Error: "proxy: hop mtu insufficient"

Open jfdl1991 opened this issue 6 months ago • 10 comments

Hi have a nice day!

Excuse me but I don't know a lot about this. On the RethinkDNS app, F-Droid version 0.5.5o, I'm trying to add a WireGuard over another WireGuard with the "add relay" option.

I get "proxy: hop mtu insufficient".

I've tried leaving it empty and configuring it from 1500 to 1200, used the (auto) option (empty), used ridiculously high ones, and some really low. Tried it on both of them and tried every combination.

I have no idea what's going on but maybe you would find the logs useful.

1756111406341,I ConnectivityEvents: process message MESSAGE_AVAILABLE_NETWORK, newNws: [NetworkProperties(network=118, capabilities=[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&VALIDATED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=13918Kbps LinkDnBandwidth>=88340Kbps TransportInfo: <SSID: <unknown ssid>, BSSID: 02:00:00:00:00:00, MAC: 02:00:00:00:00:00, IP: /192.168.1.7, Security type: 2, Supplicant state: COMPLETED, Wi-Fi standard: 5, RSSI: -56, Link speed: 390Mbps, Tx Link speed: 390Mbps, Max Supported Tx Link speed: 433Mbps, Rx Link speed: 390Mbps, Max Supported Rx Link speed: 433Mbps, Frequency: 5745MHz, Net ID: -1, Metered hint: false, score: 60, isUsable: true, CarrierMerged: false, SubscriptionId: -1, IsPrimary: -1, Trusted: true, Restricted: false, Ephemeral: false, OEM paid: false, OEM private: false, OSU AP: false, FQDN: <none>, Provider friendly name: <none>, Requesting package name: <none><none>MLO Information: , AP MLD Address: <none>, AP MLO Link Id: <none>, AP MLO Affiliated links: <none>> SignalStrength: -56 UnderlyingNetworks: Null], linkProperties={InterfaceName: wlan0 LinkAddresses: [ xxx redacted  xxx] DnsAddresses: [ /xxx redacted xxx] Domains: null MTU: 0 ServerAddress: /192.168.1.1 TcpBufferSizes: 524288,1048576,16777216,262144,524288,16777216 Routes: [ fe80::/64 -> :: wlan0 mtu 0,192.168.1.0/24 -> 0.0.0.0 wlan0 mtu 0,0.0.0.0/0 -> 192.168.1.1 wlan0 mtu 0 ]}, networkType=WiFi, NotMetered?true)] 
 ; new? false, force? false, test? false, cellular? false, metered? false
1756111406341,D ConnectivityEvents: onCapabilitiesChanged, 488737001485, netid: 113, 113
1756111406341,D ConnectivityEvents: onCapabilitiesChanged, 505916870669, netid: 117, 117
1756111407356,V GoLog: V wgconn.go:374: wg: bind: wg3 recvFrom(<nil>): 0 / ov? false<=false / err? read udp6 [::]:48227: i/o timeout
1756111407357,V GoLog: V receive.go:116: wg:wg3 Failed to receive makeReceiveFn packet: read udp6 [::]:48227: i/o timeout
1756111407727,V GoLog: V wgconn.go:374: wg: bind: wg3 recvFrom(<nil>): 0 / ov? false<=false / err? read udp4 0.0.0.0:48227: i/o timeout
1756111407728,V GoLog: V receive.go:116: wg:wg3 Failed to receive makeReceiveFn packet: read udp4 0.0.0.0:48227: i/o timeout
1756111407844,D GoLog: D _cgo_gotypes.go:8352>wgproxy.go:1470: wg: wg3 proxy: hopping wg2; mtu(needed: 1200 / net: 1280); hopmtu(avail: 1200 / tot: 1280)
1756111407844,W GoLog: W proxies.go:729>proxies.go:789>wgproxy.go:1268>wgproxy.go:1480: wg: wg3 proxy: not hopping wg2; needs 1200; mtu(1280) < min(%!d(MISSING))
1756111407844,I GoLog: I proxies.go:729>proxies.go:790>proxies.go:809: proxy: mapHop: wg2 => wg3; remaining origins: [wg3]
1756111407845,W RethinkDnsVpn: TunAdapter; err testing hop: wg3 -> wg2; proxy: hop mtu insufficient
1756111408353,D ConnectivityEvents: networkSet size: 3
1756111408369,I ConnectivityEvents: process message MESSAGE_AVAILABLE_NETWORK, currNws: [NetworkProperties(network=118, capabilities=[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&VALIDATED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=13918Kbps LinkDnBandwidth>=88340Kbps TransportInfo: <SSID: <unknown ssid>, BSSID: 02:00:00:00:00:00, MAC: 02:00:00:00:00:00, IP: /192.168.1.7, Security type: 2, Supplicant state: COMPLETED, Wi-Fi standard: 5, RSSI: -56, Link speed: 433Mbps, Tx Link speed: 433Mbps, Max Supported Tx Link speed: 433Mbps, Rx Link speed: 390Mbps, Max Supported Rx Link speed: 433Mbps, Frequency: 5745MHz, Net ID: -1, Metered hint: false, score: 60, isUsable: true, CarrierMerged: false, SubscriptionId: -1, IsPrimary: -1, Trusted: true, Restricted: false, Ephemeral: false, OEM paid: false, OEM private: false, OSU AP: false, FQDN: <none>, Provider friendly name: <none>, Requesting package name: <none><none>MLO Information: , AP MLD Address: <none>, AP MLO Link Id: <none>, AP MLO Affiliated links: <none>> SignalStrength: -56 UnderlyingNetworks: Null], linkProperties={InterfaceName: wlan0 LinkAddresses: [ xxx redacted  xxx ] DnsAddresses: [ /xxx redacted  xxx ] Domains: null MTU: 0 ServerAddress: /192.168.1.1 TcpBufferSizes: 524288,1048576,16777216,262144,524288,16777216 Routes: [ fe80::/64 -> :: wlan0 mtu 0,192.168.1.0/24 -> 0.0.0.0 wlan0 mtu 0,0.0.0.0/0 -> 192.168.1.1 wlan0 mtu 0 ]}, networkType=WiFi, NotMetered?true)] ; new? false, force? false, test? false, cellular? false, metered? false
1756111408370,I ConnectivityEvents: process message MESSAGE_AVAILABLE_NETWORK, newNws: [NetworkProperties(network=118, capabilities=[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&VALIDATED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=13918Kbps LinkDnBandwidth>=88340Kbps TransportInfo: <SSID: <unknown ssid>, BSSID: 02:00:00:00:00:00, MAC: 02:00:00:00:00:00, IP: /192.168.1.7, Security type: 2, Supplicant state: COMPLETED, Wi-Fi standard: 5, RSSI: -56, Link speed: 390Mbps, Tx Link speed: 390Mbps, Max Supported Tx Link speed: 433Mbps, Rx Link speed: 390Mbps, Max Supported Rx Link speed: 433Mbps, Frequency: 5745MHz, Net ID: -1, Metered hint: false, score: 60, isUsable: true, CarrierMerged: false, SubscriptionId: -1, IsPrimary: -1, Trusted: true, Restricted: false, Ephemeral: false, OEM paid: false, OEM private: false, OSU AP: false, FQDN: <none>, Provider friendly name: <none>, Requesting package name: <none><none>MLO Information: , AP MLD Address: <none>, AP MLO Link Id: <none>, AP MLO Affiliated links: <none>> SignalStrength: -56 UnderlyingNetworks: Null], linkProperties={InterfaceName: wlan0 LinkAddresses: [ fe80::8c45:24ff:fe88:3d3c/64,192.168.1.7/24 ] DnsAddresses: [ /200.21.200.80,/200.21.200.10 ] Domains: null MTU: 0 ServerAddress: /192.168.1.1 TcpBufferSizes: 524288,1048576,16777216,262144,524288,16777216 Routes: [ fe80::/64 -> :: wlan0 mtu 0,192.168.1.0/24 -> 0.0.0.0 wlan0 mtu 0,0.0.0.0/0 -> 192.168.1.1 wlan0 mtu 0 ]}, networkType=WiFi, NotMetered?true)] 
 ; new? false, force? false, test? false, cellular? false, metered? false
1756111408795,D RethinkUI: HopDlg; dismiss hop dialog
1756111409391,D ConnectivityEvents: onCapabilitiesChanged, 510211837965, netid: 118, 118
1756111409403,D ConnectivityEvents: onCapabilitiesChanged, 488737001485, netid: 113, 113
1756111409416,D ConnectivityEvents: onCapabilitiesChanged, 505916870669, netid: 117, 117
1756111410143,V RethinkUI: ConnTrackFrag, view created from univ? false, from wg? true
1756111410372,D ConnectivityEvents: networkSet size: 3
1756111410375,I ConnectivityEvents: process message MESSAGE_AVAILABLE_NETWORK, currNws: [NetworkProperties(network=118, capabilities=[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&VALIDATED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=13918Kbps LinkDnBandwidth>=88340Kbps TransportInfo: <SSID: <unknown ssid>, BSSID: 02:00:00:00:00:00, MAC: 02:00:00:00:00:00, IP: /192.168.1.7, Security type: 2, Supplicant state: COMPLETED, Wi-Fi standard: 5, RSSI: -56, Link speed: 433Mbps, Tx Link speed: 433Mbps, Max Supported Tx Link speed: 433Mbps, Rx Link speed: 390Mbps, Max Supported Rx Link speed: 433Mbps, Frequency: 5745MHz, Net ID: -1, Metered hint: false, score: 60, isUsable: true, CarrierMerged: false, SubscriptionId: -1, IsPrimary: -1, Trusted: true, Restricted: false, Ephemeral: false, OEM paid: false, OEM private: false, OSU AP: false, FQDN: <none>, Provider friendly name: <none>, Requesting package name: <none><none>MLO Information: , AP MLD Address: <none>, AP MLO Link Id: <none>, AP MLO Affiliated links: <none>> SignalStrength: -56 UnderlyingNetworks: Null], linkProperties={InterfaceName: wlan0 LinkAddresses: [ fe80::8c45:24ff:fe88:3d3c/64,192.168.1.7/24 ] DnsAddresses: [ /200.21.200.80,/200.21.200.10 ] Domains: null MTU: 0 ServerAddress: /192.168.1.1 TcpBufferSizes: 524288,1048576,16777216,262144,524288,16777216 Routes: [ fe80::/64 -> :: wlan0 mtu 0,192.168.1.0/24 -> 0.0.0.0 wlan0 mtu 0,0.0.0.0/0 -> 192.168.1.1 wlan0 mtu 0 ]}, networkType=WiFi, NotMetered?true)] ; new? false, force? false, test? false, cellular? false, metered? false

I hope it helps.

And if you know how to help me out I'd really appreciate it. (I think this issue belongs here more than on rethinkDNS but maybe I'm wrong.)

Thanks for everything

jfdl1991 avatar Aug 25 '25 09:08 jfdl1991

Leave both the WireGuards to "auto" if they support it.

What the error is telling you is, the WireGuard doing the relay (let's call it, wgR) doesn't have enough MTU to relay the WireGuard you're wanting to hop (let's call it, wgH).

That is, MTU supported by wgR (relay) must be 80 bytes more than MTU of wgH (being relayed).

If wgH is 1280, then wgR must at least be 1280+80 => 1360. Leaving relays to Auto also works.

Keep in mind that the underlying networks (usually, wifi and mobile) must also have the MTU of at least 1360, or wgR won't be able to reach its destination/peer, which means, wgH also won't have connectivity since it is being hopped over wgR.


F-Droid has published v055r, so please use that version, if you can.

ignoramous avatar Aug 25 '25 14:08 ignoramous

Thanks so much for the reply! And for the explanation! I checked my router MTU and it's 1500. A single wg (no matter which) works with 1420.

I tried leaving both on auto and it doesn't work (same error). Tried with 1420 and 1280 (both combinations, so if I was doing it the other way around some connection would have to go through, isn't it?) and it didn't work. Tried specifically with 1280 and 1360 (I think that's the lowest case scenario) and got exactly the same error.

Logs are kinda confusing (and a new feature) and by setting them to debug they have too much private data to publish all of them publicly, but I could send them to your mail if you find them useful.

I saw the other day that just by using RethinkDNS without a proxy they give an MTU of 1280 with tracepath. Not sure why though 🤷🏻‍♂️ maybe it's something of my current Rethink config on the current version. Idk what else to do. Maybe I'm doing some really dumb thing.

jfdl1991 avatar Aug 25 '25 19:08 jfdl1991

Not sure why though 🤷🏻‍♂️ maybe it's something of my current Rethink config on the current version. Idk what else to do.

It could be a bug in the app, too...

Make sure that, WireGuard that is hopping another WireGuard has +80 bytes more as its MTU.

That is, if I go to wgH (say, has MTU set to 1280) and tap on "Add / Remove Relay" button to select wgR, it is wgR that must have MTU = mtu(wgH) + 80 bytes (that is, wgR's MTU must be at least 1360). If this isn't working, then it is a bug in the app.

ignoramous avatar Aug 25 '25 21:08 ignoramous

I checked my router MTU and it's 1500

Check the footer of the bottomsheet that comes up when you tap on the downward arrow next to the STOP / START button in Rethink's homescreen. It should show the current MTU for the underlying network.

I believe, if you remove the IPv6 interface addresses, if any, from your WireGuard configuration, the hops might work. For IPv6, the min MTU has to be 1280. And if the underlying network (mobile or wifi) is also set up at 1280 (the value of which the bottomsheet should show us), then hops can't be set. We're making changes to error messages to be more detailed in the upcoming version.

ignoramous avatar Aug 26 '25 20:08 ignoramous
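The MTU rule given above (the relay wgR needs 80 bytes more than the tunnel wgH it carries, the underlying network must in turn carry wgR, and an interface with an IPv6 address cannot go below 1280) can be checked before the app ever tries a hop. The following Go program is an added example written for this thread; it is not firestack's or Rethink's own code, and `WgConf`, `PlanHops` and the 80-byte constant are my own hypothetical names. It treats the underlying network as one more layer with the same 80-byte headroom, which is the assumption that reproduces the auto values reported later in the thread (1500 → 1420 → 1340), and uses the RFC 8200 IPv6 minimum link MTU of 1280 for the IPv6 check.

```go
package main

import (
	"errors"
	"fmt"
)

// Constants from the thread: each WireGuard layer needs 80 bytes of headroom
// in the layer that carries it (assumption: the underlying network is treated
// the same way), and an interface with an IPv6 address cannot use an MTU
// below 1280, the IPv6 minimum link MTU (RFC 8200).
const (
	hopOverhead = 80
	ipv6MinMTU  = 1280
)

// ErrHopMTU mirrors the app's "proxy: hop mtu insufficient" error text.
var ErrHopMTU = errors.New("proxy: hop mtu insufficient")

// WgConf is a hypothetical, minimal view of one WireGuard config; it is not
// the app's real type.
type WgConf struct {
	Name    string
	MTU     int  // 0 stands for "(auto)"
	HasIPv6 bool // the [Interface] section carries an IPv6 address
}

// PlanHops resolves the MTU of every layer in chain. chain[0] is the innermost
// tunnel (wgH), chain[1] relays it (wgR), chain[2] would relay chain[1], and
// the last entry rides directly on the underlying network of MTU netMTU.
// It returns the resolved MTUs in the same order, or the first violation found
// walking from the outside in.
func PlanHops(netMTU int, chain []WgConf) ([]int, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	resolved := make([]int, len(chain))
	avail := netMTU // largest packet the next-outer layer can carry
	outer := "underlying network"
	for i := len(chain) - 1; i >= 0; i-- {
		wg := chain[i]
		mtu := wg.MTU
		if mtu == 0 {
			// (auto): take the most the outer layer can relay.
			mtu = avail - hopOverhead
		}
		if mtu <= 0 {
			return nil, fmt.Errorf("%s: no MTU left after %s (%d)", wg.Name, outer, avail)
		}
		// A manually set MTU must still fit, with headroom, inside the outer layer.
		if mtu+hopOverhead > avail {
			return nil, fmt.Errorf("%w: %s needs %d but %s can relay at most %d",
				ErrHopMTU, wg.Name, mtu+hopOverhead, outer, avail)
		}
		if wg.HasIPv6 && mtu < ipv6MinMTU {
			return nil, fmt.Errorf("%s: mtu %d is below the IPv6 minimum %d; raise it or drop the IPv6 address",
				wg.Name, mtu, ipv6MinMTU)
		}
		resolved[i] = mtu
		avail, outer = mtu, wg.Name
	}
	return resolved, nil
}

func main() {
	// Constructed cases that follow the situations discussed in the thread.
	cases := []struct {
		label  string
		netMTU int
		chain  []WgConf
	}{
		{"both auto on a 1500 network", 1500, []WgConf{{Name: "wgH"}, {Name: "wgR"}}},
		{"manual 1280 over 1360 on a 1500 network", 1500, []WgConf{{Name: "wgH", MTU: 1280}, {Name: "wgR", MTU: 1360}}},
		{"1200 over an auto relay on a 1280 network", 1280, []WgConf{{Name: "wg2", MTU: 1200}, {Name: "wg3"}}},
		{"both auto on 1280, IPv6 address on the hop", 1280, []WgConf{{Name: "wgH", HasIPv6: true}, {Name: "wgR"}}},
		{"both auto on 1280, IPv6 address removed", 1280, []WgConf{{Name: "wgH"}, {Name: "wgR"}}},
	}
	for _, c := range cases {
		mtus, err := PlanHops(c.netMTU, c.chain)
		if err != nil {
			fmt.Printf("%-45s -> %v\n", c.label, err)
			continue
		}
		fmt.Printf("%-45s -> %v\n", c.label, mtus)
	}
}
```

Walking from the outside in is what makes "(auto)" meaningful: each layer can only be sized once the layer carrying it is known, and the same walk reports which layer ran out of room, which is the detail the reporter's logs (needed 1200, relay could offer 1200 of its 1280) leave implicit.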

Ohh thanks very much!

I had no idea that the MTU was shown there! Rethink has so many cool things and is the most awesome app I've seen and I love it! But it's lagging behind a bit on documentation for the user, and unless you dig into it a lot over here... and not everyone can dig around in the code (well, I barely can, and just thanks to the new app log feature I could half-understand what was going on 🤭 and where to ask 😋).

So it's confirmed that the WiFi MTU is 1500 that way (and it seems the mobile network too :p)

So removing the IPv6 did work, but not on (auto). On (auto) it detects 1500 as the MTU and sets one to 1420 and the other to 1340 as expected. (18:40 on the screenshot)

However when I only set up any of those WireGuard MTUs (but just one of them, to work) it gets set to 1280 (as the arrow says). (18:47 on the screenshot)

So I manually set up one MTU to 1280 and the other to 1200 and it does work! Thank you very much! 👍🏻

With this setup I even managed to use WARP over WARP :D (not saying that anyone should use WARP this way, just that you could ;) )

It seems it's the intended behavior, but when you try disabling both of them you have to manually remove the relay setup and then disable the relay to be able to turn it off. Not a serious thing or a priority, but it would be nice to be able to turn off the relay directly just by turning it off, without needing to remove it from the relay setup.

(BTW I forgot to say in my previous post that I was already running F-Droid 0.5.5r)

[screenshot]

jfdl1991 avatar Aug 27 '25 00:08 jfdl1991

Ok. It seems the auto option problem is not global. It works well with Cloudflare WARP as a relay and a wg like ProtonVPN, both on auto. The problem is limited to certain things: WARP over WARP usually uses 1280 MTU (although it is possible to use 1420, it usually uses 1280; I guess that is some specific MTU limitation on the wg). I think it is very limited to certain things.

On this screenshot wg2 is WARP and wg8 is ProtonVPN. It all worked fine as you can see. But if you try doing WARP over WARP you need to set up the MTU manually to 1200 and 1280.

[screenshot]

jfdl1991 avatar Aug 28 '25 22:08 jfdl1991

auto option problem is not global. It works well with cloudflare warp as a relay and a wg like protonvpn both on auto

The (auto) option for WireGuard MTU should also work in your case since the underlying networks have a comfortable 1500. I'll take a look to see why it doesn't for ALL WireGuards (WARP or not).

But if you try doing warp over warp you need to set up the MTU manually to 1200 and 1280.

Don't think the MTU related restrictions would be so limiting on WARP unless WARP servers run by Cloudflare don't work with higher MTUs (which to me, sounds unlikely). Sounds like there's a bug in Rethink, though I'm not sure what it could be.

would be nice to be able to turn off the relay directly just by turning it off without needing to remove it from the relay setup

This is a deliberate UX choice, as the user, who sets up the relay, must be aware enough to explicitly remove it. If Rethink auto-removed the relay (and there are more than one edge case where it could, but doesn't, and instead prompts the user) for any reason, it'd end up surprising the user.

lagging behind a bit on documentation

Yeah, but we do not have the time to invest in this just for power users (for example, Rethink introduced App logs in v055o+ just so power users can help us debug, and yet I don't see them share logs with us, probably because the logs are sensitive, but then again... they were asking for it), and so we leave it up to the community to figure it out.

ignoramous avatar Aug 31 '25 03:08 ignoramous

(PS: sorry this turned into a long letter. My intention is to be supportive and thank you, share some opinions and issues, share ideas and try to help and contribute however I can. My first language is Spanish so forgive me if it's not perfectly written or a little messy or disorganized.)

Thanks! I've already shared some crash logs with logs addressed and I don't mind sharing more. Some things are indeed sensitive but I'm okay sharing them with you. I've just received no confirmation that my logs were read at all, so I thought you are just busy or flooded with logs. I didn't want to be pressuring you with logs that I don't really understand (whenever I'm able to catch the problems with the debug or verbose level that are needed for some things). I'm not a programmer (or a professional one) and I just plainly don't understand. I just want to help as much as I can and contribute my best to help make Rethink better ❤️. But I don't want to asphyxiate you. Also, if I truly understood logs I'd be way more useful for you, but then we go back to documentation.

I think the problem is that it is a very recent thing. When you try to do logs you can set up a level of logs but it's not constantly logging. Only when you open app logs does it start logging on other levels besides "error", and it's empty (maybe it's a bug). Whatever happened before is just lost, so by the time you notice something went wrong or changed they are empty and lost (the most useful ones).

I've spotted many problems since the update to 055o (many, many problems with falling back to DNS): DNSCrypt problems, crashes, inability to capture data packets, unknown apps that get excluded from all proxies, apps that get excluded from all proxies but don't get bypassed, backup problems, serious ODoH problems that I managed to file as an issue on @celzero/rethink after wasting several weeks and all my Copilot tokens of the month. You already self-assigned it (which I'm glad and happy about), and the issues are not new and have existed at least since 055n (when I installed the app) and are a big deal as you may have noticed already. Many WireGuard connections that are intermittent or fail, DNSCrypt constantly failing leaving it to fallback DNS, DNSCrypt getting "stuck" for minutes when initializing sometimes, and of course fallback gets used. How do I know why WireGuard crashes all the time even with a good keepalive setup?

I've got too many things resolved by fallback DNS since 055o. A basic example that can't be understood without analyzing the code is the symbols (that should provide clear information on network and DNS logs), the "symbol_*". What are the 🦆🐇🏗️ 🐘 🚀πŸ’ etc. and what's the criteria? I even managed to figure out what the hell 🦆 meant haha... or that's what I think it means at least. A legend for those symbols would be really appreciated too! I think 🐇 is for ODoH, 🚀 is for fast resolution, it seems <20 ms, I guess 🐘 is for "heavy" things but the criteria is not really clear, and I think 🏗️ is for proxies like WireGuard. I don't think DNSCrypt with a relay has a symbol but I would love to have one, as I've been having weird results on dnsleaktest on certain DNSCrypt setups with relays. Some info on what relay was used would be awesome, and also info on DNS speed so you could compare different DNS setups (and the relays) so you know your real performance on the setup on your current network. Being able to benchmark your specific DNS setup on your current network and location and setup (especially with relays/proxies involved) would be awesome!

I'd totally love an option to block all traffic if the DNS set up by the user is not working. A switch to completely block DNS if it failed (besides internally needed Rethink traffic like searching and connecting to the Rethink site in the cases where a bootstrap DNS resolver is needed to fetch important things), because this way, unless I'm continuously watching network/DNS logs for the duck symbol, it's impossible to know when fallback happened, or for how long, or how bad it is, or why, so some optional notification on that would be awesome! I'd still use it after all bugs are resolved probably. A leak is not a really bad thing for me but for some it might be critical. WireGuard also sometimes drops and you don't know until you have no internet connection. Some problems I've been having (many DNSCrypt related, even when set up with only one relay) happen for several minutes or hours without noticing, and no matter what I do, the only way to fix it (sometimes) is to stop the RethinkDNS service and restart (leaking involved meanwhile). I tried using the firewall to block all on port 53 and use loopback to block DNS53 and set it up on the system's DNS but it didn't work. But even with loopback you can't force firewall rules on the RethinkDNS app, so I think it just can't be done with any trick, but let me know if it's doable.

Also, I would love to be able to choose a user-defined DNS option as a fallback (or a list of them in priority order if fallback is needed). I hate to be forced to use Cloudflare, Google or system DNS. Rethink's own DNS is ok as it uses DoH or DNS53, but I'd still love to set up my own fallback, especially if able to select the protocol used. If it has to be DoH I'd like to use my own, to be honest. An option to filter by DNS protocol on the log would be awesome too! And to be able to filter out the things resolved by fallback would be awesome too.

For example the ODoH issue and many other things are impossible to know without checking code and as much as I'd love to help I just could pinpoint it and be sure it was not just ignorance on how it works (I can barely read code on a project so big as this one and complex with lots of effort).

Also, already implemented new features are important to understand and need a bit of explanation (what does each option do?). Anti-censorship and anything new is an important thing and it's not documented as far as I know. Nor are app logs, and I think if we could filter and understand them correctly we could help more. It's too technical, and without proper inside understanding of the app it's pretty hard to know if you are sending something useful or not.

It's important as many people (probably most) have no idea how advanced the app is, or how to configure it, or how wonderful and full of features it is. Maybe I could try to help but I just don't fully understand them, and also translate them to Spanish. There are no forums and the best official info is found here, but I for example am just learning to use it to help with this one project. It's a little overwhelming for people (common people) that don't understand the app well, and probably many things would be resolved by the community itself. It's a bit scary to post an issue on GitHub (especially if you don't understand GitHub or the issue fully and you think you'd be being stupid). Forums (that get reviewed by devs/mods) would probably work for common issues and new features, and official documentation could be extracted from forums. Advanced users could help each other better with bugs and issues, and maybe even community opinion and feedback could help you a lot as devs.

Reddit for example has answers that are just incorrect or just "i dont know but I don't think you'll get an answer because devs have posted a lot already" (real example). But not everyone always has the same bugs, issues or questions. And on Reddit old posts get "buried" fast by others. I tried Matrix to contact you but it didn't work (says it doesn't exist). Telegram is kinda limited for me, not privacy friendly in groups, and has your real number, and your contacts can start annoying you.

I think that after critical errors have been fixed, documentation would be really useful (or forums for an organized community). Whether you intended to do it that way or not, RethinkDNS is extremely good for advanced users (not even comparable to NetGuard, that's a little too specific; I had the paid version and changed to RethinkDNS). You allow many, many, many things in 1 app (very advanced too). The way things are, only experts can help you. If you had some organized community that could help each other, important real things and scalable things could reach you in an efficient manner. You could poll users for features, requests and all that. You could also do a good Discord server that allows many things including "forums with threads", roles, mods, uploads, channels, bots, and you don't need to post IRL info like your phone or mail. Discord is pretty popular lately for all that among devs and community. I'm sure there are many, many things that could be fixed before you would have to waste your time reading useless posts or feature requests (that end up being downvoted), or redirecting people to the right place.

I'd be happy and honored to help with anything I know and can do, but I just don't understand many things enough to write documentation or to understand issues and send the right logs. But if you want, I'll try to do all I can as well as I can manage. I love your project and have many, many ideas and want to really help, but I just don't know how 90% of the time (or where to ask to begin with).

jfdl1991 avatar Sep 01 '25 11:09 jfdl1991

My first language is Spanish so forgive me

That's okay. You don't have to apologise.

I've just received no confirmation that my logs were read at all so I thought you are just busy or flooded with logs

Can you send an email from the same address (empty email body is fine) with this github issue in the subject field; that'll help me find the other email with logs? My inbox is an unmitigated disaster, yes.

But I don't want to asphyxiate you.

You're not. I welcome productive engagement. Especially, when it is about making the app run free of bugs and crashes. Bug free and stability are the absolute priority for us, at this stage.

Also if I'd truly understand logs I'd be way more useful for you but then we go back to documentation.

I know. Btw, you could try experimenting by feeding the logs to your favourite LLM tool.

Only when you open app logs it starts logging on other levels besides "error" and it's empty (maybe it's a bug).

The app logs switch back to "Error" level after ~3 hours, because the amount of work done in capturing other levels ("Debug" / "Verbose" / "Very verbose") will absolutely eat up your battery.

Whatever happened before is just lost, so by the moment you noticed something went wrong or changed they are empty and lost (the most useful ones).

That's on purpose, as the logs (shown in Configure -> Settings -> App logs) are quite sensitive, and so, I believe they are auto-deleted after ~3 hours.

How do I know why WireGuard crashes all the time even with a good keepalive setup?

When you say "WireGuard crashes", what do you mean? Does the app itself crash or the WireGuard tunnel turn itself OFF or are you detecting leaks?

🦆🐇🏗️ 🐘 🚀πŸ’

In Configure -> Logs -> DNS, these mean:

  • πŸ¦† - resolved by System DNS.
  • πŸ‡ - resolved over an ODoH proxy or WireGuard/SOCKS5/HTTP proxy or DNSCrypt relay.
  • πŸ—οΈ - not shown, I think.
  • 🐘 - More than 5 (?) answers were returned for a single query.
  • πŸš€ - resolved under 10 milliseconds.
  • 🐒 - answer has a very high time-to-live (can be cached for longer, I believe 10 minutes+).

Being able to benchmark your specific DNS setup on your current network and location and setup (especially with relays/proxies involved) would be awesome!

  • https://github.com/celzero/rethink-app/issues/2161

Some info on what relay was used would be awesome

  • https://github.com/celzero/rethink-app/issues/2199

so you know your real performance on the setup on your current network

May not have all the information you need, but About -> Stats shows quite a bit of internal state of proxies, connections, DNS resolvers, the VPN tunnel, etc.

I'd totally love an option to block all traffic if DNS set up by the user is not working. A switch to completely block DNS if it failed

"Fallback DNS" is not used for any other DNS resolver except DNSCrypt, and Rethink should indeed throw a notification when this happens. If Rethink isn't, then that's probably a recently introduced bug which we'd need to fix.

Other than DNSCrypt, "Fallback DNS" is only meant to be used by Rethink itself and if Configure -> Network -> Loopback is turned ON, then in place of "System DNS", if it goes missing.

the only way to fix it (sometimes) is to stop the RethinkDNS service and restart (leaking involved meanwhile)

Of course, we don't want users to resort to this. That said, if you're worried about connection leaks outside of the VPN tunnel Rethink sets up, you can turn ON "Block connections without VPN" (available on the Android 10+ Settings page), if you don't have a use for Configure -> Network -> Do not route Private IPs and for Exclude in Configure -> Apps.

I tried using firewall to block all on port 53 and use loopback to block DNS53 and set it up on systems DNS but it didn't work

You can turn ON Configure -> DNS -> Prevent DNS leaks to instruct Rethink to trap all port 53 UDP and TCP connections and redirect them to user-set DNS upstream.

But even with loopback you can't force firewall rules on the rethinkDNS app so I think it just can't be done with any trick but let me know if it's doable.

Don't think so. Btw, blocking Rethink's traffic with Loopback is something we will eventually implement. All the pieces are there, but we need to get the UI right.

Also, I would love to be able to choose a user-defined DNS option as a fallback (or a list of them in priority order if fallback is needed).

We don't allow it because an unreachable "Fallback DNS" means a LOT of stuff simply won't work and the resulting errors won't make it obvious either. We'll have to build an elaborate UX around it, and that'll take time which we'd rather spend building other important features / solving bugs. I'd say, folks are better off leaving Configure -> Network -> Fallback DNS to "None" (called "System" in versions post v055o).

It's important as many people (probably most) have no idea how advanced the app is or how to configure it or how wonderful and full of features it is ...

All valid points, but to be honest, we simply do not have the time to engage, and so, we answer questions and talk about features (here and on our subreddit) as they arise.

"i dont know but I don't think you'll get an answer because devs have posted a lot already" (real example).

True, but I almost always leave an answer on every thread on our subreddit. Maybe I miss a few here and there.

The way things are only experts can help you. If you had some organized community that could help each other, important real thing and scalable things could reach to you in an efficient manner. You could poll users for features, requests and all that.

Valid. If only we had enough time (personal reasons) ... (: For instance, we do not even have the resources to manage official translations for the app, let alone organize a Discord and write docs. Maybe, in 6 months from now, we're relatively free to do those things. I'll keep it in mind.

The way things are only experts can help you.

I make it a point to answer on GitHub and the subreddit because all mainstream LLMs scrape these. And to my surprise, the recent iterations of Gemini / Chat / Claude / Perplexity are all pretty good at answering Rethink specific questions, especially with web search turned ON.

I love your project and have many, many ideas and want to really help but I just don't know how 90% of the time (or where to ask to begin at).

GitHub and subreddit are 2 places I check almost every day, if not every hour. I check emails too, but as mentioned above, the inbox has been quite unmanageable, for a long while now.

Thanks!

ignoramous avatar Sep 03 '25 04:09 ignoramous

On Tue, Sep 2, 2025, 11:38 PM, ignoramous @.***> wrote:

ignoramous left a comment (celzero/firestack#184) https://github.com/celzero/firestack/issues/184#issuecomment-3247657850


jfdl1991 avatar Sep 07 '25 07:09 jfdl1991