Bug #2420

Android client split-tunnelling does not work on some devices

Added by Ivan Churkin 12 months ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Category:
android
Target version:
Start date:
Due date:
Estimated time:
Affected version:
5.6.0
Resolution:
Fixed

Description

Android client versions 1.9.2 and 1.9.3 affected

Phone: Xiaomi Mi 4i (ferrari)
MIUI: 8.1.7.0 Stable
SDK: 5.0.2

IKE_v2, certificate authentication

1) Excluding any network by mask like 192.168.0.0/24 causes VPN start failure

...
[IKE] installing DNS server 8.8.8.8
[IKE] installing DNS server 8.8.4.4
[IKE] installing new virtual IP 10.127.0.148
[IKE] CHILD_SA android{2} established with SPIs b5e9b9df_i c9c735e0_o and TS 10.127.0.148/32 === 0.0.0.0/0
[DMN] setting up TUN device for CHILD_SA android{2}
[LIB] builder: failed to build TUN device
[DMN] failed to setup TUN device

2) Per-app VPN does not work - all traffic routed to VPN
(Nothing interesting in the log)

[IKE] installing DNS server 8.8.8.8
[IKE] installing DNS server 8.8.4.4
[IKE] installing new virtual IP 10.127.0.165
[IKE] CHILD_SA android{5} established with SPIs 49a5a4e6_i c0210e5f_o and TS 10.127.0.165/32 === 0.0.0.0/0
[DMN] setting up TUN device for CHILD_SA android{5}
[DMN] successfully created TUN device
[IKE] received AUTH_LIFETIME of 10165s, scheduling reauthentication in 9565s
[IKE] peer supports MOBIKE

Associated revisions

Revision 66b7a088 (diff)
Added by Tobias Brunner 11 months ago

android: Ignore IllegalArgumentException for multicast addresses

Some Android versions seem to reject routes that use multicast addresses.

Fixes #2420.

History

#1 Updated by Tobias Brunner 12 months ago

  • Status changed from New to Feedback

What do you expect us to do about this? Or is this just an informative posting for other users of these defective devices/systems?

#2 Updated by Ivan Churkin 12 months ago

Mainly of course it's just information that it happens sometimes. I'm sure that it's not the only device with the problem and it's not easy for the user to realise why the VPN is not working.
Probably it's possible to detect somehow that the VPN cannot be split on the device and to disable the UI.

#3 Updated by Tobias Brunner 12 months ago

Probably it's possible to detect somehow that the VPN cannot be split on the device and to disable the UI.

I don't think so.

In the first case a possible reason for the failure is that you'll end up with lots of routes via TUN device, which might be a problem for some systems (one for every subnet except the excluded one, i.e. in your example routes to these 24 subnets: 0.0.0.0/1,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.168.1.0/24,192.168.2.0/23,192.168.4.0/22,192.168.8.0/21,192.168.16.0/20,192.168.32.0/19,192.168.64.0/18,192.168.128.0/17,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3). We can't know that beforehand and there is also no feedback other than what you see in the log (i.e. the creation of the TUN device failed, we don't get any feedback why - there might be additional errors logged in the system log, though, which you can access via adb logcat).

In the second case we really have no indication that anything is wrong. The addAllowedApplication/addDisallowedApplication methods on VpnService.Builder are available since Android 5/API level 21 and they don't provide any feedback. And here the installation of the TUN device apparently does not fail. So there really is no way to detect that anything is wrong.

#4 Updated by Ivan Churkin 12 months ago

There is an error in the system log if a subnet is excluded.

I/charon  ( 6722): 16[DMN] setting up TUN device for CHILD_SA android{7}
W/System.err( 6722): java.lang.IllegalArgumentException: Bad LinkAddress params /224.0.0.0/3
W/System.err( 6722):     at android.net.LinkAddress.init(LinkAddress.java:104)
W/System.err( 6722):     at android.net.LinkAddress.<init>(LinkAddress.java:124)
W/System.err( 6722):     at android.net.LinkAddress.<init>(LinkAddress.java:135)
W/System.err( 6722):     at android.net.VpnService$Builder.addRoute(VpnService.java:436)
W/System.err( 6722):     at org.strongswan.android.logic.CharonVpnService$BuilderCache.applyData(CharonVpnService.java:937)
W/System.err( 6722):     at org.strongswan.android.logic.CharonVpnService$BuilderAdapter.establish(CharonVpnService.java:770)
I/charon  ( 6722): 16[LIB] builder: failed to build TUN device

#5 Updated by Tobias Brunner 11 months ago

There is an error in the system log if a subnet is excluded.

Thanks. Looks like it doesn't like that 224.0.0.0 is a multicast address. I guess we can catch that exception for this particular case. I did so in the 2420-android-multicast branch. It's interesting that this apparently was changed with newer Android versions (at least with Android 7.1.1 I can't reproduce it).
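As an added illustration of the route expansion described in comment #3 and the multicast handling described in comment #5 (this is not code from strongSwan or from this thread): exclude_routes computes the subnets that cover 0.0.0.0/0 minus 192.168.0.0/24, and apply_routes tolerates a rejected route only when its prefix is multicast. StrictRouteBuilder is a constructed stand-in for the Android 5 VpnService.Builder behaviour seen in the logcat trace, not the real API.

```python
import ipaddress
import logging

log = logging.getLogger("tun-builder")


def exclude_routes(full, excluded):
    """Subnets that cover `full` minus `excluded`: the routes a split tunnel installs
    instead of a single default route."""
    full_net = ipaddress.ip_network(full)
    excluded_net = ipaddress.ip_network(excluded)
    return sorted(full_net.address_exclude(excluded_net))


class StrictRouteBuilder:
    """Constructed stand-in for an Android 5 VpnService.Builder whose addRoute()
    throws IllegalArgumentException for a multicast prefix such as 224.0.0.0/3."""

    def __init__(self):
        self.routes = []

    def add_route(self, net):
        if net.network_address.is_multicast:
            # Mirrors the "Bad LinkAddress params /224.0.0.0/3" failure from the trace.
            raise ValueError(f"Bad LinkAddress params /{net}")
        self.routes.append(net)


def apply_routes(builder, routes):
    """Install routes the way the fix in revision 66b7a088 is described: a rejected
    multicast route is logged and skipped so the TUN device can still be built;
    any other rejection propagates, because addRoute is not expected to fail
    for ordinary prefixes and silently hiding that would mask real bugs."""
    skipped = []
    for net in routes:
        try:
            builder.add_route(net)
        except ValueError:
            if not net.network_address.is_multicast:
                raise
            log.warning("ignoring rejected multicast route %s", net)
            skipped.append(net)
    return skipped
```

Running exclude_routes on the example from comment #3 yields the 24 subnets listed there, and only the last of them (224.0.0.0/3) is dropped by apply_routes.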

#6 Updated by Ivan Churkin 11 months ago

Yep, I don't have any problems with my Xiaomi Mi4 with MIUI built on Android 6.0.1.
Maybe it's better to expect that any call to VpnService$Builder.addRoute may fail.

#7 Updated by Tobias Brunner 11 months ago

Maybe it's better to expect that any call to VpnService$Builder.addRoute may fail.

It should not fail, so I'd rather know if it does for some reason.

#8 Updated by Tobias Brunner 11 months ago

  • Tracker changed from Issue to Bug
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.6.1
  • Resolution set to Fixed
