FR: Custom NIC addr #1710

Open
samthesamman opened this issue Sep 23, 2024 · 5 comments

samthesamman commented Sep 23, 2024

Here you define the subnet for the Interface: `private const val IPV4_TEMPLATE: String = "10.111.222.%d"`. Would it be possible to make this a customizable value? Otherwise this value can be used to contribute to your fingerprint.

For example, ProtonVPN assigns the interface an IP 10.2.0.2 for all of its users. It would be nice for me to be able to set the same interface IP address so that I blend in with other ProtonVPN users.

On that note, is there any harm if I edit the hardcoded value from 10.111.222.%d to 10.2.0.%d, and edit the gateway enum to 2 (and the interface to 3 and DNS to 4): https://github.com/celzero/rethink-app/blob/59aa0daae1c3be0bbda8c8e15a5a47f5385bfbce/app/src/main/java/com/celzero/bravedns/service/BraveVPNService.kt#L2483C1-L2486C16

@ignoramous
Collaborator

> ProtonVPN assigns the interface an IP 10.2.0.2 for all of its users. It would be nice for me to be able to set the same interface IP address so that I blend in with other ProtonVPN users

If this is why you want to modify the interface address Rethink uses for its tunnel, then you're mistaken that changing this will change the WireGuard interface addresses (it won't).

The tunnel interface address is app facing (local ingress), while the WireGuard interface address is network facing (egress). They don't overlap, and in fact, they don't even know about each other's existence, either.

> On that note, is there any harm if I edit the hardcoded value from 10.111.222.%d to 10.2.0.%d, and edit the gateway enum to 2 (and the interface to 3 and DNS to 4)

Changing this in & before the current version (v055n) should work. But there's no guarantee that it will continue to.

@samthesamman
Author

WebRTC leaks the tunnel interface address (https://browserleaks.com/webrtc#howto-disable-webrtc). Malicious actors use this. Imagine 99% of protonvpn users use the standard proton app. The WebRTC leak shows their tunnel address as 10.2.0.2. Now imagine a very small portion of protonvpn users use this app. We will all have a different tunnel interface address and so we stick out like a sore thumb.

@ignoramous
Collaborator

> The WebRTC leak shows their tunnel address as 10.2.0.2.

If the browser from which you're running this test is set to be routed through WireGuard (and yet ends up showing Rethink's tunnel address), then that's actually a problem.

Are you running WireGuard in Advanced mode or Simple mode? If the latter, make sure to add the browser app to be routed through WireGuard. To be double sure, you can opt to turn ON Lockdown, too.

@samthesamman
Author

This is running in Advanced mode Always On. This is due to how the mobile browsers are implemented (at least Chrome, Firefox, and likely all the others). You can test it yourself on that link with your favorite mobile browser. It has to do with how WebRTC is implemented and malicious actors exploit this vulnerability. Firefox uBlock can block WebRTC, but if anyone wants to use WebRTC on mobile they will be subject to this value leaking, hence why it's ideal for this value to be the same across all users.

@ignoramous
Collaborator

ignoramous commented Oct 2, 2024

> This is due to how the mobile browsers are implemented (at least Chrome, Firefox, and likely all the others).

I see how that can happen (as apps only see Rethink's tunnel address and cannot see WireGuard's).

> if anyone wants to use WebRTC on mobile they will be subject to this value leaking

I wouldn't call it a "leak". The addresses of ALL network interfaces (not just Rethink) are visible to any installed app on your Android, and this has nothing to do with WebRTC.

> hence why it's ideal for this value to be the same across all users

It isn't "ideal" to use a Proton default address, as Rethink can run multiple WireGuards from different providers at the same time.

I guess we should allow users to set the interface address for Rethink, regardless.

ignoramous changed the title from "Feature Rquest: Custom NIC/LAN IP for Interface" to "FR: Custom NIC addr" on Oct 2, 2024
ignoramous self-assigned this on Oct 2, 2024
ignoramous added the "P0 Priority: 0 (urgent and important)" label on Oct 2, 2024
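
An added example (not part of the thread, and not Rethink's or any browser's code): WebRTC hands local addresses to page scripts as ICE candidate lines, and this Node.js sketch classifies the address in each line so a user can tell whether a browser exposes the raw tunnel address, the 10.2.0.2 value mentioned above, or an mDNS-masked name. The candidate lines and the last octet of the Rethink address are constructed, and the function names are hypothetical.

```javascript
// Added example: classify the address each WebRTC ICE candidate line exposes.
const RETHINK_PREFIX = "10.111.222."; // from the IPV4_TEMPLATE quoted in the issue
const PROTON_ADDR = "10.2.0.2";       // address the reporter attributes to ProtonVPN

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
const CANDIDATE_RE = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/i;

function isPrivateV4(addr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return false;
  const [a, b, c, d] = addr.split(".").map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function classifyCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return { kind: "unparsed", address: null };
  const address = m[1];
  const type = m[2].toLowerCase();
  // Only host candidates carry a local interface address.
  if (type !== "host") return { kind: "non-host", address };
  // Browsers that mask host candidates substitute an mDNS ".local" name.
  if (address.toLowerCase().endsWith(".local")) return { kind: "mdns-masked", address };
  if (address === PROTON_ADDR) return { kind: "proton-default", address };
  if (address.startsWith(RETHINK_PREFIX) && isPrivateV4(address)) {
    return { kind: "rethink-tunnel", address };
  }
  if (isPrivateV4(address)) return { kind: "private-other", address };
  return { kind: "other-host", address };
}

// Host candidates that expose a raw private IPv4 address to the page's script.
function exposedLocalAddresses(lines) {
  const exposed = ["proton-default", "rethink-tunnel", "private-other"];
  return lines.map(classifyCandidate)
    .filter((c) => exposed.includes(c.kind))
    .map((c) => `${c.kind}:${c.address}`);
}

// Constructed sample lines (not captured from a real session).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 10.111.222.1 50000 typ host generation 0",
  "candidate:2 1 udp 2122260223 10.2.0.2 50001 typ host generation 0",
  "a=candidate:3 1 udp 2113937151 6f1c2d3e-0000-4000-8000-000000000001.local 50002 typ host",
  "candidate:4 1 udp 1686052607 203.0.113.7 50003 typ srflx raddr 0.0.0.0 rport 0",
];
console.log(exposedLocalAddresses(SAMPLE));
```

A line classified as `mdns-masked` means the browser did not reveal the interface address at all, which removes the distinguishing value regardless of which address the tunnel uses.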