I have no technical expertise, but I do believe the issue lies in UDP vs TCP. I have faced the same issue on Signal too, and even video streaming (including Youtube). Overall, the best option for WhatsApp at the moment is to use a VPN. TOR is working on supporting UDP so we will have a great solution soon.
Hello! I’m working on UDP, and specifically I’m trying to analyze the benefits we expect and the risks we open the network up to. I’d love to get more information about your use case.
As you’ve noticed, some calling apps do work over Orbot already because the app provides some level of TCP fallback. For common WebRTC-based apps, typically this will be a TURN server that has TCP support. TURN servers don’t always help with Orbot, since they may be configured without TCP support.
Signal for example does have a working TCP fallback. Each side of the call reaches out to a Signal-provided TURN server over TCP from the Tor exit. In Signal’s case, adding UDP support via Tor would have similar but slightly better overall performance, removing this extra exit-to-TURN-to-exit segment of the path. The overall latency and jitter of the path would not be much different.
With WhatsApp, are you looking for a particular level of privacy? I’m wondering what the goals are for a whatsapp-over-tor setup, since it’s not clear that IP address security is relevant when the app has access to your phone’s contacts and unique identifiers.
Wow, great to have someone working on UDP here, welcome!
Oh, I learned something new. This explains why WhatsApp calls for example couldn’t work over Orbot.
There are many use cases and benefits:
If both contacts is in a strict censorship country
If one contact is in a free country, and the other in a strict censorship country
Even if both contacts is in an uncensored country. Or only one of them is on Tor. There are still a number of advantages
I agree that it won’t protect from WhatsApp from already knowing so much about you. Also many contacts of privacy conscious individuals refuses to use anything other than WhatsApp (or iMessage depending where you are). But Tor may still help to protect from an unfriendly contact or stalker who knows your phone number. Or you or your contact’s ISP or untrusted network from performing MitM attack or surveillance.
E.g. a researcher demonstrated how coarse location can be tracked from Signal calls
Although I heard like Signal, WhatsApp is supporting opt-in relay servers soon
But this still doesn’t solve the censorship problem. And lets just say GFW is extremely sophisticated at blocking stuffs and Tor is easier to setup and better than most at this.
If Orbot is used as a VPN with kill switch. It’s not convenient to be constantly switching the network on and off just to make or receive WhatsApp calls, and that will lead to many missed calls. Also disabling kill switch to conditionally select apps will risk traffic leakage (by untrusted apps) or human error.
And I think networking effect is at stake. If one side finds it too inconvenient or impossible to use, then the other will simply give up because there are nobody to contact with. This gradually creates a domino effect.
In a nutshell, Tor supporting UDP will bring immense benefit not just for WhatsApp or Signal but all other apps using it.
Thanks @beth and other developers for listening and your contribution.
I hope Tor project succeeds in making more apps and websites (like banking) compatible with it.
Thanks for all the extra info, @ewoko. It helps to understand the focus on connectivity rather than privacy in this use case.
I’ve been trying to reproduce these problems with WhatsApp calls. I’ve got a virtualized setup which seems to work for voice calls at least. I haven’t verified actual call quality yet and I haven’t verified video, I’ve just been looking at network traffic and UI state. It seems to be using some of the same building blocks as WebRTC, like STUN and TURN including TURN over TCP.
It definitely looks like WhatsApp includes support for TCP. This puts it into the broad category of chat apps that support UDP-less setups but at a performance penalty. With an unfiltered network, my VMs can exchange call data peer to peer over UDP. With UDP outgoing traffic filtered, the connection checks notice this and fall back on TURN-over-TCP. The TURN/STUN server appears to be part of facebook CDN infrastructure, so it’s geographically localized.
I’m not sure where the difference is between this test setup and your experience. I’d expect calls to work sometimes and with varying quality.
I just had a chance to try this on physical devices. Two Android 12 devices (low-end but recent). Both running orbot on wifi. Video calls do connect and they basically work despite some lag and some connection quality warnings.
Thanks for the testing, beth. It definitely has been a moving target with WhatsApp and TCP support, and whether it works over Orbot or not. Signal seemed to work better in the past, but not sure now.
Just as a side comment, voice messaging works great over both WhatsApp and Signal, since those are just sent as files essentially, and are not streaming.
Hi @n8fr8, thanks for the tip about voice messaging. That does seem to be a nice option for folks who want to communicate without typing and who are having trouble with establishing a real-time connection.
Re Signal, I tried that recently actually. It’s pretty similar to the WhatsApp calling experience. Signal also uses TURN-over-TCP automatically (which you can see on Wireshark and in the open source code). The first time I tried over Orbot it connected but the quality was bad and it dropped frequently. A couple subsequent connection attempts failed, but then I had a good connection which was stable enough to keep a video call going for over two hours.
With these apps that have TURN-over-TCP support, I expect the connectivity isn’t being limited by lack of UDP but the practicality of calling may still be limited by overall performance.
There was no leak, I also had UDP filtered on the wifi and i was watching all the outgoing traffic on wireshark.
It would be great to get more data on when this does and doesn’t work.
It would also be great if we could isolate some of the cases where this seems like it should work but isn’t. One of the debug tools I’ve been using is a wifi router configured with transparent tor proxy, so i can capture traces there as a point of comparison with orbot on the phone. Typically orbot and the transparent proxy behave the same and it’s enough to repro a bug in an environment that’s easier to trace.
Wow, great to have someone working on UDP here, welcome!