Opened 2 years ago

Closed 20 months ago

#15158 closed enhancement (wontfix)

meek-client should support SOCKS proxies w/o Firefox

Reported by: n8fr8 Owned by: yawning
Priority: Medium Milestone:
Component: Obfuscation/meek Version:
Severity: Keywords:
Cc: dcf, brade, mcs, saint, n8fr8 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


With meek on Android 4.x in Orbot's VPN mode, we need to proxy outbound connections through a loopback proxy in order to flag socket connections to not go through the VPN. Currently, we have a local SOCKS proxy that does this for tor and obfs4, but since meek requires Firefox to use SOCKS we can't support it in VPN mode.

It would be great to have meek supports SOCKS natively w/o needing Firefox.

We currently use SOCKS 5, but can support SOCKS 4 as well, via this java class:

Child Tickets

Change History (10)

comment:1 Changed 2 years ago by mcs

  • Cc dcf brade mcs added

comment:2 Changed 2 years ago by dcf

  • Component changed from Pluggable transport to meek
  • Keywords meek removed

I think Yawning has a patch for SOCKS support that uses

I wasn't inclined to merge it just for feature creep reasons, and because I'm skeptical of the use of naked meek-client (without a TLS camouflage helper) anyway. The TLS fingerprint is probably the lowest-hanging fruit when a censor decides to start targeting the system.

But I know for testing that you want to check whether something will work, so for that I would recommend Yawning's patch. And maybe I'll include the patch if it really saves a lot of effort.

comment:3 Changed 2 years ago by yawning

If it's just SOCKS5 that's needed, that would be the path of least resistance. I've been threatening to write such a patch but I haven't yet, and that was how I was going to resolve this in the form of a diff I can pass off to n8fr8.

The obfs4proxy code uses the infrastructure to provide support for HTTP CONNECT, SOCKS4(a) and SOCKS5, and it works well, though it ships with extra files that add support for the first 2 proxy types. Maybe I should try to contribute that stuff upstream one of these days...

comment:4 Changed 2 years ago by yawning

  • Status changed from new to needs_review

Ask and thou shalt receive. Now when running without the helper both HTTP and SOCKS5 are supported.

comment:5 Changed 2 years ago by n8fr8


comment:6 Changed 20 months ago by saint

  • Cc saint n8fr8 added

What's the status of the patch?

comment:7 Changed 20 months ago by yawning

AFAIK works, and shipping in Orbot. No one's told me that it doesn't work. Why?

comment:8 Changed 20 months ago by saint

  • Resolution set to fixed
  • Status changed from needs_review to closed

If it works and is shipped, then I'll close the ticket. =)

comment:9 Changed 20 months ago by yawning

  • Resolution fixed deleted
  • Status changed from closed to reopened

Errr. The patch is still sitting in my branch on github and not merged upstream AFAIK, so I was going to hold off on closing it till it was in the mainline.

comment:10 Changed 20 months ago by dcf

  • Resolution set to wontfix
  • Status changed from reopened to closed

I'm fine with leaving this in an external patch. Maybe if the proxy stuff arrives in the standard library.

Note: See TracTickets for help on using tickets.