Skip to content

Feature/vpn 4192 fix domain fronting #3669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 70 commits into
base: develop
Choose a base branch
from
+1,690 −995
Open

Feature/vpn 4192 fix domain fronting #3669

Show file tree
Hide file tree
Changes from 17 commits
Commits
Show all changes
70 commits
Select commit Hold shift + click to select a range
68701ae
Set resolver overrides using the new ResolverOverrides type.
trojanfoe Oct 10, 2025
5cdf6d7
Set resolver overrides using the new ResolverOverrides type.
trojanfoe Oct 10, 2025
95deef6
Merge branch 'feature/vpn-4192-fix-domain-fronting' of https://github…
trojanfoe Oct 10, 2025
a2a32b1
The old behaviour of from_network was use_nym_api_urls=false.
trojanfoe Oct 10, 2025
43b2ade
Update firewall when we receive a new discovery.
trojanfoe Oct 10, 2025
a4f5e76
Remove unnecessary variable renames.
trojanfoe Oct 10, 2025
59920ab
Set resolver overrides using the new ResolverOverrides type.
trojanfoe Oct 10, 2025
7e5b7ba
The old behaviour of from_network was use_nym_api_urls=false.
trojanfoe Oct 10, 2025
42d541a
Update firewall when we receive a new discovery.
trojanfoe Oct 10, 2025
90ab2a4
Remove unnecessary variable renames.
trojanfoe Oct 10, 2025
f4f2629
Support `CommonCommand` to set `ResolverOverrides`.
trojanfoe Oct 13, 2025
c2c693d
Merge branch 'feature/vpn-4192-fix-domain-fronting' of https://github…
trojanfoe Oct 13, 2025
41578f6
You cannot set the firewall on iOS/Android.
trojanfoe Oct 13, 2025
8406b46
Try again with iOS/Android fix.
trojanfoe Oct 13, 2025
394fcc4
Minor change.
trojanfoe Oct 13, 2025
679758a
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 13, 2025
5ca75ac
Remove some duplication.
trojanfoe Oct 13, 2025
7686ec9
Use `url_to_socket_addrs` to resolve addresses.
trojanfoe Oct 13, 2025
f25835b
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 13, 2025
48328c2
Remove comments.
trojanfoe Oct 13, 2025
3218538
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 13, 2025
d610c47
Add `build_fronted_http_client()`.
trojanfoe Oct 14, 2025
23b181b
Use fronted HTTP client for validator.
trojanfoe Oct 14, 2025
97175fd
Allow setting of timeout for fronted HTTP client.
trojanfoe Oct 14, 2025
b0214d9
Fix error.
trojanfoe Oct 14, 2025
17a07f0
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 14, 2025
ee7027f
Fix clippy errors.
trojanfoe Oct 14, 2025
da1a5cc
Change order of setting HTTP client fronting in order to avoid warning.
trojanfoe Oct 14, 2025
34db4e7
Fix format errors.
trojanfoe Oct 15, 2025
5106ac5
Use `ResolverOverrides` from gateway config.
trojanfoe Oct 15, 2025
0d409f4
Use `ResolverOverrides` from gateway config.
trojanfoe Oct 15, 2025
17e89da
Fix error with private field.
trojanfoe Oct 15, 2025
b6ea428
Fix error with private field.
trojanfoe Oct 15, 2025
36b0906
Fix error with private field.
trojanfoe Oct 15, 2025
d4e8ba0
Expand Windows firewall endpoints to 24.
trojanfoe Oct 15, 2025
b9378f4
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 15, 2025
9bfb982
Remove all blocking address resolver functions.
trojanfoe Oct 15, 2025
3b55748
Remove all blocking address resolver functions.
trojanfoe Oct 15, 2025
9fb98b5
Print errors resolving IP addresses.
trojanfoe Oct 15, 2025
b75918a
Merge from origin/develop.
trojanfoe Oct 15, 2025
b440570
Fix creation of `VpnApiClient`.
trojanfoe Oct 15, 2025
4b331e9
Only use VPN URLs when creating `VpnApiClient`.
trojanfoe Oct 15, 2025
02eee0b
Use the right `ApiUrl` and `Url` types!
trojanfoe Oct 15, 2025
04b9f5c
Restore the `ApiUrl` type used by `Discovery`.
trojanfoe Oct 16, 2025
bf74923
Do the conversion from `ApiUrl` to `Url` ourselves.
trojanfoe Oct 16, 2025
309f1d1
Also do the conversion in `build_fronted_http_client()`.
trojanfoe Oct 16, 2025
88ab8a8
Set-up resolver overrides for fronted hosts.
trojanfoe Oct 16, 2025
5393fc4
Fix clippy error about large future.
trojanfoe Oct 16, 2025
477d03e
Fix clippy warning about large future.
trojanfoe Oct 16, 2025
a050d8e
Fix clippy import warnings.
trojanfoe Oct 16, 2025
e850c34
More clippy import warnings.
trojanfoe Oct 16, 2025
1c37599
Also open-up the non-fronted domains.
trojanfoe Oct 16, 2025
54f735b
Remove singular API URLs in favour of `Vec<ApiUrl>`.
trojanfoe Oct 16, 2025
a69f515
Limit resolved addresses to 1-per-host.
trojanfoe Oct 16, 2025
8eee525
Fix compilation issues in nym-vpn-lib-uniffi.
trojanfoe Oct 17, 2025
5073b9f
Merge remote-tracking branch 'origin/develop' into
trojanfoe Oct 17, 2025
8726b55
Fix `api_url_to_url()` to handle URLs with IP addresses.
trojanfoe Oct 17, 2025
a57b1db
Add unit tests for `api_url_to_url()`.
trojanfoe Oct 17, 2025
0793dc9
If the URL doesn't have a domain then don't return host instead. Tha…
trojanfoe Oct 17, 2025
2f37e1e
Allow one IPv4 and one IPv6 address when resolving addresses.
trojanfoe Oct 17, 2025
42cc2b8
Restore patch line.
trojanfoe Oct 17, 2025
98613fd
`make_gateway_config()` now returns `Result`.
trojanfoe Oct 17, 2025
352329a
Move to using `Url`s to create HTTP clients.
trojanfoe Oct 17, 2025
8529121
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 18, 2025
9154c83
Complete move to using `Url`s to create HTTP clients.
trojanfoe Oct 18, 2025
f126b79
More work around gateway client.
trojanfoe Oct 18, 2025
908e4d2
Use a `HashSet` to ensure all addresses in `ResolverOverrides` are un…
trojanfoe Oct 20, 2025
aed2a5a
Add `has_resolver_overrides()` as a convenience.
trojanfoe Oct 20, 2025
dc871d3
Merge remote-tracking branch 'origin/develop' into feature/vpn-4192-f…
trojanfoe Oct 20, 2025
e69caa0
Update change log.
trojanfoe Oct 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions nym-vpn-core/crates/nym-gateway-directory/src/gateway_client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ impl ResolvedConfig {

#[derive(Clone)]
pub struct GatewayClient {
// TODO: Now that VpnApiClient can be constructed from both types of URLs, we can use it here.
api_client: nym_http_api_client::Client,
nym_vpn_api_client: Option<nym_vpn_api_client::VpnApiClient>,
nyxd_url: Url,
Expand All @@ -122,7 +123,7 @@ impl GatewayClient {
pub fn new_with_resolver_overrides(
config: Config,
user_agent: UserAgent,
static_nym_api_ip_addresses: Option<&[SocketAddr]>,
resolver_overrides: Option<&nym_vpn_api_client::ResolverOverrides>,
) -> Result<Self> {
let api_client = nym_http_api_client::Client::builder(config.api_url.clone())
.map_err(|e| Error::FailedToLookupDescribedGateways(e.into()))?
Expand All @@ -135,7 +136,7 @@ impl GatewayClient {
nym_vpn_api_client::VpnApiClient::new_with_resolver_overrides(
url,
user_agent.clone(),
static_nym_api_ip_addresses,
resolver_overrides,
)
})
.transpose()?;
Expand All @@ -153,7 +154,7 @@ impl GatewayClient {
config: Config,
network_details: &nym_network_defaults::NymNetworkDetails,
user_agent: UserAgent,
static_nym_api_ip_addresses: Option<&[SocketAddr]>,
resolver_overrides: Option<&nym_vpn_api_client::ResolverOverrides>,
) -> Result<Self> {
// Use the new unified HTTP client with domain fronting for the main API client
let api_client = nym_http_api_client::ClientBuilder::from_network(network_details)
Expand All @@ -167,8 +168,9 @@ impl GatewayClient {
Some(
nym_vpn_api_client::VpnApiClient::from_network_with_resolver_overrides(
network_details,
true, // Using nym_vpn_api_urls from network_details
user_agent.clone(),
static_nym_api_ip_addresses,
resolver_overrides,
)?,
)
} else {
Expand Down
18 changes: 9 additions & 9 deletions nym-vpn-core/crates/nym-gateway-probe/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,7 @@ use std::{
};

use crate::{netstack::NetstackResult, types::Entry};
use anyhow::Context;
use anyhow::{anyhow, bail};
use anyhow::{Context, anyhow, bail};
use base64::{Engine as _, engine::general_purpose};
use bytes::BytesMut;
use clap::Args;
Expand All @@ -20,8 +19,7 @@ use nym_authenticator_requests::{
v4, v5,
};
use nym_bandwidth_controller::error::BandwidthControllerError;
use nym_client_core::client::base_client::storage::OnDiskPersistent;
use nym_client_core::config::ForgetMe;
use nym_client_core::{client::base_client::storage::OnDiskPersistent, config::ForgetMe};
use nym_config::defaults::{
NymNetworkDetails, WG_METADATA_PORT, WG_TUN_DEVICE_IP_ADDRESS_V4,
mixnet_vpn::{NYM_TUN_DEVICE_ADDRESS_V4, NYM_TUN_DEVICE_ADDRESS_V6},
Expand All @@ -42,11 +40,13 @@ use nym_ip_packet_requests::{
ControlResponse, DataResponse, InfoLevel, IpPacketResponse, IpPacketResponseData,
},
};
use nym_sdk::bandwidth::BandwidthImporter;
use nym_sdk::mixnet::{
CredentialStorage, DisconnectedMixnetClient, Ephemeral, EphemeralCredentialStorage, KeyStore,
MixnetClient, MixnetClientBuilder, MixnetClientStorage, NodeIdentity, ReconstructedMessage,
StoragePaths,
use nym_sdk::{
bandwidth::BandwidthImporter,
mixnet::{
CredentialStorage, DisconnectedMixnetClient, Ephemeral, EphemeralCredentialStorage,
KeyStore, MixnetClient, MixnetClientBuilder, MixnetClientStorage, NodeIdentity,
ReconstructedMessage, StoragePaths,
},
};
use nym_validator_client::nyxd::error::NyxdError;
use nym_wireguard_types::PeerPublicKey;
Expand Down
7 changes: 4 additions & 3 deletions nym-vpn-core/crates/nym-vpn-account-controller/src/command_sender.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
// Copyright 2024 - Nym Technologies SA <[email protected]>
// SPDX-License-Identifier: GPL-3.0-only

use std::net::SocketAddr;

use crate::{
AvailableTicketbooks,
commands::{AccountCommand, CommonCommand, ReturnSender},
Expand All @@ -12,7 +14,6 @@ use nym_vpn_api_client::{
};
use nym_vpn_lib_types::{AccountCommandError, RegisterAccountResponse};
use nym_vpn_store::types::StorableAccount;
use std::net::SocketAddr;
use tokio::sync::mpsc::UnboundedSender;

#[derive(Clone)]
Expand Down Expand Up @@ -145,12 +146,12 @@ impl AccountCommandSender {

pub async fn set_static_api_addresses(
&self,
static_addresses: Option<Vec<SocketAddr>>,
static_api_addresses: Option<Vec<SocketAddr>>,
) -> Result<(), AccountCommandError> {
let (tx, rx) = ReturnSender::new();
self.command_tx
.send(AccountCommand::Common(
CommonCommand::SetStaticApiAddresses(tx, static_addresses),
CommonCommand::SetStaticApiAddresses(tx, static_api_addresses),
))
.map_err(AccountCommandError::internal)?;
rx.await.map_err(AccountCommandError::internal)?
Expand Down
34 changes: 28 additions & 6 deletions nym-vpn-core/crates/nym-vpn-account-controller/src/commands/common_handler.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
// Copyright 2025 - Nym Technologies SA <[email protected]>
// SPDX-License-Identifier: GPL-3.0-only

use std::net::SocketAddr;

// Copyright 2025 - Nym Technologies SA <[email protected]>
// SPDX-License-Identifier: GPL-3.0-only
use nym_offline_monitor::ConnectivityMonitor;
use nym_vpn_api_client::response::{NymVpnDevice, NymVpnUsage};
use nym_vpn_api_client::{
ResolverOverrides,
response::{NymVpnDevice, NymVpnUsage},
};
use nym_vpn_lib_types::AccountCommandError;

use crate::{
Expand Down Expand Up @@ -46,6 +48,12 @@ pub(crate) async fn handle_common_command<C: ConnectivityMonitor>(
static_api_addresses,
));
}
CommonCommand::SetResolverOverrides(result_tx, resolver_overrides) => {
result_tx.send(handle_set_resolver_overrides(
shared_state,
resolver_overrides,
));
}
};
}

Expand Down Expand Up @@ -164,6 +172,20 @@ pub(crate) fn handle_set_static_api_addresses<C: ConnectivityMonitor>(
) -> Result<(), AccountCommandError> {
shared_state
.vpn_api_client
.override_resolver(static_api_addresses.as_deref())
.map_err(|e| AccountCommandError::internal(format!("Failed to set static addresses: {e}")))
.override_resolver_addresses(static_api_addresses.as_ref())
.map_err(|e| {
AccountCommandError::internal(format!("Failed to set resolver overrides: {e}"))
})
}

pub(crate) fn handle_set_resolver_overrides<C: ConnectivityMonitor>(
shared_state: &mut SharedAccountState<C>,
resolver_overrides: Option<ResolverOverrides>,
) -> Result<(), AccountCommandError> {
shared_state
.vpn_api_client
.override_resolver(resolver_overrides.as_ref())
.map_err(|e| {
AccountCommandError::internal(format!("Failed to set resolver overrides: {e}"))
})
}
13 changes: 12 additions & 1 deletion nym-vpn-core/crates/nym-vpn-account-controller/src/commands/dispatch.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,17 @@
// Copyright 2025 - Nym Technologies SA <[email protected]>
// SPDX-License-Identifier: GPL-3.0-only

use std::net::SocketAddr;

use nym_vpn_lib_types::{AccountCommandError, RegisterAccountResponse};
use nym_vpn_store::account::StorableAccount;

use nym_validator_client::nyxd::Coin;
use nym_vpn_api_client::{
ResolverOverrides,
response::{NymVpnDevice, NymVpnUsage},
types::Platform,
};
use std::net::SocketAddr;
use tokio::sync::oneshot;

use crate::AvailableTicketbooks;
Expand Down Expand Up @@ -78,6 +80,9 @@ impl AccountCommand {
CommonCommand::SetStaticApiAddresses(return_sender, _) => {
return_sender.send(Err(error))
}
CommonCommand::SetResolverOverrides(return_sender, _) => {
return_sender.send(Err(error))
}
},
}
}
Expand Down Expand Up @@ -112,6 +117,12 @@ pub enum CommonCommand {
ReturnSender<(), AccountCommandError>,
Option<Vec<SocketAddr>>,
),

/// Override the VPN API client resolver to allow him to go through the firewall (witg Domain Fronting)
SetResolverOverrides(
ReturnSender<(), AccountCommandError>,
Option<ResolverOverrides>,
),
}

#[derive(Debug)]
Expand Down
3 changes: 2 additions & 1 deletion nym-vpn-core/crates/nym-vpn-account-controller/src/state_machine/decentralised_state.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,8 @@ impl<C: ConnectivityMonitor> AccountControllerStateHandler<C> for DecentralisedS
CommonCommand::GetStoredAccount(return_sender) => return_sender.send(common_handler::handle_get_stored_account(shared_state).await),
CommonCommand::GetDeviceIdentity(return_sender) => return_decentralised(return_sender),
CommonCommand::GetAccountIdentity(return_sender) => return_sender.send(common_handler::handle_get_account_identity(shared_state)),
CommonCommand::SetStaticApiAddresses(return_sender,socket_addrs) => return_sender.send(common_handler::handle_set_static_api_addresses(shared_state,socket_addrs)),
CommonCommand::SetStaticApiAddresses(return_sender, static_api_addresses) => return_sender.send(common_handler::handle_set_static_api_addresses(shared_state, static_api_addresses)),
CommonCommand::SetResolverOverrides(return_sender, resolver_overrides) => return_sender.send(common_handler::handle_set_resolver_overrides(shared_state, resolver_overrides)),
CommonCommand::GetUsage(return_sender) => return_decentralised(return_sender),
CommonCommand::GetDevices(return_sender) => return_decentralised(return_sender),
CommonCommand::GetActiveDevices(return_sender) => return_decentralised(return_sender),
Expand Down
3 changes: 2 additions & 1 deletion nym-vpn-core/crates/nym-vpn-account-controller/src/state_machine/logged_out_state.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,8 @@ impl<C: ConnectivityMonitor> AccountControllerStateHandler<C> for LoggedOutState

AccountCommand::Common(common_command) => {
match common_command {
CommonCommand::SetStaticApiAddresses(return_sender, socket_addrs) => return_sender.send(common_handler::handle_set_static_api_addresses(shared_state,socket_addrs)),
CommonCommand::SetStaticApiAddresses(return_sender, static_api_addresses) => return_sender.send(common_handler::handle_set_static_api_addresses(shared_state, static_api_addresses)),
CommonCommand::SetResolverOverrides(return_sender, resolver_overrides) => return_sender.send(common_handler::handle_set_resolver_overrides(shared_state, resolver_overrides)),

CommonCommand::GetAccountIdentity(return_sender) => return_sender.send(Ok(None)),
CommonCommand::GetStoredAccount(return_sender) => return_sender.send(Ok(None)),
Expand Down
3 changes: 2 additions & 1 deletion nym-vpn-core/crates/nym-vpn-account-controller/src/state_machine/offline_state.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,8 @@ impl<C: ConnectivityMonitor> AccountControllerStateHandler<C> for OfflineState {
CommonCommand::GetStoredAccount(return_sender) => return_sender.send(common_handler::handle_get_stored_account(shared_state).await),
CommonCommand::GetDeviceIdentity(return_sender) => return_sender.send(common_handler::handle_get_device_identity(shared_state)),
CommonCommand::GetAccountIdentity(return_sender) => return_sender.send(common_handler::handle_get_account_identity(shared_state)),
CommonCommand::SetStaticApiAddresses(return_sender,socket_addrs) => return_sender.send(common_handler::handle_set_static_api_addresses(shared_state,socket_addrs)),
CommonCommand::SetStaticApiAddresses(return_sender, static_api_addresses) => return_sender.send(common_handler::handle_set_static_api_addresses(shared_state, static_api_addresses)),
CommonCommand::SetResolverOverrides(return_sender, resolver_overrides) => return_sender.send(common_handler::handle_set_resolver_overrides(shared_state, resolver_overrides)),
CommonCommand::GetUsage(return_sender) => return_no_connectivity(return_sender),
CommonCommand::GetDevices(return_sender) => return_no_connectivity(return_sender),
CommonCommand::GetActiveDevices(return_sender) => return_no_connectivity(return_sender),
Expand Down
Loading
Loading