Rethink blocks incoming P2P connections #577

Closed
Farzat07 opened this issue Sep 28, 2022 · 8 comments

@Farzat07

I have Rethink running on two of my phones: Galaxy A51 (Android 12) and Galaxy Note8 (Android 9).

For some reason I have trouble accessing apps such as Syncthing on Galaxy A51 - the main functionality of Syncthing works just fine, but I can't access its web GUI from my computer, unlike the Note8. I tried setting up a simple http server on termux, but couldn't access that either.

However, once I excluded the relevant app from Rethink - in this case Syncthing - I was able to access its web GUI just fine, so I guess Rethink was blocking incoming connections?

Also F-Droid discovery on Galaxy Note8 says that the wifi discovery "Conflicts with active VPN!" if F-Droid is not excluded, but still works just fine (maybe auto-discovery becomes a bit harder? still works by scanning the QR code though). F-Droid still needs to be excluded from Rethink on the A51 for this to work though.

@ignoramous
Collaborator

ignoramous commented Sep 28, 2022

Thanks for your bug report.

> However, once I excluded the relevant app from Rethink - in this case Syncthing - I was able to access its web GUI just fine, so I guess Rethink was blocking incoming connections?

It's likely that incoming connections are blocked by Rethink's Firewall because:

  1. It doesn't really have any code to support LAN traffic just yet, see "Firewall may be shouldn't block all TCP and UDP conns" #26 (connections to LAN IPs may still work, but we haven't explicitly tested for it or made provisions for it in the code).
  2. It doesn't permit UDP hole-punching which makes it hard for NAT traversal in a P2P setting, too, I'd imagine.

While excluding the app is a viable solution, we do want to make these apps work from within the Firewall. That said, in the mid-term, there are other issues and feature requests that are higher priority for us.

> Also F-Droid discovery on Galaxy Note8 says that the wifi discovery "Conflicts with active VPN!"

On this specifically, I am not sure how F-Droid implements discovery, but if it's via multi-cast DNS, then wait for this to be fixed #368 (happening in a few weeks / month).

If it is over Wifi P2P, then I am not sure how to support it in Rethink just yet as I haven't really looked at how it all works.


A few Qs:

  1. On Galaxy Note8 (Android 9), Syncthing is able to serve web-ui from behind Rethink Firewall?
  2. Which version (v053x) and flavour (f-droid, website, play-store) of Rethink Firewall are you on?

@Farzat07
Author

Thanks for the reply. I appreciate that you have many other issues to work with so this will probably take some time. Fortunately, I will probably (hopefully) only need to host services from FOSS applications on my phone, which I don't really mind excluding.

The F-Droid thing doesn't really bother me as it actually works with the QR code and I barely use the feature anyway. I just thought you might find it relevant.

As for the Qs:

  1. Yes, Syncthing is able to serve from behind the Rethink Firewall on the Note8. Other apps such as Termux were able to serve behind the firewall as well. The issue is with the A51 (all of Syncthing web-ui, F-Droid discovery, and Termux http-server don't work).
  2. Both use v053j from F-Droid.

@ignoramous
Collaborator

ignoramous commented Sep 28, 2022

> Yes, Syncthing is able to serve from behind the Rethink Firewall on the Note8.

Strange. This has me more confused. On Note8, you are able to serve Syncthing web over both Mobile and Wifi?

I suspect that some firewall setting is the difference between the two:

  1. Syncthing may be allowlisted to Bypass Universal firewall rules?
  2. The configured DNS is different between the two? Perhaps, one among them uses System DNS?
  3. Some Universal firewall rule (like Block connections when DNS is bypassed / Block all UDP traffic except DNS and NTP) gets in the way?
  4. Some IP Rule (either at the app-level or universal) is blocking connections?
  5. On DNS' Configure page: May be Prevent DNS Leaks is enabled on one and not the other?
  6. On Rethink's Settings: May be Allow Bypass / Use all available networks is enabled in one and not the other?

On A51, can you check if setting Choose IP Version to IPv4 makes any difference (it shouldn't, but worth a shot)?

@Farzat07
Author

I only tested on Wifi - my SIM doesn't even work on the Note8 so I can't test it.

  1. No.
  2. I do use System DNS sometimes on the A51, but wasn't using it at the time of testing.
  3. Both have the same universal options set (Block connections when source app is unknown and Block newly installed apps by default).
  4. I don't have any IP Rules set.
  5. Both have Prevent DNS Leaks enabled.
  6. Both settings are not enabled on both devices.

Choose IP Version didn't make a difference.

@ignoramous ignoramous self-assigned this Sep 29, 2022
@ignoramous ignoramous changed the title Rethink blocks incoming connections Rethink blocks incoming P2P connections Oct 14, 2022
@tim-hub

tim-hub commented Feb 13, 2023

Got the same issue here, cannot start a local http server on phone.

Share to computer the app is, to start a local http server so that it could be shared to computer easily

@ignoramous
Collaborator

> Share to computer the app is, to start a local http server so that it could be shared to computer easily.

As a workaround, you can "Exclude" the http-server app until we merge in LAN related changes.

@ignoramous
Collaborator

> As a workaround, you can "Exclude" the http-server app until we merge in LAN related changes.

@tim-hub We shipped a feature in v054 (launched 6 May) where enabling Do not route Private IPs (from Configure -> Network) should exclude all LAN traffic from the tunnel (#26). Can you please see if that has fixed the issue for you?

> Yes, Syncthing is able to serve from behind the Rethink Firewall on the Note8. Other apps such as Termux were able to serve behind the firewall as well. The issue is with the A51 (all of Syncthing web-ui, F-Droid discovery, and Termux http-server don't work).

@Farzat07 Can you also please check, if you've got the time? If v054 doesn't help, perhaps a better implementation shipping in v055 (a day or so away) will. Thanks.
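
What excluding private ranges from a VPN tunnel's routes amounts to, as an added example that is not part of the thread and not Rethink's code: the tunnel takes every IPv4 route except the private blocks, so LAN peers never enter the firewall. The list of ranges and the names `PRIVATE_V4`, `tunnel_routes` and `is_tunnelled` are assumptions.

```python
import ipaddress

# Assumed "private" IPv4 ranges (constructed for this example; the thread
# does not say which ranges the setting covers).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",      # RFC 1918
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",  # link-local
)]


def tunnel_routes(excluded=PRIVATE_V4):
    """Return CIDR routes covering all of IPv4 except the excluded blocks."""
    routes = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excluded:
        remaining = []
        for route in routes:
            if ex.subnet_of(route):
                # Split the route into the pieces that surround `ex`.
                remaining.extend(route.address_exclude(ex))
            elif route.subnet_of(ex):
                continue  # route lies wholly inside an excluded block
            else:
                remaining.append(route)
        routes = remaining
    return sorted(routes)


def is_tunnelled(addr, routes):
    """True if traffic to `addr` would be handed to the VPN tunnel."""
    ip = ipaddress.ip_address(addr)
    return any(ip in route for route in routes)


if __name__ == "__main__":
    routes = tunnel_routes()
    # Constructed sample peers: a LAN host, a public resolver, a hotspot peer.
    for peer in ("192.168.1.20", "9.9.9.9", "172.20.10.3"):
        print(peer, "tunnelled" if is_tunnelled(peer, routes) else "direct")
```

With routes built this way, a computer at a LAN address reaches the phone's web GUI over the underlying network, while traffic to public addresses still passes through the firewall.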

@Farzat07
Author

Farzat07 commented Jan 9, 2024

@ignoramous sorry for the late reply. I tried the feature and it worked! Thanks!
