MintFlow NetStack 1.9.0 is out
MintFlow 1.9.0 release
Recently we got MintFlow NetStack 1.9.0 released on the iOS App Store.
In this version we enabled macOS App Store availability through the so-called ‘Designed for iPad’ target, which means the app can now run on macOS devices with Apple Silicon.
Here are some features worth talking about in this writeup.
DNS architecture refactoring
For paid users there is an app-routing feature, which is the cornerstone of many advanced features including domain-based split routing and HTTP capturing and rewriting.
It basically serves as an internal DNS server that answers DNS queries from the various apps and the iOS system, so we can dynamically install routes in MintFlow NetStack’s routing table (thanks to fd.io VPP we have great flexibility in routing) to different targets, including proxies and VPNs, based on the user’s routing rules.
Previously we did not want to reserve another IP address from 192.88.99.0/24 (a reserved IPv4 address block) for the internal DNS server, so we only used two IPs:
- 192.88.99.2, the iOS system utun IP address we push
- 192.88.99.1, the MintFlow NetStack internal utun peer interface (also powered by fd.io VPP, which is why we can respond to ping)
We then pushed 192.88.99.2 as the DNS server to the iOS system and bound the internal DNS server to the utun interface, listening on the well-known UDP port 53. That works on iOS, but it turned out not to work on macOS; clearly there is some subtle implementation difference in the so-called ‘Designed for iPad’ target.
So in 1.9.0 we finally decided to refactor the architecture. In short:
We allocate a new IP address, 192.88.99.3, for the internal DNS server, process the DNS query inside the fd.io VPP engine, and communicate via an IPC mechanism with the internal DNS server (which is written in Rust).
From the iOS system’s perspective, it sees 192.88.99.3 as the DNS server, so it sends its queries to that IP address. We take the query and relay it to the internal DNS server, which resolves it based on the Domain Set Routing rules and the DNS Fallback Rules (used when a queried domain is not in any of the Domain Set-based Rules), and then respond via the same path.
This works well on macOS too, so we re-enabled the so-called ‘Designed for iPad’ target with this release.
But we are committed to releasing a macOS build this year, because we found there is a more powerful way to get traffic from the macOS system, and it will also have more features, such as routing by application bundle id (which is not available on iOS).
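As an added illustration of the decision the internal DNS server makes for each relayed query (first matching Domain Set rule, otherwise the DNS Fallback target), here is a small Rust sketch. It is written in Rust only because the page says that server is; it is not MintFlow’s code, and the rule names, proxy names and domains are constructed placeholders.

```rust
// Added illustration of the Domain Set-based routing decision; not MintFlow's code.
#[derive(Debug, Clone, PartialEq)]
pub enum Target {
    Direct,        // send over the phone's own internet connection
    Proxy(String), // a configured Layer 4 proxy, by name
    Vpn(String),   // a configured Layer 3 VPN, by name
}

/// One Domain Set-based Routing rule: a set of domain suffixes and where they route.
pub struct DomainSetRule {
    pub suffixes: Vec<&'static str>,
    pub target: Target,
}

/// Normalise a queried name: lower-case and strip the trailing root dot.
fn normalise(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// Label-aligned suffix match: "example.org" covers "api.example.org" but not "notexample.org".
fn in_domain(name: &str, suffix: &str) -> bool {
    let suffix = normalise(suffix);
    name == suffix || name.ends_with(&format!(".{}", suffix))
}

/// First matching Domain Set rule wins; otherwise the DNS Fallback Rule target applies.
pub fn route_for(qname: &str, rules: &[DomainSetRule], fallback: &Target) -> Target {
    let name = normalise(qname);
    rules
        .iter()
        .find(|r| r.suffixes.iter().any(|s| in_domain(&name, s)))
        .map(|r| r.target.clone())
        .unwrap_or_else(|| fallback.clone())
}

/// Constructed sample rules (placeholder names, not real configuration).
pub fn sample_rules() -> Vec<DomainSetRule> {
    vec![
        DomainSetRule { suffixes: vec!["corp.local"], target: Target::Vpn("office-awg".into()) },
        DomainSetRule { suffixes: vec!["example.org", "example.net"], target: Target::Proxy("ss2022-proxy".into()) },
    ]
}

fn main() {
    let rules = sample_rules();
    for q in ["api.example.org.", "intranet.CORP.local", "notexample.org"].iter() {
        println!("{} -> {:?}", q, route_for(q, &rules, &Target::Direct));
    }
}
```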
DoT/DoH support
Some users asked for this, so we ship it with the 1.9.0 release.
It only works for paid users because DoT/DoH is supported through the internal DNS server, over which we have more control.
Just a reminder: in MintFlow NetStack’s terms, two sets of DNS servers are required. One set is for Direct traffic (traffic that is sent over the phone’s own internet connection, be it cellular or WiFi), the other set is for VPN traffic (traffic sent over any of the Layer 4 proxies or Layer 3 VPNs the user configured). Both can be configured with DoT/DoH, and when you mix a traditional DNS server with a DoT/DoH server, only DoT/DoH will be used, for maximum privacy.
For VPN traffic, configuring a DoT/DoH server by domain name also requires a new VPN-DNS-SERVER-DOMAINS routing rule, which MUST be configured because we need to resolve the DoT/DoH server’s IP address in order to perform encrypted DNS queries. There is also a new bootstrap-dns config introduced in the dns section; it has good defaults, and users do not need to set it in most cases.
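The two rules in this section (encrypted upstreams win over plain ones when mixed, and a DoT/DoH server named by hostname on the VPN side needs a VPN-DNS-SERVER-DOMAINS entry) are the kind of thing a profile check can verify before the resolver is started. The Rust below is an added example of such a check, not MintFlow’s code; the server addresses and domains are constructed placeholders.

```rust
// Added example of validating DoT/DoH upstream configuration; not MintFlow's code.
use std::net::IpAddr;

/// A configured upstream for one traffic class. The String is the server IP
/// literal or hostname (for DoH, the host part of its URL).
#[derive(Debug, Clone, PartialEq)]
pub enum Upstream {
    Udp(String), // traditional DNS over UDP port 53
    Dot(String), // DNS over TLS
    Doh(String), // DNS over HTTPS
}

impl Upstream {
    fn encrypted(&self) -> bool {
        !matches!(self, Upstream::Udp(_))
    }
    fn host(&self) -> &str {
        match self {
            Upstream::Udp(h) | Upstream::Dot(h) | Upstream::Doh(h) => h,
        }
    }
}

/// When a DoT/DoH server is mixed with traditional servers, only the encrypted
/// ones are used; a list with no encrypted server is used as-is.
pub fn effective_upstreams(configured: &[Upstream]) -> Vec<Upstream> {
    if configured.iter().any(Upstream::encrypted) {
        configured.iter().filter(|u| u.encrypted()).cloned().collect()
    } else {
        configured.to_vec()
    }
}

/// For VPN traffic, every encrypted upstream given by hostname (not an IP literal)
/// must appear in the VPN-DNS-SERVER-DOMAINS rule, otherwise its address can never
/// be resolved. Returns the hostnames that the rule is missing.
pub fn missing_vpn_dns_server_domains(vpn_upstreams: &[Upstream], rule_domains: &[&str]) -> Vec<String> {
    vpn_upstreams
        .iter()
        .filter(|u| u.encrypted())
        .map(|u| u.host().trim_end_matches('.').to_ascii_lowercase())
        .filter(|h| h.parse::<IpAddr>().is_err())
        .filter(|h| !rule_domains.iter().any(|d| d.eq_ignore_ascii_case(h)))
        .collect()
}
```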
AmneziaWG 1.5 & 2.0 support
MintFlow NetStack is based on fd.io VPP, which has a native WireGuard plugin that works quite well.
Previously we shipped AmneziaWG 1.0 as augmentations to the same WireGuard plugin, but some users require AmneziaWG 1.5 & 2.0 for better obfuscation.
So we now ship it, along with a config import that is compatible with some AmneziaWG 2.0 installers on GitHub.
Shadowsocks2022 support
Shadowsocks 2022 is a new cipher suite compared to the AEAD version of Shadowsocks; it also changes the wire format a bit.
With 1.9.0, we add all 3 ciphers of the 2022 cipher suite, and UDP forwarding is also supported if the server supports it.
Diagnostic tools
We added some brand-new diagnostic tools, such as VPN & Proxy diagnose, which lets users check the reachability of each configured VPN and proxy while MintFlow VPN is on. It bypasses the iOS system’s networking, so it can be used to diagnose config errors: if a specific VPN or proxy you configured is diagnosed OK but you still do not get the VPN working, you probably need to read the MintFlow NetStack manual again to see whether anything else is wrong.
We also added a profile diagnose tool. It captures the currently active profile and its compiled form, which is what MintFlow NetStack’s runtime loads, so it helps to see whether something is not correctly configured.
UI refinement
We continue to refine the UI to enforce rules we learned during app development, such as consistent coloring and font styling.
Final words
Since 1.0.0 was released on the iOS App Store 15 months ago, we have released 8 versions in total. We are glad at the shape the app is taking, and it is also used by us daily.
We remain committed to enhancing MintFlow NetStack’s feature parity and stability.
As always, if you have any feedback or suggestions, feel free to drop us an email.