diff options
Diffstat (limited to 'app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java')
| -rw-r--r-- | app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java | 173 |
1 files changed, 134 insertions, 39 deletions
diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java index 58732713..a7df99bf 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java @@ -19,6 +19,7 @@ package se.leap.bitmaskclient.eip; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4_KCP; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OPENVPN; +import static de.blinkt.openvpn.core.connection.Connection.TransportType.PT; import static se.leap.bitmaskclient.base.models.Constants.CAPABILITIES; import static se.leap.bitmaskclient.base.models.Constants.IP_ADDRESS; import static se.leap.bitmaskclient.base.models.Constants.IP_ADDRESS6; @@ -44,14 +45,17 @@ import org.json.JSONObject; import java.io.IOException; import java.io.StringReader; import java.util.HashMap; +import java.util.HashSet; import java.util.Iterator; +import java.util.Set; import de.blinkt.openvpn.VpnProfile; import de.blinkt.openvpn.core.ConfigParser; import de.blinkt.openvpn.core.VpnStatus; import de.blinkt.openvpn.core.connection.Connection; -import se.leap.bitmaskclient.BuildConfig; +import de.blinkt.openvpn.core.connection.Connection.TransportType; import se.leap.bitmaskclient.base.models.Provider; +import se.leap.bitmaskclient.base.models.Transport; import se.leap.bitmaskclient.base.utils.ConfigHelper; import se.leap.bitmaskclient.pluggableTransports.Obfs4Options; @@ -64,23 +68,65 @@ public class VpnConfigGenerator { private final int apiVersion; private final boolean preferUDP; private final boolean experimentalTransports; + private final boolean useObfuscationPinning; + private final String obfuscationPinningIP; + private final String obfuscationPinningPort; + private final String obfuscationPinningCert; + private final boolean obfuscationPinningKCP; + private final String remoteGatewayIP; + private final String profileName; + private final Set<String> excludedApps; public final static String TAG = VpnConfigGenerator.class.getSimpleName(); private final String newLine = System.getProperty("line.separator"); // Platform new line - public VpnConfigGenerator(JSONObject generalConfiguration, JSONObject secrets, JSONObject gateway, int apiVersion, boolean preferUDP, boolean experimentalTransports) throws ConfigParser.ConfigParseError { + public static class Configuration { + int apiVersion; + boolean preferUDP; + boolean experimentalTransports; + String remoteGatewayIP = ""; + String profileName = ""; + Set<String> excludedApps = null; + + boolean useObfuscationPinning; + boolean obfuscationProxyKCP; + String obfuscationProxyIP = ""; + String obfuscationProxyPort = ""; + String obfuscationProxyCert = ""; + } + + public VpnConfigGenerator(JSONObject generalConfiguration, JSONObject secrets, JSONObject gateway, Configuration config) throws ConfigParser.ConfigParseError { this.generalConfiguration = generalConfiguration; this.gateway = gateway; this.secrets = secrets; - this.apiVersion = apiVersion; - this.preferUDP = preferUDP; - this.experimentalTransports = experimentalTransports; + this.apiVersion = config.apiVersion; + this.preferUDP = config.preferUDP; + this.experimentalTransports = config.experimentalTransports; + this.useObfuscationPinning = config.useObfuscationPinning; + this.obfuscationPinningIP = config.obfuscationProxyIP; + this.obfuscationPinningPort = config.obfuscationProxyPort; + this.obfuscationPinningCert = config.obfuscationProxyCert; + this.obfuscationPinningKCP = config.obfuscationProxyKCP; + this.remoteGatewayIP = config.remoteGatewayIP; + this.profileName = config.profileName; + this.excludedApps = config.excludedApps; checkCapabilities(); } public void checkCapabilities() throws ConfigParser.ConfigParseError { try { + if (useObfuscationPinning) { + if (obfuscationPinningKCP) { + // the protocol TCP refers to the allowed openvpn protocol + obfs4TKcpTransport = new JSONObject(new Transport(OBFS4_KCP.toString(), new String[]{"tcp"}, new String[]{obfuscationPinningPort}, obfuscationPinningCert).toString()); + } else { + String jsonTransportString = new Transport(OBFS4.toString(), new String[]{"tcp"}, new String[]{obfuscationPinningPort}, obfuscationPinningCert).toString(); + obfs4Transport = new JSONObject(jsonTransportString); + } + return; + } + if (apiVersion >= 3) { JSONArray supportedTransports = gateway.getJSONObject(CAPABILITIES).getJSONArray(TRANSPORT); for (int i = 0; i < supportedTransports.length(); i++) { @@ -101,7 +147,7 @@ public class VpnConfigGenerator { } } - public HashMap<Connection.TransportType, VpnProfile> generateVpnProfiles() throws + public HashMap<TransportType, VpnProfile> generateVpnProfiles() throws ConfigParser.ConfigParseError, NumberFormatException, JSONException, @@ -133,7 +179,7 @@ public class VpnConfigGenerator { return obfs4TKcpTransport != null; } - private String getConfigurationString(Connection.TransportType transportType) { + private String getConfigurationString(TransportType transportType) { return generalConfiguration() + newLine + gatewayConfiguration(transportType) @@ -144,7 +190,7 @@ public class VpnConfigGenerator { } @VisibleForTesting - protected VpnProfile createProfile(Connection.TransportType transportType) throws IOException, ConfigParser.ConfigParseError, JSONException { + protected VpnProfile createProfile(TransportType transportType) throws IOException, ConfigParser.ConfigParseError, JSONException { String configuration = getConfigurationString(transportType); ConfigParser icsOpenvpnConfigParser = new ConfigParser(); icsOpenvpnConfigParser.parseConfig(new StringReader(configuration)); @@ -153,22 +199,30 @@ public class VpnConfigGenerator { } else if (transportType == OBFS4_KCP) { icsOpenvpnConfigParser.setObfs4Options(getObfs4Options(obfs4TKcpTransport, true)); } - return icsOpenvpnConfigParser.convertProfile(transportType); + + VpnProfile profile = icsOpenvpnConfigParser.convertProfile(transportType); + profile.mName = profileName; + profile.mGatewayIp = remoteGatewayIP; + if (excludedApps != null) { + profile.mAllowedAppsVpn = new HashSet<>(excludedApps); + } + return profile; } + // TODO: whad does private Obfs4Options getObfs4Options(JSONObject transportJson, boolean useUdp) throws JSONException { JSONObject transportOptions = transportJson.getJSONObject(OPTIONS); String iatMode = transportOptions.getString("iatMode"); String cert = transportOptions.getString("cert"); - String port = obfs4Transport.getJSONArray(PORTS).getString(0); + String port = transportJson.getJSONArray(PORTS).getString(0); String ip = gateway.getString(IP_ADDRESS); boolean udp = useUdp; - if (BuildConfig.obfsvpn_pinning) { - cert = BuildConfig.obfsvpn_cert; - port = BuildConfig.obfsvpn_port; - ip = BuildConfig.obfsvpn_port; - udp = BuildConfig.obfsvpn_use_kcp; + if (useObfuscationPinning) { + cert = obfuscationPinningCert; + port = obfuscationPinningPort; + ip = obfuscationPinningIP; + udp = obfuscationPinningKCP; } return new Obfs4Options(ip, port, cert, iatMode, udp); } @@ -196,7 +250,7 @@ public class VpnConfigGenerator { return commonOptions; } - private String gatewayConfiguration(Connection.TransportType transportType) { + private String gatewayConfiguration(TransportType transportType) { String remotes = ""; StringBuilder stringBuilder = new StringBuilder(); @@ -217,6 +271,7 @@ public class VpnConfigGenerator { String[] ipAddresses = ipAddress6.isEmpty() ? new String[]{ipAddress} : new String[]{ipAddress6, ipAddress}; + JSONArray transports = capabilities.getJSONArray(TRANSPORT); gatewayConfigMinApiv3(transportType, stringBuilder, ipAddresses, transports); break; @@ -234,9 +289,9 @@ public class VpnConfigGenerator { return remotes; } - private void gatewayConfigMinApiv3(Connection.TransportType transportType, StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { - if (transportType == OBFS4) { - obfs4GatewayConfigMinApiv3(stringBuilder, ipAddresses, transports); + private void gatewayConfigMinApiv3(TransportType transportType, StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { + if (transportType.getMetaType() == PT) { + ptGatewayConfigMinApiv3(stringBuilder, ipAddresses, transportType, transports); } else { ovpnGatewayConfigMinApi3(stringBuilder, ipAddresses, transports); } @@ -296,7 +351,7 @@ public class VpnConfigGenerator { } } - private JSONObject getTransport(JSONArray transports, Connection.TransportType transportType) throws JSONException { + private JSONObject getTransport(JSONArray transports, TransportType transportType) throws JSONException { JSONObject selectedTransport = new JSONObject(); for (int i = 0; i < transports.length(); i++) { JSONObject transport = transports.getJSONObject(i); @@ -308,9 +363,35 @@ public class VpnConfigGenerator { return selectedTransport; } - private void obfs4GatewayConfigMinApiv3(StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { - JSONObject obfs4Transport = getTransport(transports, OBFS4); - JSONArray protocols = obfs4Transport.getJSONArray(PROTOCOLS); + private boolean isAllowedProtocol(TransportType transportType, String protocol) { + switch (transportType) { + case OPENVPN: + return "tcp".equals(protocol) || "udp".equals(protocol); + case OBFS4: + case OBFS4_KCP: + return "tcp".equals(protocol); + } + return false; + } + + private void ptGatewayConfigMinApiv3(StringBuilder stringBuilder, String[] ipAddresses, TransportType transportType, JSONArray transports) throws JSONException { + if (useObfuscationPinning) { + JSONArray pinnedTransports = new JSONArray(); + for (int i = 0; i < transports.length(); i++) { + if (OPENVPN.toString().equals(transports.getJSONObject(i).get(TYPE))) { + pinnedTransports.put(transports.getJSONObject(i)); + break; + } + } + pinnedTransports.put(supportsObfs4() ? obfs4Transport : obfs4TKcpTransport); + transports = pinnedTransports; + } + + JSONObject ptTransport = getTransport(transports, transportType); + JSONArray ptProtocols = ptTransport.getJSONArray(PROTOCOLS); + JSONObject openvpnTransport = getTransport(transports, OPENVPN); + JSONArray gatewayProtocols = openvpnTransport.getJSONArray(PROTOCOLS); + //for now only use ipv4 gateway the syntax route remote_host 255.255.255.255 net_gateway is not yet working // https://community.openvpn.net/openvpn/ticket/1161 /*for (String ipAddress : ipAddresses) { @@ -337,41 +418,55 @@ public class VpnConfigGenerator { return; } - // check if at least one protocol is TCP, UDP is currently not supported for obfs4 - boolean hasTcp = false; - for (int i = 0; i < protocols.length(); i++) { - String protocol = protocols.getString(i); + // check if at least one openvpn protocol is TCP, openvpn in UDP is currently not supported for obfs4, + // however on the wire UDP might be used + boolean hasOpenvpnTcp = false; + for (int i = 0; i < gatewayProtocols.length(); i++) { + String protocol = gatewayProtocols.getString(i); if (protocol.contains("tcp")) { - hasTcp = true; + hasOpenvpnTcp = true; + break; + } + } + + if (!hasOpenvpnTcp) { + VpnStatus.logError("obfs4 currently only allows openvpn in TCP mode! Skipping obfs4 config for ip " + ipAddress); + return; + } + + boolean hasAllowedPTProtocol = false; + for (int i = 0; i < ptProtocols.length(); i++) { + String protocol = ptProtocols.getString(i); + if (isAllowedProtocol(transportType, protocol)) { + hasAllowedPTProtocol = true; + break; } } - if (!hasTcp) { - VpnStatus.logError("obfs4 currently only allows TCP! Skipping obfs4 config for ip " + ipAddress); + if (!hasAllowedPTProtocol) { + VpnStatus.logError("Misconfigured provider: wrong protocol defined in " + transportType.toString()+ " transport JSON."); return; } - JSONArray ports = obfs4Transport.getJSONArray(PORTS); + JSONArray ports = ptTransport.getJSONArray(PORTS); if (ports.isNull(0)){ - VpnStatus.logError("Misconfigured provider: no ports defined in obfs4 transport JSON."); + VpnStatus.logError("Misconfigured provider: no ports defined in " + transportType.toString()+ " transport JSON."); return; } String route = "route " + ipAddress + " 255.255.255.255 net_gateway" + newLine; stringBuilder.append(route); + String remote; if (useObfsVpn()) { - String remote; - if (BuildConfig.obfsvpn_pinning) { - remote = REMOTE + " " + BuildConfig.obfsvpn_ip + " " + BuildConfig.obfsvpn_port + newLine; + if (useObfuscationPinning) { + remote = REMOTE + " " + obfuscationPinningIP + " " + obfuscationPinningPort + newLine; } else { remote = REMOTE + " " + ipAddress + " " + ports.getString(0) + newLine; } - - stringBuilder.append(remote); } else { - String remote = REMOTE + " " + DISPATCHER_IP + " " + DISPATCHER_PORT + " tcp" + newLine; - stringBuilder.append(remote); + remote = REMOTE + " " + DISPATCHER_IP + " " + DISPATCHER_PORT + " tcp" + newLine; } + stringBuilder.append(remote); } private String secretsConfiguration() { |