From ca5adc953a04508d7449287f426544c2133fc2e5 Mon Sep 17 00:00:00 2001
From: Rod Hynes
Date: Wed, 2 Nov 2022 10:51:15 -0400
Subject: [PATCH] On iOS, use custom resolver with system DNS servers only in VPN mode

- Partially reverts https://github.com/Psiphon-Labs/psiphon-tunnel-core/commit/ecd11954fd3fcab4e6092863764a0d8391d3981f, adding back self->tunnelWholeDevice
---
 .../PsiphonTunnel/PsiphonTunnel.m | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m b/MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m
index ade89f029..3249c7af8 100644
--- a/MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m
+++ b/MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m
@@ -114,6 +114,8 @@ @implementation PsiphonTunnel {
     id reachability;
     _Atomic NetworkReachability currentNetworkStatus;
+    BOOL tunnelWholeDevice;
+
     _Atomic BOOL usingNoticeFiles;
     // DNS
@@ -166,6 +168,7 @@ - (void)initializeWithAppDelegate:(id _Nullable)appDelegate
         self->reachability = [Reachability reachabilityForInternetConnection];
     }
     atomic_init(&self->currentNetworkStatus, NetworkReachabilityNotReachable);
+    self->tunnelWholeDevice = FALSE;
     atomic_init(&self->usingNoticeFiles, FALSE);
     // Use the workaround, comma-delimited format required for gobind.
@@ -536,6 +539,7 @@ - (NSString * _Nullable)getConfig:(BOOL * _Nonnull)usingNoticeFiles
     NSError *err;
     NSString *psiphonConfig = [PsiphonTunnel buildPsiphonConfig:configObject
+                                              tunnelWholeDevice:&self->tunnelWholeDevice
                                               usingNoticeFiles:usingNoticeFiles
                                                      sessionID:self.sessionID
                                                     logMessage:logMessage
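Review bot: `BOOL tunnelWholeDevice;` is the only non-atomic ivar among the `_Atomic` siblings in this hunk (`currentNetworkStatus`, `usingNoticeFiles`), yet it is written through `&self->tunnelWholeDevice` in the getConfig: hunk (-536) and read in getDNSServersAsString (-1228), a method that already guards its other flag with `atomic_load(&self->useInitialDNS)`. If the resolver's DNS-server lookup runs on a different thread than the config build — the hunks do not show which threads are involved — that read is an unsynchronized data race on the flag that decides whether system DNS servers are handed to the resolver. Declaring `_Atomic BOOL tunnelWholeDevice;` keeps it consistent with its neighbours; because buildPsiphonConfig: takes a `BOOL *`, getConfig: would write a local first, `BOOL tunnelWholeDevice = FALSE;`, then `atomic_store(&self->tunnelWholeDevice, tunnelWholeDevice);` after the call, as startSendFeedback already does with its own local, and getDNSServersAsString would test `atomic_load(&self->tunnelWholeDevice)`. The -166 initializer would then become `atomic_init(&self->tunnelWholeDevice, FALSE);`.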
@@ -549,6 +553,7 @@ - (NSString * _Nullable)getConfig:(BOOL * _Nonnull)usingNoticeFiles
 }
 + (NSString * _Nullable)buildPsiphonConfig:(id _Nonnull)configObject
+                         tunnelWholeDevice:(BOOL * _Nonnull)tunnelWholeDevice
                          usingNoticeFiles:(BOOL * _Nonnull)usingNoticeFiles
                                 sessionID:(NSString * _Nonnull)sessionID
                                logMessage:(void (^)(NSString * _Nonnull))logMessage
@@ -790,7 +795,7 @@ + (NSString * _Nullable)buildPsiphonConfig:(id _Nonnull)configObject
     //
     // We'll record our state about what mode we're in.
-    BOOL tunnelWholeDevice = (config[@"PacketTunnelTunFileDescriptor"] != nil);
+    *tunnelWholeDevice = (config[@"PacketTunnelTunFileDescriptor"] != nil);
     // Optional fields not being altered. If not set, their defaults will be used:
     // * LocalSocksProxyPort
@@ -820,7 +825,7 @@ + (NSString * _Nullable)buildPsiphonConfig:(id _Nonnull)configObject
     *usingNoticeFiles = (config[@"UseNoticeFiles"] != nil);
     // For iOS VPN, set VPN client feature while preserving any present feature names
-    if (tunnelWholeDevice == TRUE) {
+    if (*tunnelWholeDevice == TRUE) {
         id oldClientFeatures = config[@"ClientFeatures"];
         NSString *vpnClientFeature = @"VPN";
         NSMutableArray *clientFeatures;
@@ -840,6 +845,7 @@ + (NSString * _Nullable)buildPsiphonConfig:(id _Nonnull)configObject
             clientFeatures = [NSMutableArray arrayWithObject:vpnClientFeature];
         }
         config[@"ClientFeatures"] = clientFeatures;
+    }
     NSString *finalConfigStr = [[[SBJson4Writer alloc] init] stringWithObject:config];
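Review bot: The new `tunnelWholeDevice:` out-parameter is undocumented in this hunk; if buildPsiphonConfig: carries a header comment above the hunk it should gain a line such as `@param tunnelWholeDevice Out-param; set to TRUE when the config contains PacketTunnelTunFileDescriptor, i.e. VPN (whole-device) mode.` The value is assigned only when execution reaches `*tunnelWholeDevice = …` in the -790 hunk, so any nil return before that point — not visible here — would leave the caller's initial value untouched, which is presumably why both call sites pre-set it to FALSE; stating that in the doc comment keeps future callers doing the same. The method body starts and ends outside this hunk.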
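Review bot: `if (*tunnelWholeDevice == TRUE) {` compares a BOOL against a constant; BOOL may be a signed char, so a nonzero value other than 1 would be treated as false even though the flag is set. The idiomatic form is `if (*tunnelWholeDevice) {`, and the same applies to `self->tunnelWholeDevice == TRUE` in the getDNSServersAsString hunk at -1228. The value here comes from a `!= nil` comparison and so is currently 0 or 1, which makes this a style point rather than a live bug. The enclosing method body extends beyond this hunk.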
@@ -1228,7 +1234,11 @@ - (NSString *)bindToDevice:(long)fileDescriptor error:(NSError **)error {
 - (NSString *)getDNSServersAsString {
-    if (atomic_load(&self->useInitialDNS)) {
+    // In non-VPN mode, don't use the tunnel-core custom DNS resolver with
+    // any system DNS servers, as these are commonly LAN addresses and
+    // sending UDP packets to the LAN will trigger Local Network Privacy
+    // permissions requirements.
+    if (self->tunnelWholeDevice == TRUE && atomic_load(&self->useInitialDNS)) {
         return self->initialDNSCache;
     } else {
         // Alternate DNS servers may be provided by psiphon-tunnel-core config
@@ -1635,9 +1645,11 @@ - (void)startSendFeedback:(NSString * _Nonnull)feedbackJson
         return;
     }
+    BOOL tunnelWholeDevice = FALSE;
     BOOL usingNoticeFiles = FALSE;
     NSString *psiphonConfig = [PsiphonTunnel buildPsiphonConfig:feedbackConfigJson
+                                              tunnelWholeDevice:&tunnelWholeDevice
                                               usingNoticeFiles:&usingNoticeFiles
                                                      sessionID:sessionID
                                                     logMessage:logMessage
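Review bot: The added guard makes the system-DNS path depend on `self->tunnelWholeDevice`, which is FALSE from initializeWithAppDelegate: (the -166 hunk) until getConfig: has run buildPsiphonConfig: (the -536 hunk); a resolver query before that point, or after a config build that returned before the assignment, therefore falls through to the alternate-servers branch. That is the conservative outcome for the Local Network Privacy concern the new comment describes, but it is implicit, so the comment could add: `// tunnelWholeDevice stays FALSE until getConfig: has built a config, so system DNS servers are never handed to the resolver before then.` The else branch and the remainder of the method are outside the hunk, so what is returned when no alternate servers are configured is not visible here.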
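Review bot: `BOOL tunnelWholeDevice = FALSE;` exists only to satisfy the `_Nonnull` out-parameter; nothing in this hunk reads it afterwards, and if the rest of startSendFeedback (outside the hunk) also ignores it, a short comment would save a reader from looking for a consumer: `// Required out-param; the VPN-mode flag is not used for feedback uploads.` Alternatively the parameter could be declared `_Nullable` in buildPsiphonConfig: and guarded at its write and read sites, letting this caller pass NULL, but that is a wider change than this commit needs.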