Add Anti-Censorship features support and udp over tcp obfuscator on Linux and Android

[encrypt94]

Description

This PR adds support for anti-censorship features / obfuscators.
A new menu similar to "Privacy Features" , allows users to configure the following anti-censorship features when available on the platform (the menu item will be hidden if a feature is not available.)

• Connect using port 53 - not an obfuscation method, simply exposes an existing feature and allows the user to always use port 53 (compatible with LWO)
• Udp over Tcp - the only obfuscator implemented in this pr, uses udp over tcp crate to tunnel WireGuard traffic over TCP
• Lighweight obfuscation - lighweight WireGuard scrambler, planned as the next obfuscator
• MASQUE - tunnel WireGuard traffic over CONNECT-UDP
• Shadowsocks - tunnel WireGuard traffic over shadowsocks
  obfuscators description strings and anti-censorship help text can be improved, help is super appreciated :)

Obfuscators are implemented in a Rust crate located under the obfuscators/ directory.
An obfuscator acts as a local UDP proxy running on a local UDP port, the outbound sockets must be protected to avoid traffic loops.

On Linux (and Windows in the future except for the marking part):

• The crate produces a standalone binary (mozilla-obfuscator) installed alongside the daemon.
• When the VPN is turned on or a server switch occurs, the obfuscator is launched.
• The obfuscator requires CAP_NET_ADMIN privileges to set SO_MARK.
• The obfuscator listens on a free port and writes the port to stdout.
• The MozillaVPN daemon parses the port from stdout and rewrites the server/port in WireGuard's peer config (alternatively, we can probe a free port in the daemon and send it to the obfuscator but this approach may be prone to race contitions)

On Android (and likely iOS in a similar way):

• The crate is accessed via FFI using JNA.
• VPNActivity starts the obfuscator.
• VPNActivity calls protect on the obfuscator's sockets.
• VPNActivity rewrites the local port in the configuration.

This architecture was chosen because most of the libraries required to implement obfuscation protocols are available in the Rust ecosystem: UDP-over-TCP, Shadowsocks, and QUIC stacks.

Impacts on the rust build bits:

• added add_rust_binary in rustlang.cmake and refactored add_rust_library to split out shared parts
• updated rust to 1.91 because:
  • udp-over-tcp requires rust >= 1.87
  • only rust 1.89 and 1.91 are available in Ubuntu repost
  • i hit a weird bug with cargo 1.8x installed from ubuntu repos being unable to install crates from git (solved in 1.91)
• rust 1.91 is not available in debian:bookworm so is now installed using rustup in linux-qt6-build

UI

When Anti-Censorship features are enabled, a “Anti-Censorship is on” label appears below the timer.

A new Anti-Censorship Features menu is available in Settings.

When Anti-Censorship features are available on the platform, a toggle switch will be displayed in the menu with name and brief description.
Enabling one feature will automatically disable any previously enabled feature, except for the “Use Port 53” feature, which is compatible with LWO.


Help text

Reference

VPN-7588 - Create generic obfuscation interface for anti censorship features
VPN-7566 - Create anti censorship features menu
VPN-7582 - Implement UDP over TCP on Linux
VPN-7583 - Implement UDP over TCP on Android

Checklist

• My code follows the style guidelines for this project
• I have not added any packages that contain high risk or unknown licenses (GPL, LGPL, MPL, etc. consult with DevOps if in question)
• I have performed a self review of my own code
• I have commented my code PARTICULARLY in hard to understand areas
• I have added thorough tests where needed

[oskirby]

I've had kind of a love/hate relationship with building rust binaries over the years, but this might be a good case for splitting the obfuscator into a standalone binary that can be invoked by the daemon as needed rather than baking it into the client.

The obfuscator should only ever operate on unprivileged information, should require no root permissions, and it probably has a pretty heavy workload given that it needs to live in the packet processing loop.

QProcess * obfuscator = new QProcess(this);
QStringList args;
args << "--method" << "lwo";
args << "--pubkey" << config.m_serverPublicKey;
args << "--server" << config.m_serverIpv4AddrIn;
obfuscator->start("/usr/bin/mozillavpn-obfuscator", args);

connect(obfuscator, &QProcess::started, this, &Example::handleObfuscatorStarted);
connect(obfuscator, &QProcess::finished, this, &Example::handleObfuscatorFinished);

[flodolo]

Is this coming from the Content Team? Is this terminology approved by Legal?

[mcleinman]

Similar question - I'm curious if you'd be open to working on wordsmithing a bunch of these. "What can xxxx do for me?", for instance, feels like a different voice than most of our product copy.

[encrypt94]

Is this coming from the Content Team? Is this terminology approved by Legal?
Thanks for raising this. It’s not coming from the Content Team and hasn’t been approved by Legal yet. Legal is currently reviewing the language.

Similar question - I'm curious if you'd be open to working on wordsmithing a bunch of these. "What can xxxx do for me?", for instance, feels like a different voice than most of our product copy.

Sure i'm totally open to change the descriptions! i'll try to come up with something that feels more aligned with the rest of our product copy :) suggestions are super appreciated!

[flodolo]

Why is this uppercase? Should it be translated? Same question for SHADOWSOCKS later.

[encrypt94]

Shadowsocks casing is an error. MASQUE is an acronym, so it should be kept uppercase. Both of them are proper nouns and should not be translated

[mcleinman]

If these options are mutually exclusive, we should not use switches here - we should use radio buttons, like in the DNS settings screen.

[encrypt94]

Good point. Obfuscators are mutually exclusive, and "Always use port 53" only works with LWO. What do you think about using a toggle switch for "Always use port 53" and radio buttons for the obfuscators, and then disabling the switch when anything other than LWO is selected?

[mcleinman]

What about splitting it into two radio buttons? Something like "LWO via typical ports" and "LWO using port 53"? We don't need to touch the settings structure in code - under the hood, we just set those settings as appropriate.

[mcleinman]

This is amazing, thank you! I'm focusing on UI right now, will let others handle the underlying code who are better positioned to review that piece.

[mcleinman]

I think this needs to be done in conjunction with legal, but I'm wondering if "anti-censorship features" is immediately understandable by the average person.

Maybe something like "Advanced networking features" or "restricted network settings" or "alternative connection methods" or "hostile network defense" or "censorship resistance" or "network workaround" or... maybe this is something we can talk out in a meeting next week?

[mcleinman]

And of course, if we rename this we'll need to update many of these strings.

[mcleinman]

Suggested change

	antiCensorshipSettingsWarning: These options may cause connection stability issues.
	antiCensorshipSettingsWarning: These options should be used when a network operator is blocking connection to VPN servers. They may cause stability issues.

[mcleinman]

Should we also include something about how this will not help with a website blocking VPN connections? This seems important for setting user expectations.

[mcleinman]

Suggested change

	antiCensorshipPort53Body: This may help on networks that block ports or UDP traffic.
	antiCensorshipPort53Body: This may help on networks that block specific ports or UDP traffic.

[mcleinman]

Suggested change

	antiCensorshipMasqueBody: This may help on networks that block VPN protocols by disguising VPN traffic as regular HTTPS traffic.
	antiCensorshipMasqueBody: This disguises VPN traffic as regular HTTPS traffic, and may help on networks that block VPN protocols by .

[mcleinman]

Suggested change

	antiCensorshipPort53Title: Connect using port 53
	antiCensorshipPort53Title: Always connect using port 53

[mcleinman]

Suggested change

	antiCensorshipUdpOverTcpBody: This may help on networks that block UDP traffic by tunneling it over TCP.
	antiCensorshipUdpOverTcpBody: This tunnels UDP traffic over TCP, and may help on networks that block UDP traffic.

[mcleinman]

Can we give a little bit more here? We give a minor technical explanation for the others, and this once we just call "lightweight" with no detail.

[mcleinman]

Suggested change

	antiCensorshipShadowsocksBody: A reliable censorship circumvention protocol that may help bypass restrictive or heavily filtered networks.
	antiCensorshipShadowsocksBody: [Insert a phrase of technical detail.] This may help bypass restrictive or heavily filtered networks, and sometimes works when all other ones do not.

Are there tradeoffs to this, like in speed? Is this the first one folks should try, or the last?

[mcleinman]

Suggested change

	value: These features may slow down your connection, so turn them off when you no longer need them.
	value: These features may slow down the connection, so turn them off when they are not needed.

[mcleinman]

Maybe remove this header? I'm not sure it adds anything, given that we have the title as well.