I have OpenVPN set up on my Note 4 (4.4.4, rooted ROM).
But I use split tunnelling: some traffic goes over non-VPN and some traffic over VPN.
I had a quick look at the iptables rules:
0 0 droidwall-wifi all -- * tiwlan+ 0.0.0.0/0 0.0.0.0/0
803 102K droidwall-wifi all -- * wlan+ 0.0.0.0/0 0.0.0.0/0
0 0 droidwall-wifi all -- * eth+ 0.0.0.0/0 0.0.0.0/0
0 0 droidwall-wifi all -- * ra+ 0.0.0.0/0 0.0.0.0/0
0 0 droidwall-vpn all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 droidwall-vpn all -- * tun0+ 0.0.0.0/0 0.0.0.0/0
421 41876 droidwall-vpn all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] mark match 0x3c/0xfffc
0 0 droidwall-vpn all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] mark match 0x40/0xfff8
Chain st_mangle_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
35884 3733K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1016
2357 301K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0-99999 MARK set 0x3d
So it looks to me like you don't handle split tunnelling.
iptables -nvL droidwall-vpn
Chain droidwall-vpn (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10284
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10285
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10217
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10221
389 41109 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 10093
73 4772 droidwall-reject all -- * * 0.0.0.0/0 0.0.0.0/0
I'm guessing a simple fix would be to ACCEPT instead of RETURN on the matching lines! Which might actually be faster, as it doesn't need to traverse the rest of the tree once it's matched... But it's been a while since I looked at the code, so I don't know the other implications.
My other observation is that
0 0 droidwall-vpn all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 droidwall-vpn all -- * tun0+ 0.0.0.0/0 0.0.0.0/0
neither of these lines is hit. OpenVPN uses tun devices.
Interestingly, I notice OpenVPN uses ip rules! That's a new one for me.
ip r
default via 192.168.10.1 dev wlan0
default via 192.168.10.1 dev wlan0 metric 305
10.32.23.0/25 dev tun0 proto kernel scope link src 10.32.23.4
192.168.10.0/24 dev wlan0 scope link
192.168.10.0/24 dev wlan0 proto kernel scope link src 192.168.10.246 metric 305
192.168.10.1 dev wlan0 scope link
That's with OpenVPN up... I only see the WAN IPs in the routing table!
root@trlte:/ # ip ru
ip ru
0: from all lookup local
99: from all to 10.138.38.80 lookup main
100: from all to 10.0.0.0/8 fwmark 0x3d lookup 61
150: from 192.168.10.246 lookup 2
32766: from all lookup main
32767: from all lookup default
Line 100 is the OpenVPN one!
root@trlte:/ # ip ro list table 61
ip ro list table 61
default dev tun0 scope link
All traffic goes out tun0.
I put the last bit in for anyone else who might come here looking; it adds to the complete picture.
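As an added example (not from the original post or from the firewall app's code), this Python model replays the rules quoted above so the interaction can be checked offline: the iptables mark match as value/mask, the st_mangle_OUTPUT marking, ip rules 99 and 100 with table 61, and the droidwall-vpn UID list. Rule 150 (table 2) and the interface-based jumps are left out because their targets are not shown in the post; the UIDs and addresses are the ones from the listings.

```python
import ipaddress

# Values copied from the post's listings (constructed model, not a live table dump).
VPN_MARK = 0x3d                                       # MARK set 0x3d in st_mangle_OUTPUT
VPN_TABLE_DST = ipaddress.ip_network("10.0.0.0/8")    # ip rule 100: to 10.0.0.0/8 fwmark 0x3d
RULE_99_DST = ipaddress.ip_address("10.138.38.80")    # ip rule 99: lookup main, takes precedence
VPN_ALLOWED_UIDS = {10284, 10285, 10217, 10221, 10093}  # RETURN rules in droidwall-vpn


def mark_match(mark, value, mask):
    """'-m mark --mark value/mask' semantics: the masked mark must equal value."""
    return (mark & mask) == value


def st_mangle_output(uid, mark=0):
    """Replay the three st_mangle_OUTPUT rules in listing order."""
    if mark != 0:            # RETURN ... mark match ! 0x0 (already marked packets pass)
        return mark
    if uid == 1016:          # RETURN ... owner UID match 1016
        return mark
    if 0 <= uid <= 99999:    # MARK set 0x3d ... owner UID match 0-99999
        return VPN_MARK
    return mark


def select_route(mark, dst):
    """Policy routing as shown by 'ip ru' and 'ip ro list table 61'."""
    dst = ipaddress.ip_address(dst)
    if dst == RULE_99_DST:                             # rule 99 -> main -> wlan0
        return "wlan0"
    if dst in VPN_TABLE_DST and mark == VPN_MARK:      # rule 100 -> table 61 -> tun0
        return "tun0"
    return "wlan0"                                     # rule 32766 -> main -> wlan0


def droidwall_vpn(uid):
    """Listed UIDs RETURN (the post suggests ACCEPT); everything else hits droidwall-reject."""
    return "RETURN" if uid in VPN_ALLOWED_UIDS else "droidwall-reject"


def output_path(uid, dst):
    """Mark, dispatch on the two mark-match jumps, then route; returns the decisions."""
    mark = st_mangle_output(uid)
    to_vpn_chain = mark_match(mark, 0x3c, 0xfffc) or mark_match(mark, 0x40, 0xfff8)
    verdict = droidwall_vpn(uid) if to_vpn_chain else "not dispatched to droidwall-vpn"
    return {"mark": mark, "vpn_chain": to_vpn_chain, "verdict": verdict, "dev": select_route(mark, dst)}
```

The model shows why the post's concern holds: every UID in 0-99999 gets mark 0x3d and is dispatched to droidwall-vpn by the 0x3c/0xfffc jump, yet rule 100 only sends 10.0.0.0/8 destinations through tun0, so marked traffic to other destinations is filtered as VPN traffic while leaving via wlan0.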