Closed seanho00 closed 6 years ago
A partial workaround is to run a separate routed tinc network just for the Android phones. Two servers run double-duty and can route between both VPNs.
On the Android clients, use tinc host files and Subnet declarations to specify which host can route packets to the main VPN (or indeed to the internet, default route).
On the VPN routers, add FORWARDING and -t nat POSTROUTING iptables rules to do SNAT to the internet and to the main VPN.
Need to set ansible for multiple tinc networks (with_dict).
sysctl net.ipv4.ip_forward = 1
Config host files: #86
Android app requires it due to Android VPN service limitation. Worthwhile to convert entire tinc network over to L3 router mode instead of L2 switch mode?
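The router-side setup described in this issue (Subnet declarations in the host file given to the Android clients, FORWARD and nat POSTROUTING rules, ip_forward), as an added example that is not part of the original issue or the project's own configuration. The script only prints the configuration and applies nothing; every interface name, subnet and address in it is an assumed value.

```shell
#!/bin/sh
# Dry run: prints the router-side config, applies nothing. All names,
# subnets and addresses below are assumed values, not from the issue.
PHONE_IF="${PHONE_IF:-phones}"          # interface of the routed tinc net for Android
MAIN_IF="${MAIN_IF:-mainvpn}"           # interface of the main tinc VPN
WAN_IF="${WAN_IF:-eth0}"                # internet-facing interface
PHONE_NET="${PHONE_NET:-10.99.0.0/24}"  # phones' VPN subnet
MAIN_NET="${MAIN_NET:-10.0.0.0/24}"     # main VPN subnet
MAIN_ADDR="${MAIN_ADDR:-10.0.0.1}"      # router's address on the main VPN
WAN_ADDR="${WAN_ADDR:-192.0.2.10}"      # router's public address

# Shape check: accept only strings that look like an IPv4 CIDR, so nothing
# else can end up inside a generated rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Subnet lines for the router's host file as distributed to the Android
# clients: in router mode tinc sends a packet to the node whose Subnet matches.
render_hostfile() {
    valid_cidr "$MAIN_NET" || { echo "bad MAIN_NET: $MAIN_NET" >&2; return 1; }
    printf 'Subnet = %s\n' "$MAIN_NET"
    printf 'Subnet = 0.0.0.0/0\n'
}

# Forward only traffic sourced from the phone subnet, let replies back in
# through conntrack, and SNAT separately for each egress interface.
render_rules() {
    valid_cidr "$PHONE_NET" || { echo "bad PHONE_NET: $PHONE_NET" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $PHONE_IF -s $PHONE_NET -o $MAIN_IF -j ACCEPT
iptables -A FORWARD -i $PHONE_IF -s $PHONE_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -o $PHONE_IF -d $PHONE_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $PHONE_NET -o $MAIN_IF -j SNAT --to-source $MAIN_ADDR
iptables -t nat -A POSTROUTING -s $PHONE_NET -o $WAN_IF -j SNAT --to-source $WAN_ADDR
EOF
}

render_hostfile
render_rules
```

Scoping the FORWARD rules to the phone subnet and to established return traffic keeps the two routers from forwarding anything else between the VPNs.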