Problem With Android Configuration

Vil Brekin vilbrekin at gmail.com
Mon Mar 30 02:12:59 CEST 2015


Hi there,

I've finally had a deeper look and found the Lollipop routing issues root
cause: Lollipop uses several routing tables instead of the default one for
previous Android versions. The main routing table is used with lowest
priority per default:

root at hammerhead:/ # ip rule show
0:      from all lookup local
10000:  from all fwmark 0xc0000/0xd0000 lookup legacy_system
13000:  from all fwmark 0x10063/0x1ffff lookup local_network
13000:  from all fwmark 0x10064/0x1ffff lookup wlan0
14000:  from all oif wlan0 lookup wlan0
15000:  from all fwmark 0x0/0x10000 lookup legacy_system
16000:  from all fwmark 0x0/0x10000 lookup legacy_network
17000:  from all fwmark 0x0/0x10000 lookup local_network
19000:  from all fwmark 0x64/0x1ffff lookup wlan0
22000:  from all fwmark 0x0/0xffff lookup wlan0
23000:  from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000:  from all unreachable

root at hammerhead:/ # ip route show
# As in your example, there's no default route here
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.42

root at hammerhead:/ # ip route show table wlan0
#But here you find it in the wlan0 table
default via 192.168.0.253 dev wlan0  proto static
192.168.0.0/24 dev wlan0  proto static  scope link


The useful routing table depends on your network connectivity (wlan0 on
wifi, rmnet0 on 3G in my case), and thus the simplest solution is to put
tinc's routing in a new table with higher priority:

# Use new routing table 100, to have higher priority than lollipop's ones
ip rule add prio 100 from all lookup 100
# host route to the tinc peer through the original (wifi/3G) gateway; "via" is required by ip route
ip route add table 100 $REMOTEADDRESS via $ORIGINAL_GATEWAY
# the VPN side goes out the tun interface tinc created
ip route add table 100 $VPN_GATEWAY dev $INTERFACE


I've updated the examples from Tinc GUI's documentation accordingly:
http://tinc_gui.poirsouille.org/

Hope this helps,
V

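As an added illustration (not part of the thread or of Tinc GUI), the rule walk described above modelled in Python: it parses a subset of the quoted `ip rule show` lines, consults tables in priority order with longest-prefix match inside each, and shows why a VPN route that lives only in `main` loses to the default route in the `wlan0` table, while a table 100 reached from a prio 100 rule wins. The table contents, the non-root uid and routing the whole VPN subnet through table 100 are constructed assumptions.

```python
import ipaddress
import re
# Rules quoted from the Lollipop `ip rule show` listing above (subset). Tables are
# constructed: wlan0 holds the default route, main only the route a plain tinc-up adds.
RULES = """
0:      from all lookup local
14000:  from all oif wlan0 lookup wlan0
22000:  from all fwmark 0x0/0xffff lookup wlan0
23000:  from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000:  from all unreachable
"""
TABLES = {"wlan0": [("0.0.0.0/0", "wlan0")], "main": [("192.168.0.0/24", "tun0")]}
RULE_RE = re.compile(
    r"^(\d+):\s+from all(?:\s+fwmark (0x[0-9a-f]+)/(0x[0-9a-f]+))?(?:\s+oif (\S+))?"
    r"(?:\s+uidrange (\d+)-(\d+))?\s+(?:lookup (\S+)|(unreachable))$")

def parse_rules(text):
    """Return (prio, (mark, mask) | None, oif | None, (uid_lo, uid_hi) | None, table) per line."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        prio, mark, mask, oif, lo, hi, table, unreach = m.groups()
        rules.append((int(prio), (int(mark, 16), int(mask, 16)) if mark else None,
                      oif, (int(lo), int(hi)) if lo else None, table or unreach))
    return sorted(rules, key=lambda r: r[0])

def rule_matches(rule, fwmark, uid, oif):
    _, mark, rule_oif, uidrange, _ = rule
    if mark and (fwmark & mark[1]) != mark[0]:
        return False
    if rule_oif and rule_oif != oif:
        return False
    return not uidrange or uidrange[0] <= uid <= uidrange[1]

def resolve(dst, rules, tables, fwmark=0, uid=0, oif=None):
    """Walk rules by priority, longest-prefix match inside each table; first hit wins."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if not rule_matches(rule, fwmark, uid, oif):
            continue
        if rule[4] == "unreachable":
            return ("unreachable", None)
        hits = [(ipaddress.ip_network(p).prefixlen, dev)
                for p, dev in tables.get(rule[4], []) if ip in ipaddress.ip_network(p)]
        if hits:
            return (rule[4], max(hits)[1])
    return ("unreachable", None)

def with_tinc_table(rules, tables, vpn_subnet, iface):
    """Vil's fix: a table 100 consulted by a prio-100 rule, ahead of Lollipop's own."""
    rules = sorted(rules + [(100, None, None, None, "100")], key=lambda r: r[0])
    return rules, {**tables, "100": [(vpn_subnet, iface)]}
```

Without the extra table, `resolve("192.168.0.20", parse_rules(RULES), TABLES)` returns the wlan0 default route for root and app uids alike, which is the silent packet loss Andrea saw; with `with_tinc_table` applied the same lookup lands on tun0 while non-VPN destinations still fall through to wlan0.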
2015-03-27 15:38 GMT+01:00 Andrea Squeri <andrea.squeri at gmail.com>:

> I switched to lollipop 4 months ago and I never had an issue. So in my opinion
> it is ready for daily use.
> Before trying tinc I had my vpn implemented with openvpn, and it works great
> on lollipop. I switched to tinc because I prefer a mesh vpn topology versus a
> client/server topology.
>
> --
> Andrea Squeri
> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>
> On Friday 27 March 2015, at 11:57, Alexander Ypema
> wrote:
>
> I think it's more of a routing issue than anything explicitly blocking it,
> they use a new 'ip rule list' and per user settings that aren't well
> documented yet either, but where exactly to point I don't know. I haven't
> messed with android 5 much yet, it seems not ready enough yet for daily
> use, there isn't a single snapshot in the cyanogenmod repos, for example.
> So maybe it's worth it to just stick with Android 4 for now?
>
> Met vriendelijke groet / Kind regards,
> Alexander Ypema
>
> On 27 March 2015 at 08:16, Andrea Squeri <andrea.squeri at gmail.com> wrote:
>
> I don't know.. It seems that no one has tried to make tinc work with
> lollipop. Even googling I don't find anything about this topic.
>
> Andrea Squeri
> On 27/Mar/2015 06:55 "Tatsuyuki Ishi" <ishitatsuyuki at gmail.com>
> wrote:
>
> SELinux is considered as the biggest problem.
>
> On Thu, Mar 26, 2015, 22:37 Andrea Squeri <andrea.squeri at gmail.com> wrote:
>
> Yes. The problem is lollipop. I tried to install tinc on my brother's
> device which runs cyano 10.1 (android 4.2.2) and it works.
> I don't understand what the problem with lollipop is. Is there a
> firewall that blocks the packets?
>
> Andrea Squeri
> If you are running Lollipop / Android 5.x on your Nexus 5, then you are
> probably seeing the same issue I was with it. lollipop seems to change
> networking quite a bit in that it's using iptables / and `ip rule list`
> extensively for per-user settings.
> I think
> http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/
> is relevant if you're running into the same issue, it's confusing quite a
> lot of folks. I was unable to get tinc-gui (or even tincd manually and
> tinkering via adb shell) to work so I've downgraded my S5 to a 4.4.2 rom.
> I'm not sure if coming up with a fancy tinc-up is the solution or someone
> with the ability to get tinc compatible with the official Android VPN API
> that a lot of the openvpn apps are using now.
> You might be able to draw some inspiration from
> https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh
> but I haven't tried it since I've been back on 4.4.2.
>
> On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com>
> wrote:
>
> Hi, first sorry for my bad English.
> I made a vpn with tinc to link my home and my two offices. In addition I
> want to configure my android device to link with my vpn.
> The topology of the net is this:
>
> cubox(a linux machine in my home with vpn address 192.168.0.20)
> groppalbero (a linux machine in my second office with vpn address
> 192.168.0.40)
> imac(a mac machine in my first office with vpn address 192.168.0.50)
> nexus5(my android device with vpn address 192.168.0.80)
>
> I have configured all machines and now they all work except the android
> device.
> On this I use the "Tinc Gui" app to configure it. When I start the tinc
> daemon it connects to the configured host and the tun0 interface is created
> and configured, but I can't ping any host
> and no host can ping my android device. The result of ping IS NOT a
> network unavailable response. In fact it blocks the operation and from the
> tinc gui log I can see that the packets are received by my android device.
> I suspect that it can be a problem with the route but I can't understand what
> the problem is.
>
> For information I paste the configuration from cubox and the android device:
>
> CUBOX :
>
> --------------------------------------------------------------------------------------------------------
> andre at cubox vpnalma]$ cat tinc.conf
> # Sample tinc configuration file
>
> # This is a comment.
> # Spaces and tabs are eliminated.
> # The = sign isn't strictly necessary any longer, though you may want
> # to leave it in as it improves readability :)
> # Variable names are treated case insensitive.
>
> # The name of this tinc host. Required.
> Name = cubox
>
> # The internet host to connect with.
> # Comment these out to make yourself a listen-only connection
> # You must use the name of another tinc host.
> # May be used multiple times for redundance.
> #ConnectTo = vaio
> #ConnectTo = groppalbero
> #ConnectTo = imac
> #ConnectTo = servermarcy
>
> # The tap device tinc will use.
> # Default is /dev/tap0 for ethertap or FreeBSD,
> # /dev/tun0 for Solaris and OpenBSD,
> # and /dev/net/tun for Linux tun/tap device.
> Device = /dev/net/tun
> [andre at cubox vpnalma]$ cat tinc-up
> #!/bin/sh
> # This file sets up the tap device.
> # It gives you the freedom to do anything you want with it.
> # Use the correct name for the tap device:
> # The environment variable $INTERFACE is set to the right name
> # on most platforms, but if it doesn't work try to set it manually.
>
> # Give it the right ip and netmask. Remember, the subnet of the
> # tap device must be larger than that of the individual Subnets
> # as defined in the host configuration file!
> ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
> #ip link set $INTERFACE up
> #ip addr add  192.168.0.20/32 dev $INTERFACE
> #ip route add 192.168.0.0/24 dev $INTERFACE
> [andre at cubox vpnalma]$ cat hosts/cubox
> #iample host configuration file
> # This file was generated by host beta.
>
> # The real IP address of this tinc host. Can be used by other tinc hosts.
> Address = 10.0.0.7
> Address = almaliberty.duckdns.org
> # Portnumber for incoming connections. Default is 655.
> Port = 655
>
> # Subnet on the virtual private network that is local for this host.
> Subnet = 192.168.0.20/32
> ————————————————————————————————————————————————————
> The network is so configurated:
>
> ——————————————————————————————————————————————————————————————————————————————
>
> [andre at cubox vpnalma]$ ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
>         inet6 fe80::d263:b4ff:fe00:6a6b  prefixlen 64  scopeid 0x20<link>
>         ether d0:63:b4:00:6a:6b  txqueuelen 1000  (Ethernet)
>         RX packets 63975281  bytes 142504956 (135.9 MiB)
>         RX errors 0  dropped 2  overruns 0  frame 0
>         TX packets 35826176  bytes 2648965717 (2.4 GiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>         inet 127.0.0.1  netmask 255.0.0.0
>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>         loop  txqueuelen 0  (Local Loopback)
>         RX packets 167609  bytes 76370891 (72.8 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 167609  bytes 76370891 (72.8 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
>         inet 192.168.0.20  netmask 255.255.255.0  destination 192.168.0.20
>         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen
> 500  (UNSPEC)
>         RX packets 8876  bytes 1765584 (1.6 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 5939  bytes 2394177 (2.2 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> [andre at cubox vpnalma]$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> default         router.asus.com 0.0.0.0         UG    1024   0        0
> eth0
> 10.0.0.0        *               255.255.255.0   U     0      0        0
> eth0
> router.asus.com *               255.255.255.255 UH    1024   0        0
> eth0
> 192.168.0.0     *               255.255.255.0   U     0      0        0
> vpnalma
> [andre at cubox vpnalma]$
>
> ——————————————————————————————————————————————————————————————————
>
> ON THE ANDROID DEVICE SIDE I HAVE THIS CONFIG:
>
>
> u0_a167 at hammerhead:/ $ su
> root at hammerhead:/ # cd sdcard/tinc/vpnalma
> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc.conf
> # Sample tinc configuration file
>
> # This is a comment.
> # Spaces and tabs are eliminated.
> # The = sign isn't strictly necessary any longer, though you may want
> # to leave it in as it improves readability :)
> # Variable names are treated case insensitive.
>
> # The name of this tinc host. Required.
> Name = nexus5
>
> # The internet host to connect with.
> # Comment these out to make yourself a listen-only connection
> # You must use the name of another tinc host.
> # May be used multiple times for redundance.
> ConnectTo = cubox
> ConnectTo = groppalbero
> ConnectTo = imac
> # The tap device tinc will use.
> # Default is /dev/tap0 for ethertap or FreeBSD,
> # /dev/tun0 for Solaris and OpenBSD,
> # and /dev/net/tun for Linux tun/tap device.
> #Mode = switch
> Device = /dev/tun
> #DeviceType = tap
> #Interface = tap0
> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> ScriptsInterpreter = /system/bin/sh
> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
> #!/bin/sh
> # This file sets up the tap device.
> # It gives you the freedom to do anything you want with it.
> # Use the correct name for the tap device:
> # The environment variable $INTERFACE is set to the right name
> # on most platforms, but if it doesn't work try to set it manually.
>
> # Give it the right ip and netmask. Remember, the subnet of the
> # tap device must be larger than that of the individual Subnets
> # as defined in the host configuration file!
> ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> #ip link set $INTERFACE up
> #ip addr add  192.168.0.80/24 dev $INTERFACE
> #ip route add 192.168.0.0/24 dev $INTERFACE
> root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
> sh: hosts/nexus5: can't execute: Permission denied
> root at hammerhead:/sdcard/tinc/vpnalma # cat hosts/nexus5
> # Sample host configuration file
>
> # The real IP address of this tinc host. Can be used by other tinc hosts.
>
> # Portnumber for incoming connections. Default is 655.
> #Port = 655
>
> # Subnet on the virtual private network that is local for this host.
> Subnet = 192.168.0.80/32
>
> -----BEGIN RSA PUBLIC KEY-----
>
> -----END RSA PUBLIC KEY-----
>
> root at hammerhead:/sdcard/tinc/vpnalma # ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/[530]
>     inet 10.183.70.124/29 scope global rmnet0
>     inet6 fe80::7561:c093:ea26:5781/64 scope link
>        valid_lft forever preferred_lft forever
> 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
> 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
> 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
> 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
> 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
> 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
> 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
> 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
> 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
> 1000
>     link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
> 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
>     link/sit 0.0.0.0 brd 0.0.0.0
> 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen
> 1000
>     link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen
> 1000
>     link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
> pfifo_fast state UNKNOWN qlen 500
>     link/none
>     inet 192.168.0.80/24 scope global tun0
>
>
> root at hammerhead:/sdcard/tinc/vpnalma # ip route
> 10.183.70.120/29 dev rmnet0  proto kernel  scope link  src 10.183.70.124
> 10.206.56.132 via 10.183.70.125 dev rmnet0  src 10.183.70.124
> 10.207.43.46 via 10.183.70.125 dev rmnet0  src 10.183.70.124
> 192.168.0.0/24 dev tun0  proto kernel  scope link  src 192.168.0.80
>
>
> root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
> PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
> ^C
> --- 192.168.0.20 ping statistics ---
> 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
>
> 1|root at hammerhead:/sdcard/tinc/vpnalma #
>
>
> ————————————————————————————————————————————————————————————————————————————————
>
> From the tinc gui log, which I can't copy and paste, I see that the device
> is connected to cubox but I can't ping it.
> --
> Andrea Squeri
> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
>