Issue #2227

Integrate always-on VPN functionality on Android

Added by Noel Kuntze over 2 years ago. Updated 12 months ago.

Status: Closed
Priority: Normal
Category: android
Affected version:
Resolution: Fixed

Description

I've had several instances where the strongSwan Android app was terminated when it had an established tunnel.
That's quite bad, because the network I was in was not trustworthy. I'd like to see the integration of always-on VPN
in the Android app for that reason.


Related issues

Related to Feature #2179: Always-on support in Android Nougat (Closed, 2016-12-01)

History

#1 Updated by Tobias Brunner over 2 years ago

  • Tracker changed from Feature to Issue
  • Status changed from New to Feedback

I've had several instances where the strongSwan Android app was terminated when it had an established tunnel.

Terminated how? If there was a crash, check logcat for potential reasons. Otherwise, check the app's log for possible problems, e.g. during a rekeying/reauthentication.

I'd like to see the integration of always-on VPN
in the Android app for that reason.

That would not help at all as the only thing this does is starting the app (or rather binding the VpnService instance) when the system boots and persisting the permission the user granted. It does not change anything regarding the TUN devices or what happens if the app crashes or the connection is disconnected for other serious reasons.

#2 Updated by Tobias Brunner over 2 years ago

  • Related to Feature #2179: Always-on support in Android Nougat added

#3 Updated by Noel Kuntze over 2 years ago

Tobias Brunner wrote:

I've had several instances where the strongSwan Android app was terminated when it had an established tunnel.

Terminated how? If there was a crash, check logcat for potential reasons. Otherwise, check the app's log for possible problems, e.g. during a rekeying/reauthentication.

If I remember correctly, the logs of the application indicated that it was terminated normally. The IKE_SA and the CHILD_SA were deleted by the app.
I don't have logcat logs from that time and acquiring them now is also very difficult, because I have a very recent Android version, which is locked down. I don't have real developer access, as far as I know.

I'd like to see the integration of always-on VPN
in the Android app for that reason.

That would not help at all as the only thing this does is starting the app (or rather binding the VpnService instance) when the system boots and persisting the permission the user granted. It does not change anything regarding the TUN devices or what happens if the app crashes or the connection is disconnected for other serious reasons.

Okay, so that would not change anything, I guess. Can something be done about making sure that the VPN is established when an application tries to communicate with the Internet?

#4 Updated by Tobias Brunner over 2 years ago

I've had several instances where the strongSwan Android app was terminated when it had an established tunnel.

Terminated how? If there was a crash, check logcat for potential reasons. Otherwise, check the app's log for possible problems, e.g. during a rekeying/reauthentication.

If I remember correctly, the logs of the application indicated that it was terminated normally. The IKE_SA and the CHILD_SA were deleted by the app.

That should only happen if the user explicitly disconnects the connection. The app otherwise has no reason to terminate the SAs (unless something serious occurs, I guess, like a rekeying failure). You should check the logs should it happen again.

I don't have logcat logs from that time and acquiring them now is also very difficult, because I have a very recent Android version, which is locked down. I don't have real developer access, as far as I know.

Try with adb logcat from the SDK (not sure if you have to enable the developer settings for this to work, tap 7 times on the Android build number in the settings to do so).

Can something be done about making sure that the VPN is established when an application tries to communicate with the Internet?

Not really (unless you have a rooted phone, I guess, with full access to iptables). But once we do add support for the always-on VPN functionality we'd probably have to change some things regarding the TUN devices anyway. So we could maybe keep one around constantly to make sure no traffic leaves even when no connection is established.

But as I mentioned, once connected that should already be the case. That is, the connection should stay up (i.e. get reestablished) until manually disconnected (while a TUN device is always around). So, again, please try to get the logs next time this happens.

#5 Updated by Tobias Brunner 12 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed
