ukanth
LAN and Tor
Please separate LAN/VPN and Tor control for apps. If LAN/VPN and Tor is allowed for app and Orbot is down then no access to devices over LAN/VPN.
This is intentional so Tor won't leak traffic from/to your local network. Every Tor application I've used denies access to your local network. Is there a use case where this should be changed?
This is intentional so Tor won't leak traffic from/to your local network.
But the same can be said for VPN. But all remained still for VPN interface. Earlier the checkboxes for all network interfaces have been divided. Why invent other behavior?
It is inconsistent, yes. I did it this way is because I don't know much about Android GUI design and didn't want to over complicate the feature addition.
It is inconsistent, yes
This behavior needs to change. Let each checkbox control its network interface separately.
How would the user indicate they want all traffic to be Torified?
If only Tor checkbox is enabled then traffic goes only through Tor. Just like with VPN. If Tor and other chechboxes are enabled then traffic goes through Tor when Tor client is enabled or through other active enabled network interfaces when Tor client is disabled.
How do we tell if the Tor client is enabled or disabled?
Add the option to define Tor client address. By default 127.0.0.1:9040 or 127.0.0.1:9050.
Does Orbot give a notification?
Why get attached to Orbot? Tor client may be a binary file tor. The main thing is a binding address of tor client.
AFWall has to get notified that Tor is up or down from somewhere
By checking the binding address.
You don't have to add a new checking necessary. How is it checked now? For now you'll just separate checkboxes.
Then don't check anything :) If only Tor checkbox is enabled then traffic goes only through Tor.
But then won't that mean if you check LAN and Tor, traffic won't be redirected to Tor? That sounds dangerous if you expect the Tor checkbox to always redirect.
Ignoring the Tor checkbox, AFWall lists destinations that traffic can go. Destinations checked are allowed through, destinations unchecked are blocked. The Tor checkbox redirects the allowed traffic. So right now you would let an application go through WiFi and Tor to have it Tor traffic on WiFi and block everything else.
Changing this so that if Tor isn't running the application will mean people's firewalls will now open if Tor is disabled rather than block connections. Adding an option in the settings to let traffic through when Tor is down would work and preserve existing behavior.
For extra safety I'd like this to somehow be tied to how Orbot is configured- not just if Tor is down but whether it's disabled or enabled. That way if a bad guy somehow kills Tor connections it won't bypass while Orbot is reconnecting.
@ukanth: Any thoughts? I could be up for implementing this.
But then won't that mean if you check LAN and Tor, traffic won't be redirected to Tor?
Well. If Tor checkbox is enabled then traffic is redirected to Tor always. Until you can add the necessary checks.
Now we have to check a few checkboxes for Tor. And if Tor checkbox was disabled then we can forget to remove other checkboxes and traffic redirects through other network interfaces. This is dangerous too.
That way if a bad guy somehow kills Tor connections it won't bypass while Orbot is reconnecting.
The same can be said about VPN too. But if VPN is reconnecting and other network interfaces are enabled for app then app traffic would be redirected to other enabled network interfaces.