Skip to content
This repository has been archived by the owner on Jun 13, 2023. It is now read-only.
/ orplug Public archive

Android firewall with per-app Tor circuit isolation

License

Notifications You must be signed in to change notification settings

rustybird/orplug

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

orplug, an Android firewall with per-app Tor circuit isolation

Not affiliated with the Tor Project.


    Short intro

- No GUI, please write one ;)
- Default deny pretty much everything. Combinable access policies for
  individual apps, whole Android user accounts, etc.: transparent
  torification (circuit-isolated per app), fenced off access to Socks/
  Polipo, LAN access, clearnet access
- Multi user account support
- Doesn't leak IPv6 traffic
- Clean DNS, but requires three small ROM patches
- Logs blocked DNS queries and blocked other packets
- Input firewall allows sshd by default
- Should work with enforcing SELinux
- Includes the "--state INVALID" transproxy leak fix[1]
- Tested on Android 7.1.1 (Nougat)


    Longer intro

Really no GUI, unfortunately I don't have any talent for that. There's a
simple plain text configuration format[2] though, and the command line
"orplug-reconf" script could work as a backend to a graphical app. (It
accepts stdin as well as files for configuration.)

Unconfigured processes may only communicate with localhost and the
loopback interface. You can configure an individual app, a Unix user/
group, or an Android account:

  - to be transparently torified, with circuit isolation per rule
  - to be allowed access to local TCP ports 9050/8118 for native Orbot
    support
  - to be allowed LAN access (except DNS)
  - to be allowed full clearnet access

All of the above can be combined: Transparently torify a VoIP app as
far as possible, but allow clearnet access for the remainder (UDP voice
packets). Or, for a home media streaming app: transparent torification
with LAN access.

Rules can apply to the primary Android device user account or to other
accounts.

For incoming traffic, every port is blocked to the outside by default.
But a hook loads files with raw ip(6)tables-restore rulesets, and one
such ruleset allows TCP port 22 (sshd).


    The DNS mess

Android 4.3+ mixes DNS requests of all apps together by default[3]; when
a request finally appears in Netfilter, it's unknown where it came from.
orplug takes a strict approach, so it needs a ROM patched[4] to separate
DNS queries. DNS will not work at all without these patches!

Disallowed DNS requests are blocked by sending them to a local dnsmasq
instance that only logs queries (logcat | grep dnsmasq), but doesn't
forward them. This is how I noticed that CM13 with "everything disabled"
nevertheless attempts to connect to the hosts stats.cyanogenmod.org,
account.cyngn.com, and shopvac.cyngn.com. (Via UID 1000, in this case
the Settings package.)


    Captive portals

Enable clearnet access for either UID 1000 (beware of the random stuff
apparently floating around there), or for a dedicated browser (and run
"settings put global captive_portal_detection_enabled 0" as root).


    Installation

0. Set up some independent way to check for leaks, e.g. corridor[5].
   You've been warned...
1. Copy the orplug subdirectory to /data/local/ on your Android device
   and run "chmod 755 /data/local/orplug/bin/*".
2. Add the line "su -c /data/local/orplug/bin/orplug-start" to
   /data/local/userinit.sh and run "chmod 755 userinit.sh".
3. Copy the contents of /data/local/orplug/torrc-custom-config.txt into
   the clipboard, e.g. using File Manager. This file contains directives
   for tor to open 99 different TransPort and DNSPort ports.
4. In Orbot's settings, paste the clipboard contents into "Torrc Custom
   Config", disable "Transparent Proxying", disable "Request Root
   Access", and choose "Proxy None" in "Select Apps".
5. Reboot your device.
6. Check that orplug has brought the firewall up: The output of
   "getprop orplug.up" is supposed to say "true". Log files are in
   /data/local/orplug/debug/ in case it didn't work.
7. Configure your apps by creating one ore more .conf file(s) in
   /data/local/orplug/conf/ (there's a commented user.conf.example[2]).
8. Run "su -c /data/local/orplug/bin/orplug-reconf". The output is
   supposed to say "orplug-reconf: populated". This will happen
   automatically if you reboot.
9. To help you configure a newly installed app, you can run
   "su -c /data/local/orplug/bin/orplug-newapp".


    Footnotes

1. "--state INVALID" transproxy leak fix
https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html

2. Example orplug configuration
https://raw.githubusercontent.com/rustybird/orplug/master/orplug/conf/rules/90-user.conf.example

3. Explanation of DNS in Android 4.3+
http://forum.xda-developers.com/showthread.php?t=2386584

4. Clean DNS ROM patches (in this repo)
https://raw.githubusercontent.com/rustybird/orplug/master/android-patches/system-netd.setfsids.patch
https://raw.githubusercontent.com/rustybird/orplug/master/android-patches/system-sepolicy.capabilties.patch
https://raw.githubusercontent.com/rustybird/orplug/master/android-patches/bionic.property.patch

5. corridor, a Tor traffic whitelisting gateway
https://github.com/rustybird/corridor


    Redistribution

orplug is ISC licensed, see the LICENSE file for details.

About

Android firewall with per-app Tor circuit isolation

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages