Make sure ping works while the VPN is active

Author: pimterry

app/src/main/java/tech/httptoolkit/android/ProxyVpnRunnable.kt

@@ -7,7 +7,7 @@ import tech.httptoolkit.android.vpn.ClientPacketWriter
 import tech.httptoolkit.android.vpn.SessionHandler
 import tech.httptoolkit.android.vpn.SessionManager
 import tech.httptoolkit.android.vpn.socket.SocketNIODataService
-import tech.httptoolkit.android.vpn.transport.tcp.PacketHeaderException
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException
 import io.sentry.Sentry
 import java.io.FileInputStream
 import java.io.FileOutputStream

app/src/main/java/tech/httptoolkit/android/vpn/SessionHandler.java

@@ -17,16 +17,20 @@
 package tech.httptoolkit.android.vpn;
 
 import java.io.IOException;
+import java.net.InetAddress;
 import java.nio.ByteBuffer;
 import java.nio.channels.SelectionKey;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 
 import tech.httptoolkit.android.vpn.network.ip.IPPacketFactory;
 import tech.httptoolkit.android.vpn.network.ip.IPv4Header;
 import tech.httptoolkit.android.vpn.socket.SocketNIODataService;
-import tech.httptoolkit.android.vpn.transport.tcp.PacketHeaderException;
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
+import tech.httptoolkit.android.vpn.transport.icmp.ICMPPacket;
+import tech.httptoolkit.android.vpn.transport.icmp.ICMPPacketFactory;
 import tech.httptoolkit.android.vpn.transport.tcp.TCPHeader;
 import tech.httptoolkit.android.vpn.transport.tcp.TCPPacketFactory;
-import tech.httptoolkit.android.vpn.transport.ITransportHeader;
 import tech.httptoolkit.android.vpn.transport.udp.UDPHeader;
 import tech.httptoolkit.android.vpn.transport.udp.UDPPacketFactory;
 import tech.httptoolkit.android.vpn.util.PacketUtil;
@@ -48,13 +52,41 @@ public class SessionHandler {
 	private final SocketNIODataService nioService;
 	private final ClientPacketWriter writer;
 
+	private final ExecutorService pingThreadpool = Executors.newCachedThreadPool();
+
 	public SessionHandler(SessionManager manager, SocketNIODataService nioService, ClientPacketWriter writer) {
 		this.manager = manager;
 		this.nioService = nioService;
 		this.writer = writer;
 	}
 
-	private void handleUDPPacket(ByteBuffer clientPacketData, IPv4Header ipHeader, UDPHeader udpheader){
+	/**
+	 * Handle unknown raw IP packet data
+	 *
+	 * @param stream ByteBuffer to be read
+	 */
+	public void handlePacket(@NonNull ByteBuffer stream) throws PacketHeaderException, IOException {
+		final byte[] rawPacket = new byte[stream.limit()];
+		stream.get(rawPacket, 0, stream.limit());
+		stream.rewind();
+
+		final IPv4Header ipHeader = IPPacketFactory.createIPv4Header(stream);
+
+		if (ipHeader.getProtocol() == 6) {
+			handleTCPPacket(stream, ipHeader);
+		} else if (ipHeader.getProtocol() == 17) {
+			handleUDPPacket(stream, ipHeader);
+		} else if (ipHeader.getProtocol() == 1) {
+			handleICMPPacket(stream, ipHeader);
+		} else {
+			Log.w(TAG, "Unsupported IP protocol: " + ipHeader.getProtocol());
+			return;
+		}
+	}
+
+	private void handleUDPPacket(ByteBuffer clientPacketData, IPv4Header ipHeader) throws PacketHeaderException {
+		UDPHeader udpheader = UDPPacketFactory.createUDPHeader(clientPacketData);
+
 		Session session = manager.getSession(
 			ipHeader.getDestinationIP(), udpheader.getDestinationPort(),
 			ipHeader.getSourceIP(), udpheader.getSourcePort()
@@ -77,17 +109,18 @@ private void handleUDPPacket(ByteBuffer clientPacketData, IPv4Header ipHeader, U
 			int len = manager.addClientData(clientPacketData, session);
 			session.setDataForSendingReady(true);
 
+			Log.i(TAG, "Subscribe UDP to OP_WRITE");
 			// Ping the NIO thread to write this, when the session is next writable
 			session.subscribeKey(SelectionKey.OP_WRITE);
 			nioService.refreshSelect(session);
-
-			Log.d(TAG,"Added " + len + " bytes of UDP data, ready to send");
+			Log.d(TAG,"added UDP data for bg worker to send: "+len);
 		}
 
 		manager.keepSessionAlive(session);
 	}
 
-	private void handleTCPPacket(ByteBuffer clientPacketData, IPv4Header ipHeader, TCPHeader tcpheader){
+	private void handleTCPPacket(ByteBuffer clientPacketData, IPv4Header ipHeader) throws PacketHeaderException {
+		TCPHeader tcpheader = TCPPacketFactory.createTCPHeader(clientPacketData);
 		int dataLength = clientPacketData.limit() - clientPacketData.position();
 		int sourceIP = ipHeader.getSourceIP();
 		int destinationIP = ipHeader.getDestinationIP();
@@ -176,34 +209,6 @@ private void handleTCPPacket(ByteBuffer clientPacketData, IPv4Header ipHeader, T
 		}
 	}
 
-	/**
-	 * handle each packet from each vpn client
-	 * @param stream ByteBuffer to be read
-	 */
-	public void handlePacket(@NonNull ByteBuffer stream) throws PacketHeaderException {
-		final byte[] rawPacket = new byte[stream.limit()];
-		stream.get(rawPacket, 0, stream.limit());
-		stream.rewind();
-
-		final IPv4Header ipHeader = IPPacketFactory.createIPv4Header(stream);
-
-		final ITransportHeader transportHeader;
-		if(ipHeader.getProtocol() == 6) {
-			transportHeader = TCPPacketFactory.createTCPHeader(stream);
-		} else if(ipHeader.getProtocol() == 17) {
-			transportHeader = UDPPacketFactory.createUDPHeader(stream);
-		} else {
-			Log.e(TAG, "******===> Unsupported protocol: " + ipHeader.getProtocol());
-			return;
-		}
-
-		if (transportHeader instanceof TCPHeader) {
-			handleTCPPacket(stream, ipHeader, (TCPHeader) transportHeader);
-		} else if (ipHeader.getProtocol() == 17){
-			handleUDPPacket(stream, ipHeader, (UDPHeader) transportHeader);
-		}
-	}
-
 	private void sendRstPacket(IPv4Header ip, TCPHeader tcp, int dataLength){
 		byte[] data = TCPPacketFactory.createRstData(ip, tcp, dataLength);
 
@@ -384,4 +389,48 @@ private void replySynAck(IPv4Header ip, TCPHeader tcp){
 			Log.d(TAG,"Send SYN-ACK to client");
 		}
 	}
-}//end class
+
+	private void handleICMPPacket(
+		ByteBuffer clientPacketData,
+		final IPv4Header ipHeader
+	) throws PacketHeaderException {
+		final ICMPPacket requestPacket = ICMPPacketFactory.parseICMPPacket(clientPacketData);
+
+		pingThreadpool.execute(new Runnable() {
+			@Override
+			public void run() {
+				try {
+					if (!isReachable(PacketUtil.intToIPAddress(ipHeader.getDestinationIP()))) {
+						Log.d(TAG, "Failed ping, ignoring");
+						return;
+					}
+
+					ICMPPacket response = ICMPPacketFactory.buildSuccessPacket(requestPacket);
+
+					// Flip the address
+					int destination = ipHeader.getDestinationIP();
+					int source = ipHeader.getSourceIP();
+					ipHeader.setSourceIP(destination);
+					ipHeader.setDestinationIP(source);
+
+					byte[] responseData = ICMPPacketFactory.packetToBuffer(ipHeader, response);
+
+					Log.d(TAG, "Successful ping response");
+					writer.write(responseData);
+				} catch (PacketHeaderException e) {
+					Log.w(TAG, "Handling ICMP failed with " + e.getMessage());
+					return;
+				}
+			}
+
+			private boolean isReachable(String ipAddress) {
+				try {
+					InetAddress destAddr = InetAddress.getByName(ipAddress);
+					return destAddr.isReachable(10000);
+				} catch (IOException e) {
+					return false;
+				}
+			}
+		});
+	}
+}

app/src/main/java/tech/httptoolkit/android/vpn/network/ip/IPPacketFactory.java

@@ -18,7 +18,7 @@
 
 import androidx.annotation.NonNull;
 
-import tech.httptoolkit.android.vpn.transport.tcp.PacketHeaderException;
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
 
 import java.nio.ByteBuffer;
 import java.nio.ByteOrder;

app/src/main/java/tech/httptoolkit/android/vpn/socket/SocketChannelReader.java

@@ -7,7 +7,7 @@
 import tech.httptoolkit.android.vpn.Session;
 import tech.httptoolkit.android.vpn.network.ip.IPPacketFactory;
 import tech.httptoolkit.android.vpn.network.ip.IPv4Header;
-import tech.httptoolkit.android.vpn.transport.tcp.PacketHeaderException;
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
 import tech.httptoolkit.android.vpn.transport.tcp.TCPHeader;
 import tech.httptoolkit.android.vpn.transport.tcp.TCPPacketFactory;
 import tech.httptoolkit.android.vpn.transport.udp.UDPHeader;

…transport/tcp/PacketHeaderException.java …vpn/transport/PacketHeaderException.javaapp/src/main/java/tech/httptoolkit/android/vpn/transport/tcp/PacketHeaderException.java renamed to app/src/main/java/tech/httptoolkit/android/vpn/transport/PacketHeaderException.java app/src/main/java/tech/httptoolkit/android/vpn/transport/tcp/PacketHeaderException.java renamed to app/src/main/java/tech/httptoolkit/android/vpn/transport/PacketHeaderException.java

@@ -14,7 +14,7 @@
  * limitations under the License.
 */
 
-package tech.httptoolkit.android.vpn.transport.tcp;
+package tech.httptoolkit.android.vpn.transport;
 /**
  * 
  * @author Borey Sao

app/src/main/java/tech/httptoolkit/android/vpn/transport/icmp/ICMPPacket.java

@@ -0,0 +1,44 @@
+package tech.httptoolkit.android.vpn.transport.icmp;
+
+import java.nio.ByteBuffer;
+
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
+
+public class ICMPPacket {
+    public static final byte ECHO_REQUEST_TYPE = 8;
+    public static final byte ECHO_SUCCESS_TYPE = 0;
+
+    final byte type;
+    final byte code; // 0 for request, 0 for success, 0 - 15 for error subtypes
+
+    final int checksum;
+    final int identifier;
+    final int sequenceNumber;
+
+    final byte[] data;
+
+    ICMPPacket(
+        int type,
+        int code,
+        int checksum,
+        int identifier,
+        int sequenceNumber,
+        byte[] data
+    ) throws PacketHeaderException {
+        if (type != ECHO_REQUEST_TYPE && type != ECHO_SUCCESS_TYPE) {
+            throw new PacketHeaderException("ICMP packet with id must be request or response");
+        }
+
+        this.type = (byte) type;
+        this.code = (byte) code;
+        this.checksum = checksum;
+        this.identifier = identifier;
+        this.sequenceNumber = sequenceNumber;
+        this.data = data;
+    }
+
+    public String toString() {
+        return "ICMP packet type " + type + "/" + code + " id:" + identifier +
+                " seq:" + sequenceNumber + " and " + data.length + " bytes of data";
+    }
+}

app/src/main/java/tech/httptoolkit/android/vpn/transport/icmp/ICMPPacketFactory.java

@@ -0,0 +1,88 @@
+package tech.httptoolkit.android.vpn.transport.icmp;
+
+import android.util.Log;
+
+import androidx.annotation.NonNull;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.ByteBuffer;
+
+import tech.httptoolkit.android.TagKt;
+import tech.httptoolkit.android.vpn.network.ip.IPPacketFactory;
+import tech.httptoolkit.android.vpn.network.ip.IPv4Header;
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
+
+import static tech.httptoolkit.android.vpn.util.PacketUtil.calculateChecksum;
+
+public class ICMPPacketFactory {
+
+    public static ICMPPacket parseICMPPacket(@NonNull ByteBuffer stream) throws PacketHeaderException {
+        final byte type = stream.get();
+        final byte code = stream.get();
+        final int checksum = stream.getShort();
+
+        final int identifier = stream.getShort();
+        final int sequenceNumber = stream.getShort();
+
+        final byte[] data = new byte[stream.remaining()];
+        stream.get(data);
+
+        if (type == 8) {
+            return new ICMPPacket(type, code, checksum, identifier, sequenceNumber, data);
+        } else {
+            throw new PacketHeaderException("For ICMP, only echo requests are supported");
+        }
+    }
+
+    public static ICMPPacket buildSuccessPacket(ICMPPacket requestPacket) throws PacketHeaderException {
+        return new ICMPPacket(
+            0,
+            0,
+            0,
+            requestPacket.identifier,
+            requestPacket.sequenceNumber,
+            requestPacket.data
+        );
+    }
+
+    public static byte[] packetToBuffer(IPv4Header ipHeader, ICMPPacket packet) throws PacketHeaderException {
+        byte[] ipData = IPPacketFactory.createIPv4HeaderData(ipHeader);
+
+        ByteArrayOutputStream icmpDataBuffer = new ByteArrayOutputStream();
+        icmpDataBuffer.write(packet.type);
+        icmpDataBuffer.write(packet.code);
+
+        icmpDataBuffer.write(asShortBytes(0 /* checksum placeholder */), 0, 2);
+
+        if (packet.type == ICMPPacket.ECHO_REQUEST_TYPE || packet.type == ICMPPacket.ECHO_SUCCESS_TYPE) {
+            icmpDataBuffer.write(asShortBytes(packet.identifier), 0, 2);
+            icmpDataBuffer.write(asShortBytes(packet.sequenceNumber), 0, 2);
+
+            byte[] extraData = packet.data;
+            icmpDataBuffer.write(extraData, 0, extraData.length);
+        } else {
+            throw new PacketHeaderException("Can't serialize unrecognized ICMP packet type");
+        }
+
+        byte[] icmpPacketData = icmpDataBuffer.toByteArray();
+        byte[] checksum = calculateChecksum(icmpPacketData, 0, icmpPacketData.length);
+
+        ByteBuffer resultBuffer = ByteBuffer.allocate(ipData.length + icmpPacketData.length);
+        resultBuffer.put(ipData);
+        resultBuffer.put(icmpPacketData);
+
+        // Replace the checksum placeholder
+        resultBuffer.position(ipData.length + 2);
+        resultBuffer.put(checksum);
+        resultBuffer.position(0);
+
+        byte[] result = new byte[resultBuffer.remaining()];
+        resultBuffer.get(result);
+        return result;
+    }
+
+    private static byte[] asShortBytes(int value) {
+        return ByteBuffer.allocate(2).putShort((short) value).array();
+    }
+
+}

app/src/main/java/tech/httptoolkit/android/vpn/transport/tcp/TCPPacketFactory.java

@@ -23,6 +23,7 @@
 import tech.httptoolkit.android.vpn.Packet;
 import tech.httptoolkit.android.vpn.network.ip.IPPacketFactory;
 import tech.httptoolkit.android.vpn.network.ip.IPv4Header;
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
 import tech.httptoolkit.android.vpn.util.PacketUtil;
 
 import java.nio.ByteBuffer;

app/src/main/java/tech/httptoolkit/android/vpn/transport/udp/UDPPacketFactory.java

@@ -4,7 +4,7 @@
 
 import tech.httptoolkit.android.vpn.network.ip.IPPacketFactory;
 import tech.httptoolkit.android.vpn.network.ip.IPv4Header;
-import tech.httptoolkit.android.vpn.transport.tcp.PacketHeaderException;
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException;
 import tech.httptoolkit.android.vpn.util.PacketUtil;
 
 import java.nio.ByteBuffer;