Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Could you add support for VPN service for android? #5

Open
crocket opened this issue Dec 16, 2013 · 16 comments
Open

Could you add support for VPN service for android? #5

crocket opened this issue Dec 16, 2013 · 16 comments
Labels
enhancement wontfix

Comments

@crocket
Copy link

crocket commented Dec 16, 2013

People ported openvpn to android as ics-openvpn.
Perhaps, tinc could be ported to android with support for VPN service, too.

With built-in VPN service, I wouldn't have to root my device.
@Vilbrekin
Copy link
Owner

Interesting idea indeed. However it would require an important amount of work which I can't deal with right now.
There's also a limitation on Android's VPN interface, which limit's it to TUN mode, while I mainly use TAP mode.

@Vilbrekin Vilbrekin mentioned this issue Mar 11, 2014
Closed
@msva
Copy link

msva commented Mar 12, 2014

So, as far as I understand your comments from #6 and here — it is impossible to just give a vpn-group permission for application in android?

@Vilbrekin
Copy link
Owner

Indeed, I tried yesterday and the process didn't get access to /dev/tun either.
Looking at the documentation, I don't think this is the purpose of the BIND_VPN_SERVICE permission.

@sandymac
Copy link

My untested, unreliable understanding is this:

  • Adding android.permission.BIND_VPN_SERVICE to the app's service give it's access to the vpn group and thus access to /dev/tun http://developer.android.com/reference/android/net/VpnService.html
  • This would not grant root privileges so that ifconfig/route/ip could be executed. There apears to be a Builder inferface for this http://developer.android.com/reference/android/net/VpnService.Builder.html Sadly they only include add commands.
  • It tinc_gui were to insert provided stub ifconfig/route/ip commands to the PATH for the tinc-up scripts and these commands communicated back to tinc_gui which add* command to execute you may be able to get a non-root tinc working correctly until a subnet-down was needed.

@gujiejie
Copy link

very well thanks

@Vilbrekin
Copy link
Owner

@sandymac: thanks for your comments. However as per my testing, the BIND_VPN_SERVICE permission doesn't give the app access to /dev/tun device, which is needed for the standalone daemon to use it.

@stv0g
Copy link

stv0g commented Jul 6, 2014

Hi,
Probably we can work around tun/tap devices at all.
I think we can use tinc's "DeviceType" option to implement an alternative.
There's already a device type called "uml" which send/receive IP packets over standard Unix sockets.

TincGui would need to register an Android VPN service via android.net.VpnService and create a Unix socket via android.net.LocalSocket.

Androids VPN service interface provides a file descriptor for sending/receiving IP packets. This file descriptor must then be forwarded to the local Unix socket.

Unfortunately my Java skills are somehow limited to implement this. But I' willing to put some effort in creating the socket support for tinc.

Cheers,
Steffen

@Vilbrekin Vilbrekin mentioned this issue Jul 28, 2014
Closed
@ghost
Copy link

ghost commented Jan 7, 2017

I have created a patchset for non-root/VpnService use. The repo is at https://github.com/culugyx/tinc_gui

It's not intensively tested/documented and might be unstable, but at least works here, on android M.

@ghost
Copy link

ghost commented Jan 7, 2017

@stv0g I think ics-openvpn has a similar architecture to your idea (sending/receiving file descriptors). Here I avoided fd transferring by linking tinc directly to tinc_gui and use JNI. Passing fds is much easier in a single process.

@Vilbrekin
Copy link
Owner

Thanks for sharing. I'm surprised how few java code is actually required for this change.
Would be nice keeping both possibilities however (root + non root), as I think Android VPN services do not support TAP mode.

@ghost
Copy link

ghost commented Jan 8, 2017

VpnService appears only to support TUN mode (IFF_TUN | IFF_NO_PI):
https://android.googlesource.com/platform/frameworks/base/+/android-6.0.1_r77/services/core/jni/com_android_server_connectivity_Vpn.cpp

If both modes are to be kept, maybe we can use pref_key_super_user to determine which mode to use. A few more Java code will be necessary (of which I'm not quite familiar). On the JNI side, tinc can be compiled twice as both shared lib and executable with different flags.

Currently, I tried to add reconnect_on_net_change function, but it still crashes occasionally on network changes.

@msva
Copy link

msva commented Jan 11, 2017

It will definitely be nice to have possibility to use Mode=switch (tap) without root.
And, unfortunatelly, I can't see a way for that except like @stv0g said :(

@ghost
Copy link

ghost commented Jan 19, 2017

I've made changes so that both root and non-root mode can co-exist and switch depend on use_super_user.

@codemac
Copy link

codemac commented Feb 25, 2017

@culugyx do you have an apk or anything? Would really love this feature!

@ghost
Copy link

ghost commented Feb 27, 2017

@codemac
Hi, I've uploaded an apk to my repository for preview.

https://github.com/culugyx/tinc_gui/wiki
https://github.com/culugyx/tinc_gui/releases (please read the warnings before trying it)

@rkeene
Copy link

rkeene commented Jun 23, 2017

Is this still "wontfix" ? It would be real handy if it was fixed, even if only supporting mode = route

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement wontfix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@codemac @msva @Vilbrekin @stv0g @crocket @sandymac @rkeene @gujiejie