Could you add support for VPN service for android? #5

Open
crocket opened this Issue Dec 16, 2013 · 16 comments

crocket commented Dec 16, 2013

People ported openvpn to android as ics-openvpn.
Perhaps, tinc could be ported to android with support for VPN service, too.

With built-in VPN service, I wouldn't have to root my device.

Owner

Vilbrekin commented Jan 30, 2014

Interesting idea indeed. However it would require an important amount of work which I can't deal with right now.
There's also a limitation on Android's VPN interface, which limits it to TUN mode, while I mainly use TAP mode.

msva commented Mar 12, 2014

So, as far as I understand your comments from #6 and here — it is impossible to just give a vpn-group permission for application in android?

Owner

Vilbrekin commented Mar 12, 2014

Indeed, I tried yesterday and the process didn't get access to /dev/tun either.
Looking at the documentation, I don't think this is the purpose of the BIND_VPN_SERVICE permission.

sandymac commented Jun 24, 2014

My untested, unreliable understanding is this:

  • Adding android.permission.BIND_VPN_SERVICE to the app's service gives it access to the vpn group and thus access to /dev/tun http://developer.android.com/reference/android/net/VpnService.html
  • This would not grant root privileges so that ifconfig/route/ip could be executed. There appears to be a Builder interface for this http://developer.android.com/reference/android/net/VpnService.Builder.html Sadly they only include add commands.
  • If tinc_gui were to insert provided stub ifconfig/route/ip commands to the PATH for the tinc-up scripts and these commands communicated back to tinc_gui which add* command to execute you may be able to get a non-root tinc working correctly until a subnet-down was needed.

gujiejie commented Jun 24, 2014

very well thanks

Owner

Vilbrekin commented Jun 24, 2014

@sandymac: thanks for your comments. However as per my testing, the BIND_VPN_SERVICE permission doesn't give the app access to /dev/tun device, which is needed for the standalone daemon to use it.

stv0g commented Jul 6, 2014

Hi,
Probably we can work around tun/tap devices at all.
I think we can use tinc's "DeviceType" option to implement an alternative.
There's already a device type called "uml" which sends/receives IP packets over standard Unix sockets.

TincGui would need to register an Android VPN service via android.net.VpnService and create a Unix socket via android.net.LocalSocket.

Android's VPN service interface provides a file descriptor for sending/receiving IP packets. This file descriptor must then be forwarded to the local Unix socket.

Unfortunately my Java skills are somehow limited to implement this. But I'm willing to put some effort in creating the socket support for tinc.

Cheers,
Steffen

culugyx commented Jan 7, 2017

I have created a patchset for non-root/VpnService use. The repo is at https://github.com/culugyx/tinc_gui

It's not intensively tested/documented and might be unstable, but at least works here, on android M.

culugyx commented Jan 7, 2017

@stv0g I think ics-openvpn has a similar architecture to your idea (sending/receiving file descriptors). Here I avoided fd transferring by linking tinc directly to tinc_gui and using JNI. Passing fds is much easier in a single process.

Owner

Vilbrekin commented Jan 7, 2017

Thanks for sharing. I'm surprised how little Java code is actually required for this change.
Would be nice keeping both possibilities however (root + non root), as I think Android VPN services do not support TAP mode.

culugyx commented Jan 8, 2017

VpnService appears only to support TUN mode (IFF_TUN | IFF_NO_PI):
https://android.googlesource.com/platform/frameworks/base/+/android-6.0.1_r77/services/core/jni/com_android_server_connectivity_Vpn.cpp

If both modes are to be kept, maybe we can use pref_key_super_user to determine which mode to use. A bit more Java code will be necessary (with which I'm not quite familiar). On the JNI side, tinc can be compiled twice as both shared lib and executable with different flags.

Currently, I tried to add a reconnect_on_net_change function, but it still crashes occasionally on network changes.

msva commented Jan 11, 2017

It will definitely be nice to have the possibility to use Mode=switch (tap) without root.
And, unfortunately, I can't see a way for that except like @stv0g said :(

culugyx commented Jan 19, 2017

I've made changes so that both root and non-root mode can co-exist and switch depending on use_super_user.

codemac commented Feb 25, 2017

@culugyx do you have an apk or anything? Would really love this feature!

culugyx commented Feb 27, 2017

@codemac
Hi, I've uploaded an apk to my repository for preview.

https://github.com/culugyx/tinc_gui/wiki
https://github.com/culugyx/tinc_gui/releases (please read the warnings before trying it)

rkeene commented Jun 23, 2017

Is this still "wontfix" ? It would be real handy if it was fixed, even if only supporting mode = route
