Problem With Android Configuration
Andrea Squeri
andrea.squeri at gmail.com
Fri Mar 27 15:38:10 CET 2015
I switched to Lollipop 4 months ago and I never had an issue. So in my opinion it is ready for daily use.
Before trying tinc I had my VPN implemented with OpenVPN, and it works great on Lollipop. I switched to tinc because I prefer a mesh VPN topology over a client/server topology.
--
Andrea Squeri
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
On Friday 27 March 2015, at 11:57, Alexander Ypema wrote:
> I think it's more of a routing issue than anything explicitly blocking it; they use a new 'ip rule list' and per-user settings that aren't well documented yet either, but where exactly to point I don't know. I haven't messed with Android 5 much yet; it seems not ready enough yet for daily use, there isn't a single snapshot in the CyanogenMod repos, for example. So maybe it's worth it to just stick with Android 4 for now?
>
> Met vriendelijke groet / Kind regards,
> Alexander Ypema
> On 27 March 2015 at 08:16, Andrea Squeri <andrea.squeri at gmail.com (mailto:andrea.squeri at gmail.com)> wrote:
> > I don't know.. It seems that no one has tried to make tinc work with Lollipop. Even googling I didn't find anything about this topic.
> > Andrea Squeri
> > On 27/Mar/2015 06:55 "Tatsuyuki Ishi" <ishitatsuyuki at gmail.com (mailto:ishitatsuyuki at gmail.com)> wrote:
> >
> > > SELinux is considered the biggest problem.
> > > On Thu, Mar 26, 2015, 22:37 Andrea Squeri <andrea.squeri at gmail.com (mailto:andrea.squeri at gmail.com)> wrote:
> > > > Yes. The problem is Lollipop. I tried to install tinc on my brother's device, which runs CyanogenMod 10.1 (Android 4.2.2), and it works.
> > > > I don't understand what the problem with Lollipop is. Is there a firewall that blocks the packets?
> > > > Andrea Squeri
> > > > If you are running Lollipop / Android 5.x on your Nexus 5, then you are probably seeing the same issue I was with it. Lollipop seems to change networking quite a bit in that it's using iptables and `ip rule list` extensively for per-user settings.
> > > > I think http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/ is relevant if you are running into the same issue; it's confusing quite a lot of folks. I was unable to get tinc-gui (or even tincd manually, tinkering via adb shell) to work, so I've downgraded my S5 to a 4.4.2 ROM. I'm not sure if coming up with a fancy tinc-up is the solution, or someone with the ability to get tinc compatible with the official Android VPN API that a lot of the OpenVPN apps are using now.
> > > > You might be able to draw some inspiration from https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh but I haven't tried it since I've been back on 4.4.2.
> > > >
> > > > On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com (mailto:andrea.squeri at gmail.com)> wrote:
> > > > > Hi, first, sorry for my bad English.
> > > > > I made a VPN with tinc to link my home and my two offices. In addition I want to configure my Android device to link to my VPN.
> > > > > The topology of the network is this:
> > > > >
> > > > > cubox (a Linux machine in my home with VPN address 192.168.0.20)
> > > > > groppalbero (a Linux machine in my second office with VPN address 192.168.0.40)
> > > > > imac (a Mac machine in my first office with VPN address 192.168.0.50)
> > > > > nexus5 (my Android device with VPN address 192.168.0.80)
> > > > >
> > > > > I have configured all machines and now they all work except the Android device.
> > > > > On this I use the "Tinc GUI" app to configure it. When I start the tinc daemon it connects to the configured host and the tun0 interface is created and configured, but I can't ping any host
> > > > > and no host can ping my Android device. The result of ping IS NOT a "network unavailable" response. In fact it just blocks, and from the Tinc GUI log I can see that the packets are received by my Android device.
> > > > > I suspect it may be a routing problem but I can't understand what the problem is.
> > > > >
> > > > > For information, I paste the configuration from cubox and the Android device:
> > > > >
> > > > > CUBOX :
> > > > > --------------------------------------------------------------------------------------------------------
> > > > > [andre at cubox vpnalma]$ cat tinc.conf
> > > > > # Sample tinc configuration file
> > > > >
> > > > > # This is a comment.
> > > > > # Spaces and tabs are eliminated.
> > > > > # The = sign isn't strictly necessary any longer, though you may want
> > > > > # to leave it in as it improves readability :)
> > > > > # Variable names are treated case insensitive.
> > > > >
> > > > > # The name of this tinc host. Required.
> > > > > Name = cubox
> > > > >
> > > > > # The internet host to connect with.
> > > > > # Comment these out to make yourself a listen-only connection
> > > > > # You must use the name of another tinc host.
> > > > > # May be used multiple times for redundance.
> > > > > #ConnectTo = vaio
> > > > > #ConnectTo = groppalbero
> > > > > #ConnectTo = imac
> > > > > #ConnectTo = servermarcy
> > > > >
> > > > > # The tap device tinc will use.
> > > > > # Default is /dev/tap0 for ethertap or FreeBSD,
> > > > > # /dev/tun0 for Solaris and OpenBSD,
> > > > > # and /dev/net/tun for Linux tun/tap device.
> > > > > Device = /dev/net/tun
> > > > > [andre at cubox vpnalma]$ cat tinc-up
> > > > > #!/bin/sh
> > > > > # This file sets up the tap device.
> > > > > # It gives you the freedom to do anything you want with it.
> > > > > # Use the correct name for the tap device:
> > > > > # The environment variable $INTERFACE is set to the right name
> > > > > # on most platforms, but if it doesn't work try to set it manually.
> > > > >
> > > > > # Give it the right ip and netmask. Remember, the subnet of the
> > > > > # tap device must be larger than that of the individual Subnets
> > > > > # as defined in the host configuration file!
> > > > > ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
> > > > > #ip link set $INTERFACE up
> > > > > #ip addr add 192.168.0.20/32 dev $INTERFACE
> > > > > #ip route add 192.168.0.0/24 dev $INTERFACE
> > > > > [andre at cubox vpnalma]$ cat hosts/cubox
> > > > > # Sample host configuration file
> > > > > # This file was generated by host beta.
> > > > >
> > > > > # The real IP address of this tinc host. Can be used by other tinc hosts.
> > > > > Address = 10.0.0.7
> > > > > Address = almaliberty.duckdns.org
> > > > > # Portnumber for incoming connections. Default is 655.
> > > > > Port = 655
> > > > >
> > > > > # Subnet on the virtual private network that is local for this host.
> > > > > Subnet = 192.168.0.20/32
> > > > > --------------------------------------------------------------------------------------------------------
> > > > > The network is configured like this:
> > > > > --------------------------------------------------------------------------------------------------------
> > > > >
> > > > > [andre at cubox vpnalma]$ ifconfig
> > > > > eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> > > > > inet 10.0.0.7 netmask 255.255.255.0 broadcast 10.0.0.255
> > > > > inet6 fe80::d263:b4ff:fe00:6a6b prefixlen 64 scopeid 0x20<link>
> > > > > ether d0:63:b4:00:6a:6b txqueuelen 1000 (Ethernet)
> > > > > RX packets 63975281 bytes 142504956 (135.9 MiB)
> > > > > RX errors 0 dropped 2 overruns 0 frame 0
> > > > > TX packets 35826176 bytes 2648965717 (2.4 GiB)
> > > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > >
> > > > > lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> > > > > inet 127.0.0.1 netmask 255.0.0.0
> > > > > inet6 ::1 prefixlen 128 scopeid 0x10<host>
> > > > > loop txqueuelen 0 (Local Loopback)
> > > > > RX packets 167609 bytes 76370891 (72.8 MiB)
> > > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > > TX packets 167609 bytes 76370891 (72.8 MiB)
> > > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > >
> > > > > vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
> > > > > inet 192.168.0.20 netmask 255.255.255.0 destination 192.168.0.20
> > > > > unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
> > > > > RX packets 8876 bytes 1765584 (1.6 MiB)
> > > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > > TX packets 5939 bytes 2394177 (2.2 MiB)
> > > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > >
> > > > > [andre at cubox vpnalma]$ route
> > > > > Kernel IP routing table
> > > > > Destination Gateway Genmask Flags Metric Ref Use Iface
> > > > > default router.asus.com 0.0.0.0 UG 1024 0 0 eth0
> > > > > 10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
> > > > > router.asus.com * 255.255.255.255 UH 1024 0 0 eth0
> > > > > 192.168.0.0 * 255.255.255.0 U 0 0 0 vpnalma
> > > > > [andre at cubox vpnalma]$
> > > > >
> > > > >
> > > > > --------------------------------------------------------------------------------------------------------
> > > > >
> > > > > ON THE ANDROID DEVICE SIDE I HAVE THIS CONFIG:
> > > > >
> > > > >
> > > > > u0_a167 at hammerhead:/ $ su
> > > > > root at hammerhead:/ # cd sdcard/tinc/vpnalma
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # cat tinc.conf
> > > > > # Sample tinc configuration file
> > > > > # This is a comment.
> > > > > # Spaces and tabs are eliminated.
> > > > > # The = sign isn't strictly necessary any longer, though you may want
> > > > > # to leave it in as it improves readability :)
> > > > > # Variable names are treated case insensitive.
> > > > > # The name of this tinc host. Required.
> > > > > Name = nexus5
> > > > > # The internet host to connect with.
> > > > > # Comment these out to make yourself a listen-only connection
> > > > > # You must use the name of another tinc host.
> > > > > # May be used multiple times for redundance.
> > > > > ConnectTo = cubox
> > > > > ConnectTo = groppalbero
> > > > > ConnectTo = imac
> > > > > # The tap device tinc will use.
> > > > > # Default is /dev/tap0 for ethertap or FreeBSD,
> > > > > # /dev/tun0 for Solaris and OpenBSD,
> > > > > # and /dev/net/tun for Linux tun/tap device.
> > > > > #Mode = switch
> > > > > Device = /dev/tun
> > > > > #DeviceType = tap
> > > > > #Interface = tap0
> > > > > #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> > > > > ScriptsInterpreter = /system/bin/sh
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
> > > > > #!/bin/sh
> > > > > # This file sets up the tap device.
> > > > > # It gives you the freedom to do anything you want with it.
> > > > > # Use the correct name for the tap device:
> > > > > # The environment variable $INTERFACE is set to the right name
> > > > > # on most platforms, but if it doesn't work try to set it manually.
> > > > > # Give it the right ip and netmask. Remember, the subnet of the
> > > > > # tap device must be larger than that of the individual Subnets
> > > > > # as defined in the host configuration file!
> > > > > ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
> > > > > #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> > > > > #ip link set $INTERFACE up
> > > > > #ip addr add 192.168.0.80/24 dev $INTERFACE
> > > > > #ip route add 192.168.0.0/24 dev $INTERFACE
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
> > > > > sh: hosts/nexus5: can't execute: Permission denied
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # cat hosts/nexus5
> > > > > # Sample host configuration file
> > > > > # The real IP address of this tinc host. Can be used by other tinc hosts.
> > > > > # Portnumber for incoming connections. Default is 655.
> > > > > #Port = 655
> > > > > # Subnet on the virtual private network that is local for this host.
> > > > > Subnet = 192.168.0.80/32
> > > > > -----BEGIN RSA PUBLIC KEY-----
> > > > >
> > > > > -----END RSA PUBLIC KEY-----
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # ip addr
> > > > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> > > > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > > > inet 127.0.0.1/8 scope host lo
> > > > > inet6 ::1/128 scope host
> > > > > valid_lft forever preferred_lft forever
> > > > > 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> > > > > link/[530]
> > > > > inet 10.183.70.124/29 scope global rmnet0
> > > > > inet6 fe80::7561:c093:ea26:5781/64 scope link
> > > > > valid_lft forever preferred_lft forever
> > > > > 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/[530]
> > > > > 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
> > > > > 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
> > > > > 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
> > > > > 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
> > > > > 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
> > > > > 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
> > > > > 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
> > > > > 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
> > > > > 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > > link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
> > > > > 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
> > > > > link/sit 0.0.0.0 brd 0.0.0.0
> > > > > 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
> > > > > link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> > > > > 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
> > > > > link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> > > > > 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> > > > > link/none
> > > > > inet 192.168.0.80/24 scope global tun0
> > > > >
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # ip route
> > > > > 10.183.70.120/29 dev rmnet0 proto kernel scope link src 10.183.70.124
> > > > > 10.206.56.132 via 10.183.70.125 dev rmnet0 src 10.183.70.124
> > > > > 10.207.43.46 via 10.183.70.125 dev rmnet0 src 10.183.70.124
> > > > > 192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80
> > > > >
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
> > > > > PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
> > > > > ^C
> > > > > --- 192.168.0.20 ping statistics ---
> > > > > 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
> > > > > 1|root at hammerhead:/sdcard/tinc/vpnalma #
> > > > > --------------------------------------------------------------------------------------------------------
> > > > > From the Tinc GUI log, which I can't copy and paste, I see that the device is connected to cubox but I can't ping it.
> > > > >
> > > > > --
> > > > > Andrea Squeri
> > > > > Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > tinc mailing list
> > > > > tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> > > > > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> > > > >
> > >
> >
>
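Added example, not code from this thread or from the tinc project. Several messages above suggest that on Lollipop the route tinc-up adds is not the problem, but that Android's policy routing (`ip rule list`) sends traffic to per-user or per-network tables before the main table is ever consulted. The tinc-up below, written for a rooted Android device using the addresses from Andrea's configuration (192.168.0.80 on 192.168.0.0/24), adds the VPN address and route with `ip` instead of `ifconfig`, then adds a pair of `ip rule` entries that force lookups to and from the VPN subnet into the main table ahead of Android's own rules. Everything in it is an assumption the thread does not confirm: that the device's `ip` binary accepts these arguments, that priority 100 sorts before the rules Android installs (check with `ip rule list`), and that policy routing is in fact the cause. The helper names `run`, `tinc_up` and `tinc_down` and the `DRY_RUN` switch are mine. With `DRY_RUN=1` the script only prints what it would execute, which is a safe way to review the plan from an adb shell before letting tincd run it.

```shell
#!/system/bin/sh
# tinc-up / tinc-down for a rooted Android (Lollipop) tinc node.
# Added example, not from the thread or the tinc project. Assumes the
# device's `ip` binary accepts these arguments and that priority 100
# precedes Android's own policy-routing rules; verify with `ip rule list`.
# Set DRY_RUN=1 to print the commands instead of executing them.

VPN_ADDR="${VPN_ADDR:-192.168.0.80}"     # this node's VPN address (from Andrea's tinc-up)
VPN_NET="${VPN_NET:-192.168.0.0/24}"     # the whole VPN subnet
RULE_PREF="${RULE_PREF:-100}"            # rule priority; lower = evaluated earlier

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bring up the tunnel interface tinc hands us in $INTERFACE.
tinc_up() {
    ifc="$1"
    # Address with the subnet's prefix length, so the kernel knows the
    # VPN subnet is directly connected via the tunnel.
    run ip addr add "$VPN_ADDR/${VPN_NET#*/}" dev "$ifc"
    run ip link set "$ifc" up
    # The route in the main table; the kernel usually adds it itself when
    # the address is added, so `replace` keeps this idempotent.
    run ip route replace "$VPN_NET" dev "$ifc" src "$VPN_ADDR"
    # Policy rules: look up VPN destinations (and replies from the VPN
    # source address) in the main table before any per-UID or per-network
    # rule Android installs at higher priority numbers.
    run ip rule add to "$VPN_NET" table main priority "$RULE_PREF"
    run ip rule add from "$VPN_NET" table main priority "$RULE_PREF"
}

# Undo everything tinc_up did, in reverse order.
tinc_down() {
    ifc="$1"
    run ip rule del from "$VPN_NET" table main priority "$RULE_PREF"
    run ip rule del to "$VPN_NET" table main priority "$RULE_PREF"
    run ip route del "$VPN_NET" dev "$ifc"
    run ip link set "$ifc" down
}

# tincd sets $INTERFACE and runs this file as tinc-up or tinc-down.
# When sourced for inspection (no $INTERFACE), nothing is executed.
if [ -n "$INTERFACE" ]; then
    case "$0" in
        *tinc-down) tinc_down "$INTERFACE" ;;
        *)          tinc_up   "$INTERFACE" ;;
    esac
fi
```

Install it as tinc-up next to tinc.conf, with a copy (or symlink) named tinc-down for the teardown branch, and keep `ScriptsInterpreter = /system/bin/sh` as in Andrea's configuration so tincd runs it with the Android shell. After tincd starts, `ip rule list` should show the two priority-100 entries and `ip route get 192.168.0.20` should answer with `dev tun0`; if it still names rmnet0 or wlan0, a rule with a lower priority number than 100 is winning and RULE_PREF needs to go below it.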