Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Orbot is leaking ICMP traffic on Android #1008

Closed
ihateprogramming88 opened this issue Nov 2, 2023 · 9 comments · Fixed by #1012
Closed

Orbot is leaking ICMP traffic on Android #1008

ihateprogramming88 opened this issue Nov 2, 2023 · 9 comments · Fixed by #1012
Assignees
@n8fr8
Labels
bug

Comments

@ihateprogramming88
Copy link

ihateprogramming88 commented Nov 2, 2023
edited
Loading

Describe the Bug
After testing with termux and orbot, it has been established that ICMP traffic is being leaked with Orbot
To Reproduce
Install Termux, establish the vpn tunnel on orbot and run ping google.com on Termux.

for UDP nc -vz -u 8.8.8.8 443
possibly leaking UDP?

image

image
image

  • Device: Pixel 8 Pro
  • OS: GrapheneOS Android 14
  • Version: Orbot for Android 17.1.1 BETA 2 (tor 0.4.7.8)
@ihateprogramming88 ihateprogramming88 changed the title Orbot is not blocking UDP traffic on Android Orbot is not blocking ICMP traffic on Android Nov 2, 2023
@Woman-at-arms
Copy link

I can reproduce this issue using ping in Termux.

I have Orbot configured as a VPN, connected, and the Android VPN kill switch is enabled for the VPN.

Orbot appears to be leaking ICMP traffic through the VPN.

@Woman-at-arms
Copy link

Woman-at-arms commented Nov 2, 2023
edited
Loading

Uh oh.

It ALSO leaks UDP.

You can confirm this with nc -vz -u 8.8.8.8 443 in termux.

@ihateprogramming88 ihateprogramming88 changed the title Orbot is not blocking ICMP traffic on Android Orbot is leaking both ICMP and UDP traffic on Android Nov 2, 2023
@Woman-at-arms
Copy link

Woman-at-arms commented Nov 2, 2023
edited
Loading

Netcat test isn't accurate. My mistake!

@ihateprogramming88 ihateprogramming88 changed the title Orbot is leaking both ICMP and UDP traffic on Android Orbot is leaking ICMP traffic on Android Nov 2, 2023
@ghost
Copy link

ghost commented Nov 2, 2023

@n8fr8 and @bitmold and @meenbeese pleese take a look

@n8fr8
Copy link
Member

n8fr8 commented Nov 2, 2023 via email

@n8fr8
Copy link
Member

n8fr8 commented Nov 3, 2023

There have been some issues with Android VPN leaking related to connectivity checks - could this be related?

https://www.ipvanish.com/blog/android-vpn-leaks/

@n8fr8
Copy link
Member

n8fr8 commented Nov 3, 2023

https://mullvad.net/en/help/configure-connectivity-checks-on-android/

n8fr8 added a commit that referenced this issue Nov 3, 2023
@n8fr8
for #1008 manually ensure ICMP packets are not routed or bypassed
5a156ba 
also tune VPN settings to ensure IPv6 traffic routing as possible
@n8fr8 n8fr8 self-assigned this Nov 3, 2023
@n8fr8
Copy link
Member

n8fr8 commented Nov 3, 2023

for testing: https://github.com/guardianproject/orbot/releases/tag/17.1.1-BETA-3-tor-0.4.8.7

@trinity-1686a
Copy link

Have you confirmed there is a leak, for instance by running tcpdump on your wifi access point?
When I reproduce the experiment, I get the same results, but nothings leak to the access point. Additionally, if I try pinging IPs that shouldn't answer (172.16.1.1, private network, or 203.0.113.1, "provided for use in documentation"), they answer, with ~1ms latency and a ttl of 64.
So far, I think some component of Orbot is just replying itself to every icmp echo request/ping it sees

syphyr pushed a commit to syphyr/orbot that referenced this issue Nov 4, 2023
@n8fr8 @syphyr
for guardianproject#1008 manually ensure ICMP packets are not routed …
75e98e6 
…or bypassed

also tune VPN settings to ensure IPv6 traffic routing as possible
@syphyr syphyr mentioned this issue Nov 4, 2023
Merged
syphyr added a commit to syphyr/orbot that referenced this issue Nov 4, 2023
@syphyr
Ensure ICMPV6 packets are not routed
1848169 
Fixes guardianproject#1008
meenbeese pushed a commit to meenbeese/orbot that referenced this issue Nov 26, 2023
@syphyr @meenbeese
Ensure ICMPV6 packets are not routed
1386ca3 
Fixes guardianproject#1008
@oleg72-bit oleg72-bit mentioned this issue Mar 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@n8fr8 n8fr8

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Ensure ICMPV6 packets are not routed syphyr/orbot
4 participants
@n8fr8 @trinity-1686a @Woman-at-arms @ihateprogramming88