[Thread] dnscrypt-proxy on iOS #42

Open
jedisct1 opened this Issue Jan 27, 2018 · 61 comments

Owner

jedisct1 commented Jan 27, 2018

DNSCloak takes advantage of the DNS proxy provider system introduced in iOS 11 to bring the DNSCrypt protocol to Apple devices. Devices don't have to be jailbroken to install this software.

This is great, but it apparently uses code from dnscrypt-proxy v1, it is not opensource and lacks interesting features such as logging and filtering.

A similar, opensource application for iOS would be terrific!


s-s commented Jan 27, 2018

>>> TestFlight <<<

Have already ported v2 to iOS (since first betas), with filtering and logging. Waiting for stable version to release it. Also requires some testing - if anybody is interested, I may release it under TestFlight.

PS: The lack of features is due to the dynamic nature of plugin loading in v1.


s-s commented Jan 27, 2018

BTW it is not a DNS proxy provider (since that is limited to supervised devices), but a generic packet tunnel. So, it would run on iOS 10 as well, and maybe on iOS 9 (there is three times less memory available for network extensions compared to iOS 10).


Snapy commented Jan 27, 2018

Owner Author

jedisct1 commented Jan 27, 2018

@s-s So, this is using NEKit? This is even better!

I'd love to testflight it.


s-s commented Jan 27, 2018

@jedisct1, no, it is a simple NEPacketTunnelProvider (it is required to run client code in background + setup iOS DNS resolver to that client) + thread wrapper for client + client built as static libs (v1) / framework built with gomobile (v2). I’ll release v2 framework build environment later, so someone may use it for macOS / opensource iOS client.

I’ll try to put v2 into TestFlight tomorrow.

PS: NEKit is great by itself (it is a framework to route traffic through a set of proxies), but it is absolutely not required here. All the “magic” is done with native NEDNSSettings of NetworkExtension framework. I’m very surprised that nobody has ported dnscrypt-proxy to iOS previously.


jamespoore commented Feb 3, 2018

+1 for Testflight. Would be happy to assist with user testing of your app @s-s.

@jedisct1 top work for the v2 implementation, very pleased so far.

Owner Author

jedisct1 commented Feb 3, 2018

Been testing the new DNSCloak for a couple days, and it works really well.

I just had an issue after the installation. "Start" didn't do anything, and I couldn't choose a resolver either. Maybe because I had the previous (non-testflight) version previously installed.

I uninstalled everything and reinstalled the beta. "Start" didn't do anything, which makes sense since no resolver was selected, but still feels a bit confusing. But I could then pick a resolver, hit start, and watch the query log fill itself with queries.


hcarrega commented Feb 7, 2018

Just want to try TestFlight too


s-s commented Feb 8, 2018

@hcarrega, added you to TestFlight, check your email.
@jamespoore, please, send me an email to sergey [dot] smirnov [dot] dev [at] gmail [dot] com - Apple requires an email to send invitation
I'll try to put fresh TestFlight build this weekend - a little busy with work...


hcarrega commented Feb 8, 2018

Thanks ;)

Owner Author

jedisct1 commented Feb 23, 2018

Hi @s-s -- Just to mention that the new version you pushed on Testflight is really good!

It works perfectly. Looking forward to seeing it on the AppStore!

Owner Author

jedisct1 commented Feb 23, 2018

You may want to upgrade the proxy to the latest version though :)

Owner Author

jedisct1 commented Feb 23, 2018

@s-s Just one thing: "filters" should be "no filters": the "filters" label is currently displayed for resolvers that do not filter :)


tmasiff commented Feb 26, 2018

Also want to try if you can. TestFlight:Temadrakula@gmail.com


s-s commented Feb 26, 2018

@jedisct1, thank you for pointing out the filter flag, fixed! :) Also upgraded to the latest version (was short on time on Friday, stuck with a types mess @ gomobile). I'll upload a new TF build soon. As for App Store - I want to implement a couple of things before release - add passcode lock for parental control and move to dnscrypt-proxy managed caches as a source for app's list (as a step toward exposing config editor).

@tmasiff, done, check your email.

Owner Author

jedisct1 commented Feb 26, 2018

Don't rush, I'm gonna upload a new proxy version tonight (just to fix a recently reported bug with DoH servers where IP addresses were not specified).


ghost commented Mar 2, 2018

@jedisct1 AdGuard Pro iOS is opensource, allows inclusion of custom DNScrypt servers & has a wonderful filtering mechanism. TestFlight it & see for yourself.

Owner Author

jedisct1 commented Mar 2, 2018

I bought it, and didn't find any DNSCrypt support in it :(


ghost commented Mar 2, 2018

@s-s I’m in agreement with @jedisct1 regarding the latest TestFlight of DNSCloak - it works quite nicely. I’d like to see a mechanism to include custom DNScrypt servers, however. Also a nice enhancement for the use TCP only rule would be an explanation regarding its usefulness running it over TOR. @mtigas maintains https://GitHub.com/mtigas/OnionBrowser which is the only officially endorsed - by the TOR Project - iOS TOR browser.


ghost commented Mar 2, 2018

@jedisct1 - you’ve got to use the beta via TestFlight. Hop over to the git repo https://github.com/AdguardTeam/AdguardForiOS & let @ameshkov know you’d like to use it.
Edit: Even simpler, here’s the short form to fill out https://docs.google.com/forms/d/e/1FAIpQLSf5JWqO_Qsdri1nwJphse46Qk48YHVyc3IZs1l-XmJ3ff0dDQ/viewform


ameshkov commented Mar 2, 2018

We've just finished with the first implementation that will be released next week, but it is based on dnscrypt-proxy v1. Once it's released, we'll push the code to GH.

Using dnscrypt-proxy v2 is on our roadmap.

@jedisct1 regarding beta test application, I can see yours, gimme a minute:)


s-s commented Mar 2, 2018

@X8716e, custom static resolvers and lists will be available with config editor (will be added a little bit later).
As for Tor, I'll mention it, but keep in mind that Tor and dnscrypt-proxy will not work simultaneously on a (non-jailbroken) iOS device for many reasons, most of them are iOS limits. The only scenario I see is to put a Tor middlebox in front of an iOS device with dnscrypt-proxy. But I'd prefer to move dnscrypt-proxy on that middlebox device in this scenario.
As for OnionBrowser - all (well, there is an exception, but its existence in the App Store is just a matter of time) "Tor browser" implementations on iOS do name resolutions via SOCKS proxy provided by Tor client. Just because they have no other way to customize resolver settings. They just can't use dnscrypt-proxy (proxied to the same Tor client).


tmasiff commented Mar 3, 2018

Thanks )


ghost commented Mar 5, 2018

@s-s Mostly accurate info; however I’m concerned with the dismissal of TCP as useful. It gives the impression to any who know no better that why try to learn anything on the subject since the developer of this proprietary software is saying there’s no need to do so. I wrongly assumed your application was opensource. Why? Because you’re here on GitHub. My mistake, and one that won’t happen again. Regarding running DNSCrypt concurrently with TOR via SOCKS, there are definite ways to go about doing it. Ideally, simply entering & exiting TOR via DNSCrypt & minimising the connection time to your chosen DNSCrypt server is how most would want to use the mix. Other alternatives exist, though they rely a lot on your level of trust in the DNSCrypt provider. As for asking “how”, well, I’m sure you’ll figure it out ;)

EDIT: @jedisct1 Apologies for a convo that should be taking place on the dev’s project page instead of hijacking space on your own. It’s not possible, however, and I’ll respond no further to said dev. Thanks for your understanding

Owner Author

jedisct1 commented Mar 7, 2018

@s-s The release candidate is perfect! Really nice. This makes it by far the best DNS changing tool on mobile platforms.

I just had a case where I was stuck in the settings page. Close didn't do anything, other controls didn't work any more either.
I'm gonna try to find a sequence to reproduce this.


s-s commented Mar 7, 2018

@jedisct1, thank you, but all credits should go to you actually - I’m just wrapping UI around your client.

It seems that I’ve found what you are writing about - stuck due to conflicting modals, I’ll make a relayout to fix this problem and one more with logs modal. So, there would be rc2...

Actually, there is still a lot of work to be done: I want to expose as much as possible of dnscrypt-proxy original features. The next big things should be config editor (it would be simpler to edit a couple of lines than have a complex UI as well as adding custom lists and static resolvers, which in fact are already supported ;), forwarding and cloaking, then blacklists (they may be tricky due to iOS behavior).

As for “proprietary”, of course, you can judge me for that, but I don’t want to produce the hell of “yet-another-cl0kdNs-clone-with-brand-new-unique-created-by-myself-icon-buy-now-for-the-only-$0.99” copies which the App Store is all about (AS review policies just don’t work or work against the original developer). This is frustrating and demotivates a lot. I’m a dev and I want to spend my time on development, not on fighting with copycats. So, choosing between keeping project “proprietary” (in fact - not) or not touching the theme at all I’ve decided to select the first one, at least for the first time. The mentioned Mike’s OB and many other devs that were making opensource projects for iOS got stuck with exactly the same problem.

jedisct1 changed the title from "Help wanted: iOS support" to "[Thread] dnscrypt-proxy on iOS" on Mar 25, 2018

jedisct1 added the announce label and removed the help wanted label on Mar 25, 2018


ameshkov commented Jan 6, 2019

> But to make it available again in the App Store Apple awaits from me an app transfer from my individual account to some company or organization account.

@s-s why is it not viable to register a company account? It'll take some time indeed, but there're no serious risks there.

If you 100% want to avoid messing with a company account, I guess we can try to help you with publishing DNSCloak. You know my Telegram username, we can discuss the details there or in person when I am back to Moscow.


moba commented Jan 6, 2019

Sounds like we might be able to help ( www.techcultivation.org, a non-profit company based in Germany serving as "legal host" for free software projects ). You can find us on OFTC #techcultivation or get in touch via email.


peterlewis commented Jan 6, 2019

It might be worth having a chat with @keeshux as I believe that he was in a similar position with his OpenVPN app, Passepartout.

Repository owner deleted a comment from JonoHaysom Jan 7, 2019


s-s commented Jan 7, 2019

@jedisct1, @ameshkov, @moba, @peterlewis, everyone from Twitter and Reddit - thank you all for your help! I have contacted techcultivation.org and hope that we can make a collaboration.

@jedisct1, IMHO there are two main reasons for such policy changes:

  1. Roots come from China’s VPN regulations. In order to run a VPN service in China one needs a license from their government. This license can be obtained by a (China located) company only (I can be mistaken). Apple first introduced such ASRG changes two years ago, by requiring a company to have all appropriate licenses for all target countries.
  2. Facebook - Cambridge Analytica scandal. App Store has tons of different VPN and proxy apps. A lot of them don’t disclose their data usage/privacy policies (they were optional to provide till iOS 12 release). In fact, an iOS developer (depending on the features used) has up to full access to raw network traffic transferred via his network extension/VPN profile, so it can be used in many ways besides expected data transfer from point A to point B.

I guess Apple as a distributor wants to limit their risks by decreasing the subset of such apps artificially. Also, companies are more comfortable to sue. Just business. IMHO the main problem here is that Apple doesn’t look deep into specific use cases/implementations (I’ve tried to influence it and to talk to their representatives several times over the last two years but without much success). Either it is a secure DNS protocol client, Tor network client, HTTP(S)/SOCKS proxy, local filtering proxy of any form or even some exotics like TCP-over-ICMP (ptunnel) - they are all “VPNs” for Apple, just because you are using the same network extension framework provided by native iOS SDK and have no other options. Even if you have no access to transferred data itself, no backend services and/or making them fully user customizable, you are a VPN service. Duck typing as it is.

@ameshkov, thank you for the proposition! I really appreciate your help! Honestly, I think that our country is not the best option for such organization for many reasons (mostly due to “VPN changes” for 149-FZ in 2017 - you know that this law defines such services too broadly, so almost anything fits it - this may cause various consequences to a company located here). However I believe we are going to meet each other in person sooner or later. :)

@peterlewis, as far as I see Passepartout is available via TestFlight only. TestFlight has a looser review process (in practice only some checks are applied, only the first build within any specific version is checked, then you can push as many builds with any changes but the same version as you want without any review). I’ll try to contact @keeshux, but I guess he is going the same way.


cleanbrowsing commented Jan 8, 2019

@s-s @jedisct1 If we can help in any way, let us know. We have a corporate account and would be happy to help. We love DNSCloak.


tekman8 commented Jan 8, 2019

Thanks for the add to Testflight! Truly missed this fantastic app. :)


Payu96 commented Jan 9, 2019

Is it possible that I get the IPA (to sign the App myself) or a Testflight invitation?
Mail: testflight@payerl.eu

Owner Author

jedisct1 commented Jan 9, 2019

Until this is resolved, it would be nice to keep this thread about how to get the software back to the store, rather than ask the author to send individual copies to everyone. Thanks.


ZonD80 commented Jan 13, 2019

I can provide you access to a European legal entity (we have a corporate account on apple store)
PS: live in Moscow, so we can meet IRL.
You can contact me via telegram with my nickname.


Daou commented Jan 13, 2019

I think going with http://www.techcultivation.org/ is a great option.
If that doesn’t work out I can offer https://www.smal.de which is a software agency owned by me and based in Munich, Germany 🇩🇪
But let’s see, tech cultivation sounds like an ideal place for the app.


moba commented Jan 13, 2019

We have agreed to host it, and are currently waiting for Apple's validation of our account. We even found a spare Apple device to use for their mandatory proprietary 2FA. :)


lancelot-moon commented Jan 19, 2019

Hi, I like DNSCloak.
Why was only DNSCloak taken off from app store?
Sergey's other apps which use VPN API are still on app store if you say that Apple doesn't allow individual developers using VPN API.
ex: AdCloak...


hcarrega commented Jan 19, 2019

ORCloak is off too
Since I trial orcloak I can still subscribe


hcarrega commented Jan 20, 2019

Btw, do people who were previously on TestFlight still continue getting updates?

Owner Author

jedisct1 commented Jan 29, 2019

Any news on this, @s-s @moba ?


moba commented Jan 30, 2019

It took ages to get a verified account, and now we're waiting for Apple to manually transfer ownership from the previous personal account to our company account...


hcarrega commented Feb 5, 2019

Any News?


SirusDoma commented Feb 6, 2019

While waiting for the release, can I have the TestFlight invitation?


hcarrega commented Feb 6, 2019

My TestFlight is expiring in 20 days, I hope in that time the app gets back again


boistordu commented Feb 11, 2019

@moba no news yet from Apple?


moba commented Feb 11, 2019

Not sure about the details, @s-s maybe knows. :)


hcarrega commented Feb 12, 2019

Subscriptions on the ORCloak app from @s-s are valid


s-s commented Feb 16, 2019

DNSCloak is back!

All credit goes to @moba and the team of Center for the Cultivation of Technology (https://www.techcultivation.org/)! Thank you everyone in this thread for your support!

App link: https://itunes.apple.com/app/id1452162351
TestFlight: TestFlight is available via public link: https:// testflight [dot] apple [dot] com [slash] join [slash] RlMeZBo7

Why new app?

Apple is unable (technically) to make an app transfer from one account to another due to the presence of iCloud entitlement. It is required to present file picker dialog for black/white/etc-lists (please, don't ask me why it is required for a read-only access for a system-provided dialog). So, the only way was to submit it as a new app with a new bundle ID. You may migrate to a new app yourself only.

What is a changelog for 2.2.0?

Since App Store doesn't provide changes information for the initial build: 2.2.0 contains all changes that were present in the latest TestFlight build:

  1. Latest dnscrypt-proxy 2.0.19 (8377d49 for 2.2.0);
  2. TLS 1.3 support (2.2.0 was built using latest Go 1.12rc1);
  3. Strict mode - replace some negative responses to override iOS behavior to fallback to a system resolver. Should prevent leaks in case of failing/rate-limiting resolvers. Also will retry query in case of resolver errors. Enabled by default, can be toggled in Advanced settings.
  4. Toggleable ip/black/whitelist logs;
  5. Confirmation dialog for launch with empty "server_names" (aka "Why it takes so long to connect?" issue);
  6. Filter toggle to display selected resolvers only (near search input);
  7. Minor internal improvements: additional log messages, IPv6 handling.

hcarrega commented Feb 16, 2019

Any news on ORCloak @s-s ?


s-s commented Feb 16, 2019

@hcarrega, I would suggest to avoid discussing ORCloak here, as the thread is for dnscrypt-proxy, not Tor.

Offtopic about ORCloak

Same story as DNSCloak. Both apps were unpublished at the same time. Don't ask me why and why only these two - only Apple knows, they give me no comments and are ignoring communications with me on this subject. :) That was a surprise for me too. ORCloak is still available for download from your previous downloads in the App Store, its subscriptions are still working, since the app is not removed. Will it return to the App Store? I doubt it, at least not in the near future. Let's say it is too cool for the App Store, only a few people had appreciated how efficient it is. Currently I'm trying to make a yet-another-Tor-powered-browser... but based on WebKit. It would be very funny if Apple will pass it to the App Store. Still waiting for UIWebView complete removal and curious why no one cares about it.