celzero
v055l (F-Droid): Connection of Fritz apps interrupts / Unstable WireGuard connection
Since v055l the Fritz app tells me "An error occurred" after opening and the Fritz Fon app always loses the connection (telephony inactive) or tells me it's connected to the guest-wifi, but this is disabled or "Fritzbox not reachable". Sometimes the connection is ok. After opening the Fritzbox configuration page via browser it starts to load and the content is visible, then it stops with message "Error: connection broken", this happens on 2 devices with v055l, no matter if the Fritz apps are tunneled through Wireguard or not. On a device with v055j no problems with the Fritz app and the Fritz configuration page opens normally, but the Fritz Fon app isn't able to find the Fritzbox, even not when typing in the IP address manually, also not in v055l. On a Linux Mint laptop the Fritzbox configuration page also opens normally, the issue is definitely caused by v055l. There where no updates of the Fritz apps in between. All happens in home or mobile network, it seems that the Wireguard connection to the Fritzbox sometimes isn't recognised as a home network connection. I tried to change several DND and network options in RethinkDNS, no solution.
We don't have a Fritz Box. Can you please see if you can email us (mz at celzero dot com) logs exactly as this issue happens? Make sure to put Rethink in Very Verbose from Configure -> Settings -> Log level.
# note the current size; the default is usually 256kb
adb logcat -g
# increase log buffer size to 16mb
adb logcat -G 16M
# see if it switched to 16mb
adb logcat -g
# now, at some later time, when fritz-box does not work, capture logs
# make sure Rethink is at "Very Verbose" in Configure -> Settings -> Log level
# capture logs
# ref: https://www.xda-developers.com/how-to-take-logs-android/
adb logcat > /path/to/file
# compress with gzip
# the command below creates /path/to/file.gz
gzip -k /path/to/file
# email mz at celzero dot com
# and mention this GitHub issue
We don't have a Fritz Box. Can you please see if you can email us (
mzatcelzerodotcom) logs exactly as this issue happens? Make sure to put Rethink in Very Verbose from Configure -> Settings -> Log level.
It's much easier for me to capture logs directly on the device via the Logcat Reader app from F-Droid, wouldn't this be enough for you? Here is a screenshot with the actual settings, should I change something before capturing?
Thank you!
screenshot
img0:
device via the Logcat Reader app from F-Droid, wouldn't this be enough for you
I doubt it can change logcat buffer size to 16mb, though?
Let's try. Hopefully, Logcat Reader is up to its job.
Another user here. I can reproduce the issue with the FritzBox configuration page in the browser. It appeared with the recent update from f-droid v0.5.5l
If the Logcat Reader output doesn't reveal enough for debugging, then please let me know, I can try to retrieve the log via adb as described.
Furthermore I discovered that this issue with the interrupted loading of the config webpage disappears, when I'm in local WiFi + not using the app's WireGuard Proxy + choosing Rethink's "DNS Only" mode (i.e. deactivating the firewall).
Yet, my Rethink firewall had no universal rule, no app specific rules, only a list of IMO unrelated domain rules set up in the firewall. From the latter all were allowing rules, to bypass some RethinkDNS filter blocks, only one is a blocking rule, but for "locationhistory-pa.googleapis.com".
Another user here. I can reproduce the issue with the FritzBox configuration page in the browser.
Ah, thank you, so I am not alone.
Furthermore I discovered that this issue with the interrupted loading of the config webpage disappears, when I'm in local WiFi + not using the app's WireGuard Proxy + choosing Rethink's "DNS Only" mode (i.e. deactivating the firewall).
On my mobile phone the Fritz apps are tunnelled through Wireguard in lockdown mode, on my tablet not, the config page loading interruption and the unspecified "An error occurred" in the Fritz app happen on both devices. The only firewall rule I have set is "Block when DNS is bypassed".
The Fritz Fon App is successfully connected for a while now, but ongoing in between the connection is lost or connected to the imaginary guest network (Wi-Fi). The connection is most stable with the option "Never proxy DNS" set to on.
Remove fritz.box (domain name) from WireGuard config's Peer endpoint if there's an IPv4 address already in the config and see if things work? If there's both IPv6 and IPv4 addresses, then remove the IPv6 address as well (along with the domain name).
- #1483
Remove
fritz.box(domain name) from WireGuard config's Peer endpoint if there's an IPv4 address already in the config and see if things work? If there's both IPv6 and IPv4 addresses, then remove the IPv6 address as well (along with the domain name).
Unfortunately this doesn't help. There is only an IPv4 entry and it doesn't matter if I remove the additional "fritz.box" entry or not. I also tried to switch back the Fritzbox and Rethink to IPv4-only mode and restarted all, problem still persists (and also on devices without Wireguard).
I also tried to switch back the Fritzbox and Rethink to IPv4-only mode and restarted all, problem still persists (and also on devices without Wireguard).
Gotcha. We're working on multiple fixes that seem related to what you're seeing. When the new version is out, hopefully, this issue is also gone.
That said, if you can capture (Configure -> Settings -> Log Level -> Very Verbose) logs from immediately the time this happens, I'd appreciate that as well.
Gotcha. We're working on multiple fixes that seem related to what you're seeing. When the new version is out, hopefully, this issue is also gone.
Great to hear, thank you!
That said, if you can capture (Configure -> Settings -> Log Level -> Very Verbose) logs from immediately the time this happens, I'd appreciate that as well.
Just sent to the known email address.
Meanwhile I went back to v055j. The Fritz app here shows a successful connection to the home network (in WiFi and mobile network via Wireguard), the Fritzbox config page loads fully and without interruption in the browser, but sometimes via (in this case correct) the Fritzbox's home IP (192.168. ...) and sometimes via the personal public address (... .myfritz.net), what should never happen in the home network. I suspect Rethink sometimes doesn't recognise correctly that it is connected to the WiFi home network and this also might be the reason for the connection problems of the Fritz Fon app. Additionally there is the very unstable Wireguard connection and here is an urgent need of a stable option to bypass Wireguard in the home network, I think.
No criticism, just wanted to report my experiences. I'm very patient again. Thanks!
Thanks.
Know that we are working on stability for quite a few versions now. And hopefully, in not so distant future, these investments will pay up.
WireGuard really has not been as easy to support as I first imagined. While hardware/software like Fritz have their own quirks and it isn't always clear why it does what it does (esp, since we don't own one, to be able to test things).
Additionally there is the very unstable Wireguard connection and here is an urgent need of a stable option to bypass Wireguard in the home network, I think.
This requires location permission, but it is something we want to do once we get other important/priority issues out of the way.
Ex:
- #1130
- #1294
Issue still persists in v055n (F-Droid)
Unfortunately, we are shooting in the dark trying to fix this issue with no access to fritzbox. Can you please resend them for v055n? We are going to make sharing debug/verbose logs easier in v055o (ie, adb logcat wouldn't be required).
From the logs you did share before, we did fix the errors we saw in them.
Just wanted to tell.
On my mobile phone I'll stay with v055a, the most reliable version for a stable connection of the Fritz Fon app via Wireguard, on my tablet I'll stay on v055j, the last version with working access to the Fritzbox configuration page via Browser. On another tablet (test device) I try out the latest releases.
I think more logcats wouldn't make sense as they seem to show up no differences to the log just sent?. Maybe in the future the issue is solved "by magic" and if not, no problem for me as I stay with the aforementioned versions.
think more logcats wouldn't make sense as they seem to show up no differences to the log just sent
In each new version we add more debug logs for issues we fix, and change a bunch of things, so the logs do make a difference.
Ah, thank you, that's something I didn't know!
Another still unanswered question, are the logs from the "Logcat Reader" app enough or are logs via ADB more useful?
Another still unanswered question, are the logs from the "Logcat Reader" app
Someone shared logs from LogFox, and it was enough because their phone was either rooted or LogFox used device admin (one of Shizuku / adb) capabilities to read logs of other apps: https://github.com/celzero/rethink-app/issues/1513#issuecomment-2149715248
Hopefully, in v055o this entire business of capturing logs with external tools isn't required for debugging cases like these (using the custom log capture tool we are implementing).
Ok, just recorded a log using Logfox and sent it zipped as an additional attachment to an error report email to hello@... . My Phone isn't rooted and I don't know how this Shizuku stuff works, so recording in Logfox happened only via the internal ADB permission.
From the logs that were sent and additional observation shared over email by @Kamika242 (that Rethink might be re-connecting too soon and that this issue started happening after v055f, a version since which we started refactoring how we handle TCP on port 443 ie HTTPS connections), ~~I think we've found the bug (though we can't be sure until we re-test the next version, v055o due in 2 days or so, with FritzBox): https://github.com/celzero/firestack/commit/f68de7c5f4f0c936fa7c65bedaf197040030b085~~ (edit: on a second though... may be not)...
I too have the issue of a FritzBox config website becoming unusable when trying to access it through the rethinkdns firewalled connection, starting at version 0.5.5k up until the most recent release.
Trying to access the page using curl shows a part of the site coming through before seeing a (56) connection reset by peer error. On version 0.5.5j, the issue does not exist.
Notably, this also affects a TP-Link RE365 WiFi repeater config page, and seemingly also an app called "Baby Tracker" (com.nighp.babytracker_android) which can't sync with its cloud service starting at 0.5.5k.
Are you still interested in logcat output at this time?
and seemingly also an app called "Baby Tracker" (
com.nighp.babytracker_android) which can't sync with its cloud service starting at 0.5.5k.
I had a similar problem with the HEOS app for Denon/Marantz, when RethinkDNS is installed and active, the app doesn't find the Fritz mediaserver and the HEOS speakers in my home network anymore, no solution by whatever I tried. For a long time I thought the problem was the HEOS app itself after an update in the past, but completely without RethinkDNS everything works fine. RethinkDNS also horribly slows down the transmission speed, I only realised this when I wanted to download something from the Fritz.NAS to my tablet. A speedtest told me, that my devices only download with 20mbit and upload with 14mbit, without RethinkDNS my old and beloved Oppo Reno2 phone makes 500mbit/50mbit, the full bandwidth of my internet connection and my Samsung Galaxy Tab A9+ makes 300mbit/50mbit, limited by the devices network adapter and the transmission speed to FRITZ.NAS now is also fine again.
Because of these drastic cuts (additionally to the Fritzbox configuration page problem) I don't use RethinkDNS anymore, unfortunately.
(additionally to the Fritzbox configuration page problem)
Hopefully the fixes in the network engine that we did, must have fixed the problem with FritzBox's configuration webpage. I can't be sure, as I don't have a FritzBox handy to test. If you're okay, I can email you the debug/test v055o version?
my devices only download with 20mbit and upload with 14mbit, without RethinkDNS my old and beloved Oppo Reno2 phone makes 500mbit/50mbit, the full bandwidth of my internet connection and my Samsung Galaxy Tab A9+ makes 300mbit/50mbit
I am not surprised that adding a software firewall like Rethink reduces Rx/Tx (receive/transmit) bandwidth. Not sure what's going on your network, but Rethink on my Android can hit 80mbps up/down, which I think is decent (: Note that, on more powerful Androids, Rethink may be able to do much more than 80mbps (as the "software firewall" may run faster than it does on lesser Androids).
If you're okay, I can email you the debug/test
v055oversion?
This would be great, do yo still have my email address? I won't publish it here for public.
I am not surprised that adding a software firewall like Rethink reduces Rx/Tx (receive/transmit) bandwidth.
That's clear and I would deal with 100mbit less of 500mbit, but not a reduction from 500mbit to 20mbit. As an example, the upload speed of the Signal messenger database via Foldersync to my NAS is 7MB/s under RethinkDNS and 65MB/s without RethinkDNS, thats a huge difference and I don't believe that my Oppo is simply too weak to handle RethinkDNS.
And there is an urgent need of changing RethinkDNSs behaviour in the home network, so that apps like HEOS work flawless.
Hopefully the fixes in the network engine that we did, must have fixed the problem with FritzBox's configuration webpage. I can't be sure, as I don't have a FritzBox handy to test. If you're okay, I can email you the debug/test
v055oversion?
@ignoramous As I have a FritzBox, plus other services and (seemingly) an app that are affected, I'd be happy to test as well, in case it could be helpful. I'm familiar with ADB.
You can find contact info on the webpage linked on my profile.
This would be great, do yo still have my email address? I won't publish it here for public. You can find contact info on the webpage linked on my profile.
Thanks, both of you. The current version us developers are using has paid feature integration which we need to remove before we can send it across(or you folks would get access to paid features for free ;). Give us a few more days while we clean all that up, please.
@Kamika242, @@crhbetz You can download the debug build from the link below to test.
Let us know if this fixes the issue.
You can download the debug build from the link below to test.
A word of caution: You'll have to uninstall the current version (and backup+restore also may not work). And you'll not be able to update from this debug variant ever. And so, it is better to install in a secondary user or work profile (if using Shelter/Island etc) or private space (if you're on Android 15+) or another Android device altogether.
With the debug build, I can use the FritzBox web interface etc. again through the rethink vpn. The issue seems to be fixed.
Note: I'm unable to use my valid wireguard profile in the debug build, but the issue in the latest official version exists regardless of wireguard connection, so this should not be relevant.
With the debug build, I can use the FritzBox web interface etc. again through the rethink vpn.
Relief. Thanks for confirming.
I'm unable to use my valid wireguard profile
Is there another open bug on this? If not, if you can share the config (don't forget to remove your private key), we can see what's going wrong.
I'm unable to use my valid wireguard profile
Is there another open bug on this? If not, if you can share the config (don't forget to remove your private key), we can see what's going wrong.
No, this is exclusive to the debug build. I guess there's something wrong there. It has two wireguard configs pre-set which are unusable but also can't be deleted and my valid one (working in all releases I tried) does not connect.
I don't have access to my test phone right now, I'll get more info on it when I can.
Update: There are two configs "WARP" and "SEC_WARP". They can't be activated, when I click on them a popup "Wireguard - invalid WireGuard configuration" apprears, with the buttons "delete" and "ok". Neither does anything, I can't edit or delete them. When I add my own, it does not connect.
To me this kinda looks like some sort of leftover from your development process? I don't think this is an actual issue. I just wanted to say: I can't confirm FritzBox etc also work with an active Wireguard tunnel because I can't activate mine.