acidburn0zzz / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

Pushed routes are not added to the routing table #222

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This used to work fine until recently. Not sure if it was the upgrade to 
Android 4.4.2 or the upgrade to OpenVPN for Android 0.6.3 that broke this.

What steps will reproduce the problem?
1. My server-side config has the following statements:
push "route 213.13.24.161 255.255.255.255"
push "route 213.13.24.162 255.255.255.255"
push "route 213.30.70.22 255.255.255.255"
push "route 213.30.70.23 255.255.255.255"

2. All options in the Routing section are unchecked

What is the expected output? What do you see instead?

The above routes should be added to the Android's routing table (via tun0). But 
they are not.
Please check the ics-openvpn log attached.

What mobile phone are you using?

Nexus 7

Which Android Version and stock ROM or aftermarket like cyanogenmod?

4.4.2

Original issue reported on code.google.com by joaof.0...@gmail.com on 31 Dec 2013 at 6:15

GoogleCodeExporter commented 9 years ago
I also tried adding the Custom Route 213.13.24.161/32 on the client, but the 
route is not added to the system either. The routing table remains the same:

   default via 192.168.9.1 dev wlan0
   172.31.0.8/255.255.255.252 via default dev tun0
   192.168.9.0/255.255.255.0 via default dev wlan0
   192.168.9.0/255.255.255.0 via default dev wlan0
   192.168.9.1/255.255.255.255 via default dev wlan0

Original comment by joaof.0...@gmail.com on 31 Dec 2013 at 6:28

GoogleCodeExporter commented 9 years ago
The VPN API works differently under 4.4. You should trust the openvpn output or 
check the ip rules and secondary routing tables.

Original comment by arne@rfc2549.org on 1 Jan 2014 at 3:51

GoogleCodeExporter commented 9 years ago
This issue shouldn't be considered Invalid. In fact:

1. Server pushed routes don't work in 4.4
2. Client Custom Routes don't work in 4.4
3. Use default Route doesn't work in 4.4

Points 2 and 3 are features of OpenVPN for Android. If any of them work then 
users are being misled by the fact those options appear in the Settings.

I don't see anything in the openvpn log that looks like an error in terms of 
routes.
When openvpn is connected an additional ip rule appears:

100:    from all fwmark 0x3c lookup 60

The corresponding routing table is just:

$ ip ro sh ta 60
default dev tun0  scope link

Original comment by joaof.0...@gmail.com on 1 Jan 2014 at 4:57

GoogleCodeExporter commented 9 years ago
1) I marked the bug invalid because the bug is an Android bug and not an 
ics-openvpn bug if it exists.
2) Your output still does not show that the rules are not installed correctly. 
You are still missing the iptables rules which actually redirect the traffic. I 
tested it on my own Nexus 7 with some random nets and everything is working 
like it should. Packets to the custom routes arrive on the OpenVPN server. 
Packets to other networks do not. I am not yet convinced that there is something 
that does not work.

Original comment by arne@rfc2549.org on 1 Jan 2014 at 11:15

GoogleCodeExporter commented 9 years ago
FYI: 
Test with some random networks:

iptables -t mangle -L -n
[...]

Chain st_mangle_tun0_OUTPUT (3 references)
target     prot opt source               destination         
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK and 0x0
MARK       all  --  0.0.0.0/0            2.0.0.0/8            MARK set 0x3c
MARK       all  --  0.0.0.0/0            60.0.0.0/16          MARK set 0x3c
MARK       all  --  0.0.0.0/0            200.8.0.0/17         MARK set 0x3c

Original comment by arne@rfc2549.org on 1 Jan 2014 at 11:45
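
Added example, not part of the original thread and not ics-openvpn code: a small Python model of the Android 4.4 mechanism described above, which combines the quoted `iptables -t mangle` chain, the `fwmark 0x3c lookup 60` rule and table 60 to decide whether a destination leaves via tun0. The function names `packet_mark` and `egress_device` are hypothetical, and the model assumes only this one chain, fwmark-only rules and a default route in the looked-up table.

```python
import ipaddress
import re

# Sample input: the command output quoted in this thread, embedded inline.
IPTABLES_MANGLE = """\
Chain st_mangle_tun0_OUTPUT (3 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK and 0x0
MARK       all  --  0.0.0.0/0            2.0.0.0/8            MARK set 0x3c
MARK       all  --  0.0.0.0/0            60.0.0.0/16          MARK set 0x3c
MARK       all  --  0.0.0.0/0            200.8.0.0/17         MARK set 0x3c
"""
IP_RULES = "100:    from all fwmark 0x3c lookup 60\n"
ROUTE_TABLES = {"60": "default dev tun0  scope link\n"}

# target prot opt source destination "MARK and|set <hex>"
MARK_RE = re.compile(
    r"^MARK\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+MARK (and|set) (0x[0-9a-fA-F]+)")
RULE_RE = re.compile(r"^\d+:\s+from all fwmark (0x[0-9a-fA-F]+) lookup (\S+)")

def packet_mark(dest, chain_text=IPTABLES_MANGLE):
    """Walk the chain in order; MARK is non-terminating, so every match applies."""
    mark = 0
    addr = ipaddress.ip_address(dest)
    for line in chain_text.splitlines():
        m = MARK_RE.match(line)
        if not m or addr not in ipaddress.ip_network(m.group(2)):
            continue
        value = int(m.group(4), 16)
        mark = (mark & value) if m.group(3) == "and" else value
    return mark

def egress_device(dest, rules_text=IP_RULES, tables=ROUTE_TABLES):
    """Return the device of the policy table selected by the packet's mark."""
    mark = packet_mark(dest)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group(1), 16) == mark:
            route = tables.get(m.group(2), "")
            dev = re.search(r"^default dev (\S+)", route, re.M)
            if dev:
                return dev.group(1)
    return None  # no fwmark rule matched: the main table (e.g. wlan0) decides

if __name__ == "__main__":
    for ip in ("2.1.2.3", "60.0.5.5", "60.1.0.1", "8.8.8.8"):
        print(ip, hex(packet_mark(ip)), egress_device(ip) or "main table")
```

This is why the pushed routes never show up in the main routing table on 4.4: the per-destination selection lives in the mangle chain, and table 60 only holds a default route via tun0.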

GoogleCodeExporter commented 9 years ago
Issue 227 has been merged into this issue.

Original comment by arne@rfc2549.org on 18 Jan 2014 at 10:57

GoogleCodeExporter commented 9 years ago
With a non-rooted phone, how can I check that the iptables rules have been 
created correctly?

Original comment by google....@nooblet.org on 18 Jan 2014 at 11:11

GoogleCodeExporter commented 9 years ago
You cannot. You just have to trust Android to do the right thing.

Original comment by arne@rfc2549.org on 18 Jan 2014 at 11:14

GoogleCodeExporter commented 9 years ago
Well, it isn't doing the right thing. I have no VPN connectivity since the 
upgrade to Kitkat. Neither the default route nor the specific network routes 
work after it connects. All packets went over the public interface.

I got into trouble on Friday for not having office access whilst on site. Will 
be downgrading to ICS.

Original comment by google....@nooblet.org on 18 Jan 2014 at 11:36

GoogleCodeExporter commented 9 years ago
It seems I can't downgrade without voiding warranty :(

Not sure if it's relevant, but DNS requests go over the VPN, just not other 
traffic.

192.168.7.254 = remote LAN router
10.0.7.6 = local tun0 IP

"ping 192.168.7.254" doesn't work
"ping -I 10.0.7.6 192.168.7.254" does work, so I know the tunnel is up and 
running

Original comment by google....@nooblet.org on 18 Jan 2014 at 12:33

GoogleCodeExporter commented 9 years ago
I really hate to say but that sounds like a bug in your firmware.

Original comment by arne@rfc2549.org on 18 Jan 2014 at 12:39

GoogleCodeExporter commented 9 years ago
Okay :(

Well, I don't know how it gets done any differently but FEATVPN is working 
okay. I am saved!

Original comment by google....@nooblet.org on 18 Jan 2014 at 12:56

GoogleCodeExporter commented 9 years ago
Which version of FEATVPN? The one for Android 4.0+?

Original comment by arne@rfc2549.org on 18 Jan 2014 at 12:58

GoogleCodeExporter commented 9 years ago
I downloaded the APK direct from their website ( http://www.featvpn.com/ ) 
which says

If you have Android 4.x or later, then download ics-2013-12-07.apk:
http://www.featvpn.com/dl.php?id=2

Looking at logs it is running: /data/data/com.featvpn.app.comm/failes/ip route 
add 0.0.0.0/1 via 10.0.7.5

However that route still doesn't appear in "ip routes", probably due to the new 
way Kitkat works.

I am not going to pretend I fully understand all this :) If you want logs or 
anything else I can do to help, let me know.

Original comment by google....@nooblet.org on 18 Jan 2014 at 1:02

GoogleCodeExporter commented 9 years ago
Looks like this was a short-lived random event. It's been connected for several 
hours but as soon as I returned home and the phone connected to my home wifi 
the subsequent reconnect didn't work. I've now tried many vpn apps both on and 
off wifi and it no longer works :( Guess like you said something in my rom is 
fubar. And I'm stuck with it. Even basic built-in pptp vpn won't route any 
packets :(

Original comment by google....@nooblet.org on 18 Jan 2014 at 11:09

GoogleCodeExporter commented 9 years ago
Issue 284 has been merged into this issue.

Original comment by arne@rfc2549.org on 26 Sep 2014 at 9:02