orplug, an Android firewall with per-app Tor circuit isolation
Not affiliated with the Tor Project.
Short intro
- No GUI, please write one ;)
- Default deny pretty much everything. Combinable access policies for
individual apps, whole Android user accounts, etc.: transparent
torification (circuit-isolated per app), fenced off access to Socks/
Polipo, LAN access, clearnet access
- Multi user account support
- Doesn't leak IPv6 traffic
- Clean DNS, but requires three small ROM patches
- Logs blocked DNS queries and blocked other packets
- Input firewall allows sshd by default
- Should work with enforcing SELinux
- Includes the "--state INVALID" transproxy leak fix[1]
- Tested on Android 7.1.1 (Nougat)
Longer intro
Really no GUI, unfortunately I don't have any talent for that. There's a
simple plain text configuration format[2] though, and the command line
"orplug-reconf" script could work as a backend to a graphical app. (It
accepts stdin as well as files for configuration.)
Unconfigured processes may only communicate with localhost and the
loopback interface. You can configure an individual app, a Unix user/
group, or an Android account:
- to be transparently torified, with circuit isolation per rule
- to be allowed access to local TCP ports 9050/8118 for native Orbot
support
- to be allowed LAN access (except DNS)
- to be allowed full clearnet access
All of the above can be combined: Transparently torify a VoIP app as
far as possible, but allow clearnet access for the remainder (UDP voice
packets). Or, for a home media streaming app: transparent torification
with LAN access.
Rules can apply to the primary Android device user account or to other
accounts.
For incoming traffic, every port is blocked to the outside by default.
But a hook loads files with raw ip(6)tables-restore rulesets, and one
such ruleset allows TCP port 22 (sshd).
The DNS mess
Android 4.3+ mixes DNS requests of all apps together by default[3]; when
a request finally appears in Netfilter, it's unknown where it came from.
orplug takes a strict approach, so it needs a ROM patched[4] to separate
DNS queries. DNS will not work at all without these patches!
Disallowed DNS requests are blocked by sending them to a local dnsmasq
instance that only logs queries (logcat | grep dnsmasq), but doesn't
forward them. This is how I noticed that CM13 with "everything disabled"
nevertheless attempts to connect to the hosts stats.cyanogenmod.org,
account.cyngn.com, and shopvac.cyngn.com. (Via UID 1000, in this case
the Settings package.)
Captive portals
Enable clearnet access for either UID 1000 (beware of the random stuff
apparently floating around there), or for a dedicated browser (and run
"settings put global captive_portal_detection_enabled 0" as root).
Installation
0. Set up some independent way to check for leaks, e.g. corridor[5].
You've been warned...
1. Copy the orplug subdirectory to /data/local/ on your Android device
and run "chmod 755 /data/local/orplug/bin/*".
2. Add the line "su -c /data/local/orplug/bin/orplug-start" to
/data/local/userinit.sh and run "chmod 755 userinit.sh".
3. Copy the contents of /data/local/orplug/torrc-custom-config.txt into
the clipboard, e.g. using File Manager. This file contains directives
for tor to open 99 different TransPort and DNSPort ports.
4. In Orbot's settings, paste the clipboard contents into "Torrc Custom
Config", disable "Transparent Proxying", disable "Request Root
Access", and choose "Proxy None" in "Select Apps".
5. Reboot your device.
6. Check that orplug has brought the firewall up: The output of
"getprop orplug.up" is supposed to say "true". Log files are in
/data/local/orplug/debug/ in case it didn't work.
7. Configure your apps by creating one ore more .conf file(s) in
/data/local/orplug/conf/ (there's a commented user.conf.example[2]).
8. Run "su -c /data/local/orplug/bin/orplug-reconf". The output is
supposed to say "orplug-reconf: populated". This will happen
automatically if you reboot.
9. To help you configure a newly installed app, you can run
"su -c /data/local/orplug/bin/orplug-newapp".
Footnotes
1. "--state INVALID" transproxy leak fix
https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
2. Example orplug configuration
https://raw.githubusercontent.com/rustybird/orplug/master/orplug/conf/rules/90-user.conf.example
3. Explanation of DNS in Android 4.3+
http://forum.xda-developers.com/showthread.php?t=2386584
4. Clean DNS ROM patches (in this repo)
https://raw.githubusercontent.com/rustybird/orplug/master/android-patches/system-netd.setfsids.patch
https://raw.githubusercontent.com/rustybird/orplug/master/android-patches/system-sepolicy.capabilties.patch
https://raw.githubusercontent.com/rustybird/orplug/master/android-patches/bionic.property.patch
5. corridor, a Tor traffic whitelisting gateway
https://github.com/rustybird/corridor
Redistribution
orplug is ISC licensed, see the LICENSE file for details.