-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FR: Split tunneling on Android #6912
Comments
I don't think this will work directly since both ios and android allow only one vpn to be active at a time. There are only two ways I can think of for this to be done.
|
I'm not asking for supporting running two VPNs at once. I'm saying there's a feature that Mullvad VPN on Android has that should be added to Tailscale VPN also. |
Yeah, that would make sense as a feature, I think. Thanks for the suggestion! |
One guy started working on this feature, but no updates since the end of summer tailscale/tailscale-android#56 |
The lack of this feature breaks Android Auto. I.e. if I have Tailscale enabled, Android Auto won't be able to connect to the network until I disable VPN. "Most other" VPN clients have support for split tunneling on Android precisely for this reason. |
I ran into this while crafting an Automate flow to trigger Wake-on-LAN. The packet fails to send with:
I am able to split-tunnel the Automate app through e.g. Mullvad and it sends the packet properly, but the only mechanism for Tailscale is currently hardcoded (like Android Auto), which isn't necessarily a viable method for tasking apps like Automate or Tasker because one may want tasks to go through the VPN depending on workflow. It's worth noting that the above occurs even without an active exit node. This is also relevant for apps such as Netflix that explicitly block data center IPs, though this is only applicable for an exit node with a blocked IP. I can take a look at that PR to see what needs to be done to make that process interactive, but any direction would be greatly appreciated. Also @Ged-fi, the issue with Android Auto should have been solved with v1.30.0. #3828 may need to be reopened if that's not the case. |
@myned I am on 1.36.1, experiencing issues with Android Auto just in the last week. I will try to reproduce the issue. It may be a local device problem, as often with Android - but perhaps worth checking that there isn't a feature regression somewhere? |
I wasn't able to reproduce the problem with Android Auto using the latest master (v1.37.0-dev20230306) and the Android Studio desktop head unit. Internet access functions correctly on the device. |
@myned I can confirm that this works under most conditions, but seems to occasionally break when networks change. I have not been able to reliably reproduce what might be triggering the error condition, and it may also be device-specific. My initial hunch is that the device switching between WIFI, 3G and LTE seems to sometimes cause DNS resolution to not work as expected. However, troubleshooting this with only a standard handset is challenging at best. I will update the ticket if I somehow manage to identify a way to reliably reproduce what I am seeing. |
I could see what you're experiencing being related to #915, in that case. It may also be #5783. Setting a DNS override in the admin console for Tailscale is the workaround for that. Regardless, this is perhaps a bit off-topic for this issue with split tunneling. |
I keep running into the same problem. If I have tailscale enabled on my Android phone I currently need to turn this off whenever I am in my car for apps that want to communicate with the car over the built in Wifi (Android auto itself works fine finally) and when using payment app in stores (no.coop.members). We really need to be able to specify apps that are excluded instead of having to create bug reports to get them added to the hardcoded exclude list like Android Auto. |
Similarly to the Android Auto issue, the Google Home app lists all devices as offline while I am connected to TS. Disabling TS and all apps come back online again. This only happens when I have the TS VPN connection set to block all non-VPN connections. So, again, a per-app whitelist allowing certain apps like Android Auto and Google Home would be greatly beneficial to TS Android users. |
How is the development progress of this feature? I feel that this feature is very necessary. Why has there been no corresponding progress for such a long time? Have there been any issues encountered? |
Yeah hopefully we can see this feature get added at some point. |
Looking into this. |
Updates tailscale/tailscale#6912 Adds UI and models that provide the ability to add/remove apps which should be excluded from going through the VPN tunnel. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds UI and models that provide the ability to add/remove apps which should be excluded from going through the VPN tunnel. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds UI and models that provide the ability to add/remove apps which should be excluded from going through the VPN tunnel. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds UI and models that provide the ability to add/remove apps which should be excluded from going through the VPN tunnel. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds UI and models that provide the ability to add/remove apps which should be excluded from going through the VPN tunnel. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds UI and models that provide the ability to add/remove apps which should be excluded from going through the VPN tunnel. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds two new Android-only MDM policies: IncludedPackageNames and ExcludedPackageNames. These are comma-separated string values that contain Android package names to configure app-based split tunneling programmatically. If ExcludedPackageNames is non-empty, Tailscale will exclude the given apps from the VPN tunnel. If IncludedPackageNames is non-empty, Tailscale will configure the VPN tunnel to only route the given apps via Tailscale. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds two new Android-only MDM policies: IncludedPackageNames and ExcludedPackageNames. These are comma-separated string values that contain Android package names to configure app-based split tunneling programmatically. If ExcludedPackageNames is non-empty, Tailscale will exclude the given apps from the VPN tunnel. If IncludedPackageNames is non-empty, Tailscale will configure the VPN tunnel to only route the given apps via Tailscale. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds two new Android-only MDM policies: IncludedPackageNames and ExcludedPackageNames. These are comma-separated string values that contain Android package names to configure app-based split tunneling programmatically. If ExcludedPackageNames is non-empty, Tailscale will exclude the given apps from the VPN tunnel. If IncludedPackageNames is non-empty, Tailscale will configure the VPN tunnel to only route the given apps via Tailscale. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Updates tailscale/tailscale#6912 Adds two new Android-only MDM policies: IncludedPackageNames and ExcludedPackageNames. These are comma-separated string values that contain Android package names to configure app-based split tunneling programmatically. If ExcludedPackageNames is non-empty, Tailscale will exclude the given apps from the VPN tunnel. If IncludedPackageNames is non-empty, Tailscale will configure the VPN tunnel to only route the given apps via Tailscale. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
I have installed the git version of the app and much appreciate this work. I would like to additionally request the option to reverse the logic around app selection to support "included apps" as opposed to excluded apps. For my use case I would like to select a few banking apps to route over the VPN, but allow all other apps to use the standard network. |
Shipped in v1.70! 🎉 Details and instructions at https://tailscale.com/kb/1444/android-app-split-tunneling |
Great to have this, would also love to see this on Linux too. |
@agottardo this still isn't working for me. On connection to Android Auto, I still get the same "please disconnect from VPN" message. I've confirmed that split tunneling is enabled and Android Auto is on the exclude list. Tailscale version 1.70.0-td601f16e1-g6deb61a20e5 |
Please open a new issue detailing which application is failing to work. This issue has been closed and should not be used anymore. |
What are you trying to do?
Currently I use Mullvad VPN and it allows me to use the split tunneling feature to exclude multiple apps from being routed via the VPN. When I instead use Tailscale + the exit node feature to replicate Mullvad functionality I don't see any way I can exclude specific apps from being routed via the VPN.
How should we solve this?
Implement split tunneling like Mullvad.
What is the impact of not solving this?
Still using Mullvad VPN instead.
Anything else?
No response
The text was updated successfully, but these errors were encountered: