Problem With Android Configuration

Andrea Squeri andrea.squeri at gmail.com
Fri Mar 27 15:38:10 CET 2015


I switch to lollipop 4 months ago and I never had issue. So for my opinion it is ready for daily use.
Before try tinc I had my vpn implemented with openvpn, and it works great on lollipop. I switch to tinc because i prefer a mash vpn topology versus a client/server topology.  


--  
Andrea Squeri
Inviato con Sparrow (http://www.sparrowmailapp.com/?sig)


Il giorno venerdì 27 marzo 2015, alle ore 11:57, Alexander Ypema ha scritto:  

> I think it's more of a routing issue than anything explicitly blocking it, they use a new 'ip rule list' and per user settings that aren't well documented yet either, but where exactly to point I don't know. I haven't messed with android 5 much yet, it seems not ready enough yet for daily use, there isn't a single snapshot in the cyanogenmod repos, for example. So maybe it's worth to just stick with Android 4 for now?
>  
> Met vriendelijke groet / Kind regards,
> Alexander Ypema  
> On 27 March 2015 at 08:16, Andrea Squeri <andrea.squeri at gmail.com (mailto:andrea.squeri at gmail.com)> wrote:
> > I don't know.. It seems that anyone had try to made work tinc with lollipop. Even  googoling i don't found anything about this argoument.  
> > Andrea Squeri
> > Il 27/mar/2015 06:55 "Tatsuyuki Ishi" <ishitatsuyuki at gmail.com (mailto:ishitatsuyuki at gmail.com)> ha scritto:
> >  
> > > SELinux is considered as the biggest problem.  
> > > On Thu, Mar 26, 2015, 22:37 Andrea Squeri <andrea.squeri at gmail.com (mailto:andrea.squeri at gmail.com)> wrote:
> > > > Yes. The problem  is lollipop. I tried to install  tinc on my brother's device which mount a cyano 10.1( android 4.2.2) and  it works.
> > > > I don't understand which is the problem  with lollipop. Is there a firewall that block the packets?  
> > > > Andrea Squeri
> > > > If you are running Lollipop / Android 5.x on your Nexus 5, then you are probably seeing the same issue I was with it. lollipop seems to change networking quite a bit in that it's using iptables / and `ip rule list` extensively for per-user settings.
> > > > I think http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/   is relevant if you see running in to the same issue, it's confusing quite a lot of folks. I was unable to get tinc-gui (or even tincd manually and tinkering via adb shell) to work so I've downgraded my S5 to a 4.4.2 rom.  I'm not sure if coming up with a fancy tinc-up is the solution or someone with the ability to get tinc compatible with the official Android VPN API that a lot of the openvpn apps are using now.
> > > > You might be able to draw some inspiration from https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh but I haven't tried it since I've been back on 4.4.2.
> > > >  
> > > > On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com (mailto:andrea.squeri at gmail.com)> wrote:
> > > > > Hi, First sorry for my bad English.  
> > > > > I made a vpn wtih tinc for link my home and my two office. In Addition I want to configure my android device to link with my vpn.
> > > > > The topology of the net is this:
> > > > >  
> > > > > cubox(a linux machine in my home with vpn address 192.168.0.20)
> > > > > groppalbero (a linux machine in my second office with vpn address 192.168.0.40)
> > > > > imac(a mac machine in my first office with vpn address 192.168.0.50)
> > > > > nexus5(my android device with vpn address 192.168.0.80)
> > > > >  
> > > > > I have configurate all machine and now they all works except the android device.
> > > > > On this I use “Tinc Gui” app for configure it. When I start the tinc daemon it connect to the configured host and the tun0 interface in created and configured, but i can ping with any hosts
> > > > > and any host can ping my android device. the result of ping IS NOT a network unavailable response. In fact it block un operation and from the tinc gui log I can see that the packet are received by my android device.
> > > > > I suspect that can be a problem for the route but I can’t understand which the problem is.
> > > > >  
> > > > > For information paste the configuration from cubic and android device:
> > > > >  
> > > > > CUBOX :
> > > > > --------------------------------------------------------------------------------------------------------
> > > > > andre at cubox vpnalma]$ cat tinc.conf
> > > > > # Sample tinc configuration file
> > > > >  
> > > > > # This is a comment.
> > > > > # Spaces and tabs are eliminated.
> > > > > # The = sign isn't strictly necessary any longer, though you may want
> > > > > # to leave it in as it improves readability :)
> > > > > # Variable names are treated case insensitive.
> > > > >  
> > > > > # The name of this tinc host. Required.
> > > > > Name = cubox
> > > > >  
> > > > > # The internet host to connect with.
> > > > > # Comment these out to make yourself a listen-only connection
> > > > > # You must use the name of another tinc host.
> > > > > # May be used multiple times for redundance.
> > > > > #ConnectTo = vaio
> > > > > #ConnectTo = groppalbero
> > > > > #ConnectTo = imac
> > > > > #ConnectTo = servermarcy
> > > > >  
> > > > > # The tap device tinc will use.
> > > > > # Default is /dev/tap0 for ethertap or FreeBSD,
> > > > > # /dev/tun0 for Solaris and OpenBSD,
> > > > > # and /dev/net/tun for Linux tun/tap device.
> > > > > Device = /dev/net/tun
> > > > > [andre at cubox vpnalma]$ cat tinc-up
> > > > > #!/bin/sh
> > > > > # This file sets up the tap device.
> > > > > # It gives you the freedom to do anything you want with it.
> > > > > # Use the correct name for the tap device:
> > > > > # The environment variable $INTERFACE is set to the right name
> > > > > # on most platforms, but if it doesn't work try to set it manually.
> > > > >  
> > > > > # Give it the right ip and netmask. Remember, the subnet of the
> > > > > # tap device must be larger than that of the individual Subnets
> > > > > # as defined in the host configuration file!
> > > > > ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
> > > > > #ip link set $INTERFACE up
> > > > > #ip addr add  192.168.0.20/32 (http://192.168.0.20/32) dev $INTERFACE
> > > > > #ip route add 192.168.0.0/24 (http://192.168.0.0/24) dev $INTERFACE
> > > > > [andre at cubox vpnalma]$ cat hosts/cubox
> > > > > #iample host configuration file
> > > > > # This file was generated by host beta.
> > > > >  
> > > > > # The real IP address of this tinc host. Can be used by other tinc hosts.
> > > > > Address = 10.0.0.7
> > > > > Address = almaliberty.duckdns.org (http://almaliberty.duckdns.org)
> > > > > # Portnumber for incoming connections. Default is 655.
> > > > > Port = 655
> > > > >  
> > > > > # Subnet on the virtual private network that is local for this host.
> > > > > Subnet = 192.168.0.20/32 (http://192.168.0.20/32)
> > > > > ————————————————————————————————————————————————————
> > > > > The network is so configurated:
> > > > > ——————————————————————————————————————————————————————————————————————————————
> > > > >  
> > > > > [andre at cubox vpnalma]$ ifconfig
> > > > > eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
> > > > >         inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
> > > > >         inet6 fe80::d263:b4ff:fe00:6a6b  prefixlen 64  scopeid 0x20<link>
> > > > >         ether d0:63:b4:00:6a:6b  txqueuelen 1000  (Ethernet)
> > > > >         RX packets 63975281  bytes 142504956 (135.9 MiB)
> > > > >         RX errors 0  dropped 2  overruns 0  frame 0
> > > > >         TX packets 35826176  bytes 2648965717 (2.4 GiB)
> > > > >         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> > > > >  
> > > > > lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
> > > > >         inet 127.0.0.1  netmask 255.0.0.0
> > > > >         inet6 ::1  prefixlen 128  scopeid 0x10<host>
> > > > >         loop  txqueuelen 0  (Local Loopback)
> > > > >         RX packets 167609  bytes 76370891 (72.8 MiB)
> > > > >         RX errors 0  dropped 0  overruns 0  frame 0
> > > > >         TX packets 167609  bytes 76370891 (72.8 MiB)
> > > > >         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> > > > >  
> > > > > vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
> > > > >         inet 192.168.0.20  netmask 255.255.255.0  destination 192.168.0.20
> > > > >         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
> > > > >         RX packets 8876  bytes 1765584 (1.6 MiB)
> > > > >         RX errors 0  dropped 0  overruns 0  frame 0
> > > > >         TX packets 5939  bytes 2394177 (2.2 MiB)
> > > > >         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> > > > >  
> > > > > [andre at cubox vpnalma]$ route
> > > > > Kernel IP routing table
> > > > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > > > default         router.asus.com (http://router.asus.com) 0.0.0.0         UG    1024   0        0 eth0
> > > > > 10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
> > > > > router.asus.com (http://router.asus.com) *               255.255.255.255 UH    1024   0        0 eth0
> > > > > 192.168.0.0     *               255.255.255.0   U     0      0        0 vpnalma
> > > > > [andre at cubox vpnalma]$
> > > > >  
> > > > >  
> > > > > ——————————————————————————————————————————————————————————————————
> > > > >  
> > > > > ON THE ANDROIDE DEVICE SIDE I HAVE THIS CONFG:
> > > > >  
> > > > >  
> > > > > u0_a167 at hammerhead:/ $ su
> > > > > root at hammerhead:/ # cd sdcard/tinc/vpnalma
> > > > > at tinc.conf                                              <
> > > > > # Sample tinc configuration file
> > > > > # This is a comment.
> > > > > # Spaces and tabs are eliminated.
> > > > > # The = sign isn't strictly necessary any longer, though you may want
> > > > > # to leave it in as it improves readability :)
> > > > > # Variable names are treated case insensitive.
> > > > > # The name of this tinc host. Required.
> > > > > Name = nexus5
> > > > > # The internet host to connect with.
> > > > > # Comment these out to make yourself a listen-only connection
> > > > > # You must use the name of another tinc host.
> > > > > # May be used multiple times for redundance.
> > > > > ConnectTo = cubox
> > > > > ConnectTo = groppalbero
> > > > > ConnectTo = imac
> > > > > # The tap device tinc will use.
> > > > > # Default is /dev/tap0 for ethertap or FreeBSD,
> > > > > # /dev/tun0 for Solaris and OpenBSD,
> > > > > # and /dev/net/tun for Linux tun/tap device.
> > > > > #Mode = switch
> > > > > Device = /dev/tun
> > > > > #DeviceType = tap
> > > > > #Interface = tap0
> > > > > #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> > > > > ScriptsInterpreter = /system/bin/sh
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
> > > > > #!/bin/sh
> > > > > # This file sets up the tap device.
> > > > > # It gives you the freedom to do anything you want with it.
> > > > > # Use the correct name for the tap device:
> > > > > # The environment variable $INTERFACE is set to the right name
> > > > > # on most platforms, but if it doesn't work try to set it manually.
> > > > > # Give it the right ip and netmask. Remember, the subnet of the
> > > > > # tap device must be larger than that of the individual Subnets
> > > > > # as defined in the host configuration file!
> > > > > ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
> > > > > #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> > > > > #ip link set $INTERFACE up
> > > > > #ip addr add  192.168.0.80/24 (http://192.168.0.80/24) dev $INTERFACE
> > > > > #ip route add 192.168.0.0/24 (http://192.168.0.0/24) dev $INTERFACE
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
> > > > > sh: hosts/nexus5: can't execute: Permission denied
> > > > > at hosts/nexus5                                           <
> > > > > # Sample host configuration file
> > > > > # The real IP address of this tinc host. Can be used by other tinc hosts.
> > > > > # Portnumber for incoming connections. Default is 655.
> > > > > #Port = 655
> > > > > # Subnet on the virtual private network that is local for this host.
> > > > > Subnet = 192.168.0.80/32 (http://192.168.0.80/32)
> > > > > -----BEGIN RSA PUBLIC KEY-----
> > > > >  
> > > > > -----END RSA PUBLIC KEY-----
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # ip addr
> > > > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> > > > >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > > >     inet 127.0.0.1/8 (http://127.0.0.1/8) scope host lo
> > > > >     inet6 ::1/128 scope host
> > > > >        valid_lft forever preferred_lft forever
> > > > > 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> > > > >     link/[530]
> > > > >     inet 10.183.70.124/29 (http://10.183.70.124/29) scope global rmnet0
> > > > >     inet6 fe80::7561:c093:ea26:5781/64 scope link
> > > > >        valid_lft forever preferred_lft forever
> > > > > 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/[530]
> > > > > 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
> > > > > 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
> > > > > 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
> > > > > 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
> > > > > 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
> > > > > 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
> > > > > 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
> > > > > 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
> > > > > 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
> > > > >     link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
> > > > > 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
> > > > >     link/sit 0.0.0.0 brd 0.0.0.0
> > > > > 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
> > > > >     link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> > > > > 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
> > > > >     link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> > > > > 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> > > > >     link/none
> > > > >     inet 192.168.0.80/24 (http://192.168.0.80/24) scope global tun0
> > > > >  
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # ip route
> > > > > 10.183.70.120/29 (http://10.183.70.120/29) dev rmnet0  proto kernel  scope link  src 10.183.70.124
> > > > > 10.206.56.132 via 10.183.70.125 dev rmnet0  src 10.183.70.124
> > > > > 10.207.43.46 via 10.183.70.125 dev rmnet0  src 10.183.70.124
> > > > > 192.168.0.0/24 (http://192.168.0.0/24) dev tun0  proto kernel  scope link  src 192.168.0.80
> > > > >  
> > > > > root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
> > > > > PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
> > > > > ^C
> > > > > --- 192.168.0.20 ping statistics ---
> > > > > 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
> > > > > 1|root at hammerhead:/sdcard/tinc/vpnalma #
> > > > > ————————————————————————————————————————————————————————————————————————————————
> > > > > From the tinc gui log that I can’t copy and paste , I see that the device in connected to cubic but i can’t ping with it.
> > > > >  
> > > > > --  
> > > > > Andrea Squeri
> > > > > Inviato con Sparrow (http://www.sparrowmailapp.com/?sig)
> > > > >  
> > > > >  
> > > > > _______________________________________________
> > > > > tinc mailing list
> > > > > tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> > > > > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> > > > >  
> > > >  
> > > >  
> > > > _______________________________________________
> > > > tinc mailing list
> > > > tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> > > > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> > > >  
> > > > _______________________________________________
> > > > tinc mailing list
> > > > tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> > > > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> > >  
> > > _______________________________________________
> > > tinc mailing list
> > > tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> > > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> > >  
> >  
> > _______________________________________________
> > tinc mailing list
> > tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
> >  
>  
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org (mailto:tinc at tinc-vpn.org)
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>  
>  


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20150327/4d5e5a3c/attachment-0001.html>


More information about the tinc mailing list