Route VPN controller outside VPN

Author: aitorvs

network-protection/network-protection-impl/src/main/java/com/duckduckgo/networkprotection/impl/VpnRemoteFeatures.kt

@@ -51,6 +51,9 @@ interface VpnRemoteFeatures {
 
     @DefaultValue(false)
     fun allowDnsBlockMalware(): Toggle
+
+    @DefaultValue(false)
+    fun localDNS(): Toggle
 }
 
 @ContributesBinding(AppScope::class)

network-protection/network-protection-impl/src/main/java/com/duckduckgo/networkprotection/impl/config/WgVpnRoutes.kt

@@ -31,6 +31,8 @@ internal class WgVpnRoutes {
      *   - link-local address range
      *   - multicast (Class D) address range - 224.0.0.0 to 239.255.255.255
      *   - broadcast address
+     *   - eun controller: 20.93.77.32
+     *   - use controller: 20.253.26.112
      */
     companion object {
         val wgVpnDefaultRoutes: Map<String, Int> = mapOf(
@@ -39,7 +41,58 @@ internal class WgVpnRoutes {
             // Excluded range: 10.0.0.0 -> 10.255.255.255
             "11.0.0.0" to 8,
             "12.0.0.0" to 6,
-            "16.0.0.0" to 4,
+            "16.0.0.0" to 6,
+            "20.0.0.0" to 10,
+            "20.64.0.0" to 12,
+            "20.80.0.0" to 13,
+            "20.88.0.0" to 14,
+            "20.92.0.0" to 16,
+            "20.93.0.0" to 18,
+            "20.93.64.0" to 21,
+            "20.93.72.0" to 22,
+            "20.93.76.0" to 24,
+            "20.93.77.0" to 27,
+            // Excluded range: 20.93.77.32 -> 20.93.77.32
+            "20.93.77.33" to 32,
+            "20.93.77.34" to 31,
+            "20.93.77.36" to 30,
+            "20.93.77.40" to 29,
+            "20.93.77.48" to 28,
+            "20.93.77.64" to 26,
+            "20.93.77.128" to 25,
+            "20.93.78.0" to 23,
+            "20.93.80.0" to 20,
+            "20.93.96.0" to 19,
+            "20.93.128.0" to 17,
+            "20.94.0.0" to 15,
+            "20.96.0.0" to 11,
+            "20.128.0.0" to 10,
+            "20.192.0.0" to 11,
+            "20.224.0.0" to 12,
+            "20.240.0.0" to 13,
+            "20.248.0.0" to 14,
+            "20.252.0.0" to 16,
+            "20.253.0.0" to 20,
+            "20.253.16.0" to 21,
+            "20.253.24.0" to 23,
+            "20.253.26.0" to 26,
+            "20.253.26.64" to 27,
+            "20.253.26.96" to 28,
+            // Excluded range: 20.253.26.112 -> 20.253.26.112
+            "20.253.26.113" to 32,
+            "20.253.26.114" to 31,
+            "20.253.26.116" to 30,
+            "20.253.26.120" to 29,
+            "20.253.26.128" to 25,
+            "20.253.27.0" to 24,
+            "20.253.28.0" to 22,
+            "20.253.32.0" to 19,
+            "20.253.64.0" to 18,
+            "20.253.128.0" to 17,
+            "20.254.0.0" to 15,
+            "21.0.0.0" to 8,
+            "22.0.0.0" to 7,
+            "24.0.0.0" to 5,
             "32.0.0.0" to 3,
             "64.0.0.0" to 3,
             "96.0.0.0" to 4,
@@ -62,7 +115,11 @@ internal class WgVpnRoutes {
             "169.255.0.0" to 16,
             "170.0.0.0" to 7,
             "172.0.0.0" to 12,
-            // Excluded range: 172.16.0.0 -> 172.31.255.255
+            // Excluded range: 172.16.0.0 -> 172.16.255.255
+            "172.17.0.0" to 16,
+            "172.18.0.0" to 15,
+            "172.20.0.0" to 14,
+            "172.24.0.0" to 13,
             "172.32.0.0" to 11,
             "172.64.0.0" to 10,
             "172.128.0.0" to 9,
@@ -88,12 +145,59 @@ internal class WgVpnRoutes {
         )
 
         val wgVpnRoutesIncludingLocal: Map<String, Int> = mapOf(
-            "0.0.0.0" to 5,
-            "8.0.0.0" to 7,
-            "10.0.0.0" to 8,
-            "11.0.0.0" to 8,
-            "12.0.0.0" to 6,
-            "16.0.0.0" to 4,
+            "0.0.0.0" to 4,
+            "16.0.0.0" to 6,
+            "20.0.0.0" to 10,
+            "20.64.0.0" to 12,
+            "20.80.0.0" to 13,
+            "20.88.0.0" to 14,
+            "20.92.0.0" to 16,
+            "20.93.0.0" to 18,
+            "20.93.64.0" to 21,
+            "20.93.72.0" to 22,
+            "20.93.76.0" to 24,
+            "20.93.77.0" to 27,
+            // Excluded range: 20.93.77.32 -> 20.93.77.32
+            "20.93.77.33" to 32,
+            "20.93.77.34" to 31,
+            "20.93.77.36" to 30,
+            "20.93.77.40" to 29,
+            "20.93.77.48" to 28,
+            "20.93.77.64" to 26,
+            "20.93.77.128" to 25,
+            "20.93.78.0" to 23,
+            "20.93.80.0" to 20,
+            "20.93.96.0" to 19,
+            "20.93.128.0" to 17,
+            "20.94.0.0" to 15,
+            "20.96.0.0" to 11,
+            "20.128.0.0" to 10,
+            "20.192.0.0" to 11,
+            "20.224.0.0" to 12,
+            "20.240.0.0" to 13,
+            "20.248.0.0" to 14,
+            "20.252.0.0" to 16,
+            "20.253.0.0" to 20,
+            "20.253.16.0" to 21,
+            "20.253.24.0" to 23,
+            "20.253.26.0" to 26,
+            "20.253.26.64" to 27,
+            "20.253.26.96" to 28,
+            // Excluded range: 20.253.26.112 -> 20.253.26.112
+            "20.253.26.113" to 32,
+            "20.253.26.114" to 31,
+            "20.253.26.116" to 30,
+            "20.253.26.120" to 29,
+            "20.253.26.128" to 25,
+            "20.253.27.0" to 24,
+            "20.253.28.0" to 22,
+            "20.253.32.0" to 19,
+            "20.253.64.0" to 18,
+            "20.253.128.0" to 17,
+            "20.254.0.0" to 15,
+            "21.0.0.0" to 8,
+            "22.0.0.0" to 7,
+            "24.0.0.0" to 5,
             "32.0.0.0" to 3,
             "64.0.0.0" to 3,
             "96.0.0.0" to 4,

network-protection/network-protection-impl/src/main/java/com/duckduckgo/networkprotection/impl/configuration/VpnLocalDns.kt

@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2025 DuckDuckGo
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.duckduckgo.networkprotection.impl.configuration
+
+import com.duckduckgo.di.scopes.VpnScope
+import com.duckduckgo.networkprotection.impl.VpnRemoteFeatures
+import com.squareup.anvil.annotations.ContributesTo
+import com.squareup.moshi.Moshi
+import dagger.Module
+import dagger.Provides
+import dagger.SingleInstanceIn
+import java.net.InetAddress
+import javax.inject.Qualifier
+import logcat.asLog
+import logcat.logcat
+import okhttp3.Dns
+
+interface VpnLocalDns : Dns
+
+private class VpnLocalDnsImpl(
+    private val vpnRemoteFeatures: VpnRemoteFeatures,
+    moshi: Moshi,
+    private val defaultDns: Dns,
+) : VpnLocalDns {
+
+    private val adapter = moshi.adapter(LocalDnsSettings::class.java)
+
+    /**
+     * String is the domain
+     * DnsEntry is the DNS entry corresponding to the domain
+     */
+    private val localDomains: Map<String, List<DnsEntry>> by lazy {
+        getRemoteDnsEntries()
+    }
+
+    private val fallbackDomains: Map<String, List<DnsEntry>> = mapOf(
+        "controller.netp.duckduckgo.com" to listOf(
+            DnsEntry("20.253.26.112", "use"),
+            DnsEntry("20.93.77.32", "eun"),
+        ),
+    )
+
+    override fun lookup(hostname: String): List<InetAddress> {
+        logcat { "Lookup for $hostname" }
+
+        val localResolution = localDomains[hostname] ?: fallbackDomains[hostname]
+
+        return localResolution?.let { entries ->
+            logcat { "Hardcoded DNS for $hostname" }
+
+            entries.map { InetAddress.getByName(it.address) }
+        } ?: defaultDns.lookup(hostname)
+    }
+
+    private fun getRemoteDnsEntries(): Map<String, List<DnsEntry>> {
+        vpnRemoteFeatures.localDNS().getSettings()?.let { settings ->
+            return try {
+                adapter.fromJson(settings)?.domains
+            } catch (t: Throwable) {
+                logcat { "Error parsing localDNS settings: ${t.asLog()}" }
+                null
+            }.orEmpty()
+        }
+
+        return emptyMap()
+    }
+
+    /*
+    "settings": {
+        "domains": {
+            "controller.duckduckgo.com": [
+                {
+                    "address": "1.2.3.4",
+                    "region": "use"
+                },
+                {
+                    "address": "1.2.2.2",
+                    "region": "eun"
+                }
+            ]
+        }
+    }
+    */
+
+    private data class LocalDnsSettings(
+        val domains: Map<String, List<DnsEntry>>,
+    )
+
+    private data class DnsEntry(
+        val address: String,
+        val region: String,
+    )
+}
+
+@ContributesTo(VpnScope::class)
+@Module
+object VpnLocalDnsModule {
+    @Retention(AnnotationRetention.BINARY)
+    @Qualifier
+    private annotation class InternalApi
+
+    @Provides
+    @SingleInstanceIn(VpnScope::class)
+    fun provideVpnLocalDns(
+        vpnRemoteFeatures: VpnRemoteFeatures,
+        moshi: Moshi,
+        @InternalApi defaultDns: Dns,
+    ): VpnLocalDns {
+        return VpnLocalDnsImpl(vpnRemoteFeatures, moshi, defaultDns)
+    }
+
+    @Provides
+    @InternalApi
+    fun provideDefaultDns(): Dns {
+        return Dns.SYSTEM
+    }
+}

network-protection/network-protection-impl/src/main/java/com/duckduckgo/networkprotection/impl/configuration/WgServerApi.kt

@@ -23,7 +23,6 @@ import com.duckduckgo.di.scopes.VpnScope
 import com.duckduckgo.networkprotection.impl.configuration.WgServerApi.Mode
 import com.duckduckgo.networkprotection.impl.configuration.WgServerApi.Mode.FailureRecovery
 import com.duckduckgo.networkprotection.impl.configuration.WgServerApi.WgServerData
-import com.duckduckgo.networkprotection.impl.di.UnprotectedVpnControllerService
 import com.duckduckgo.networkprotection.impl.settings.geoswitching.NetpEgressServersProvider
 import com.squareup.anvil.annotations.ContributesBinding
 import javax.inject.Inject
@@ -55,7 +54,7 @@ interface WgServerApi {
 
 @ContributesBinding(VpnScope::class)
 class RealWgServerApi @Inject constructor(
-    @UnprotectedVpnControllerService private val wgVpnControllerService: WgVpnControllerService,
+    private val wgVpnControllerService: WgVpnControllerService,
     private val serverDebugProvider: WgServerDebugProvider,
     private val netNetpEgressServersProvider: NetpEgressServersProvider,
     private val appBuildConfig: AppBuildConfig,
@@ -83,7 +82,9 @@ class RealWgServerApi @Inject constructor(
             null
         }
 
-        val userPreferredLocation = netNetpEgressServersProvider.updateServerLocationsAndReturnPreferred()
+        val userPreferredLocation = netNetpEgressServersProvider.updateServerLocationsAndReturnPreferred(
+            wgVpnControllerService.getEligibleLocations(),
+        )
         val registerKeyBody = if (mode is FailureRecovery) {
             RegisterKeyBody(publicKey = publicKey, server = mode.currentServer, mode = mode.toString())
         } else if (selectedServer != null) {

network-protection/network-protection-impl/src/main/java/com/duckduckgo/networkprotection/impl/configuration/WgTunnel.kt

@@ -38,6 +38,7 @@ import java.net.InetAddress
 import javax.inject.Inject
 import javax.inject.Qualifier
 import logcat.LogPriority
+import logcat.LogPriority.ERROR
 import logcat.asLog
 import logcat.logcat
 
@@ -212,7 +213,11 @@ class RealWgTunnel @Inject constructor(
             null
         }
 
-        val serverData = wgServerApi.registerPublicKey(publicKey, mode = mode) ?: throw NullPointerException("serverData = null")
+        val serverData = kotlin.runCatching {
+            wgServerApi.registerPublicKey(publicKey, mode = mode) ?: throw NullPointerException("serverData = null")
+        }.onFailure {
+            logcat(ERROR) { "Error registering public key" }
+        }.getOrThrow()
 
         return Config.Builder()
             .setInterface(