element-hq / element-android

A Matrix collaboration client for Android.
https://element.io/
GNU Affero General Public License v3.0

Unable to connect to LAN IP addresses #1793

Open Limezero opened 4 years ago

Limezero commented 4 years ago

I have a local Synapse server running at http://192.168.0.109:8008 on my local network. Every other client and device I have can successfully connect to it, including the old Riot.im Android client (0.9.12) and the desktop version of Element, but RiotX/Element cannot. If I try to enter a 192.168.0.0/24 address as a custom server, the client will immediately throw an error message saying "No network. Please check your internet connection." whether or not there's a server running on that socket.


A few other strange observations:

Limezero commented 4 years ago

As of version 1.0.7, this is still broken.

rio commented 4 years ago

I'm having the same problem, networks like 10.x.x.x and 192.168.x.x fail to connect with the message shown above. Other apps like Firefox and curl using tmux have no problem connecting.

Zombie-Feynman commented 4 years ago

Confirming this bug for version 1.0.11 (F-Droid). FWIW, it also occurs if you try to connect via a domain name that points to a LAN address.

Zombie-Feynman commented 3 years ago

The canonical Element-Web at app.element.io gave me a similar error, which I eventually traced back to being caused by mixed content: I was trying to access an http server from an https web app. I added a reverse proxy to my homeserver (using easy-rsa to create self-signed certificates), which allows the Android app to work. (Somehow it still wasn't enough to let app.element.io work; Developer Tools shows a GET request for https://<my_server>/_matrix/client/versions in red, but doesn't actually tell me what the problem is.)

bmarty commented 3 years ago

Are you using an emulator to run Element Android? If it is the case, URLs like http://192.168.0.109:8008 cannot work because the 192.168 network is not the LAN of the emulator itself. If you are using a real device, it's maybe due to the fact that http URLs are not allowed, IIRC.

Limezero commented 3 years ago

> Are you using an emulator to run Element Android? If it is the case, URLs like http://192.168.0.109:8008 cannot work because the 192.168 network is not the LAN of the emulator itself. If you are using a real device, it's maybe due to the fact that http URLs are not allowed, IIRC.

I'm using a physical device personally. We have a Synapse server set up for internal use on a local network not connected to the internet, which has been running for a few years now. I've been through several devices since then, at least 4-5 Android phones, a tablet, and even different emulators. The results were the same in each and every single case - the old Riot.im Android client works fine, the Electron desktop client works fine, Element Android does not.

I'd be willing to bet money it has something to do with the differences between how Riot.im and Element handle network connections and/or URLs. It's clearly not a routing issue, because the client CAN find the server and even displays its fingerprint, it just refuses to connect to it. What's more, if I spin up a new server on the phone itself via Termux (literally apt install python, pip install matrix-synapse, synctl start in the terminal app on the phone itself), everything works fine if I try to connect to this server via http://127.0.0.1, but NOT if I try http://192.168.0.xxx. The old client (Riot.im 0.9.12) works with either.

I'm genuinely curious how so few people seem to have run into this issue so far, how is the client even debugged during development if you can't connect to a local server with it? Do the devs just use matrix.org? Has nobody tried to connect to a local instance yet? Do I need some kind of weird manually injected HTTPS certificate or proxy server or god knows what just to connect to my own LAN?

mariorossi77 commented 3 years ago

still can't connect to local matrix servers. also any non https address

theowenyoung commented 3 years ago

still can't connect to local matrix servers, any updates here?

tobymurray commented 3 years ago

Looking at network_security_config.xml:

    <base-config cleartextTrafficPermitted="false" />

    <!-- Allow clearText traffic on some specified host -->
    <domain-config cleartextTrafficPermitted="true">
        <!-- Localhost -->
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">127.0.0.1</domain>
        <!-- Localhost for Android emulator -->
        <domain includeSubdomains="true">10.0.2.2</domain>
        <!-- Onion services -->
        <domain includeSubdomains="true">onion</domain>
    </domain-config>

So Element can only be used with cleartext on those specific domains (and subdomains). There's some more context here: https://github.com/vector-im/riot-android/issues/2495, and it's really Android itself that is pushing for apps to block cleartext.

I checked out v1.1.3, added <domain includeSubdomains="true">localdomain</domain> so I could use everything on my LAN (e.g. <host>.localdomain) and installed it and it works great. If you're open to building it yourself (yay open source!), this seems like a doable workaround.

Looking at the Android docs here, it isn't jumping out at me that it can use IP addresses nicely. It seems like it'd be great to whitelist 192.*.*.* for exactly this reason
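The rule matching described in the comment above, as an added example that is not part of the original thread or of Element's code: a small auditor that reads a network security config and reports whether plain http to a given host would be permitted. The sample XML is constructed from the quoted fragment plus the `localdomain` workaround line; the function names, the API 28+ default and the restriction to top-level `domain-config` elements are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted above, wrapped in the root element
# Android expects, plus the "localdomain" line from the workaround.
CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">127.0.0.1</domain>
        <domain includeSubdomains="true">10.0.2.2</domain>
        <domain includeSubdomains="true">onion</domain>
        <domain includeSubdomains="true">localdomain</domain>
    </domain-config>
</network-security-config>
"""

def _flag(elem, default):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = None if elem is None else elem.get("cleartextTrafficPermitted")
    return default if value is None else value.lower() == "true"

def cleartext_permitted(config_xml, host):
    """Return (permitted, matched_rule) for a plain-http connection to host."""
    root = ET.fromstring(config_xml)
    # Assumption: the app targets API 28+, where the platform default is "false".
    base = _flag(root.find("base-config"), False)
    host = host.lower().rstrip(".")
    best = (base, None)  # no rule matched yet: base-config applies
    # Only top-level <domain-config> elements are handled (no nesting).
    for dc in root.findall("domain-config"):
        for dom in dc.findall("domain"):
            rule = (dom.text or "").strip().lower()
            subs = dom.get("includeSubdomains", "false").lower() == "true"
            # Rules are literal names: an exact match, or a dot-suffix match
            # when includeSubdomains is set. No wildcards, no CIDR ranges.
            hit = host == rule or (subs and host.endswith("." + rule))
            # The longest (most specific) matching rule wins.
            if rule and hit and (best[1] is None or len(rule) > len(best[1])):
                best = (_flag(dc, base), rule)
    return best

if __name__ == "__main__":
    for h in ("127.0.0.1", "192.168.0.109", "synapse.localdomain"):
        print(h, cleartext_permitted(CONFIG, h))
```

Running it shows the behaviour reported in the thread: the loopback address and `*.localdomain` hosts match an allow rule, while a 192.168.x.x literal matches nothing and falls back to the base config.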

mariorossi77 commented 3 years ago

@tobymurray thank you, that solved the issue for me

RalfStehle commented 11 months ago

Perhaps this helps? add this line to your AndroidManifest.xml

    <application android:usesCleartextTraffic="true">

Hunkarada commented 3 months ago

Thanks to @tobymurray, I built a version that allows LAN addresses, and this is insane. Why does the app think that it's smarter than the user, so that I need to rebuild the whole app to actually use it? My server is private and to access it you need to connect to a VPN, which encrypts all traffic by default. ALL OTHER clients allow this behavior. On PC and iOS Element allows it too. But not for Android. Why not allow this for Android - idk.

tobymurray commented 2 months ago

> this is insane. Why does the app think that it's smarter than the user, so that I need to rebuild the whole app to actually use it?

I replied in the issue you opened, but my understanding is this is a limitation of Android's security configuration, not Element specifically.