fix: add auth to local mixed inbound to prevent IP leak#63
All popular VLESS/xray/sing-box clients expose a local SOCKS5 proxy
without authentication. Any app on the device can connect to it directly,
bypassing VpnService, and discover the real outbound server IP.
Fix: generate a random secret on first run (UUID, stored in SharedPreferences)
and set it as the password for the mixed inbound. The secret is only applied
in VPN mode; in proxy-only mode the inbound stays unauthenticated.
A runtime flag (DataStore.runningAsVPN) is set in BoxInstance.buildConfig()
and cleared in BaseService.stopRunner() to propagate the mode to all HTTP
clients without re-reading the config.
Changed files:
- libcore/http.go — TrySocks5(port) -> TrySocks5(port, username, password)
- DataStore.kt — add mixedSecret (lazy UUID) and runningAsVPN flag
- ConfigBuilder.kt — set users=[{username="neko", password=mixedSecret}]
on mixed inbound only when isVPN=true
- BoxInstance.kt — set DataStore.runningAsVPN after buildConfig()
- BaseService.kt — clear DataStore.runningAsVPN in stopRunner()
- RawUpdater.kt — pass credentials to trySocks5 when runningAsVPN
- AboutFragment.kt — pass credentials to trySocks5 when runningAsVPN
- AssetsActivity.kt — pass credentials to trySocks5 when runningAsVPN (2 calls)
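As an added example (not code from this PR or the project), the two SOCKS5 steps the change relies on, written in Go: a probe that a maintainer can run against the local mixed inbound to confirm it no longer admits clients that offer no authentication, and the RFC 1929 username/password subnegotiation that the new TrySocks5(port, username, password) has to perform once the server selects method 0x02. The loopback address and the user name "neko" come from the description; the function names and the assumption that the inbound speaks SOCKS5 on the given port are mine.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
)

// Added example, not the PR's code. Assumes the mixed inbound speaks SOCKS5
// on 127.0.0.1:port; dial it and pass the net.Conn to the functions below.
// ProbeNoAuth sends an RFC 1928 greeting offering only method 0x00 (no auth).
// An inbound enforcing users=[...] must answer 0xFF; a 0x00 reply means any
// local app can use the proxy and learn the outbound server IP.
func ProbeNoAuth(conn net.Conn) (bool, error) {
	if _, err := conn.Write([]byte{0x05, 0x01, 0x00}); err != nil {
		return false, err
	}
	reply := make([]byte, 2)
	if _, err := io.ReadFull(conn, reply); err != nil {
		return false, err
	}
	if reply[0] != 0x05 {
		return false, fmt.Errorf("not a SOCKS5 reply: version %#x", reply[0])
	}
	return reply[1] == 0x00, nil
}

// AuthUserPass is the RFC 1929 subnegotiation that TrySocks5(port, username,
// password) must run after the server has selected method 0x02.
func AuthUserPass(conn net.Conn, username, password string) error {
	if len(username) > 255 || len(password) > 255 {
		return errors.New("socks5: credential longer than 255 bytes")
	}
	msg := append([]byte{0x01, byte(len(username))}, username...)
	msg = append(msg, byte(len(password)))
	msg = append(msg, password...)
	if _, err := conn.Write(msg); err != nil {
		return err
	}
	reply := make([]byte, 2)
	if _, err := io.ReadFull(conn, reply); err != nil {
		return err
	}
	if reply[1] != 0x00 { // any non-zero status is a failure; server closes
		return errors.New("socks5: credentials rejected")
	}
	return nil
}
```

Run ProbeNoAuth once in VPN mode (expect false) and once in proxy-only mode (expect true) to confirm the isVPN gating described above behaves as intended.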
It conflicts with the append HTTP proxy, so this feature may be re-evaluated.

Both SOCKS5 and HTTP proxies operate in proxy mode; they don't work in VPN mode, nor are they supposed to. It's a matter of compromise. While some people might absolutely need HTTP proxy functionality, I personally believe that plugging data leaks is far more important. Or did you have something else in mind?

I honestly don't see the point of keeping the local proxy accessible without authentication while in VPN mode. If a user specifically needs a proxy, they can just switch the app to proxy mode. However, if the goal of 'append HTTP proxy' is to allow hotspot sharing (tethering), forcing authentication indeed breaks it for external devices. To resolve this conflict, maybe we can disable authentication strictly for the HTTP inbound if 'append HTTP proxy' is enabled, or add a toggle in the settings so users can choose between maximum leak protection and proxy sharing?