much covers it. I managed to grab the tor executable supplied with v15.1.0-ALPHA and dump it in place with the old "stable" Orbot version 
and it works OK from what I can see, though both Tor versions suffer from bug #9972 I submitted nearly 3 years ago, which is still open.

Another axe to grind with tor is its inability to specify a binding interface for the various ports it uses. It currently requires an IP address 
(<ip_address>:<port>). That format can't be used when I have a VPN running or have an interface that has a dynamic IP address for example. I'd like to be able to 
specify, say, "DNSListenAddress tun0:7253" for example.

Nathan Freitas wrote:
> 
> ----- Original message -----
> From: Nathan of Guardian <nathan at guardianproject.info>
> To: guardian-dev at lists.mayfirst.org
> Subject: Orbot v15.1.0 Alpha 1
> Date: Mon, 04 Jan 2016 02:04:44 -0500
> 
> 
> 
> 
> Happy 2016... and here's an update for Orbot to test
> 
> APK:
> https://guardianproject.info/releases/Orbot-v15.1.0-ALPHA-1-1-gf441736.apk
> ASC:
> https://guardianproject.info/releases/Orbot-v15.1.0-ALPHA-1-1-gf441736.apk.asc
> 
> Primary updates are
> - Update to Tor 0.2.7.6 and OpenSSL 1.0.1q
> - Fixes for DNS leak in VPN mode (using PDNSD daemon for TCP-DNS over
> Tor thanks to SocksDroid!)
> - Overall stability improvements to VPN mode with easy ability to
> toggle on and off without Orbot restart
> - A pretty major update to the graphics/branding with a new icon from
> DrSlash.com
> 
> CHANGELOG
> f441736 update OpenSSL string to show 1.0.1q
> 4098e8e update to 15.1.0-ALPHA-1
> f1fcec3 add support for PDNSD DNS Daemon for VPN DNS resolution Tor's
> DNS port doesn't work well with the VPN mode, so we will use PD
> 8d8fe0c updates to improve VPN support
> 699b60d add linancillary for badvpn tun2socks update for DNS
> 9b2cc52 update badvpn binaries
> 6dc8cf6 update makefile for new pluto builds
> 0261236 change this to "browser button"
> 3462cbd small updates to icon and strings
> bb55557 update installer to get PLUTO binaries from assets
> 7d213e2 delete pluggable transport binaries here; build with Makefile
> use the external/pluto project
> 6cf1201 update makefile to support PLUTO builds
> 871701e add link for new icon
> 51205b8 update for Orfox
> 6fb4f0c update binaries
> 317405d update external versions of Tor 0.2.7.6 and OpenSSL 1.0.1q
> 0a5dd08 use a browser constant here, with the new constant being Orfox
> c54ab18 deleted these graphics
> 534c2fb update style, icons and graphics
> 
> 
> 
> 
> --
>   Nathan of Guardian
>   nathan at guardianproject.info
> 
> 
> 
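
An added example, not part of the original message and not Orbot or Tor code: a check of a torrc's listener lines against a fixed per-port firewall allowlist, the mismatch described in points 1 and 4 of the message. The sample torrc is constructed; the allowlist holds the ports the message names (9040, 9050, 9051, 5400), and the function names are hypothetical.

```python
from collections import Counter

LISTENERS = {"socksport", "dnsport", "transport", "controlport"}
ALLOWED_PORTS = {9040, 9050, 9051, 5400}   # ports named in the message
LOOPBACK = {None, "127.0.0.1", "localhost", "[::1]"}

# Constructed sample: generated "auto" lines followed by custom lines.
SAMPLE_TORRC = """\
SocksPort auto
DNSPort auto
TransPort auto
SocksPort 9050
DNSPort 127.0.0.1:5400   # explicit loopback bind
TransPort 9040
ControlPort 9051
DNSPort 0.0.0.0:5353
"""

def parse_listeners(text):
    """Yield (option, address or None, port) for each listener line."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() not in LISTENERS:
            continue
        addr, _, port = parts[1].rpartition(":")
        yield parts[0].lower(), addr or None, port.lower()

def audit(text, allowed=ALLOWED_PORTS):
    """Return (option, value, reason) for listeners static rules cannot match."""
    findings = []
    for option, addr, port in parse_listeners(text):
        value = f"{addr}:{port}" if addr else port
        if port == "auto":       # port chosen at start-up, unknown to the firewall
            findings.append((option, value, "auto-port"))
            continue
        if port == "0":          # listener disabled
            continue
        if not port.isdigit() or int(port) not in allowed:
            findings.append((option, value, "port-not-allowlisted"))
        if addr not in LOOPBACK:
            findings.append((option, value, "non-loopback-bind"))
    return findings

def repeated_options(text):
    """Return listener options that appear more than once, sorted."""
    counts = Counter(opt for opt, _, _ in parse_listeners(text))
    return sorted(opt for opt, n in counts.items() if n > 1)

if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC):
        print(*finding)
    print("repeated:", repeated_options(SAMPLE_TORRC))
```
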



