acidburn0zzz / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

Android 4.4.2: all traffic routed to VPN, routing options from the app are ignored #305

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Configure VPN using a working configuration tested on a GNU/Linux box. The 
configuration does not use pushed routes, it just has a route for a remote LAN 
through the vpn_gateway.

What is the expected output? What do you see instead?

After the VPN is established, I see the following ip route (terminal with root 
access):

0.0.0.0/1 dev tun0 scope link
default via 10.0.1.252 dev wlan0
10.0.1.0/24 dev wlan scope link
10.0.1.0/24 dev wlan proto kernel scope link src 10.0.1.205 metric 315
10.0.1.252 dev wlan0 scope link
128.0.0.0/1 dev tun0 scope link

I.e. no route for the remote LAN, all the traffic routed to the VPN due to the 
rule 0.0.0.0/1 dev tun0.

In app options I have ignore VPN for local networks checked, default routing 
unchecked and a custom route to 192.168.3.0/24

From the app log I see:

Routes: 192.168.3.0/24
Routes excluded: 10.0.1.0/24
VpnService routes installed: 192.168.3.0/24

What mobile phone are you using?

Kingelon (Alps) G9000

Which Android Version and stock ROM or aftermarket like cyanogenmod?

Android 4.4.2 build G9000_20140815

Please provide any additional information below.

It seems a bug in Android service, how can I confirm that?

The phone is rooted, can I use a connect script as a workaround to set routes as 
I want?

Original issue reported on code.google.com by niccolo....@gmail.com on 24 Nov 2014 at 9:24

GoogleCodeExporter commented 9 years ago
Please don't jump to conclusions from ip route output. Android 4.4 does policy 
based routing. See also the last FAQ.

Original comment by arne@rfc2549.org on 24 Nov 2014 at 9:28

GoogleCodeExporter commented 9 years ago
Thanks arne, you are right! At least in part. The remote LAN route is there, 
using policy:

ip rule show
0:      from all lookup local 
100:    from all fwmark 0x3c lookup 60 
32766:  from all lookup main 
32767:  from all lookup default 

in fact there is a routing table #60 which goes through the VPN:

ip route show table 60                              
default dev tun0  scope link 

and remote private traffic is marked with iptables mangle:

iptables -L -t mangle
...
MARK       all  --  anywhere             192.168.3.0/24       MARK set 0x3c
...

The problem remains with the first entry in the "main" routing table:

ip route show table main                              
0.0.0.0/1 dev tun0  scope link 
default via 10.0.1.252 dev wlan0 
10.0.1.0/24 dev wlan0  scope link 
10.0.1.0/24 dev wlan0  proto kernel  scope link  src 10.0.1.205  metric 315 
10.0.1.252 dev wlan0  scope link 
128.0.0.0/1 dev tun0  scope link 

where 0.0.0.0/1 (as far as I can understand) matches any traffic, so that 
everything is routed into the VPN, which I don't want...

Original comment by niccolo....@gmail.com on 24 Nov 2014 at 10:14

GoogleCodeExporter commented 9 years ago
Well. The output you quoted from the app (VpnService routes installed: 
192.168.3.0/24) are the only routes that the app is telling Android to install. 
Anything beyond that is Android. In your case this seems to be buggy :(

Original comment by arne@rfc2549.org on 24 Nov 2014 at 2:02

GoogleCodeExporter commented 9 years ago
Big headache!

In order to let internet traffic go through standard WiFi, I had to fiddle with 
ip route and iptables mangle table:

ip route del 0.0.0.0/1 dev tun0
ip route del 128.0.0.0/1 dev tun0
iptables -t mangle -A st_mangle_EXEMPT ! -d 192.168.3.0/24  -j ACCEPT

It works, but there remains a problem with name resolution traffic: using nslookup 
it is routed via WiFi as expected, e.g. "nslookup www.google.com" works well.

Using ping instead (or the browser, or any other app) it hangs forever because 
the DNS query goes through the VPN (seen with tcpdump), and that traffic is blocked 
by remote firewall rules.

Why do nslookup and ping use different source addresses for name resolution? I 
don't see any ip route or iptables policy!

Original comment by niccolo....@gmail.com on 24 Nov 2014 at 3:56

GoogleCodeExporter commented 9 years ago
Finally I found a workaround for my problem, it needs a rooted device.

I just added a script /data/local/bin/openvpn-route-fix

#!/system/bin/sh
/system/xbin/su -c '/system/bin/ip route del 0.0.0.0/1 dev tun0'
/system/xbin/su -c '/system/bin/ip route del 128.0.0.0/1 dev tun0'

Set the script permissions to 755, then add two advanced custom options to the 
OpenVPN configuration:

script-security 2
up /data/local/bin/openvpn-route-fix

You need a super user permission management app, like SuperSU, and you have to 
grant root permission to the OpenVPN for Android application.

Original comment by niccolo....@gmail.com on 28 Dec 2014 at 2:07
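The script above deletes the two /1 routes unconditionally, so it fails noisily if the `up` hook fires when the routes are already gone, and it never checks that the policy rule (the fwmark 0x3c / table 60 pair shown earlier in this thread) carrying the remote LAN is still in place. The following is an added example, not the reporter's script and not ics-openvpn code: it plans the deletions from a dump of the main table, emits a command only for a 0.0.0.0/1 or 128.0.0.0/1 half that actually points at the tun device (so it is safe to run twice), and counts the fwmark rules so a caller can refuse to apply the fix when the marked route would be lost. Assumptions: the interface is tun0 and the `su`/`ip` paths are the ones used in the thread; the table and rule dumps embedded below are constructed from the output posted above, and on a device you would feed `ip route show table main` and `ip rule show` into the same functions. Note what the fix implies, which the reporter also observed: once the catch-all halves are gone, everything not matched by the mark rule, DNS included, leaves over WiFi rather than the tunnel.

```shell
#!/system/bin/sh
# Added example (not the reporter's script, not ics-openvpn code).
# Idempotent variant of the route fix: read a main-table dump, emit
# `ip route del` only for the 0.0.0.0/1 / 128.0.0.0/1 halves on the tun
# device, and leave the fwmark policy table alone.
# Assumption: the VPN interface name is passed as the first argument
# (tun0 in this thread); su and ip live at the paths used in the thread.

# plan_route_fix DEV: read `ip route show table main` on stdin and print
# the delete commands for the two /1 catch-all routes on DEV. Prints
# nothing when they are absent, so a second run is a no-op.
plan_route_fix() {
    dev="$1"
    while read -r dst rest; do
        case "$dst" in
            0.0.0.0/1|128.0.0.0/1)
                # match "dev tun0" as a whole word so tun0 does not hit tun01
                case " $rest " in
                    *" dev $dev "*) printf 'ip route del %s dev %s\n' "$dst" "$dev" ;;
                esac ;;
        esac
    done
}

# count_vpn_mark_rules: read `ip rule show` on stdin and print how many
# fwmark rules select a lookup table. Zero means the marked remote-LAN
# traffic has no table of its own, so removing the catch-all halves would
# cut the remote LAN off entirely; do not apply the fix in that state.
count_vpn_mark_rules() {
    n=0
    while read -r line; do
        case "$line" in
            *fwmark*lookup*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# apply_route_fix DEV: real run on the device (needs root, as in the
# workaround above; not exercised here). Refuses to act without a fwmark
# rule, then executes each planned command through su.
apply_route_fix() {
    if [ "$(/system/bin/ip rule show | count_vpn_mark_rules)" -eq 0 ]; then
        echo "no fwmark policy rule present, not touching routes" >&2
        return 1
    fi
    /system/bin/ip route show table main | plan_route_fix "$1" |
    while read -r cmd; do
        /system/xbin/su -c "/system/bin/$cmd"
    done
}

# Constructed input reproducing the tables posted in this thread.
MAIN_TABLE='0.0.0.0/1 dev tun0  scope link
default via 10.0.1.252 dev wlan0
10.0.1.0/24 dev wlan0  scope link
10.0.1.0/24 dev wlan0  proto kernel  scope link  src 10.0.1.205  metric 315
10.0.1.252 dev wlan0  scope link
128.0.0.0/1 dev tun0  scope link'

RULES='0:      from all lookup local
100:    from all fwmark 0x3c lookup 60
32766:  from all lookup main
32767:  from all lookup default'

printf '%s\n' "$MAIN_TABLE" | plan_route_fix tun0
printf 'fwmark rules: %s\n' "$(printf '%s\n' "$RULES" | count_vpn_mark_rules)"
```

On the device, replace the two `su -c` lines of the original hook with a call to `apply_route_fix tun0`; the `script-security 2` / `up` options stay as the reporter set them.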

GoogleCodeExporter commented 9 years ago
I am closing this bug as a ROM-specific bug 

Original comment by arne@rfc2549.org on 9 Jan 2015 at 1:38