Opened 6 years ago

Last modified 12 days ago

#3595 accepted defect

Connections with IPv4-mapped IPv6 addresses bypass transproxy

Reported by: __sporkbomb Owned by: n8fr8
Priority: High Milestone:
Component: Applications/Orbot Version:
Severity: Normal Keywords:
Cc: n8fr8 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


A user (DEplan on #guardianproject) reported that Gibberbot was using his real IP despite Orbot's transproxy being turned on; further research led to the conclusion that recent releases of Android seem to use IPv4-mapped IPv6 adresses for a large portion of connections. For examples, please see These connections completely bypass transproxy.

I am not yet sure about the circumstances under which Android employs these addresses.

The problems in finding a solution are that Android usually does not include ip6tables (though Orbot could simply package that) and kernels do usually not include IPv6 netfilter modules. The latter is a major issue, since Orbot can't package modules for every single kernel a user might be running.

As a side note, IPv6 does not support NAT (which is what transproxying is based on).

I'll try to figure out what triggers this behaviour of Android and find possible solutions (using sysctl to disable IPv6 does not solve it).

Child Tickets

Change History (5)

comment:1 Changed 6 years ago by n8fr8

Status: newaccepted

comment:2 Changed 5 years ago by cri

I can reproduce this on Samsung Galaxy Mini 2, running android 2.3.6 and orbot

Connections from the default browser and some apps are correctly torified, while other apps (e.g. the google search widget, the youtube app) use ipv6 connections that bypass the tor transparent proxy. This happens both enabling the "Tor everything" option, and selecting specific apps in the list.

comment:3 Changed 4 years ago by rombak

I have this issue too on my Google Nexus 5 running Android 4.4 and orbot 13.0.3 (tor v0.2.4.20).

When using a native ipv6 connection all apps silently connect via ipv6 and ignore orbot. As an end user I didn't notice it at first, just by accident when looking at my server logs. Maybe a warning message if an ipv6 network is detected would be a first step.

comment:4 Changed 4 years ago by n8fr8

Now that we have a modern xtables/iptables binary in the app, we should be able to setup transproxy for ipv6 as well. Looking into it...

comment:5 Changed 12 days ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.