Allow certain VPN apps to access the LAN, needed for GSF-based Cast API e.g. Spotify Cast #367

Open
infinity0 opened this issue Jul 19, 2020 · 1 comment


@infinity0

I am using AFWall+ with Orbot and its VPN mode. Please bear with me while I explain the non-Orbot-specific background.

My AFWall+ is set to:

  • block by default
  • allow access to VPN by default
  • certain apps also have additional access to LAN, to access the Chromecast, e.g.
    • VLC
    • Spotify
    • GSF (Google Play Services, Google Services Framework, Google Account Manager, Google Backup Transport), these are all grouped together by AFWall+.

This works fine, both VLC and Spotify can cast to my Chromecast, yay.

Note that for Spotify, we need to additionally allow LAN access for GSF as well - Spotify directly accesses the LAN to discover the device, but its application data is sent to the Chromecast via GSF, using the GSF Cast API. It is entirely possible to connect to a Chromecast without using this API, e.g. VLC does it, so I only need to allow LAN access for VLC.


Now the issue comes when trying to combine this with Orbot. My above AFWall+ settings allow me to use Orbot in a safe way - I can use its VPN mode and its app-specific settings to only give certain apps access to the VPN, and the default AFWall+ rules block access for other apps.

In Orbot, I had been allowing VPN access to GSF (Google Play Services, Google Services Framework, Google Account Manager) because I figured that they might need to contact Google, and I didn't want things to randomly break because I was forbidding access. However, this breaks the GSF Cast API, because Orbot seems to prevent their LAN connections from working, I guess by redirecting them to the VPN, although I didn't confirm this. Then Spotify can discover the device, but gets stuck when attempting to connect to it.

If in Orbot, I disable VPN access to those 3 GSF apps, then Spotify can both discover the device and connect to it again, and life is good. However it may be the case that those 3 apps really do need to access the internet in a different context, and in that case I would like them to do it via Orbot instead of directly revealing my IP address to Google.

So what would be nice is to allow certain VPN-enabled apps to also be able to access the LAN directly, bypassing Orbot - just like AFWall+ allows you to do.

@infinity0

For example with microG this is fairly important, since they just have a monolithic app that sometimes needs internet access and sometimes needs LAN access.
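
The following is an added example, not part of the issue thread and not Orbot or AFWall+ code: a small Python model of the per-app routing outcomes described above, including the requested LAN bypass. The `lan_bypass` flag, the LAN range list, the sample addresses, and the assumption that the VPN captures an app's LAN traffic (the reporter's unconfirmed guess) are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Ranges treated as "LAN" in this sketch (an assumption, IPv4 only): RFC 1918
# private space, link-local, and multicast (used for device discovery).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class AppPolicy:
    fw_lan: bool              # AFWall+ allows this app on the LAN
    fw_vpn: bool              # AFWall+ allows this app on the VPN
    in_vpn: bool              # app is selected in Orbot's VPN mode
    lan_bypass: bool = False  # hypothetical option requested in the issue


def is_lan(dest: str) -> bool:
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in LAN_NETS)


def route(policy: AppPolicy, dest: str) -> str:
    """Return 'lan', 'vpn' or 'blocked' for one outbound connection."""
    lan = is_lan(dest)
    if policy.in_vpn and not (lan and policy.lan_bypass):
        # Assumed: the VPN captures all of the app's traffic, LAN included.
        return "vpn" if policy.fw_vpn else "blocked"
    # Traffic leaves on the physical interface; with block-by-default only
    # LAN destinations with an explicit LAN allowance get through.
    return "lan" if lan and policy.fw_lan else "blocked"


# Constructed sample addresses: a Chromecast on the LAN and a public host.
CHROMECAST, PUBLIC = "192.168.1.50", "203.0.113.10"

def scenarios() -> dict:
    gsf_vpn = AppPolicy(fw_lan=True, fw_vpn=True, in_vpn=True)
    gsf_direct = AppPolicy(fw_lan=True, fw_vpn=True, in_vpn=False)
    gsf_bypass = AppPolicy(fw_lan=True, fw_vpn=True, in_vpn=True, lan_bypass=True)
    return {name: (route(p, CHROMECAST), route(p, PUBLIC))
            for name, p in (("vpn", gsf_vpn), ("direct", gsf_direct),
                            ("bypass", gsf_bypass))}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In this model the bypass applies only to the listed ranges, so a public destination from a bypass-enabled app still resolves to `vpn` rather than leaving on the physical interface.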
