Opened 6 years ago

Closed 5 years ago

#15158 closed enhancement (wontfix)

meek-client should support SOCKS proxies w/o Firefox

Reported by: n8fr8 Owned by: yawning
Priority: Medium Milestone:
Component: Circumvention/meek Version:
Severity: Keywords:
Cc: dcf, brade, mcs, saint, n8fr8 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


With meek on Android 4.x in Orbot's VPN mode, we need to proxy outbound connections through a loopback proxy in order to flag socket connections to not go through the VPN. Currently, we have a local SOCKS proxy that does this for tor and obfs4, but since meek requires Firefox to use SOCKS we can't support it in VPN mode.

It would be great to have meek supports SOCKS natively w/o needing Firefox.

We currently use SOCKS 5, but can support SOCKS 4 as well, via this java class:

Child Tickets

Change History (10)

comment:1 Changed 6 years ago by mcs

Cc: dcf brade mcs added

comment:2 Changed 6 years ago by dcf

Component: Pluggable transportmeek
Keywords: meek removed

I think Yawning has a patch for SOCKS support that uses

I wasn't inclined to merge it just for feature creep reasons, and because I'm skeptical of the use of naked meek-client (without a TLS camouflage helper) anyway. The TLS fingerprint is probably the lowest-hanging fruit when a censor decides to start targeting the system.

But I know for testing that you want to check whether something will work, so for that I would recommend Yawning's patch. And maybe I'll include the patch if it really saves a lot of effort.

comment:3 Changed 6 years ago by yawning

If it's just SOCKS5 that's needed, that would be the path of least resistance. I've been threatening to write such a patch but I haven't yet, and that was how I was going to resolve this in the form of a diff I can pass off to n8fr8.

The obfs4proxy code uses the infrastructure to provide support for HTTP CONNECT, SOCKS4(a) and SOCKS5, and it works well, though it ships with extra files that add support for the first 2 proxy types. Maybe I should try to contribute that stuff upstream one of these days...

comment:4 Changed 6 years ago by yawning

Status: newneeds_review

Ask and thou shalt receive. Now when running without the helper both HTTP and SOCKS5 are supported.

comment:5 Changed 6 years ago by n8fr8


comment:6 Changed 5 years ago by saint

Cc: saint n8fr8 added

What's the status of the patch?

comment:7 Changed 5 years ago by yawning

AFAIK works, and shipping in Orbot. No one's told me that it doesn't work. Why?

comment:8 Changed 5 years ago by saint

Resolution: fixed
Status: needs_reviewclosed

If it works and is shipped, then I'll close the ticket. =)

comment:9 Changed 5 years ago by yawning

Resolution: fixed
Status: closedreopened

Errr. The patch is still sitting in my branch on github and not merged upstream AFAIK, so I was going to hold off on closing it till it was in the mainline.

comment:10 Changed 5 years ago by dcf

Resolution: wontfix
Status: reopenedclosed

I'm fine with leaving this in an external patch. Maybe if the proxy stuff arrives in the standard library.

Note: See TracTickets for help on using tickets.