Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wi-Fi calling issue with AdGuard (and other VPNs) and its solution #2550

Closed
ameshkov opened this issue Feb 14, 2019 · 3 comments
Closed

Wi-Fi calling issue with AdGuard (and other VPNs) and its solution #2550

ameshkov opened this issue Feb 14, 2019 · 3 comments
Assignees
Milestone

Comments

@ameshkov
Copy link
Member

@ameshkov ameshkov commented Feb 14, 2019

To the moment, we'd had multiple complaints on Wi-Fi calling being incompatible with AdGuard. In this issue, I'll explain what's going on and how we can solve this.

How it works

Any Wi-Fi network is considered untrusted (compared to the provider's own network) so in order to transfer voice data, your phone must establish a secure encrypted tunnel with the provider's server called ePDG [1].

image

The tunnel is encrypted and uses IPSec so basically this is another VPN. ePDG server discovery is simple: all ePDG server names look like epdg.epc.mnc%MNC%.mcc%MCC%.pub.3gppnetwork.org where %MNC% is your provider's Mobile Network Code, and %MCC% is its Mobile Country Code. You can find these values of your provider here: http://www.mcc-mnc.com/. Both values are padded with zeros to the length of 3.

Why is there a problem with AdGuard (or other VPNs)

Android cannot establish a tunnel with the ePDG when this connection is routed through a VPN. Presumably, it happens due to a bug in the Android's IPSec client, and we should file a bug report about it. It shows connections as 0.0.0.0->ePDG IP instead of something like 192.168.11.x->ePDG IP (the socket is not bound to a proper local interface), and that's why it can send data to the tunnel, but it cannot receive it.

Example of a temporary solution (manual)

You can figure what your ePDG server is and exclude it from the VPN. In this case, the tunnel connection won't be routed through a VPN, and you won't run into this issue.

In some cases (see #2432) it is not enough to exclude ePDG, and it's necessary to exclude the IPv6 range as well. I don't know why yet.

For instance, for Vodafone UK, MCC is 234, and MNC is either 15 or 91. Knowing this we can figure what IP addresses do ePDG servers have.

We should simply lookup these two domains: epdg.epc.mnc015.mcc234.pub.3gppnetwork.org and epdg.epc.mnc091.mcc234.pub.3gppnetwork.org. Only the first one of them resolves, and the IP addresses are 88.82.11.221 and 88.82.11.208.

Once you have these addresses, do the following:

  1. Open AdGuard -> Go to Settings -> Advanced -> Low-level
  2. Find pref.ipv4.routes.excluded and tap on it
  3. Add two new lines there:
    88.82.11.221/32
    88.82.11.208/32
    
  4. ePDG tunnel should now be okay, and Wi-Fi calling should work

AdGuard solution

This section is for devs.

We are yet to figure how to discover the current operator's ePDG server automatically. Once we know it, we can simply add it's IP addresses to the excluded routes. The problem here is that I don't want us to ask for Telephony permission, that'd be too much for such a simple thing.

Another possible solution would be to exclude the UID that establishes the ePDG tunnel. It seems that it's done by /system/bin/eris (uid=1000).

Android bug

I've filed a bug report to Android devs:
https://issuetracker.google.com/issues/124415915

@Lurchus

This comment has been minimized.

Copy link

@Lurchus Lurchus commented Feb 14, 2019

Thanks ameshkov,

Working with zzebrum I also added the exclusion:

88.82.11.0/24

And that was the first time I was able to get WiFi calling working on Vodafone UK without having to flick in to flight mode and disable AG for a moment to get connected.

Should I leave that in the exceptions along with the 2 other you mention to add:

88.82.11.221/32
88.82.11.208/32

Thanks.

@ameshkov ameshkov modified the milestones: 3.1, 3.0 Feb 14, 2019
@ameshkov

This comment has been minimized.

Copy link
Member Author

@ameshkov ameshkov commented Feb 14, 2019

@Lurchus 88.82.11.0/24 would do, it is a little bit wider and includes all IP addresses between 88.82.11.0 and 88.82.11.255. This is okay, though.

@sahlouls

This comment has been minimized.

Copy link

@sahlouls sahlouls commented Jun 19, 2019

Hi @ameshkov,

Help wanted.

I wish to enable voWIFI on my Oneplus device (voLTE already working). The issue is that this handset is not supported by SFR (France carrier).

From differnt issues, the IPv4 and IPv6 addresses for SFR VPN servers are publicly known:

  • IPv4: 92.90.28.1/24
  • IPV6: 2a02:8400::/25

But how to configure my device in the 1st place to add/configure VPN access and enable voWIFI (later I will whiteliste then in the Android app)

Many thanks,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.