Merge pull request #1416 from tladesignz/upnp

bitmold · web-flow · commit b6f99851394e · 2025-09-07T13:34:27.000-04:00
Added support for UPnP IGD to automatically open up ports for Snowflake Proxy…
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
@@ -34,6 +34,11 @@
         </intent>
     </queries>
 
+    <!--
+    usesCleartextTraffic is needed for SSDP multicast local router discovery (which is an unencrypted
+    HTTP-style protocol) and for UPnP IGD requests to map ports for Snowflake Proxy, (which are also
+    unencrypted HTTP-style requests).
+     -->
     <application
         android:name=".OrbotApp"
         android:supportsRtl="true"
@@ -42,6 +47,7 @@
         android:configChanges="locale|orientation|screenSize"
         android:description="@string/app_description"
         android:hasFragileUserData="false"
+        android:usesCleartextTraffic="true"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
         android:taskAffinity=""
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -29,6 +29,7 @@ app-icon-name-changer = "1.0.7"
 androidx-biometric = "1.1.0"
 androidx-lifecycle = "2.9.3"
 screengrab = "2.1.1"
+upnp = "1.0.0"
 
 [libraries]
 android-material = { group = "com.google.android.material", name = "material", version.ref = "android-material" }
@@ -64,6 +65,7 @@ androidx-biometric = { group = "androidx.biometric", name = "biometric", version
 androidx-lifecycle-process = { group = "androidx.lifecycle", name = "lifecycle-process", version.ref = "androidx-lifecycle" }
 androidx-lifecycle-common = { group = "androidx.lifecycle", name = "lifecycle-common", version.ref = "androidx-lifecycle" }
 screengrab = { group = "tools.fastlane", name = "screengrab", version.ref = "screengrab" }
+upnp = { group = "com.netzarchitekten", name = "upnp", version.ref = "upnp" }
 
 [plugins]
 android-application = { id = "com.android.application", version.ref = "agp" }
diff --git a/orbotservice/build.gradle.kts b/orbotservice/build.gradle.kts
@@ -67,4 +67,5 @@ dependencies {
     implementation(libs.kotlinx.serialization.json)
     implementation(libs.retrofit.converter)
     implementation(libs.retrofit.lib)
+    implementation(libs.upnp)
 }
diff --git a/orbotservice/src/main/java/org/torproject/android/service/circumvention/SnowflakeProxyWrapper.kt b/orbotservice/src/main/java/org/torproject/android/service/circumvention/SnowflakeProxyWrapper.kt
@@ -4,16 +4,26 @@ import IPtProxy.SnowflakeClientConnected
 import IPtProxy.SnowflakeProxy
 import android.content.Context
 import android.os.Handler
+import com.netzarchitekten.upnp.UPnP
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
+import org.torproject.android.service.OrbotConstants
 import org.torproject.android.service.OrbotConstants.ONION_EMOJI
 import org.torproject.android.service.OrbotService
 import org.torproject.android.service.R
 import org.torproject.android.service.util.Prefs
 import org.torproject.android.service.util.showToast
 import java.security.SecureRandom
+import kotlin.random.Random
 
 class SnowflakeProxyWrapper(private val context: Context) {
+
     private var proxy: SnowflakeProxy? = null
 
+    private var mappedPorts = mutableListOf<Int>()
+
     @Synchronized
     fun enableProxy(
         hasWifi: Boolean,
@@ -22,37 +32,63 @@ class SnowflakeProxyWrapper(private val context: Context) {
         if (proxy != null) return
         if (Prefs.limitSnowflakeProxyingWifi() && !hasWifi) return
         if (Prefs.limitSnowflakeProxyingCharging() && !hasPower) return
-        proxy = SnowflakeProxy()
-        val stunServers = BuiltInBridges.getInstance(context)?.snowflake?.firstOrNull()?.ice
-            ?.split(",".toRegex())?.dropLastWhile { it.isEmpty() }?.toTypedArray() ?: emptyArray()
-        val stunUrl = stunServers[SecureRandom().nextInt(stunServers.size)]
-
-        proxy = SnowflakeProxy()
-        with(proxy!!) {
-            brokerUrl = OrbotService.getCdnFront("snowflake-target-direct")
-            capacity = 1L
-            pollInterval = 120L
-            stunServer = stunUrl
-            relayUrl = OrbotService.getCdnFront("snowflake-relay-url")
-            natProbeUrl = OrbotService.getCdnFront("snowflake-nat-probe")
-            clientConnected = SnowflakeClientConnected { onConnected() }
-            start()
-        }
 
-        if (Prefs.showSnowflakeProxyMessage()) {
-            val message = context.getString(R.string.log_notice_snowflake_proxy_enabled)
-            Handler(context.mainLooper).post {
-                context.applicationContext.showToast(message)
+        CoroutineScope(Dispatchers.IO).launch {
+            val start = Random.nextInt(49152, 65536 - 2)
+
+            for (port in (start..start + 2)) {
+                if (UPnP.openPortUDP(port, OrbotConstants.TAG)) {
+                    mappedPorts.add(port)
+                }
+            }
+
+            // Snowflake Proxy needs Capacity * 2 + 1 = 3 consecutive ports mapped for unrestricted mode.
+            // If we can't get all of these, remove the ones we have and
+            // rather have Snowflake Proxy run in restricted mode.
+            if (mappedPorts.size < 3) {
+                releaseMappedPorts()
+            }
+
+            val stunServers = BuiltInBridges.getInstance(context)?.snowflake?.firstOrNull()?.ice
+                ?.split(",".toRegex())?.dropLastWhile { it.isEmpty() }?.toTypedArray() ?: emptyArray()
+            val stunUrl = stunServers[SecureRandom().nextInt(stunServers.size)]
+
+            proxy = SnowflakeProxy()
+            with(proxy!!) {
+                brokerUrl = OrbotService.getCdnFront("snowflake-target-direct")
+                capacity = 1L
+                pollInterval = 120L
+                stunServer = stunUrl
+                relayUrl = OrbotService.getCdnFront("snowflake-relay-url")
+                natProbeUrl = OrbotService.getCdnFront("snowflake-nat-probe")
+                clientConnected = SnowflakeClientConnected { onConnected() }
+
+// TODO: Activate, when new IPtProxy is available.
+                // Setting these to null or 0 is equivalent to not setting this at all.
+//                ephemeralMinPort = mappedPorts.firstOrNull()
+//                ephemeralMaxPort = mappedPorts.lastOrNull()
+
+                start()
+            }
+
+            if (Prefs.showSnowflakeProxyMessage()) {
+                val message = context.getString(R.string.log_notice_snowflake_proxy_enabled)
+
+                withContext(Dispatchers.Main) {
+                    context.applicationContext.showToast(message)
+                }
             }
         }
     }
 
     @Synchronized
     fun stopProxy() {
         if (proxy == null) return
-        proxy!!.stop()
+        proxy?.stop()
         proxy = null
 
+        releaseMappedPorts()
+
         if (Prefs.showSnowflakeProxyMessage()) {
             val message = context.getString(R.string.log_notice_snowflake_proxy_disabled)
             Handler(context.mainLooper).post {
@@ -72,6 +108,13 @@ class SnowflakeProxyWrapper(private val context: Context) {
         Handler(context.mainLooper).post {
             context.applicationContext.showToast(message)
         }
+    }
+
+    private fun releaseMappedPorts() {
+        for (port in mappedPorts) {
+            UPnP.closePortUDP(port)
+        }
 
+        mappedPorts = mutableListOf()
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,4 +67,5 @@ dependencies {`
`67`	`67`	`implementation(libs.kotlinx.serialization.json)`
`68`	`68`	`implementation(libs.retrofit.converter)`
`69`	`69`	`implementation(libs.retrofit.lib)`
	`70`	`+ implementation(libs.upnp)`
`70`	`71`	`}`