Nathan of Guardian <[email protected]> writes: > On 10/13/19 1:46 PM, Greg Troxel wrote: >> I found an interesting bug -- not clear where -- and am writing in the >> hopes that someon who already really understands this might comment. >> >> Phone is running lineage 15.1, and all apps are from f-droid (main repo, >> guardianproject repo). >> >> Orbot is configured in VPN mode for selected apps. One app is chosen to >> be sent over tor. The chosen app works, and the other apps work. >> >> I installed baresip and tried to configure it for an on-LAN asterisk >> PBX. Let's say asterisk is at 10.2.3.1/24 (which is also the router). >> This is normal UDP SIP with user/password, no encryption -- the first >> step in getting running and then turning up security to adequate. >> >> I then saw packets heading to my asterisk server with source address >> 192.168.200.1. Looking at logcat on the phone, I realize this is the >> address on tun0 which is I am 99% sure used by Orbot to get access to >> the to-be-torified traffic. >> >> If I exit Orbot, then I start seeing the normal on-wifi IP address (and >> then baresip runs into a different problem, but the address part is >> fine). > > Thanks for the report. That is indeed the address we use for our Orbot > VPN settings. > > First, any UDP packets that go through the Orbot VPN should just get > dropped. Tor doesn't handle UDP. If those are somehow getting through, > then that is a bug. > > Second, are you saying baresip is NOT selected as an app for Orbot VPN, > but somehow its packets are getting mangled?
The only app set for Orbot VPN is Andstatus. baresip (a minimalistic sip client, very much free software and pro privacy) is running normally. The packets with the 192.168.200.1 source address were observed arriving at my LAN gateway (which is also the asterisk server), and the destination address was the gateways RFC1918 LAN address. So I think the problem is that baresip is doing something to choose an interface, and this is resulting in a bound source address, even though the packets are not actually sent over tun0. Does Orbot set some kind of per-app routes that change the default route from the normal interface's gateway to some synthetic address behind tun0, in order to cause that app's traffic to enter orbot's control? _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
