shadowsocks-iOS
Use iOS VPN API
Since iOS 4.2, a VPN API has been added. This API is used by Cisco AnyConnect and some other apps from big companies. A few years later, OpenVPN added such support. This API can be easily reversed. Actually, I had created an OpenVPN client before the official client went to the App Store; I didn't submit it to the App Store because I do not think Apple would allow me to use this private API. To use this API, you will have to create a vpnplugin. iOS will create a sandbox env for this bundle; your app can still talk to the plugin to pass configurations to it. When the user turns on a VPN of your kind in Preferences, the bundle will be launched to provide VPN service. Your bundle can keep running all the time unless the user disconnects it. By the way, this API is IP packet based.
If using this API won't let Apple approve this app, it makes no difference.
Why not have a try? shadowsocks is a VPN app, no different from AnyConnect or OpenVPN.
OpenVPN thought they could not get such API details from Apple. Now their app is on the App Store.
Best regards, Eric
AirBlue Sharing Frequently asked questions: http://www.if0rce.com/en/2011/11/06/airsharing-f-a-q/
iBluever Frequently asked questions: http://www.if0rce.com/en/2010/12/29/ibluever-f-a-q/
iBluever W/ OnDemand Configuration Guide Lines: http://www.if0rce.com/en/2011/06/05/ibluever-w-ondemand-configuration-guide-lines/
AirBlue Sharing Frequently asked questions (Chinese): http://www.if0rce.com/2011/10/26/airblue-sharing-使用方法及常见问题/
iBluever Frequently asked questions (Chinese): http://www.if0rce.com/2010/12/29/有关-ibluever-的常见问题/
iBluever W/ OnDemand Configuration Guide (Chinese): http://www.if0rce.com/2011/06/02/ibluever-w-ondemand-配置指导/
Cydia Store UnionPay card payment tutorial: http://jbguide.me/2012/04/09/buy-tweaks-via-yinlian-for-video/
On Sun, Feb 16, 2014 at 9:03 AM, clowwindy wrote:
> If using this API won't let Apple approve this app, it makes no difference.
Shadowsocks is a socks5 proxy. We have to create a VPN adapter first. Since you're familiar with the private VPN API, maybe you can send me a pull request?
So are you going to implement this packet based vpn layer in shadowsocks or only in the iOS app?
Thanks, Eric Day
On Monday, February 17, 2014 at 11:53 AM, clowwindy wrote:
> Shadowsocks is a socks5 proxy. We have to create a VPN adapter first. Since you're familiar with the private VPN API, maybe you can send me a pull request?
Only in the iOS app.
@Smartype We're using VPNService and tun2socks (badvpn) to implement the VPN mode of shadowsocks-android. You can get more details from here https://github.com/shadowsocks/shadowsocks-android/tree/master/src/main/jni/badvpn/tun2socks
Hello, I read here: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Help that there is some commented code in the source code of the shadowsocks-iOS app. Thus the app can keep running all the time. But this prevents us from getting approved on the App Store. You have to build the app for yourself, and use the app yourself.
Could anybody help me with how I could edit this app so that use is unlimited for myself? I need it very, very much, thanks.
It seems that only after signing an NDA, Apple will approve an app using the vpnplugin API. https://forums.openvpn.net/topic12800.html
I thought openvpn is GPL licensed, which does not allow adding App Store protection. So I did not submit it to the App Store. Even though OpenVPN is now in the App Store, it still looks illegal.
- open source license requires the source to be open
- Apple NDA does not allow
It is not worth the effort to implement the vpnplugin in shadowsocks. And I don't like the badvpn implementation personally.
Ok, I guess I will submit the vpnplugin API to GitHub. If someone is interested in this and does not hate badvpn, he/she can implement this.
As I reversed the interface, it is not limited by the silly NDA, right? :)
Have a good day!
Best regards, Eric
On Sat, Mar 1, 2014 at 3:21 AM, clowwindy wrote:
> It seems that only after signing an NDA, Apple will approve an app using the vpnplugin API.
> https://forums.openvpn.net/topic12800.html
While we can't distribute this app via App Store, we can still build the app for our own devices. I still want to have a try.
Thanks for the effort you made for reversing the API.
Here it is https://github.com/Smartype/iOS_VPNPlugIn
Thanks, Eric Day
On Sunday, March 2, 2014 at 11:25 AM, clowwindy wrote:
> While we can't distribute this app via App Store, we can still build the app for our own devices. I still want to have a try. Thanks for the effort you made for reversing the API.
Many thanks!
There are two known implementations to look at (for reverse engineering purposes). Cisco AnyConnect and OpenVPN Connect.
To quote a post on the OpenVPN forums:
> the open-source of the OpenVPN Connect sourcecode can be found on the internet (code.google.com) ; there is also a closed-source portion that is NOT freely available. This is the interesting part, of course, for which OpenVPN Inc had to sign an NDA.
> OpenVPN is not bound to the GPL - the community edition of the software is, but this is a completely new implementation in C++ that is NOT bound to the GPL per se.
The vpnplugin bundle sits in the same directory as the app, which is the Payload directory in an IPA. The app requires the com.apple.networking.vpn.configuration entitlement to use the VPN configuration functions. I want to begin an open source implementation to get Tor support on unjailbroken devices. Right now I am working on getting Xcode to bundle the vpnplugin so that I can click Build & Run and install on my device.
Updates:
- The entitlement requirement kills any hope of installing these IPA packages on an un-jailbroken device, even with an enterprise certificate. Installing "AppSync" or similar from Cydia patches `installd` to allow anything to be installed.
- Overriding `CODE_SIGNING_ALLOWED` and `RESOURCE_RULES_REQUIRED` to `YES` in an Xcode bundle target will tell Xcode to codesign the bundle for you.
- The iOS SDK utility `PackageApplication` supports a `-plugin` argument, allowing you to add a `vpnplugin` bundle into an IPA. You cannot "Build & Run" from Xcode, but you can compile both, package them up, and install the IPA through Xcode Organizer pretty fast.
I now have a plugin bundle loading and "working" (setting status to enabled), but I have not been able to redirect traffic just yet.
If you still want to get this working, I can add more comments for you. It is really straightforward. I once created a fully working openvpn client.
This won't get shadowsocks approved by Apple. But this is much better than "playing silent audio", which is a really dirty hack.
Best regards, Eric
On Tue, May 13, 2014 at 5:04 AM, Conrad Kramer wrote:
> Updates:
> - The entitlement requirement kills any hope of installing these IPA packages on an un-jailbroken device, even with an enterprise certificate. Installing "AppSync" or similar from Cydia patches `installd` to allow anything to be installed.
> - Overriding `CODE_SIGNING_ALLOWED` and `RESOURCE_RULES_REQUIRED` to `YES` in an Xcode bundle target will tell Xcode to codesign the bundle for you.
> - The iOS SDK utility `PackageApplication` supports a `-plugin` argument, allowing you to add a `vpnplugin` bundle into an IPA. You cannot "Build & Run" from Xcode, but you can compile both, package them up, and install the IPA through Xcode Organizer pretty fast.
>
> I now have a plugin bundle loading and "working" (setting status to enabled), but I have not been able to redirect traffic just yet.
I understand the configuration and loading process (most of the functions), just not the actual traffic redirection part.
Would you be able to post the old OpenVPN client for sample code? I'd love to see a sample implementation of the exported APIs.
I have added some example files.
When your plugin is launched by the vpnagent, Plugin_VPNTunnelInit will be called. The settings dict includes TunnelSocket, this is the socket fd created for you. Read it to get ipv4 packets from apps. Then write ipv4 packets from vpn to this fd.
Even if it only keeps the app running in the background, it can be really awesome.
Don't use the 99$ developer license; use the 299$ iOS Development Enterprise Program. This license doesn't need submission to the App Store; apps are downloaded and installed through the web.
Which framework provides the implementations for the files in the iOSVPNPlugin.h header?
I guess it is SystemConfiguration.
I suggest you grep the functions in Frameworks and PrivateFrameworks.
Best regards, Eric
On Fri, May 16, 2014 at 11:46 PM, Jeff Wofford wrote:
> Which framework provides the implementations for the files in the iOSVPNPlugin.h header?
@fudingyu, you cannot install a custom VPN plugin even with an enterprise license. The entitlement requirement makes this require a jailbreak.
@Smartype, the example you posted doesn't do anything with the tunnel FD. Do you have to wait for and accept new connections on it?
@conradev I tried it; indeed, it cannot be used.
It is an fd to a utun device. Try ifconfig and you will see it.
Before you can see any data on that device, you will have to publish a network service which overwrites the default route. My examples should have implemented such functions; just call them when you have successfully established the VPN tunnel.
Then try select/cfsocket/kevent on it to see if there are any datagrams. You will find that they are ipv4 packets; forward them with your VPN connection.
You can play with openvpn or something else first to understand the tun device and VPN details.
The iOS VPN plugin provides the utun interface and other APIs for you to override the default route. What you have to do is encrypt IP packets and transfer them to and from the VPN server.
Best regards, Eric
On Mon, May 19, 2014 at 12:41 AM, Conrad Kramer wrote:
> @fudingyu, you cannot install a custom VPN plugin even with an enterprise license. The entitlement requirement makes this require a jailbreak.
> @Smartype, the example you posted doesn't do anything with the tunnel FD. Do you have to wait for and accept new connections on it?
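The replies above describe the tunnel descriptor passed to `Plugin_VPNTunnelInit` as delivering raw IPv4 packets that the plugin forwards over its VPN connection. As an added example (not code from this thread or from the iOS_VPNPlugIn repository), this is one way to sanity-check a datagram read from that fd before forwarding it. It assumes each read returns one datagram starting at the IPv4 header; `validate_ipv4`, `ipv4_payload_len`, the result codes and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (illustrative names, not from the plugin header). */
enum { PKT_OK, PKT_SHORT, PKT_NOT_V4, PKT_BAD_IHL, PKT_BAD_LEN, PKT_BAD_SUM };

/* One's-complement sum of the header; a valid header folds to 0xFFFF. */
static uint16_t header_sum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Validate n bytes read from the tunnel fd (assumed: one datagram, starting
   at the IPv4 header). On PKT_OK, reports payload offset and total length. */
int validate_ipv4(const uint8_t *buf, size_t n, size_t *off, size_t *tot) {
    if (n < 20) return PKT_SHORT;                 /* no room for a header */
    if ((buf[0] >> 4) != 4) return PKT_NOT_V4;    /* version nibble */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;     /* header length in bytes */
    if (ihl < 20 || ihl > n) return PKT_BAD_IHL;
    size_t len = (size_t)buf[2] << 8 | buf[3];    /* total length field */
    if (len < ihl || len > n) return PKT_BAD_LEN; /* never trust it past n */
    if (header_sum(buf, ihl) != 0xFFFF) return PKT_BAD_SUM;
    *off = ihl;
    *tot = len;
    return PKT_OK;
}

/* Payload length of a valid packet, or -1 if validation fails. */
long ipv4_payload_len(const uint8_t *buf, size_t n) {
    size_t off, tot;
    return validate_ipv4(buf, n, &off, &tot) == PKT_OK ? (long)(tot - off) : -1;
}

/* Constructed sample: 10.0.0.2 -> 10.0.0.1, UDP, 20-byte header + 8 bytes. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x26, 0xcf,
    0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00, 0x00, 0x01,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00,
};

int main(void) {
    printf("payload bytes: %ld\n", ipv4_payload_len(sample_pkt, sizeof sample_pkt));
    return 0;
}
```

Checking the total-length field against the number of bytes actually read keeps a malformed datagram from steering the forwarding code past the end of its buffer.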
@Smartype Thanks for providing the example code. I've been working with it to build a VPN Plugin, and I find that something is missing (or I'm missing something). I'm able to package the vpn plugin bundle along with an app in an IPA, and I believe I'm setting the correct entitlements because the vpn plugin is being installed with the app. But calling VPNConfigurationConnectionStart() only gives the console output: VPNConfigurationConnectionStart() failed: The operation couldn’t be completed. (com.apple.SystemConfiguration error 5001 - Network service for connection not available. Any thoughts on what I might have missed?
Can anyone tell me how to use the openvpn plugin in an iOS project? I downloaded the repo but no xcodeconfig file is present. Any guidelines on how to compile it, please? A few files are missing, I guess.
@Smartype Would you please share more detail about iOS_VPNPlugin? Seems there're some missing required files like VPNPluginMsgTypes.h. If no detail or missing files provided, it will be pretty hard to implement.
Ignore it. That’s where you define your app msg.
```c
#include <stdint.h> /* int32_t */

/* App-defined message types passed between the app and the plugin. */
enum {
    AppleVPN_MessageType_Invalid = 0,
    AppleVPN_MessageType_Syn,
    AppleVPN_MessageType_Ack,
    AppleVPN_MessageType_CreateFile,
    AppleVPN_MessageType_CreateFileDone,
    AppleVPN_MessageType_Option,
    AppleVPN_MessageType_OpenVPN_Log,
};

typedef int32_t AppleVPN_MessageType;
```
On Jul 7, 2014, at 7:44 PM, Kun wrote:
> VPNPluginMsgTypes.h
@Smartype OK, thanks!