Integrate Wireguard

[ignoramous]

Blokada integrates with Cloudflare's BoringTun and that looks pretty straight-forward.

Wireguard's official cross-platform implementation is in golang (being rewritten in Rust?) and so the integration could be relatively simpler than with BoringTun.

The traffic would probably go from app -> vpn-tun -> tun2socks -> wireguard. Wasteful?

May be, the entire firewall and DoH implementation can be moved into wireguard instead?

See also: #45 and #37

[ignoramous]

WireGuard userspace proxy impl ref: https://github.com/database64128/swgp-go

[MasterKia]

I just wanted to say that a proper Wireguard integration will really help the Iranian people to circumvent the current internet censorship while maintaining their privacy by blocking Internet access of the apps and thus fulfilling one of Rethink's stated goals to bypass censorship.

What I mean by "proper integration" is that currently SagerNet/Matsuri's SOCKS5 for Wireguard doesn't work correctly in combination with Rethink's SOCKS5 in latest version, I don't know whether it's worth reporting when a Wireguard integration is in the works already.

[ignoramous]

SagerNet/Matsuri's SOCKS5 for Wireguard doesn't work correctly in combination with Rethink's SOCKS5 in latest version

Thanks for the bug report.

Strange. I haven't tested it myself, but I'd have thought it works because SOCKS5 is a super non-intrusive mechanism to proxy sockets (even if UDP support is tricky)... It could be the SOCKS5 library we use has flaky UDP support, I haven't tested it as thoroughly.

Re: WireGuard integration: We're stuck with releasing v054 first (WireGuard is v055) which is taking forever to get out the door (1.5 years and counting!) as something or the other gets in the way.

[MasterKia]

I don't know if you use Telegram but the following combinations actually work:

Matsuri (SagetNet fork) on Proxy mode + Wireguard => Telegram built-in SOCKS5 connected to 127.0.0.1 => It works

Matsuri on Proxy mode + Wireguard => Rethink covering the whole phone using SagerNet's SOCKS5 => Telegram still works (with its built-in proxy disabled)

But when I test in browser, nothing loads.
Even tried disabling the Rethink DNS mode and only use the firewall mode, but to no avail.

[ignoramous]

I don't know if you use Telegram but the following combinations actually work:

Not the days I am coding up bigger features (which I have been, of late for serverless-dns/blocklists). But I do see Telegram once or twice a week.

But when I test in browser, nothing loads.

You'd have to forward DNS queries through to SagerNet/Matsuri, too (provided they expose DNS ports too)? You'd use the DNS Proxy mode in Rethink to forward DNS packets to SagerNet/Matsuri listening on some port on localhost.

Alternatively, test loading 1.1.1.1?

[MasterKia]

Screenshots from Matsuri

[MasterKia]

You'd use the DNS Proxy mode in Rethink to forward DNS packets

I'm unable to find that option.
There's only an option to add DoH/DnsCrypt.

Alternatively, test loading 1.1.1.1?

Actually it loads fine and opens the Cloudflare page, but when I try to load "Google.com", I can see logs for "8.8.8.8" in Rethink firewall.

So I think there's a problem with the handling of DNS response?

[MasterKia]

Well I digress, even Matsuri on VPN mode doesn't work meaning the browser returns "DNS not found" error.

But even in VPN mode, Telegram still works under Matsuri, weird.

[ignoramous]

So I think there's a problem with the handling of DNS response?

Yes, most likely (or, DNS querying is blocked, check the DNS logs in Rethink). And the reason Telegram works is it doesn't use DNS, and hits IPs directly (like you did when you hit 1.1.1.1 from a web browser).

There's only an option to add DoH/DnsCrypt.

Other DNS -> Swipe to the third Tab, Dns Proxy. You'd forward it to whatever port Matsuri is listening on (if it is). Orbot does (the default port it uses is 5400).

[ignoramous]

Just saw the screenshots you shared, the port Matsuri is listening DNS for is 6450 (3rd screenshot).

Btw, Matsuri is set to use 8.8.8.8 over DoH as upstream which is likely blocked in Iran (screenshot 1).

[ignoramous]

WireGuard integration is a go. Only UI work pending. To Hussain.

[ignoramous]

UI work is done. Rudimentary testing has come out good.

DNS won't work; ICMP won't work. The effort required is too high, unfortunately.

Split-tunnelling (multiple WireGuard upstreams) has been implemented, as well.

Next stop: Release.

[iulko]

By DNS and ICMP not working, you mean that you cant reach DNS servers inside wireguard tunnel? Please be more specific.

Thanks for hard work on implementation

[ignoramous]

By DNS and ICMP not working, you mean that you cant reach DNS servers inside wireguard tunnel? Please be more specific.

Sorry, I can see how that can be confusing. To be clear, ICMP and DNS won't be tunneled sent to WireGuard upstreams. DNS queries will be resolved by the DoH / DNSCrypt server setup in the app, and ICMP (echo) would be sent to the local network (rest dropped).

[iulko]

any ETA?

[michaelblyons]

any ETA?

This is not exactly an answer, but you can follow #903.

[ignoramous]

After a 1000 days, this finally shipped yesterday.

[iulko]

After a 1000 days, this finally shipped yesterday.

Guys, thank you very much, this is the only complete firewall on android right now!

[outusuke]

Ipv6 doesn't work with wireguard tunnel

[ignoramous]

@outusuke is IPv6 configuration rejected (as in, unable to add such configurations), or the tunnel is unable to connect (seeing the "failing" status instead of "connected" for that WireGuard interface), or unable to even switch ON that WireGuard interface?

Can you please report more here? #1002

Thanks.

[ignoramous]

Tailscale: #1047 perhaps in 1000 days hence ;)