Amirale47 / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

HTC not routing through tunnel. #18

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

On HTC Sensation XE when you run ics-openvpn, it connects as expected, however 
nothing is routed through the tunnel.

This is because of an HTC idiosyncrasy regarding "ip rule" tables.
Described in this issue: 
http://code.google.com/p/android-openvpn-settings/issues/detail?id=35

I'm not sure this can be dealt with without root.

But "up"/"down" commands would help, letting you change the routes manually.

Currently I run this script as root after:
vpn up:
--------8<--------
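#!/system/xbin/busybox ash
# Run as root after the VPN comes up.

tun=tun0

# Move the tunnel's bare link-scope routes (lines that are just a prefix)
# from table main to table vpn.
ip route show dev $tun table main scope link | while read r; do
    case "$r" in
        *" "*)
            # line carries extra attributes: leave it alone
            true
            ;;
        *)
            ip route del dev $tun $r
            ip route add dev $tun $r table vpn
            ;;
    esac
done
# Make sure a "from all lookup vpn" rule precedes the first other
# catch-all rule (the priority 0 rule is skipped).
ip rule show | while read no r; do
    if [ "$no" != 0: ]; then
        case "$r" in
            "from all lookup vpn")
                # rule already present: nothing to do
                no=${no/:/}
                break
                ;;
            "from all lookup"*)
                # insert the vpn rule one priority ahead of this one
                no=$((${no/:/} - 1))
                ip rule add pref $no from all lookup vpn
                break
                ;;
        esac
    fi
done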

--------8<--------
and after:
vpn down:
--------8<--------
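#!/system/xbin/busybox ash
# Run as root after the VPN goes down.

# Delete the link-scope routes listed for table vpn. $l stays unquoted so
# the route description splits into separate arguments.
ip route show table vpn scope link | while read l; do
    ip route del $l
done
# Remove the "from all lookup vpn" rule added by the up script.
ip rule show | while read no r; do
    case "$r" in
        "from all lookup vpn")
            no=${no/:/}
            ip rule del pref $no from all lookup vpn
            break
            ;;
    esac
done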
--------8<--------

Original issue reported on code.google.com by bogeskov...@gmail.com on 11 May 2012 at 8:23
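
The rule-ordering logic of the up script above, turned into a read-only check (an added example, not part of the original report): it reads `ip rule show` output and reports whether the `from all lookup vpn` rule would win. The function name `vpn_rule_status` and the sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ip rule show` text read from stdin.
#   ok <pref>       vpn rule precedes every other catch-all rule
#   shadowed <pref> vpn rule exists, but an earlier catch-all rule wins
#   missing <pref>  no vpn rule; <pref> is the priority the up script would pick
#   none            no catch-all rule besides priority 0
vpn_rule_status() {
    table=${1:-vpn}      # table name taken from the scripts above
    first_other=""       # priority of the first catch-all rule for another table
    while read -r no rest; do
        pref=${no%:}     # "32766:" -> "32766"
        if [ "$pref" = 0 ]; then continue; fi   # priority 0 is skipped, as in the up script
        case "$rest" in
            "from all lookup $table")
                if [ -n "$first_other" ]; then
                    echo "shadowed $pref"
                else
                    echo "ok $pref"
                fi
                return 0
                ;;
            "from all lookup "*)
                if [ -z "$first_other" ]; then first_other=$pref; fi
                ;;
        esac
    done
    if [ -n "$first_other" ]; then
        echo "missing $((first_other - 1))"
    else
        echo "none"
    fi
}

# Constructed samples, not captured from a device.
RULES_BEFORE='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'
RULES_AFTER='0: from all lookup local
32765: from all lookup vpn
32766: from all lookup main
32767: from all lookup default'
RULES_SHADOWED='0: from all lookup local
100: from all lookup main
200: from all lookup vpn'

for sample in "$RULES_BEFORE" "$RULES_AFTER" "$RULES_SHADOWED"; do
    printf '%s\n' "$sample" | vpn_rule_status vpn
done
```

On a device, `ip rule show | vpn_rule_status` gives the same classification without changing any routes or rules.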

GoogleCodeExporter commented 9 years ago
You should file a bug report at HTC. The openvpn app is using an official API 
that has to work in Android 4.0 images.

You can always try to add the up down script as custom options under obscure 
options. You will also have to set script-security 3 (or something like this). 
But the scripts will be executed as non root.

I also have not looked into what Android does with iptables/ip rule/routing to 
protect the VPN connection socket.

I am not really sure what the best way to fix this in my application is, 
considering this is a bug in the ROM.

Original comment by arne@rfc2549.org on 11 May 2012 at 9:24

GoogleCodeExporter commented 9 years ago

Thanks for the quick reply.

I've now reported the issue to HTC, trying my best to be diplomatic (and 
unfortunately that isn't one of my strong suits) while claiming that they have 
apparently broken the ICS-api.

I'm not too well traveled in ics-openvpn yet, but I've tried Custom Options 
(and checked the generated config, that they appear):
--------8<--------
up /data/local/vpn.up
down /data/local/vpn.down
script-security 3
--------8<--------

Results in:

P:Fri May 11 12:54:25 2012 us=595568 OPTIONS IMPORT: timers and/or timeouts modified
P:Fri May 11 12:54:25 2012 us=595599 OPTIONS IMPORT: LZO parms modified
P:Fri May 11 12:54:25 2012 us=595629 OPTIONS IMPORT: --ifconfig/up options modified
P:Fri May 11 12:54:25 2012 us=595690 OPTIONS IMPORT: route options modified
P:Fri May 11 12:54:25 2012 us=595721 OPTIONS IMPORT: route-related options modified
P:Fri May 11 12:54:25 2012 us=595751 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
P:Fri May 11 12:54:25 2012 us=596178 ROUTE_GATEWAY 10.162.86.229/255.255.255.252 IFACE=rmnet0 HWADDR=00:00:00:00:00:00
P:Fri May 11 12:54:25 2012 us=596362 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
P:Fri May 11 12:54:25 2012 us=601153 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
P:Fri May 11 12:54:25 2012 us=602496 MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:Fri May 11 12:54:25 2012 us=603655 MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:Fri May 11 12:54:25 2012 us=604601 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
P:Fri May 11 12:54:25 2012 us=609606 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
P:Fri May 11 12:54:26 2012 us=15551 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
P:Fri May 11 12:54:26 2012 us=15917 MANAGEMENT: Client disconnected
P:Fri May 11 12:54:26 2012 us=15978 Assertion failed at openvpn//src/openvpn/misc.c:116
P:Fri May 11 12:54:26 2012 us=16039 Exiting due to fatal error
MGMT:Got unrecognized command>FATAL:Assertion failed at openvpn//src/openvpn/misc.c:116

I'm not entirely sure up/down is actually supported.

I've modified my scripts to be runnable as any user, and without "Custom 
Options", I can connect, run them as user shell, and the return value is 0 ($?), 
and then everything is working.

Original comment by bogeskov...@gmail.com on 11 May 2012 at 11:14

GoogleCodeExporter commented 9 years ago
I will look into the assert failure. I believe that is something I fix on 
my side :)

Original comment by arne@rfc2549.org on 11 May 2012 at 11:44