Routing udp and icmp but not tcp #1702
Comments
I'm working on trying to understand how Android routes IP traffic using adb shell with root privilege. It seems very complex! I'm seeing that the route I expect has been added to the routing table named "tun0".
This suggests to me that the VPN API is correctly adding the route to the right table but something else is wrong. It seems that the port 993 TCP packets from my mail client aren't reaching one of the routing rules with "lookup tun0" as an action. I tested this by manually adding the route to the table named "local". So, it looks like the rules are sending my imap packets to the wrong routing table. It's looking more like a bug in the VPN API... More study needed.
Hello, how did you fix it? I have the same question as this. When I do this: ip route add 10.55.1.0/24 dev tun0 table local, I receive the SIP voice by SDP protocol.
@hfc123 I haven't fixed it. I'm still working on it. By the way, there's no point you copying the command;
Can you please provide a client logfile? You also need to look at
Thanks for offering to look at the log files. However, after studying the verbose log myself I do seem to have solved the issue. It was pilot error! In the "Allowed Apps" section of the profile I had used the "VPN is used for all apps..." option. However, I had also left the "Allow apps to bypass the VPN" selected. This was because I misunderstood what that option was for - I thought that if not selected it would force all traffic over the tun0 interface, which for me is undesirable. In reality (please confirm) it gives apps that are allowed to use the VPN the option to not use it. So, it seems that the app Jami chooses to route traffic over the VPN without being forced but the apps K-9 mail and Vernet choose to not route traffic over the VPN if given the chance. It is just coincidence that one app is using UDP and the others TCP. How does an Android app choose to (not) use the VPN when opening a socket? Thanks for all your work to maintain the app and field support requests.
The apps themselves have to request that. See https://developer.android.com/reference/android/net/VpnService.Builder#allowBypass() for a bit more detail.
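The two sides of allowBypass() discussed above, as an added example that is not part of the thread and is not code from the OpenVPN app, K-9 or any participant: a VPN service that routes only 10.55.0.0/16 with and without the bypass setting, and one way an app can pin a socket to a non-VPN network. Class names, the session label and the tunnel address are constructed; the app side assumes the CHANGE_NETWORK_STATE permission.

```java
import android.net.ConnectivityManager;
import android.net.Network;
import android.net.NetworkCapabilities;
import android.net.NetworkRequest;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

// Added illustration: class names, session label and tunnel address are constructed.
public class HomeNetVpnService extends VpnService {
    // VPN side: split tunnel carrying only the home subnet from this issue.
    ParcelFileDescriptor openTunnel(boolean allowBypass) {
        Builder b = new Builder()
                .setSession("home-net")
                .addAddress("10.8.0.2", 32)
                .addRoute("10.55.0.0", 16);   // push "route 10.55.0.0 255.255.0.0"
        if (allowBypass) {
            // The setting from the thread: apps may bind sockets to other networks.
            b.allowBypass();
        }
        // Without allowBypass(), apps covered by the VPN cannot side-step tun0.
        return b.establish();   // null if the app has not been prepared as a VPN
    }
}

// App side: one way an app can opt out of the VPN for a single socket.
final class DirectSocketClient {
    static void connectOutsideVpn(ConnectivityManager cm, String host, int port) {
        NetworkRequest req = new NetworkRequest.Builder()
                .addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET)
                .addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN)
                .build();
        cm.requestNetwork(req, new ConnectivityManager.NetworkCallback() {
            @Override
            public void onAvailable(Network network) {
                try (Socket s = new Socket()) {
                    network.bindSocket(s);   // pin the socket to the non-VPN network
                    s.connect(new InetSocketAddress(host, port), 5000);
                } catch (IOException e) {
                    // Bind or connect failed; a socket bound here never uses tun0,
                    // so a 10.55.x.x destination is not reachable this way.
                } finally { cm.unregisterNetworkCallback(this); }
            }
        });
    }
}
```

A socket bound this way leaves through the underlying interface even when the destination matches the VPN route, which is why leaving the bypass option off is the setting to use when traffic for the routed subnet must stay inside the tunnel.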
Thanks again.
I'm using openvpn only to route traffic to hosts on the 'home' network of the openvpn server. ICMP packets for pinging and UDP packets for telephony are correctly routed out via the tun0 interface. However TCP packets for IMAP are not routed to tun0 but rather to the mobile phone network on device rmnet_data3. I can't see any reason why my configuration would cause different routing for TCP versus UDP packets.
Is this an issue with the android app or could this be pilot error? Is any fix possible in my configuration?
When I connect to the same openvpn server from a laptop computer, all traffic (ICMP, UDP and TCP) to the 10.55.0.0/16 subnet is properly routed. The key route that is pushed to the client is:
push "route 10.55.0.0 255.255.0.0"
I used Vernet app to help debug. Pinging a host on the 'home' network works and if I run tcpdump on the phone the output is like:
I use Jami for telephony and here is a snippet of the tcpdump output
However, using K-9 mail app to connect to SSL/TLS IMAP port 993 tcpdump shows the packets being sent to the wrong network interface and therefore no packets come back in reply.
Here is the server config file: