Closed maber01 closed 3 months ago
I'm working on trying to understand how Android routes IP traffic using adb shell with root privilege. It seems very complex!
I'm seeing that the route I expect has been added to the routing table named "tun0".
#ip route list table tun0
10.55.0.0/16 dev tun0 proto static scope link
10.55.8.1 dev tun0 proto static scope link
10.55.8.8/30 dev tun0 proto static scope link
This suggests to me that the VPN API is correctly adding the route to the right table but something else is wrong.
It seems that the port 993 TCP packets from my mail client aren't reaching one of the routing rules with "lookup tun0" as an action. I tested this by manually adding the route to the table named "local".
#ip route add 10.55.1.0/24 dev tun0 table local
With this in place the mail client can now connect to the mail server and fetch mail.
So, it looks like the rules are sending my IMAP packets to the wrong routing table. It's looking more like a bug in the VPN API... More study needed.
Hello, how did you fix it? I have the same question. When I do this: ip route add 10.55.1.0/24 dev tun0 table local, I receive the SIP voice by SDP protocol.
@hfc123 I haven't fixed it. I'm still working on it. By the way, there's no point in you copying the command;
ip route add 10.55.1.0/24 dev tun0 table local
Can you please provide a client logfile?
You need to look also at ip rule, iptables and so on for VPN routing under Android. It uses fwmark and policy routing.
Thanks for offering to look at the log files. However, after studying the verbose log myself I do seem to have solved the issue. It was pilot error!
In the "Allowed Apps" section of the profile I had used the "VPN is used for all apps..." option. However, I had also left the "Allow apps to bypass the VPN" selected. This was because I misunderstood what that option was for - I thought that if not selected it would force all traffic over the tun0 interface which for me is undesirable.
In reality (please confirm) it gives apps that are allowed to use the VPN the option to not use it.
So, it seems that the app Jami chooses to route traffic over the VPN without being forced, but the apps K-9 Mail and Vernet choose not to route traffic over the VPN if given the chance. It is just coincidence that one app is using UDP and the others TCP. How does an Android app choose to (not) use the VPN when opening a socket?
Thanks for all your work to maintain the app and field support requests.
The apps themselves have to request that. See https://developer.android.com/reference/android/net/VpnService.Builder#allowBypass() for a bit more details.
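The rule walk the two replies above describe (ip rule entries matched on fwmark and uid in priority order, each one naming a table to look up), as an added example that is not part of this thread and not code from the OpenVPN for Android project: a small Python model that parses constructed, simplified `ip rule` and `ip route list table <name>` dumps and reports which table and interface a given destination, app uid and fwmark would end up on. The rule set, the 0x10000 "bypass" mark bit and the 10000-99999 uid range are assumptions made up for illustration, not Android's real rule set (a real device prints a much longer list with more mark bits and iif/oif matches); the tun0 table is the one quoted earlier in the thread.

```python
import ipaddress
import re

# Constructed, simplified `ip rule` dump (assumption for illustration, not a real
# Android capture). Rule 11000 models a "bypass" mark bit that a protected socket
# carries; rule 12000 models the per-app uid range that is routed into the VPN.
RULES_DUMP = """\
0:\tfrom all lookup local
11000:\tfrom all fwmark 0x10000/0x10000 lookup rmnet_data3
12000:\tfrom all uidrange 10000-99999 lookup tun0
13000:\tfrom all lookup rmnet_data3
"""

# Constructed `ip route list table <name>` dumps; tun0 matches the thread's output.
TABLE_DUMPS = {
    "local": "local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1\n",
    "tun0": (
        "10.55.0.0/16 dev tun0 proto static scope link\n"
        "10.55.8.1 dev tun0 proto static scope link\n"
        "10.55.8.8/30 dev tun0 proto static scope link\n"
    ),
    "rmnet_data3": "default via 100.64.0.1 dev rmnet_data3 proto static\n",
}

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from all"
    r"(?:\s+fwmark (?P<mark>0x[0-9a-f]+)(?:/(?P<mask>0x[0-9a-f]+))?)?"
    r"(?:\s+uidrange (?P<uid_lo>\d+)-(?P<uid_hi>\d+))?"
    r"\s+lookup (?P<table>\S+)$"
)


def parse_rules(dump):
    """Turn `ip rule` lines into dicts, sorted by priority (lowest first)."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule line: " + line)
        d = m.groupdict()
        rules.append({
            "prio": int(d["prio"]),
            "mark": int(d["mark"], 16) if d["mark"] else None,
            # A fwmark without an explicit mask must match every bit.
            "mask": int(d["mask"], 16) if d["mask"] else 0xFFFFFFFF,
            "uid_lo": int(d["uid_lo"]) if d["uid_lo"] else None,
            "uid_hi": int(d["uid_hi"]) if d["uid_hi"] else None,
            "table": d["table"],
        })
    return sorted(rules, key=lambda r: r["prio"])


def parse_table(dump):
    """Turn `ip route list table X` lines into (network, device) pairs."""
    routes = []
    for line in dump.splitlines():
        toks = line.split()
        if toks[0] in ("local", "broadcast", "unicast"):
            toks = toks[1:]  # route-type prefix as printed in the local table
        prefix = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = toks[toks.index("dev") + 1]
        routes.append((net, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for net, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def route_packet(dst, uid, fwmark=0, rules_dump=RULES_DUMP, table_dumps=TABLE_DUMPS):
    """Walk the rules like the kernel does: first matching rule whose table
    actually holds a route for dst wins; a rule whose table has no route is
    skipped and the walk continues with the next priority."""
    dst = ipaddress.ip_address(dst)
    tables = {name: parse_table(d) for name, d in table_dumps.items()}
    for r in parse_rules(rules_dump):
        if r["mark"] is not None and (fwmark & r["mask"]) != r["mark"]:
            continue
        if r["uid_lo"] is not None and not (r["uid_lo"] <= uid <= r["uid_hi"]):
            continue
        hit = lookup(tables[r["table"]], dst)
        if hit is not None:
            return r["table"], hit[1]
    return None, None


if __name__ == "__main__":
    # Same destination, three different sockets: plain app socket, a socket with
    # the (assumed) bypass bit set, and a system uid outside the VPN uid range.
    for label, uid, mark in [("app", 10123, 0), ("bypass", 10123, 0x10000), ("root", 0, 0)]:
        print(label, "10.55.1.5 ->", route_packet("10.55.1.5", uid, mark))
```

The useful comparison on a real phone is `ip rule` followed by `ip route list table tun0` in adb shell: if the tun0 table holds the pushed route (as it does in this thread) but a packet still leaves on rmnet_data3, the cause is the rule that selected the table for that socket (its mark or uid), not the route itself.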
Thanks again.
I'm using openvpn only to route traffic to hosts on the 'home' network of the openvpn server. ICMP packets for pinging and UDP packets for telephony are correctly routed out via the tun0 interface. However, TCP packets for IMAP are not routed to tun0 but rather to the mobile phone network on device rmnet_data3. I can't see any reason why my configuration would cause different routing for TCP versus UDP packets.
Is this an issue with the android app or could this be pilot error? Is any fix possible in my configuration?
When I connect to the same openvpn server from a laptop computer, all traffic (ICMP, UDP and TCP) to the 10.55.0.0/16 subnet is properly routed. The key route that is pushed to the client is:
push "route 10.55.0.0 255.255.0.0"
I used Vernet app to help debug. Pinging a host on the 'home' network works and if I run tcpdump on the phone the output is like:
I use Jami for telephony and here is a snippet of the tcpdump output
However, using K-9 mail app to connect to SSL/TLS IMAP port 993 tcpdump shows the packets being sent to the wrong network interface and therefore no packets come back in reply.
Here is the server config file: