VPN kill switch breaks cellular data #744

Closed
daradib opened this Issue Sep 23, 2017 · 4 comments

daradib commented Sep 23, 2017

Steps to reproduce:

  1. Enable the VPN kill switch - "Block connections without VPN".
  2. Turn off Wi-Fi.
  3. Mobile data does not work and icon has the x.

Wi-Fi and VPN work fine both with/without the VPN kill switch. Mobile data and VPN only work without the VPN kill switch.

I've tried changing APN settings from IPv4/IPv6 to IPv4 only. Network type is "LTE (recommended)" but I've tried "LTE only" (which would break voice for me, no VoLTE) and "3G". I tried enabling/disabling "Mobile data always active" in Developer options (switched to on when I upgraded to Oreo, is that related to absence of CNEService or upstream change?).

If I use the *#*#4636#*#* secret code, I see:

Voice Service: In Service
Data Service: Connected

but ping test returns "Unknown". If I change the APN name to something wrong, Data Service changes to Disconnected.

My environment:

  • Nexus 6P H1511
  • Latest CopperheadOS build: OPR6.170623.017.2017.09.19.22
  • Latest OpenVPN app: 0.6.73 (F-Droid)
  • Carrier is an AT&T MVNO - same APN settings as AT&T except APN name is different
  • LTE and 3G (UMTS/HSPA) coverage

I don't see any related bugs filed in the Android tracker.

I can get adb logs or test stock with a friend's phone if you have trouble reproducing.

Contributor

thestinger commented Sep 23, 2017

Please test on stock with the same SIM card if you can.

Contributor

thestinger commented Sep 25, 2017

I think it's supposed to work this way if the VPN doesn't know how to set up a connection over both. If you want to use mobile data you can disable WiFi.

> I tried enabling/disabling "Mobile data always active" in Developer options (switched to on when I upgraded to Oreo, is that related to absence of CNEService or upstream change?).

Not related to CNEService.

@thestinger thestinger closed this Sep 25, 2017

daradib commented Sep 26, 2017

With Wi-Fi disabled, it still won't work, e.g., when switching from airplane mode or no cell signal. I have no problems if I enable the kill switch when mobile data is already working.

But same issue on stock, so it's not a Copperhead issue. Probably upstream or OpenVPN client. I'll look into it some more soon.

daradib commented Sep 26, 2017

The VPN kill switch prevents Android from adding a default route to the mobile carrier gateway, but not my wifi router.

Excerpt from adb logs - the routing table permission error only shows up when using mobile data with the kill switch:

D ConnectivityService: NetworkAgentInfo [MOBILE (LTE) - 111] EVENT_NETWORK_INFO_CHANGED, going from null to CONNECTED
D ConnectivityService: Adding iface rmnet_data0 to network 111
E Netd    : Error adding route 0.0.0.0/0 -> 10.[redacted] rmnet_data0 to table 1006: Permission denied
E ConnectivityService: Exception in addRoute for gateway: java.lang.IllegalStateException: command '263 network route add 111 rmnet_data0 0.0.0.0/0 10.[redacted]' failed with '400 263 addRoute() failed (Permission denied)'
[connectivitycheck fails]

$ ip route show table 1006 # on mobile, with kill switch
[empty]

$ ip route show table 1006 # on mobile, without kill switch
default via 10.[redacted] dev rmnet_data0  proto static

$ ip route show table 1005 # on wifi, with or without kill switch
default via [redacted] dev wlan0  proto static
[redacted] dev wlan0  proto static  scope link

Good news, looks like we have a fix upstream!

Upstream diff: 463837
Upstream bug: 63662962 (access to view bug is unfortunately restricted)

Now if only Google could make their bugs public.
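
The failure signature in the log excerpt above can be picked out of a longer capture mechanically. The following is an added example, not part of the original thread or of any project mentioned in it: the function name `find_route_failures` is hypothetical, and the regular expressions are derived only from the log lines quoted in the comment, not from a netd format specification.

```python
import re

# Log lines copied from the excerpt above (gateway left redacted as posted),
# plus one constructed Wi-Fi line to show that unaffected networks are skipped.
SAMPLE_LOG = """\
D ConnectivityService: NetworkAgentInfo [MOBILE (LTE) - 111] EVENT_NETWORK_INFO_CHANGED, going from null to CONNECTED
D ConnectivityService: Adding iface rmnet_data0 to network 111
E Netd    : Error adding route 0.0.0.0/0 -> 10.[redacted] rmnet_data0 to table 1006: Permission denied
E ConnectivityService: Exception in addRoute for gateway: java.lang.IllegalStateException: command '263 network route add 111 rmnet_data0 0.0.0.0/0 10.[redacted]' failed with '400 263 addRoute() failed (Permission denied)'
D ConnectivityService: Adding iface wlan0 to network 110
"""

NET_RE = re.compile(r"NetworkAgentInfo \[(?P<name>.+?) - (?P<netid>\d+)\]")
IFACE_RE = re.compile(r"Adding iface (?P<iface>\S+) to network (?P<netid>\d+)")
ROUTE_ERR_RE = re.compile(
    r"Netd\s*: Error adding route (?P<dst>\S+) -> (?P<gw>\S+) (?P<iface>\S+) "
    r"to table (?P<table>\d+): (?P<error>.+)$"
)
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def find_route_failures(log_text):
    """Return one dict per failed netd route addition, tied to its network."""
    names = {}      # netId -> transport name, e.g. "MOBILE (LTE)"
    iface_net = {}  # interface -> netId
    failures = []
    for line in log_text.splitlines():
        if m := NET_RE.search(line):
            names[m["netid"]] = m["name"]
        if m := IFACE_RE.search(line):
            iface_net[m["iface"]] = m["netid"]
        if m := ROUTE_ERR_RE.search(line):
            netid = iface_net.get(m["iface"])
            failures.append({
                "network": names.get(netid, "unknown"),
                "netid": netid,
                "iface": m["iface"],
                "table": int(m["table"]),
                "error": m["error"].strip(),
                # Without a default route the network cannot reach off-link hosts.
                "default_route": m["dst"] in DEFAULT_ROUTES,
            })
    return failures


if __name__ == "__main__":
    for failure in find_route_failures(SAMPLE_LOG):
        print(failure)
```

An entry with `default_route` set to true for a mobile interface matches the state shown by the empty `ip route show table 1006` output.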

@Mygod Mygod referenced this issue in shadowsocks/shadowsocks-android Oct 21, 2017

Closed

Network failed with" block connections without VPN" #1413
