VPN -> TOR chain on GrapheneOS

nigled

I have a phone with GrapheneOS. For my super secret operation, I need to chain VPN > TOR (and sometimes VPN > TOR > VPN). I know that in some contexts this isn't the most optimal flow, but as I said, I need it that way for my specific operation.

Is it possible to achieve this securely without relying on external gateways on the device?

Thanks!

Sigismund

nigled ok so you have a 'super secret' project, that you n need 'very secure' channel for transferring data. Have you at least tried to understand and or research what capabilities you have to achieve your goal? Things like that are often mentioned here, have you tried to use the search function, if yes,what results did you get?

nigled

Sigismund I did, but couldn't find any useful technical resource to set up the chain safely on Android/GOS.

jacksmith

Do you need user-wide VPN or only split tunneling for specific apps or is it enough to get a socks exposure to the entrance of the chain? I can suggest the flow described below but it has to utilize Termux and possibly a VPN client that can route traffic through a specified proxy if port exposure to the proxy chain is not enough.

If you're using owner profile, you can stitch something up with Termux. Run your VPN(s) in proxy mode, same with TOR, chain however many socks proxies you have with something like 3proxy. Either make your app use the proxy which will be the entrance of 3proxy, or use something that can utilize system VPN while routing traffic through the specified proxy.

Overall, it's a bit tedious. It might DNS leak or EDNS metadata leak your IP. Best way would be to find an app that could do chaining and utilize VPN api in one package. Even then, especially if you need full-device VPN, there might be network traffic that bypassses VPN such as VoLTE/VoWiFi.

nigled

jacksmith

I need to set up my traffic to go through a wireguard-based VPN to hide the TOR usage (bridges aren't sufficient for me) and have all system traffic come out of TOR transparently (like in Tails and Whonix). It's crucial that there are no leaks of any kind. I know I can do this easily if I rely on an external gateway, but my intention is to do it directly from the phone. The technical aspect isn't a problem for me - I just need to figure out how to achieve this since I have limited experience working with Android.

jacksmith

nigled You should search Russian and Chinese forums when it comes to traffic obfuscation and censorship-evasion related topics.

It's good that you are technical. If the app you want to route through this has a setting to set up proxy (such as Firefox), you won't need an additional app as the VPN api layer. But for the approach I suggested, in all cases you need each node in your network stack (VPNs or TOR) to expose a proxy. Then you need to use Termux to proxy chain these and expose the resulting tunnel as proxy. Now, you will have access to your (VPN1 -> TOR -> VPN2) tunnel as its own proxy, if you need VPN api features you'll need some app that can route traffic of apps through this Termux-created proxy.

To sum up the unusual restrictions that come with this approach, you'll need

VPN software that can expose itself as proxy
If you need VPN api features, need a 'VPN' app that can route app/system traffic through the resulting proxy
Scarcity of resources for these kinds of circumvention in English.
If you want user-wide routing with no gaps, without root, you need to consider VoLTE/VoWiFi and some other system level communications. Not an expert but even with VoLTE/VoWiFi turned off it might be possible some hardware traffic can bypass user-wide VPN; if you have other running users they will also not go through your VPN in the owner profile.

nigled

jacksmith

Lemme see:

Expose a proxy for each node
Chain these proxies from Termux
Configure the resulting proxy in each specific application

Is this what you had in mind? Are there any integrated system functions that allow you to proxy applications (or the whole system) without relying on each app's internal configuration?

if you have other running users they will also not go through your VPN in the owner profile.

Would it be possible to set up a solution for each user profile separately?

Thanks!

jacksmith

Essentially you stack up several proxies as a chain wesulting in one proxy. Now, if your app has proxy settings, you are done here. If not, you need an app that utilizes Android's VPN api to route traffic from the whole user or specific apps through that 'VPN' app which will route traffic to the proxy. You can use something like Proxy My Apps for that VPN, and need to setup wireguard to expose a proxy.

Depending on your paranoia level, you need to consider the factors I mentioned or more; at the minimum, DNS leak and EDNS metadata leak must be considerered. There might be other de-anonymizing leaks in this stack however if your adversary is just websites, CDNs and DNS; you should be fine if you use something like Tor browser while respecting opsec principles.

The integrated solution to that is Android's VPN api. It is what you use to route apps through tunnels of your choice. You need an app that utilizes that api in the way I described.

You could set this stack on each user and due to Android's security model they'll each have their own independent VPN.

If you find an app to stack proxies like 3proxy, you could use that rather than Termux+3proxy that's used to chain the proxies and expose the tunnel as a single proxy.

jacksmith

something like this

[VPN1]      [Tor]      [VPN2]
   │          │          │
   ▼          ▼          ▼
[SOCKS Proxies Exposed on localhost]
               │
               ▼
        [3proxy in Termux]
               │
               ▼
[Unified Proxy Chain Output (SOCKS)]
               │
      ┌──────────┐
      ▼                 ▼
[App supporting      [Proxy My
 proxy config]         Apps]
      │                 │
      ▼                 ▼
  [Internet]   [Apps routed via VPN API]
                         │
                         ▼
                     [Internet]

nigled

jacksmith

I appreciate the effort in your responses. I've been searching for “Proxy My Apps”, but it doesn’t seem to be open-source. Also, why use the built-in app's proxy settings when I can use something like “Proxy My Apps” (or similar) and ensure there are no leaks in the app?

jacksmith

You might have several apps that need to be tunneled through different proxies. Since Android VPN API only supports a single VPN app running, in such a case you cannot tunnel differently based on app unless the VPN app supports it. I think it would be possible to write up something that'd assign different routes on a per-app basis but I don't believe there's a public and open source VPN app that has this function.

You are right to question using in-app proxy settings. I do think VPN based tunneling is more reliable compared to whatever routing code is running inside the app.