
multiple tunneling blocks internet connection

Open pixincreate opened this issue 1 year ago • 9 comments

coming from https://github.com/celzero/rethink-app/issues/1687

device info:
  - bluejay
  - grapheneos
  - exploit protection compatibility disabled for the app

dns:
  - system dns
  - nextdns from system settings
  - dns booster
  - prevent dns leaks

firewall blocked for:
  - unknown source
  - new apps
  - http
  - domain rules:
    - nextdns domain whitelisted

proxy (wireguard):
  - configs downloaded from protonvpn
  - advanced proxy
  - ipv4
  - 4 tunnels
    - lockdown enabled for 1 tunnel that has 14 apps listed
    - 25 apps
    - 4 apps
    - 5 apps
  - all tunnels have dns servers set to 10.2.0.1 and addresses set to 10.2.0.2/32

network:
  - do not route private ips
  - use all available networks
  - loopback (enabled few mins back)

After a few mins of sleep, the device cannot access the internet and I always get conn_refused. Logs did not help.

pixincreate, Sep 11 '24 14:09

loopback (enabled a few mins back)

Turn it off, for now. It won't improve connectivity problems. In the upcoming version, v055o, we've improved Loopback's implementation and made it more robust.

device cannot access internet

All apps or just the ones routed through the WireGuard VPN?

logs did not help

Checking if you had Very Verbose set in Configure -> Settings -> Log Level?

conn_refused

Where do you see "conn_refused"? At the footer of the bottomsheet that comes up when you tap on entries in Network Log? If so, what's the full message that's shown?

Can you check what the statuses of the active WireGuards are (should be one among: Idle / Failing / Active / Waiting)?

NextDNS from system settings

You mean, Private DNS? Can you turn ON Never proxy DNS in Configure -> DNS and see if things improve?

ignoramous, Sep 11 '24 18:09

Turn it off,

Done.

All apps or just the ones routed through the WireGuard VPN?

All apps seem to be getting affected even though only a limited number of apps are routed through the tunnel. I need to confirm that again.

Checking if you had Very Verbose set in Configure -> Settings -> Log Level?

I can only see the Verbose option. Where are logs stored? Or is it just that the connection of logs is now verbose and I need to use adb logcat?

Where do you see "conn_refused"? At the footer of the bottomsheet that comes up when you tap on entries in Network Log? If so, what's the full message that's shown?

Can you check what the statuses of the active WireGuards are (should be one among: Idle / Failing / Active / Waiting)?

Not exactly "conn_refused"; most of the apps that I open just do not work (chat apps). Other than that, web apps and the browser straight away throw a connection refused or timed out error. WireGuard usually shows Failing for Proxy. Refreshing the page just changes the status to Active.

In addition to that, during multi-tunneling, the app usually says that WireGuard is not working (I do not exactly remember the error message).

You mean, Private DNS? Can you turn ON Never proxy DNS in Configure -> DNS and see if things improve?

Yes, it's turned on. Not helping either.

At the moment of writing this, I've turned off multi-tunneling and am using only 1 endpoint.

pixincreate, Sep 12 '24 02:09

I can only see Verbose option.

In v055n, Configure -> Settings -> Log level must show Very verbose.

Where are logs stored? Or is just that the connection of logs is now verbose and I need to use adb logcat?

Yes, these are standard logs (not stored anywhere except in Kernel's ringbuffer); should show up in logcat. These logs may prove helpful in debugging what you're seeing. I tested with multi-WireGuard (2 Proton tunnels) on my Android and unfortunately don't see the issue you're seeing (but I am also on top-of-the-tree build and not v055n) to debug further.

ignoramous, Sep 12 '24 07:09

In v055n, Configure -> Settings -> Log level must show Very verbose.

Oh wait, I re-installed the app yesterday from GitHub releases (no idea how I ended up installing an older version). I just checked the version and it showed 0.5.5e; I've now downloaded and updated the app again, and it shows 0.5.5n-1-gc4a7ae1. 🤦‍♂️

Will try today, and if the issue persists, will get logcat and update it here.

pixincreate, Sep 12 '24 09:09

cmd:

adb logcat | grep "GoLog" > log.txt

I'm still able to reproduce the issue on 0.5.5n-1-gc4a7ae1. It says the address port is invalid(?):

09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg5 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:56427: i/o timeout
09-14 11:40:51.749 28825 28909 I GoLog   : receive.go:116: V wg:wg5 Failed to receive makeReceiveFn packet: read udp6 [::]:56427: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg3 recvFrom(invalid AddrPort): 0 / err? read udp4 0.0.0.0:52931: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg4 recvFrom(invalid AddrPort): 0 / err? read udp4 0.0.0.0:42859: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg4 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:42859: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg3 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:52931: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg6 recvFrom(invalid AddrPort): 0 / err? read udp4 0.0.0.0:49453: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg6 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:49453: i/o timeout
09-14 11:40:51.749 28825 28909 I GoLog   : receive.go:116: V wg:wg4 Failed to receive makeReceiveFn packet: read udp4 0.0.0.0:42859: i/o timeout
09-14 11:40:51.749 28825 28909 I GoLog   : receive.go:116: V wg:wg4 Failed to receive makeReceiveFn packet: read udp6 [::]:42859: i/o timeout
09-14 11:40:51.750 28825 28909 I GoLog   : receive.go:116: V wg:wg3 Failed to receive makeReceiveFn packet: read udp4 0.0.0.0:52931: i/o timeout
09-14 11:40:51.750 28825 28909 I GoLog   : receive.go:116: V wg:wg6 Failed to receive makeReceiveFn packet: read udp4 0.0.0.0:49453: i/o timeout
09-14 11:40:51.750 28825 28909 I GoLog   : receive.go:116: V wg:wg3 Failed to receive makeReceiveFn packet: read udp6 [::]:52931: i/o timeout
09-14 11:40:51.750 28825 28909 I GoLog   : receive.go:116: V wg:wg6 Failed to receive makeReceiveFn packet: read udp6 [::]:49453: i/o timeout

Logs: log.txt

Not sure if there's any info that is deemed to be sensitive (or PII); please redact it if it exists, as I'm not that good when it comes to networking concepts.

I have, in fact, downloaded 4 configuration files from my VPN provider and routed the apps between these 4 configuration files by splitting them.

And I also have to reboot the device to get the network back in single tunnel (probably dns cache, not sure).

pixincreate, Sep 14 '24 06:09

09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg5 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:56427: i/o timeout

These timeouts are okay and even expected (the WireGuard UDP socket is bound but not connected). Not indicative of any grave failure.

Thanks for the logs. They show that the remote WireGuard Peer (endpoint) is refusing connections forwarded to it. If you're on a free plan, perhaps it expired? If not, check if those configs work in the official WireGuard app?

Also, unrelated but similarly curious issue is that when running multiple WireGuards (Advanced mode) in Rethink, when Peers have 10.x.y.z in their Allowed IPs section, the connections (through the WireGuard tunnel) are slow or drop often: #1700

ignoramous, Sep 18 '24 21:09
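As an added triage helper (not part of this issue thread or of the Rethink project's code), the following Python parses the GoLog lines quoted above and applies the maintainer's reading of them: a read `i/o timeout` on a bound-but-unconnected WireGuard UDP socket is expected idle noise, so those entries are counted per tunnel and set aside, leaving any other bind/receive error for inspection. The regexes, field names and the sample text are assumptions built from the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GoLog lines quoted in the issue (wg3..wg6).
SAMPLE_LOGCAT = """\
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg5 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:56427: i/o timeout
09-14 11:40:51.749 28825 28909 I GoLog   : receive.go:116: V wg:wg5 Failed to receive makeReceiveFn packet: read udp6 [::]:56427: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg3 recvFrom(invalid AddrPort): 0 / err? read udp4 0.0.0.0:52931: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg4 recvFrom(invalid AddrPort): 0 / err? read udp4 0.0.0.0:42859: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg4 recvFrom(invalid AddrPort): 0 / err? read udp6 [::]:42859: i/o timeout
09-14 11:40:51.749 28825 28914 E GoLog   : wgconn.go:418: W wg: bind: wg6 recvFrom(invalid AddrPort): 0 / err? read udp4 0.0.0.0:49453: i/o timeout
09-14 11:40:51.750 28825 28909 I GoLog   : receive.go:116: V wg:wg3 Failed to receive makeReceiveFn packet: read udp4 0.0.0.0:52931: i/o timeout
"""

# Assumed line shapes, derived from the quoted logcat output.
BIND_RE = re.compile(
    r"wgconn\.go:\d+: W wg: bind: (?P<tun>wg\d+) recvFrom\((?P<addr>[^)]*)\): "
    r"(?P<n>\d+) / err\? read (?P<proto>udp[46]) (?P<local>\S+): (?P<err>.+)$"
)
RECV_RE = re.compile(
    r"receive\.go:\d+: V wg:(?P<tun>wg\d+) Failed to receive makeReceiveFn packet: "
    r"read (?P<proto>udp[46]) (?P<local>\S+): (?P<err>.+)$"
)


def parse_line(line):
    """Return a dict for a WireGuard bind/receive GoLog line, or None for any other line."""
    for kind, rx in (("bind", BIND_RE), ("receive", RECV_RE)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            # Local address is "0.0.0.0:port" or "[::]:port"; the port is after the last colon.
            rec["port"] = int(rec["local"].rsplit(":", 1)[1])
            return rec
    return None


def classify(rec):
    """Label a parsed record following the maintainer's explanation in the thread."""
    if rec["err"].endswith("i/o timeout"):
        return "expected-idle-timeout"  # bound but unconnected socket; not a failure
    return "unexpected"


def summarize(text):
    """Per tunnel: the local ports seen and a count of records per classification."""
    summary = defaultdict(lambda: {"ports": set(), "counts": defaultdict(int)})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a WireGuard bind/receive line
        entry = summary[rec["tun"]]
        entry["ports"].add(rec["port"])
        entry["counts"][classify(rec)] += 1
    return {
        tun: {"ports": sorted(v["ports"]), "counts": dict(v["counts"])}
        for tun, v in sorted(summary.items())
    }


def unexpected_errors(text):
    """Only the bind/receive records that are NOT the expected idle timeouts."""
    return [r for r in map(parse_line, text.splitlines()) if r and classify(r) == "unexpected"]


if __name__ == "__main__":
    for tun, info in summarize(SAMPLE_LOGCAT).items():
        print(tun, info)
    print("unexpected:", unexpected_errors(SAMPLE_LOGCAT))
```

Run it over a full `log.txt` captured with the `adb logcat | grep "GoLog"` command from the thread; an empty `unexpected_errors` result means the WireGuard socket lines are all the benign timeouts, and the cause of the outage has to be looked for elsewhere (for instance the remote peer, as the maintainer suggests).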

I'm on the free plan, yes. It was created recently and is known to expire after a year. I'll check this once with WireGuard and confirm if it is my VPN provider who's restricting me from having multiple tunnels.

Also, unrelated but similarly curious issue is that when running multiple WireGuards (Advanced mode) in Rethink, when Peers have 10.x.y.z in their Allowed IPs section, the connections (through the WireGuard tunnel) are slow or drop often: https://github.com/celzero/rethink-app/issues/1700

thanks for notifying me about this.

will revert back in some time.

pixincreate, Sep 19 '24 06:09

[Screenshot attached: Screenshot_20240920-101106]

I guess it is a WireGuard restriction that I can only enable 1 at a time. On RDNS, do I need to modify the VPN proxy to remove the other tunnels and instead have their peers set in only one of the tunnels?

I'm sorry if my questions are too dumb, I'm just unable to understand what's going wrong here.

pixincreate, Sep 20 '24 04:09

I guess it is a WireGuard restriction that I can only enable 1 at a time.

On Rethink, in Advanced mode, two WireGuards must be able to work just fine. I am guessing Proton may be blocking multiple free VPN connections from the same IP; I can't be sure.

On RDNS, do I need to modify the VPN proxy to remove the other tunnels and instead have their peers set in only one of the tunnels?

I don't think changing this would do what you expect it to do, even if it works in the first place (as WireGuard is pretty strict about routing to/from its Peers).

I'm just unable to understand what's going wrong here.

It could be a matter of the recent "credential-less auth" changes by Proton, or it could be a bug with Rethink (but I can confirm that for testing, I've used more than 1 Proton configuration and it had always worked, but now it doesn't, or hasn't for the past few weeks).

ignoramous, Oct 01 '24 20:10