
Integrate Wireguard #52

Closed
ignoramous opened this issue Aug 23, 2020 · 21 comments

Labels: P0 Priority: 0 (urgent and important)

Comments

@ignoramous (Collaborator)

ignoramous commented Aug 23, 2020

Blokada integrates with Cloudflare's BoringTun and that looks pretty straight-forward.

Wireguard's official cross-platform implementation is in golang (being rewritten in Rust?) and so the integration could be relatively simpler than with BoringTun.

The traffic would probably go from app -> vpn-tun -> tun2socks -> wireguard. Wasteful?

Maybe the entire firewall and DoH implementation can be moved into wireguard instead?

See also: #45 and #37

@ignoramous (Collaborator Author)

WireGuard userspace proxy impl ref: https://github.com/database64128/swgp-go

@MasterKia

I just wanted to say that a proper Wireguard integration will really help the Iranian people to circumvent the current internet censorship while maintaining their privacy by blocking Internet access of the apps and thus fulfilling one of Rethink's stated goals to bypass censorship.

What I mean by "proper integration" is that currently SagerNet/Matsuri's SOCKS5 for Wireguard doesn't work correctly in combination with Rethink's SOCKS5 in latest version, I don't know whether it's worth reporting when a Wireguard integration is in the works already.

@ignoramous (Collaborator Author)

ignoramous commented Oct 6, 2022

SagerNet/Matsuri's SOCKS5 for Wireguard doesn't work correctly in combination with Rethink's SOCKS5 in latest version

Thanks for the bug report.

Strange. I haven't tested it myself, but I'd have thought it works because SOCKS5 is a super non-intrusive mechanism to proxy sockets (even if UDP support is tricky)... It could be the SOCKS5 library we use has flaky UDP support, I haven't tested it as thoroughly.

Re: WireGuard integration: We're stuck with releasing v054 first (WireGuard is v055) which is taking forever to get out the door (1.5 years and counting!) as something or the other gets in the way.

@MasterKia

MasterKia commented Oct 6, 2022

I don't know if you use Telegram but the following combinations actually work:

Matsuri (SagerNet fork) on Proxy mode + Wireguard => Telegram built-in SOCKS5 connected to 127.0.0.1 => It works

Matsuri on Proxy mode + Wireguard => Rethink covering the whole phone using SagerNet's SOCKS5 => Telegram still works (with its built-in proxy disabled)

But when I test in browser, nothing loads.
Even tried disabling the Rethink DNS mode and only use the firewall mode, but to no avail.

@ignoramous (Collaborator Author)

ignoramous commented Oct 6, 2022

I don't know if you use Telegram but the following combinations actually work:

Not the days I am coding up bigger features (which I have been, of late for serverless-dns/blocklists). But I do see Telegram once or twice a week.

But when I test in browser, nothing loads.

You'd have to forward DNS queries through to SagerNet/Matsuri, too (provided they expose DNS ports too)? You'd use the DNS Proxy mode in Rethink to forward DNS packets to SagerNet/Matsuri listening on some port on localhost.

Alternatively, test loading 1.1.1.1?

@MasterKia

Screenshots from Matsuri

[Attached screenshots: IMG_20221006_200344, IMG_20221006_200359, IMG_20221006_194949, IMG_20221006_195041, IMG_20221006_195058 (images not available)]

@MasterKia

MasterKia commented Oct 6, 2022

You'd use the DNS Proxy mode in Rethink to forward DNS packets

I'm unable to find that option.
There's only an option to add DoH/DnsCrypt.

Alternatively, test loading 1.1.1.1?

Actually it loads fine and opens the Cloudflare page, but when I try to load "Google.com", I can see logs for "8.8.8.8" in Rethink firewall.

So I think there's a problem with the handling of DNS response?

@MasterKia

Well I digress, even Matsuri on VPN mode doesn't work meaning the browser returns "DNS not found" error.

But even in VPN mode, Telegram still works under Matsuri, weird.

@ignoramous (Collaborator Author)

So I think there's a problem with the handling of DNS response?

Yes, most likely (or, DNS querying is blocked, check the DNS logs in Rethink). And the reason Telegram works is it doesn't use DNS, and hits IPs directly (like you did when you hit 1.1.1.1 from a web browser).

There's only an option to add DoH/DnsCrypt.

Other DNS -> Swipe to the third Tab, Dns Proxy. You'd forward it to whatever port Matsuri is listening on (if it is). Orbot does (the default port it uses is 5400).

@ignoramous (Collaborator Author)

Just saw the screenshots you shared, the port Matsuri is listening DNS for is 6450 (3rd screenshot).

Btw, Matsuri is set to use 8.8.8.8 over DoH as upstream which is likely blocked in Iran (screenshot 1).

@ignoramous (Collaborator Author)

WireGuard integration is a go. Only UI work pending. To Hussain.

@ignoramous (Collaborator Author)

UI work is done. Rudimentary testing has come out good.

DNS won't work; ICMP won't work. The effort required is too high, unfortunately.

Split-tunnelling (multiple WireGuard upstreams) has been implemented, as well.

Next stop: Release.

@iulko

iulko commented Jul 14, 2023

By DNS and ICMP not working, you mean that you can't reach DNS servers inside the wireguard tunnel? Please be more specific.

Thanks for the hard work on the implementation.

@ignoramous (Collaborator Author)

By DNS and ICMP not working, you mean that you can't reach DNS servers inside the wireguard tunnel? Please be more specific.

Sorry, I can see how that can be confusing. To be clear, ICMP and DNS won't be tunneled to WireGuard upstreams. DNS queries will be resolved by the DoH / DNSCrypt server set up in the app, and ICMP (echo) would be sent to the local network (rest dropped).
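
The dispatch policy stated above (DNS to the app's own resolver, ICMP echo to the local network, other ICMP dropped, everything else to the WireGuard upstream), written out as an added Go example; it is not code from this thread or from Rethink's code base. `Classify`, `Egress` and `MakeIPv4` are hypothetical names, and the packets are constructed inline as sample input.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Egress is where a packet leaving the VPN tun interface is dispatched.
type Egress int

const (
	EgressWireGuard Egress = iota // tunnelled to the WireGuard upstream
	EgressLocalDNS                // answered by the app's own DoH / DNSCrypt resolver
	EgressLocalNet                // sent on the local network, not tunnelled
	EgressDrop                    // discarded
)

// Classify applies the policy from the thread to one raw IPv4 packet:
// TCP/UDP to port 53 -> local resolver, ICMP echo request -> local network,
// any other ICMP -> dropped, everything else -> WireGuard upstream.
func Classify(pkt []byte) (Egress, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return EgressDrop, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4 // header length in bytes
	if ihl < 20 || len(pkt) < ihl {
		return EgressDrop, errors.New("bad IPv4 header length")
	}
	payload := pkt[ihl:]
	switch pkt[9] { // protocol field
	case 1: // ICMP: type is the first payload byte, 8 = echo request
		if len(payload) >= 1 && payload[0] == 8 {
			return EgressLocalNet, nil
		}
		return EgressDrop, nil
	case 6, 17: // TCP / UDP: destination port is payload bytes 2..3
		if len(payload) >= 4 && binary.BigEndian.Uint16(payload[2:4]) == 53 {
			return EgressLocalDNS, nil
		}
	}
	return EgressWireGuard, nil
}

// MakeIPv4 builds a minimal constructed IPv4 packet (sample input only, not real traffic).
func MakeIPv4(proto byte, payload []byte) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, IHL 5 (20-byte header)
	binary.BigEndian.PutUint16(hdr[2:4], uint16(20+len(payload)))
	hdr[9] = proto
	copy(hdr[12:16], []byte{10, 0, 0, 2}) // constructed source address
	copy(hdr[16:20], []byte{1, 1, 1, 1})  // constructed destination address
	return append(hdr, payload...)
}
```

A real tun reader would also have to handle IPv6 and fragmented packets; this block treats anything that is not well-formed IPv4 as an error so such traffic is never silently tunnelled.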

@iulko

iulko commented Aug 2, 2023

any ETA?

@michaelblyons

any ETA?

This is not exactly an answer, but you can follow #903.

@ignoramous (Collaborator Author)

After 1000 days, this finally shipped yesterday.

@iulko

iulko commented Aug 15, 2023

After 1000 days, this finally shipped yesterday.

Guys, thank you very much, this is the only complete firewall on android right now!

@outusuke

IPv6 doesn't work with the wireguard tunnel.

@ignoramous (Collaborator Author)

ignoramous commented Aug 19, 2023

@outusuke is IPv6 configuration rejected (as in, unable to add such configurations), or the tunnel is unable to connect (seeing the "failing" status instead of "connected" for that WireGuard interface), or unable to even switch ON that WireGuard interface?

Can you please report more here? #1002

Thanks.

ignoramous unpinned this issue Sep 8, 2023

@ignoramous (Collaborator Author)

Tailscale: #1047 perhaps in 1000 days hence ;)
