From c6c0209ad45fb7d2e45370ee3a39f2dd437603b0 Mon Sep 17 00:00:00 2001
From: "kali kaneko (leap communications)" <kali@leap.se>
Date: Mon, 17 May 2021 17:50:23 +0200
Subject: [PATCH] [feat] log dns lookup if first cert fetch fails

---
 docs/circumvention.rst          | 20 +++++++++++++++++---
 pkg/vpn/bonafide/eip_service.go | 10 +++++-----
 pkg/vpn/diagnose.go             | 19 +++++++++++++++++++
 pkg/vpn/openvpn.go              |  3 +++
 4 files changed, 44 insertions(+), 8 deletions(-)
 create mode 100644 pkg/vpn/diagnose.go

diff --git a/docs/circumvention.rst b/docs/circumvention.rst
index 8c220cc8..ee31e58a 100644
--- a/docs/circumvention.rst
+++ b/docs/circumvention.rst
@@ -9,9 +9,23 @@ Bootstrapping the connection
 
 There are two different steps where circumvention can be used: boostrapping the
 connection (getting a certificate and the configuration files) and using an
-obfuscated transport protocol. At the moment RiseupVPN offers obfs4 transport
-"bridges" (you can try them with the `--obfs4` command line argument). For the
-initial bootstrap, there are a couple of techniques that will be attempted.
+obfuscated transport protocol. 
+
+For the initial bootstrap, there are a couple of techniques that will be
+attempted. If this fails, please open an issue with the relevant log
+information.
+
+Obfuscated bridges
+-----------------------------
+
+At the moment RiseupVPN offers obfs4 transport "bridges" (you can try them with
+the `--obfs4` command line argument, a way to enable them from the gui will be
+following soon).
+
+If you know you need bridges but the current ones do not work for you, please
+get in contact. We're interested in learning what are the specific censorship
+measures being deployed in your concrete location, and we could work together
+to enable new bridges.
 
 Getting certificates off-band
 -----------------------------
diff --git a/pkg/vpn/bonafide/eip_service.go b/pkg/vpn/bonafide/eip_service.go
index 5755b6ca..c1061350 100644
--- a/pkg/vpn/bonafide/eip_service.go
+++ b/pkg/vpn/bonafide/eip_service.go
@@ -79,17 +79,17 @@ func (b *Bonafide) fetchEipJSON() error {
 	eip3API := config.APIURL + "3/config/eip-service.json"
 	resp, err := b.client.Post(eip3API, "", nil)
 	for err != nil {
-		log.Printf("Error fetching eip v3 json: %v", err)
-		// TODO why exactly 1 retry? Make it configurable, for tests
-		time.Sleep(retryFetchJSONSeconds * time.Second)
 		resp, err = b.client.Post(eip3API, "", nil)
 		if err != nil {
-			// TODO it might be that it's not an error, but an empty file or whatever done
+			// TODO it might be that we get no error, but an empty file or whatever done
 			// by DNS poisoning. Should try to parse the file.
 			uri := b.getURLNoDNS("eip")
-			log.Println("Fetching ", uri)
 			resp, err = b.client.Post(uri, "", nil)
 		}
+		if err != nil {
+			log.Printf("Error fetching eip v3 json: %v", err)
+			time.Sleep(retryFetchJSONSeconds * time.Second)
+		}
 	}
 	defer resp.Body.Close()
 
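Review bot: The loop `for err != nil` still has no upper bound, so with the sleep now at the end of the body a persistent failure (offline host, blocked API, poisoned resolver) keeps fetchEipJSON spinning forever, and the removed TODO about making the retry count configurable was the only acknowledgement of that. A bounded form such as `for attempt := 0; err != nil; attempt++ {` with `if attempt >= maxAttempts { return fmt.Errorf("fetching eip v3 json after %d attempts: %w", attempt, err) }` at the top (maxAttempts being a constant to add) would let the caller report the last error instead. The commit also drops the `log.Println("Fetching ", uri)` line before the no-DNS fallback, which was the one trace showing that the bypass path was taken; consider keeping it so the diagnostic log this commit is about stays complete. fetchEipJSON's body continues past the end of the hunk.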
diff --git a/pkg/vpn/diagnose.go b/pkg/vpn/diagnose.go
new file mode 100644
index 00000000..5d12d4d6
--- /dev/null
+++ b/pkg/vpn/diagnose.go
@@ -0,0 +1,19 @@
+package vpn
+
+import (
+	"log"
+	"net"
+)
+
+func logDnsLookup(domain string) {
+	addrs, err := net.LookupHost(domain)
+	if err != nil {
+		log.Println("ERROR cannot resolve address:", domain)
+		log.Println(err)
+	}
+
+	log.Println("From here,", domain, "resolves to:")
+	for _, addr := range addrs {
+		log.Println(addr)
+	}
+}
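Review bot: When net.LookupHost fails, the error branch does not return, so the function falls through and still prints `From here, <domain> resolves to:` followed by an empty list; add `return` right after the `log.Println(err)` line. The lookup also runs without a deadline, so a stalled resolver blocks the caller for the OS default timeout; `net.DefaultResolver.LookupHost(ctx, domain)` with a short context.WithTimeout would bound it and fits a diagnostic helper better. Go's initialism convention would spell the name `logDNSLookup`.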
diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go
index a568a329..244195bd 100644
--- a/pkg/vpn/openvpn.go
+++ b/pkg/vpn/openvpn.go
@@ -202,6 +202,8 @@ func (b *Bitmask) getCert() (certPath string, err error) {
 		}
 	}
 	if failed || !isValidCert(certPath) {
+		d := config.APIURL[8 : len(config.APIURL)-1]
+		logDnsLookup(d)
 		cert, err := b.bonafide.GetPemCertificateNoDNS()
 		if cert != nil {
 			log.Println("Successfully did certificate bypass")
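Review bot: The slice `config.APIURL[8 : len(config.APIURL)-1]` on the first added line assumes the URL begins with the eight-byte `https://` and ends with a trailing slash; any other shape looks up the wrong name, and a value shorter than nine bytes panics inside getCert. Parsing instead of slicing removes both assumptions: `if u, perr := url.Parse(config.APIURL); perr == nil { logDnsLookup(u.Hostname()) }`, using `perr` so the named result `err` is not shadowed (this needs `net/url` in the import block, which the hunk does not show). getCert starts before this hunk, and its second hunk in this file is whitespace only.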
@@ -214,6 +216,7 @@ func (b *Bitmask) getCert() (certPath string, err error) {
 			failed = true
 		}
 	}
+
 	return certPath, err
 }
 
-- 
GitLab