Loading .onion on device "The Internet connection appears to be offline"

Here is my situation: I need to connect through a Tor proxy to a .onion address on the Tor network. I'm using Tor.framework in my app and I can connect to Tor fine. Tor.framework spins up a proxy that runs inside the app, I set my proxy configuration with URLSession, and all is great.


However, on a physical device, when I attempt to load a URL at a .onion address, I get an error -1009, "The Internet connection appears to be offline."


NOTE:

- this error only happens when loading .onion address from a hardware device

- I am able to load a .onion address from the SIMULATOR with no problems

- On the physical device, I am able to send requests through the proxy to a non-onion address and I can confirm that I have a TOR IP address.

- I have enabled allow arbitrary Loads in my ATS


My thoughts are that something at the URLSession level doesn't like the .onion domain for some reason or there is some other device specific security setting I am not aware of.


To prove this is not a TOR specific error I have done the following:

- remove the code to connect to tor and the proxy setup step and send a request to a .onion address with the default url session and config

- I get the same "internet connection appears to be offline" error on the physical device

- I get the expected error on the simulator: "A server with the specified hostname could not be found."




Thanks for your help


let sessionConfiguration = URLSessionConfiguration.default
// Route requests through the SOCKS proxy that Tor.framework runs inside the app.
sessionConfiguration.connectionProxyDictionary = [
    kCFProxyHostNameKey as AnyHashable: "127.0.0.1",
    kCFProxyPortNumberKey as AnyHashable: 39050, // myPortInt
    kCFProxyTypeKey as AnyHashable: kCFProxyTypeSOCKS
]
// Build the session from the configuration that carries the proxy settings.
self.newSession = URLSession(configuration: sessionConfiguration)
// THIS FIND MY URL REQUEST WORKS FINE AND GIVES ME A NEW REMOTE IP
//let url = "http://api.ipify.org?format=json"
// .onion address
let url = "http://3heens4xbedlj57xwcggjsdglot7e36p4rogy642xokemfo2duh6bbyd.onion/"
let request = URLRequest(url: URL(string: url)!,
                         cachePolicy: URLRequest.CachePolicy.reloadIgnoringLocalCacheData,
                         timeoutInterval: 10)
self.newSession.dataTask(with: request, completionHandler: { (responseData, urlResponse, error) -> Void in
    // THE .onion address request works fine on the simulator.
    // BUT gives a -1009 error on physical device.
}).resume() // a data task does not start until it is resumed

This is a question about an external framework (TOR).


You'd better contact their forum.


Good luck.

I understand the thought process, but I don't feel like this error is coming from Tor.

It appears to be the underlying iOS networking libraries that are throwing the error, not anything Tor specific, since as I mentioned this is working on the simulator and I can connect through the proxy to normal .com addresses on the physical device.
Also, if I disable the Tor library, remove the proxy config and simply attempt to send a request to a .onion address, I get the same "Internet connection appears to be offline" error on the physical device, whereas on the simulator I get the expected error "A server with the specified hostname could not be found."


{Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <49BF8E4C-66D7-422D-9F34-AE69932B2703>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(

"LocalDataTask <49BF8E4C-66D7-422D-9F34-AE69932B2703>.<1>"

For some reason this bubbled to the top of the thread list today, so I thought I’d post a quick summary of what I’ve since learnt about the issue.

First, RFC 7686 explains that .onion names are special, in the sense defined by RFC 6761.

By default, iOS has a policy that blocks all traffic associated with that domain, and it’s this policy that’s causing the NSURLErrorNotConnectedToInternet (-1009) error.

It’s possible to disable this policy deeper in the system [1], but it’s not possible to disable it within a specific app. I haven’t yet come to a conclusion as to whether there’s a solution for lsease’s high-level problem.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Specifically, if you configure a VPN interface with a SupplementalMatchDomains property that includes onion, the policy is disabled for just that interface. See Configuration Profile Reference for more about SupplementalMatchDomains.
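An added diagnostic sketch, not code from this thread or from Apple: it separates the -1009 that the reply above attributes to the system's .onion policy from the "hostname could not be found" error seen on the simulator. The type and function names are hypothetical, and the sample URL and error are constructed.

```swift
import Foundation

/// Result of inspecting a failed request (hypothetical names, for illustration).
enum OnionFailure: Equatable {
    case notOnion               // host is not under the .onion special-use domain
    case blockedBySystemPolicy  // -1009 on a .onion host: the policy described above
    case hostNotFound           // -1003: what the simulator reported without a proxy
    case other(Int)             // any other error code
}

/// True when the host is "onion" or ends in ".onion" (RFC 7686),
/// ignoring case and a trailing root dot.
func isOnionHost(_ host: String?) -> Bool {
    guard var h = host?.lowercased(), !h.isEmpty else { return false }
    if h.hasSuffix(".") { h.removeLast() }
    return h == "onion" || h.hasSuffix(".onion")
}

/// Classifies a URLSession failure for `url`. A device that really is offline
/// also reports -1009, so confirm a non-onion request succeeds first
/// (as the original poster did) before trusting `.blockedBySystemPolicy`.
func classify(url: URL, error: Error) -> OnionFailure {
    guard isOnionHost(url.host) else { return .notOnion }
    let nsError = error as NSError
    guard nsError.domain == NSURLErrorDomain else { return .other(nsError.code) }
    switch nsError.code {
    case NSURLErrorNotConnectedToInternet: return .blockedBySystemPolicy
    case NSURLErrorCannotFindHost:         return .hostNotFound
    default:                               return .other(nsError.code)
    }
}

// Constructed sample input: a placeholder .onion URL and a synthetic -1009 error.
let sampleURL = URL(string: "http://exampleonionaddress.onion/")!
let sampleError = NSError(domain: NSURLErrorDomain,
                          code: NSURLErrorNotConnectedToInternet,
                          userInfo: nil)
print(classify(url: sampleURL, error: sampleError))
```

Calling `classify` from the data task's completion handler lets an app log or surface the policy block distinctly instead of reporting that the device is offline.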