Routing udp and icmp but not tcp #1702

Closed
maber01 opened this issue Apr 8, 2024 · 7 comments
Comments

maber01 commented Apr 8, 2024

  1. Android Version = 13
  2. Android Vendor/Custom ROM = LineageOS
  3. Device = Pixel 5
  4. Version of the app = 0.7.51 from f-droid

I'm using openvpn only to route traffic to hosts on the 'home' network of the openvpn server. ICMP packets for pinging and UDP packets for telephony are correctly routed out via the tun0 interface. However, TCP packets for IMAP are not routed to tun0 but rather to the mobile phone network on device rmnet_data3. I can't see any reason why my configuration would cause different routing for TCP versus UDP packets.

Is this an issue with the android app or could this be pilot error? Is any fix possible in my configuration?

When I connect to the same openvpn server from a laptop computer, all traffic (ICMP, UDP and TCP) to the 10.55.0.0/16 subnet is properly routed. The key route that is pushed to the client is:

push "route 10.55.0.0 255.255.0.0"

I used Vernet app to help debug. Pinging a host on the 'home' network works and if I run tcpdump on the phone the output is like:

15:06:19.921914 tun0  Out IP 10.55.8.9 > 10.55.1.1: ICMP echo request, id 23, seq 1, length 64
15:06:19.976150 tun0  In  IP 10.55.1.1 > 10.55.8.9: ICMP echo reply, id 23, seq 1, length 64

I use Jami for telephony and here is a snippet of the tcpdump output

15:09:57.811550 tun0  Out IP 10.55.8.9.sip-tls > 10.55.1.3.sip: SIP: BYE sip:10.55.1.3:5060 SIP/2.0
15:09:57.880709 tun0  In  IP 10.55.1.3.sip > 10.55.8.9.sip-tls: SIP: SIP/2.0 200 OK

However, using K-9 mail app to connect to SSL/TLS IMAP port 993 tcpdump shows the packets being sent to the wrong network interface and therefore no packets come back in reply.

15:16:40.666310 rmnet_data3 Out IP 10.91.26.17.37130 > 10.55.1.1.imaps: Flags [S], seq 596847815, win 65535, options [mss 1460,sackOK,TS val 725768773 ecr 0,nop,wscale 9], length 0
15:16:44.719621 rmnet_data3 Out IP 10.91.26.17.37130 > 10.55.1.1.imaps: Flags [S], seq 596847815, win 65535, options [mss 1460,sackOK,TS val 725772826 ecr 0,nop,wscale 9], length 0
15:16:52.826317 rmnet_data3 Out IP 10.91.26.17.37130 > 10.55.1.1.imaps: Flags [S], seq 596847815, win 65535, options [mss 1460,sackOK,TS val 725780933 ecr 0,nop,wscale 9], length 0

Here is the server config file:

proto udp4
port 1194
dev tun

tls-server 
ca /etc/openvpn/server/keys/ca.crt
cert /etc/openvpn/server/keys/vpn.crt
key /etc/openvpn/server/keys/vpn.key
dh /etc/openvpn/server/keys/dh.pem
mode server

client-config-dir /etc/openvpn/server/ccd
ifconfig 10.55.8.1 10.55.8.2

push "route 10.55.8.1 255.255.255.255"
push "route 10.55.0.0 255.255.0.0"

keepalive 10 60
inactive 600
route 10.55.8.0 255.255.255.0

user openvpn
group openvpn
persist-tun
persist-key
verb 4

maber01 (Author) commented Apr 8, 2024


I'm working on trying to understand how Android routes IP traffic using adb shell with root privilege. It seems very complex!

I'm seeing that the route I expect has been added to the routing table named "tun0".

#ip route list table tun0
10.55.0.0/16 dev tun0 proto static scope link 
10.55.8.1 dev tun0 proto static scope link 
10.55.8.8/30 dev tun0 proto static scope link

This suggests to me that the VPN API is correctly adding the route to the right table but something else is wrong.

It seems that the port 993 TCP packets from my mail client aren't reaching one of the routing rules with "lookup tun0" as an action. I tested this by manually adding the route to the table named "local".

#ip route add 10.55.1.0/24 dev tun0 table local

With this in place the mail client can now connect to the mail server and fetch mail.

So, it looks like the rules are sending my imap packets to the wrong routing table. It's looking more like a bug in the VPN API... More study needed.

hfc123 commented Apr 9, 2024

Hello, how did you fix it? I have the same questions. When I do this, ip route add 10.55.1.0/24 dev tun0 table local, I receive the SIP voice by SDP protocol.

maber01 (Author) commented Apr 9, 2024

@hfc123 I haven't fixed it. I'm still working on it. By the way, there's no point in you copying the command:

ip route add 10.55.1.0/24 dev tun0 table local

  1. Because that was a step in researching the issue - NOT a workable solution.
  2. It refers to my subnet which won't be the same as yours.

schwabe (Owner) commented Apr 9, 2024

Can you please provide a client logfile?

You also need to look at ip rule, iptables and so on for VPN routing under Android. It uses fwmark and policy routing.

maber01 (Author) commented Apr 9, 2024

Thanks for offering to look at the log files. However, after studying the verbose log myself I do seem to have solved the issue. It was pilot error!

In the "Allowed Apps" section of the profile I had used the "VPN is used for all apps..." option. However, I had also left the "Allow apps to bypass the VPN" selected. This was because I misunderstood what that option was for - I thought that if not selected it would force all traffic over the tun0 interface which for me is undesirable.

In reality (please confirm) it gives apps that are allowed to use the VPN the option to not use it.

So, it seems that the app Jami chooses to route traffic over the VPN without being forced, but the apps K-9 mail and Vernet choose not to route traffic over the VPN if given the chance. It is just coincidence that one app is using UDP and the others TCP. How does an Android app choose to (not) use the VPN when opening a socket?

Thanks for all your work to maintain the app and field support requests.

schwabe (Owner) commented Apr 9, 2024

The apps themselves have to request that. See https://developer.android.com/reference/android/net/VpnService.Builder#allowBypass() for a bit more details.
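The two mechanisms named in this thread, fwmark-based policy routing (the "ip rule" comment above) and the allowBypass() option (this comment), can be seen together by simulating how a packet walks the rule list. The script below is an added example; it is not code from ics-openvpn or from anyone in this issue. Its rule lines, routing tables, priorities, uid ranges and network ids are constructed to resemble Android's `ip rule` / `ip route list table X` output, and the fwmark bit layout (bit 16 = socket explicitly bound to a network, bit 17 = protected socket) is an assumption for illustration. It shows why a socket that an app has explicitly bound to the cellular network leaves via rmnet_data3 when the VPN is bypassable, but via tun0 when it is not, and why traffic outside the pushed 10.55.0.0/16 route falls through to the cellular table either way.

```python
"""Simulate Android-style policy routing for one packet.

Added example (not from the ics-openvpn project or this issue). All rule and
route lines are CONSTRUCTED; fwmark bit meanings are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed fwmark layout: low 16 bits = network id, bit 16 = the socket was
# explicitly bound to a network, bit 17 = protected (VPN-exempt) socket.
EXPLICIT = 0x10000
PROTECTED = 0x20000

# Constructed rules for a bypassable VPN (VpnService.Builder.allowBypass()).
# The VPN rule at 13000 applies to every uid in range UNLESS the packet's
# socket was explicitly bound to a network (EXPLICIT bit set).
RULES_BYPASSABLE = """\
10500:  from all iif lo oif tun0 uidrange 0-0 lookup tun0
13000:  from all fwmark 0x0/0x10000 uidrange 0-99999 lookup tun0
16000:  from all fwmark 0x10064/0x1ffff lookup rmnet_data3
16000:  from all fwmark 0x10066/0x1ffff lookup tun0
19000:  from all fwmark 0x64/0xffff lookup rmnet_data3
32000:  from all unreachable
"""
# A non-bypassable ("secure") VPN differs only in the mask: the VPN rule then
# skips only PROTECTED sockets, so an explicit network choice no longer helps.
RULES_SECURE = RULES_BYPASSABLE.replace("fwmark 0x0/0x10000", "fwmark 0x0/0x20000")

# Constructed routing tables, modelled on the tun0 table quoted in the issue
# (only the pushed 10.55.0.0/16 route, no default route via the VPN).
TABLES = {
    "tun0": ["10.55.0.0/16 dev tun0", "10.55.8.1/32 dev tun0", "10.55.8.8/30 dev tun0"],
    "rmnet_data3": ["0.0.0.0/0 dev rmnet_data3", "10.91.26.0/24 dev rmnet_data3"],
}

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from all"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-f]+)/(?P<mask>0x[0-9a-f]+))?"
    r"(?:\s+iif\s+(?P<iif>\S+))?(?:\s+oif\s+(?P<oif>\S+))?"
    r"(?:\s+uidrange\s+(?P<uid_lo>\d+)-(?P<uid_hi>\d+))?"
    r"\s+(?:lookup\s+(?P<table>\S+)|(?P<action>unreachable))$"
)


@dataclass
class Packet:
    dst: str
    uid: int
    fwmark: int
    iif: str = "lo"          # locally generated traffic
    oif: Optional[str] = None


def lookup_table(name: str, dst: str) -> Optional[str]:
    """Longest-prefix match in one routing table; returns the output device."""
    addr = ipaddress.ip_address(dst)
    best = None
    for line in TABLES.get(name, []):
        prefix, dev = line.split(" dev ")
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules_text: str, pkt: Packet) -> Tuple[Optional[int], Optional[str]]:
    """Walk rules by priority; return (matching rule priority, output device)."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        assert m, f"unparsed rule: {line}"
        g = m.groupdict()
        if g["mark"] and (pkt.fwmark & int(g["mask"], 16)) != int(g["mark"], 16):
            continue
        if g["iif"] and pkt.iif != g["iif"]:
            continue
        if g["oif"] and pkt.oif != g["oif"]:
            continue
        if g["uid_lo"] and not int(g["uid_lo"]) <= pkt.uid <= int(g["uid_hi"]):
            continue
        if g["action"] == "unreachable":
            return int(g["prio"]), None
        dev = lookup_table(g["table"], pkt.dst)
        if dev:
            return int(g["prio"]), dev
        # no route for dst in that table: fall through to the next rule
    return None, None


if __name__ == "__main__":
    # Constructed packets: an unbound socket (fwmark = cellular netId 0x64 only)
    # and a socket the app explicitly bound to the cellular network.
    unbound = Packet(dst="10.55.1.3", uid=10250, fwmark=0x64)
    bound_cell = Packet(dst="10.55.1.1", uid=10123, fwmark=EXPLICIT | 0x64)
    print("unbound, bypassable VPN:   ", route(RULES_BYPASSABLE, unbound))
    print("bound to cell, bypassable: ", route(RULES_BYPASSABLE, bound_cell))
    print("bound to cell, secure VPN: ", route(RULES_SECURE, bound_cell))
    print("unbound, outside pushed net:", route(RULES_BYPASSABLE, Packet("8.8.8.8", 10250, 0x64)))
```

On a real device the equivalent check is to read `ip rule` and `ip route list table <name>` with the VPN up, then compare the fwmark mask on the VPN rule between a profile with "Allow apps to bypass the VPN" enabled and one without; the simulation only reproduces the rule-walking logic, not the kernel's behaviour.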

maber01 (Author) commented Apr 9, 2024

Thanks again.
