authorkali kaneko (leap communications) <kali@leap.se>2021-05-17 17:50:23 +0200
committerkali kaneko (leap communications) <kali@leap.se>2021-05-17 17:57:54 +0200
commitc6c0209ad45fb7d2e45370ee3a39f2dd437603b0 (patch)
treeb374a9536fcb4f3d4fb449db4eab042cef14577c
parent86d30f2a2edc0d9b9c54b51258a6566e37476849 (diff)
[feat] log dns lookup if first cert fetch fails
-rw-r--r--docs/circumvention.rst20
-rw-r--r--pkg/vpn/bonafide/eip_service.go10
-rw-r--r--pkg/vpn/diagnose.go19
-rw-r--r--pkg/vpn/openvpn.go3
4 files changed, 44 insertions, 8 deletions
diff --git a/docs/circumvention.rst b/docs/circumvention.rst
index 8c220cc..ee31e58 100644
--- a/docs/circumvention.rst
+++ b/docs/circumvention.rst
@@ -9,9 +9,23 @@ Bootstrapping the connection
There are two different steps where circumvention can be used: boostrapping the
connection (getting a certificate and the configuration files) and using an
-obfuscated transport protocol. At the moment RiseupVPN offers obfs4 transport
-"bridges" (you can try them with the `--obfs4` command line argument). For the
-initial bootstrap, there are a couple of techniques that will be attempted.
+obfuscated transport protocol.
+
+For the initial bootstrap, there are a couple of techniques that will be
+attempted. If this fails, please open an issue with the relevant log
+information.
+
+Obfuscated bridges
+-----------------------------
+
+At the moment RiseupVPN offers obfs4 transport "bridges" (you can try them with
+the `--obfs4` command line argument, a way to enable them from the gui will be
+following soon).
+
+If you know you need bridges but the current ones do not work for you, please
+get in contact. We're interested in learning what are the specific censorship
+measures being deployed in your concrete location, and we could work together
+to enable new bridges.
Getting certificates off-band
-----------------------------
diff --git a/pkg/vpn/bonafide/eip_service.go b/pkg/vpn/bonafide/eip_service.go
index 5755b6c..c106135 100644
--- a/pkg/vpn/bonafide/eip_service.go
+++ b/pkg/vpn/bonafide/eip_service.go
@@ -79,17 +79,17 @@ func (b *Bonafide) fetchEipJSON() error {
eip3API := config.APIURL + "3/config/eip-service.json"
resp, err := b.client.Post(eip3API, "", nil)
for err != nil {
- log.Printf("Error fetching eip v3 json: %v", err)
- // TODO why exactly 1 retry? Make it configurable, for tests
- time.Sleep(retryFetchJSONSeconds * time.Second)
resp, err = b.client.Post(eip3API, "", nil)
if err != nil {
- // TODO it might be that it's not an error, but an empty file or whatever done
+ // TODO it might be that we get no error, but an empty file or whatever done
// by DNS poisoning. Should try to parse the file.
uri := b.getURLNoDNS("eip")
- log.Println("Fetching ", uri)
resp, err = b.client.Post(uri, "", nil)
}
+ if err != nil {
+ log.Printf("Error fetching eip v3 json: %v", err)
+ time.Sleep(retryFetchJSONSeconds * time.Second)
+ }
}
defer resp.Body.Close()
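Review bot: The retry loop `for err != nil` still has no upper bound, so a persistent failure (network down, API blocked, both the direct and the no-DNS URL unreachable) keeps fetchEipJSON spinning forever with one sleep per round and no way for the caller to give up; the old TODO about making the retry count configurable was removed without adding that bound. Counting rounds and bailing out before the sleep, e.g. `attempts++` followed by `if attempts > maxFetchJSONAttempts { return err }` (with a new constant next to retryFetchJSONSeconds), keeps the fallback behaviour while letting the caller surface the failure. Note also that only the no-DNS fallback's error is now logged, so when the direct Post fails the log no longer shows which URL was tried first, which makes the diagnosis this commit is aiming for harder. fetchEipJSON continues past the hunk, its next line being `defer resp.Body.Close()`.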
diff --git a/pkg/vpn/diagnose.go b/pkg/vpn/diagnose.go
new file mode 100644
index 0000000..5d12d4d
--- /dev/null
+++ b/pkg/vpn/diagnose.go
@@ -0,0 +1,19 @@
+package vpn
+
+import (
+ "log"
+ "net"
+)
+
+func logDnsLookup(domain string) {
+ addrs, err := net.LookupHost(domain)
+ if err != nil {
+ log.Println("ERROR cannot resolve address:", domain)
+ log.Println(err)
+ }
+
+ log.Println("From here,", domain, "resolves to:")
+ for _, addr := range addrs {
+ log.Println(addr)
+ }
+}
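Review bot: When net.LookupHost fails, logDnsLookup falls through and still prints `From here, <domain> resolves to:` with nothing after it, because addrs is nil on the error path; a `return` after `log.Println(err)` avoids the misleading line. A doc comment would also tell readers what this output can and cannot establish, e.g. `// logDnsLookup logs the addresses the system resolver returns for domain. It is diagnostic only: a successful lookup shows what the local resolver answered, not that the answer is genuine.` The identifier would conventionally be `logDNSLookup` (Go keeps initialisms in a single case), though the call site in openvpn.go would need the same rename.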
diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go
index a568a32..244195b 100644
--- a/pkg/vpn/openvpn.go
+++ b/pkg/vpn/openvpn.go
@@ -202,6 +202,8 @@ func (b *Bitmask) getCert() (certPath string, err error) {
}
}
if failed || !isValidCert(certPath) {
+ d := config.APIURL[8 : len(config.APIURL)-1]
+ logDnsLookup(d)
cert, err := b.bonafide.GetPemCertificateNoDNS()
if cert != nil {
log.Println("Successfully did certificate bypass")
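Review bot: `config.APIURL[8 : len(config.APIURL)-1]` derives the host name by fixed offsets, which assumes the URL starts with an eight-byte scheme prefix and ends with exactly one trailing slash; an APIURL shaped differently (other scheme, a port, a path, no trailing slash) yields a wrong host in the diagnostic, and one shorter than nine bytes panics in the middle of the certificate fallback. Parsing the URL is safer: `if u, perr := url.Parse(config.APIURL); perr == nil { logDnsLookup(u.Hostname()) }` with `net/url` imported, and the lookup is skipped rather than crashing when the URL is malformed. getCert starts and ends outside this hunk.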
@@ -214,6 +216,7 @@ func (b *Bitmask) getCert() (certPath string, err error) {
failed = true
}
}
+
return certPath, err
}