From patchwork Sun Sep 11 04:48:34 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2749
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 11 Sep 2022 16:48:34 +0200
Message-Id: <20220911144834.2220049-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Update android.txt to reflect more recent changes.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- doc/android.txt | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/doc/android.txt b/doc/android.txt index e287be0a8..e143e3342 100644 --- a/doc/android.txt +++ b/doc/android.txt @@ -1,4 +1,6 @@ -This file documents the support in OpenVPN for Android 4.0 and up. +This file documents the support in OpenVPN for Android using the +VPNService API (https://developer.android.com/reference/android/net/VpnService) +that has been introduced in Android 4.0 (API 14). This support is primarily used in the "OpenVPN for Android" app (https://github.com/schwabe/ics-openvpn). For building see the developer 
@@ -8,26 +10,26 @@ Android provides the VPNService API (http://developer.android.com/reference/android/net/VpnService.html) which allows establishing VPN connections without rooting the device. -Since all the interfaces are are Android specific the calls to this -interface are made from the UI instead of OpenVPN directly. The API -needs the following parameters: +Unlike on other platform, the tun device is openend by UI instead of +OpenVPN itself. The VpnService API needs the following parameters: - IP and netmask of tun interface - Networks that should be routed to the tun interface - DNS Servers and DNS Domain - MTU -All IPs/Routes are in CIDR style. Non CIDR routes are not supported. +All IPs/Routes are in CIDR style. Non-CIDR routes are not supported. Notable is the lack of support for setting routes to other interfaces usually used to avoid the server connection going over the tun -interface. The Android VPNService API has the concept of protecting -a socket from being routed over a interface. Calling protect (fd) -will internally bind the socket to the interface used for the +interface. However, Android 13 adds support for exclusion routes that +serve the same purpose. The Android VPNService API has the concept +of protecting a socket from being routed over a interface. Calling +protect (fd) will internally bind the socket to the interface used for the external connection (usually WiFi or mobile data). To use OpenVPN with the VPNService API OpenVPN must be build with -the TARGET_ANDROID compile option. Also the UI must use a UNIX -domain socket to connect to OpenVPN. When compiled as TARGET_ANDROID +the TARGET_ANDROID compile option. Also the UI must use a UNIX +domain socket to connect to OpenVPN. When compiled as TARGET_ANDROID OpenVPN will use management callbacks instead of executing traditional ifconfig/route commands use the need-ok callback mechanism which will ask 
@@ -58,18 +60,16 @@ The GUI will then respond with a "needok 'command' ok' or "needok PERSIST_TUN_ACTION -In Android 4.4-4.4.2 a bug exists that does not allow to open a new tun fd -while a tun fd is still open. When OpenVPN wants to open an fd it will do -this query. The UI should compare the last configuration of -the tun device with the current tun configuration and reply with either (or -always respond with OPEN_AFTER_BEFORE/OPEN_BEFORE_CLOSE) +When OpenVPN wants to open an fd it will do this query via management. +The UI should compare the last configuration of the tun device with the current +tun configuration and reply with either NOACTION (or always respond with +OPEN_BEFORE_CLOSE). - NOACTION: Keep using the old fd -- OPEN_AFTER_CLOSE: First close the old fd and then open a new to workaround the bug - OPEN_BEFORE_CLOSE: the normal behaviour when the VPN configuration changed For example the UI could respond with -needok 'PERSIST_TUN_ACTION' OPEN_AFTER_CLOSE +needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE To protect a socket the OpenVPN will send a PROTECTFD to the UI. When sending the PROTECTFD command command to the UI it will send @@ -80,7 +80,7 @@ it from being routed over the VPN. When opening a tun device the OpenVPN process will first send all route, ifconfig and DNS related configuration to the UI and after that calls the OPENTUN command to receive a tun fd with the requested -configuration. The UI will than use the collected information to +configuration. The UI will than use the collected information to call the VPNService's establish() method to receive a fd which in turn is send to the OpenVPN process as ancillary message to the "needok 'OPENTUN' ok' response. 
@@ -95,7 +95,7 @@ To better support handover between networks, a the management command network-change [samenetwork] -is used on the Android platform. It tells OpenVPN to do the necessary -action when the network changes. Currently this is just calling +is used on the Android platform. It tells OpenVPN to do the necessary +action when the network changes. Currently this is just calling the protect callback when using peer-id regardless of the samenetwork. Without peer-id OpenVPN will generate USR1 when samenetwork is not set.
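Review bot: the first hunk (@@ -1,4 +1,6 @@) now links https://developer.android.com/reference/android/net/VpnService, but the unchanged context line at the top of the second hunk still carries the older http://developer.android.com/reference/android/net/VpnService.html form of the same reference; since both point at the same API, make them consistent in this patch (https, no .html) rather than leaving one stale link in a file that is being refreshed for exactly this reason.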
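Review bot: in the second hunk (@@ -8,26 +10,26 @@) the added line "+Unlike on other platform, the tun device is openend by UI instead of" has three slips: "platform" should be "platforms", "openend" should be "opened", and "by UI" should be "by the UI". While this block is being rewritten, "routed over a interface" (carried into the new text) should be "an interface", and "OpenVPN must be build with" in the context should be "built with". The pair "-the TARGET_ANDROID compile option. Also the UI must use a UNIX" / "+the TARGET_ANDROID compile option. Also the UI must use a UNIX" is identical in the extracted text, so it is presumably a trailing-whitespace change; that is fine, but a word in the commit message would save reviewers hunting for a content difference. Finally, the new sentence "Android 13 adds support for exclusion routes" would be more useful with a reference (API level and the VpnService.Builder method) so readers can find the feature, given how specific the surrounding paragraph is about protect(fd).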
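Review bot: the third hunk (@@ -58,18 +60,16 @@) drops OPEN_AFTER_CLOSE from the documented PERSIST_TUN_ACTION replies without saying whether OpenVPN still accepts it; if older UIs may still send it and the daemon still handles it, keep a one-line entry ("OPEN_AFTER_CLOSE: accepted for compatibility, historically a workaround for Android 4.4-4.4.2") rather than removing it silently, and if the code path was removed, state that in the commit message. Wording nit on the added text: "reply with either NOACTION (or always respond with OPEN_BEFORE_CLOSE)" uses "either" with a single option; suggest "reply with NOACTION or OPEN_BEFORE_CLOSE (a UI may also simply always respond with OPEN_BEFORE_CLOSE)".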
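Review bot: the fourth hunk (@@ -80,7 +80,7 @@) replaces "configuration. The UI will than use the collected information to" with an identical line and keeps the typo; since the line is being touched anyway, change "than" to "then", and the following context line "which in turn is send to the OpenVPN process" should read "sent".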
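Review bot: the last hunk (@@ -95,7 +95,7 @@) again replaces two lines with text that is identical in the extracted diff (presumably whitespace only), while the context line "To better support handover between networks, a the management command" keeps a stray "a the"; if this paragraph is being touched, fix that as well so the whitespace-only hunk at least carries a visible improvement.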