Problem With Android Configuration

Darren Mobley corpdecker at gmail.com
Wed Mar 25 13:46:16 CET 2015


If you are running Lollipop / Android 5.x on your Nexus 5, then you are
probably seeing the same issue I was with it. Lollipop seems to change
networking quite a bit in that it's using iptables and `ip rule list`
extensively for per-user settings.
I think
http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/
is relevant if you are running into the same issue; it's confusing quite a
lot of folks. I was unable to get tinc-gui (or even tincd manually and
tinkering via adb shell) to work, so I've downgraded my S5 to a 4.4.2 ROM.
I'm not sure if coming up with a fancy tinc-up is the solution or whether it
takes someone with the ability to get tinc compatible with the official
Android VPN API that a lot of the OpenVPN apps are using now.
You might be able to draw some inspiration from
https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lopllipop.sh
but I haven't tried it since I've been back on 4.4.2.
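A diagnostic for the policy-routing behaviour described above, added here as an example and not code from the thread or from tinc: on Android 5.x the kernel consults the tables listed by `ip rule`, so a route that `ip route` shows on tun0 may sit in a table that is never looked up. The helpers take command output as text (the sample rule and route lines are constructed, modelled on the thread's addresses); `check_live` feeds them live output in a root shell on the device.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check, for every routing
# table that `ip rule` points at, whether the tinc subnet is routed there.

# Print the table of every "lookup" rule, one per line, in rule order.
rule_tables() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i+1) }'
}

# Exit 0 if the given `ip route show table X` output has a route whose
# destination is exactly $2 (e.g. 192.168.0.0/24), else exit 1.
table_has_route() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { r = 1 } $1 == p { r = 0 } END { exit r }'
}

# Constructed sample output (not a real capture) in the shape of `ip rule list`
# and `ip route show table main` on a Lollipop device running tinc.
SAMPLE_RULES='0:      from all lookup local
10000:  from all fwmark 0xc0000/0xc0000 lookup legacy_system
16000:  from all fwmark 0x0/0xffff lookup main
32000:  from all unreachable'
SAMPLE_MAIN='10.183.70.120/29 dev rmnet0  proto kernel  scope link  src 10.183.70.124
192.168.0.0/24 dev tun0  proto kernel  scope link  src 192.168.0.80'

# Live use on the device (root shell): report, per table named by the rules,
# whether a route to the tinc subnet given as $1 exists.
check_live() {
    for t in $(rule_tables "$(ip rule list)"); do
        if table_has_route "$(ip route show table "$t" 2>/dev/null)" "$1"; then
            echo "table $t: route to $1 present"
        else
            echo "table $t: NO route to $1"
        fi
    done
}
```

A table that the rules reach before `main` and that lacks the 192.168.0.0/24 route explains the 100% packet loss even though `ip route` looks correct.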

On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com>
wrote:

> Hi, first, sorry for my bad English.
> I made a VPN with tinc to link my home and my two offices. In addition I
> want to configure my Android device to link with my VPN.
> The topology of the network is this:
>
> cubox(a linux machine in my home with vpn address 192.168.0.20)
> groppalbero (a linux machine in my second office with vpn address
> 192.168.0.40)
> imac(a mac machine in my first office with vpn address 192.168.0.50)
> nexus5(my android device with vpn address 192.168.0.80)
>
> I have configured all machines and now they all work except the Android
> device.
> On this I use the "Tinc GUI" app to configure it. When I start the tinc
> daemon it connects to the configured host and the tun0 interface is created
> and configured, but I can't ping any host
> and no host can ping my Android device. The result of ping IS NOT a
> network unavailable response. In fact it blocks the operation, and from the
> tinc GUI log I can see that the packets are received by my Android device.
> I suspect that it can be a problem with the routes but I can't understand what
> the problem is.
>
> For information, I paste the configuration from cubox and the Android device:
>
> CUBOX :
>
> --------------------------------------------------------------------------------------------------------
> andre at cubox vpnalma]$ cat tinc.conf
> # Sample tinc configuration file
>
> # This is a comment.
> # Spaces and tabs are eliminated.
> # The = sign isn't strictly necessary any longer, though you may want
> # to leave it in as it improves readability :)
> # Variable names are treated case insensitive.
>
> # The name of this tinc host. Required.
> Name = cubox
>
> # The internet host to connect with.
> # Comment these out to make yourself a listen-only connection
> # You must use the name of another tinc host.
> # May be used multiple times for redundance.
> #ConnectTo = vaio
> #ConnectTo = groppalbero
> #ConnectTo = imac
> #ConnectTo = servermarcy
>
> # The tap device tinc will use.
> # Default is /dev/tap0 for ethertap or FreeBSD,
> # /dev/tun0 for Solaris and OpenBSD,
> # and /dev/net/tun for Linux tun/tap device.
> Device = /dev/net/tun
> [andre at cubox vpnalma]$ cat tinc-up
> #!/bin/sh
> # This file sets up the tap device.
> # It gives you the freedom to do anything you want with it.
> # Use the correct name for the tap device:
> # The environment variable $INTERFACE is set to the right name
> # on most platforms, but if it doesn't work try to set it manually.
>
> # Give it the right ip and netmask. Remember, the subnet of the
> # tap device must be larger than that of the individual Subnets
> # as defined in the host configuration file!
> ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
> #ip link set $INTERFACE up
> #ip addr add  192.168.0.20/32 dev $INTERFACE
> #ip route add 192.168.0.0/24 dev $INTERFACE
> [andre at cubox vpnalma]$ cat hosts/cubox
> # Sample host configuration file
> # This file was generated by host beta.
>
> # The real IP address of this tinc host. Can be used by other tinc hosts.
> Address = 10.0.0.7
> Address = almaliberty.duckdns.org
> # Portnumber for incoming connections. Default is 655.
> Port = 655
>
> # Subnet on the virtual private network that is local for this host.
> Subnet = 192.168.0.20/32
> ————————————————————————————————————————————————————
> The network is configured like this:
>
> ——————————————————————————————————————————————————————————————————————————————
>
> [andre at cubox vpnalma]$ ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
>         inet6 fe80::d263:b4ff:fe00:6a6b  prefixlen 64  scopeid 0x20<link>
>         ether d0:63:b4:00:6a:6b  txqueuelen 1000  (Ethernet)
>         RX packets 63975281  bytes 142504956 (135.9 MiB)
>         RX errors 0  dropped 2  overruns 0  frame 0
>         TX packets 35826176  bytes 2648965717 (2.4 GiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>         inet 127.0.0.1  netmask 255.0.0.0
>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>         loop  txqueuelen 0  (Local Loopback)
>         RX packets 167609  bytes 76370891 (72.8 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 167609  bytes 76370891 (72.8 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
>         inet 192.168.0.20  netmask 255.255.255.0  destination 192.168.0.20
>         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
>         RX packets 8876  bytes 1765584 (1.6 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 5939  bytes 2394177 (2.2 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> [andre at cubox vpnalma]$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         router.asus.com 0.0.0.0         UG    1024   0        0 eth0
> 10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
> router.asus.com *               255.255.255.255 UH    1024   0        0 eth0
> 192.168.0.0     *               255.255.255.0   U     0      0        0 vpnalma
> [andre at cubox vpnalma]$
>
> ——————————————————————————————————————————————————————————————————
>
> ON THE ANDROID DEVICE SIDE I HAVE THIS CONFIG:
>
>
> u0_a167 at hammerhead:/ $ su
> root at hammerhead:/ # cd sdcard/tinc/vpnalma
> at tinc.conf                                              <
> # Sample tinc configuration file
>
> # This is a comment.
> # Spaces and tabs are eliminated.
> # The = sign isn't strictly necessary any longer, though you may want
> # to leave it in as it improves readability :)
> # Variable names are treated case insensitive.
>
> # The name of this tinc host. Required.
> Name = nexus5
>
> # The internet host to connect with.
> # Comment these out to make yourself a listen-only connection
> # You must use the name of another tinc host.
> # May be used multiple times for redundance.
> ConnectTo = cubox
> ConnectTo = groppalbero
> ConnectTo = imac
> # The tap device tinc will use.
> # Default is /dev/tap0 for ethertap or FreeBSD,
> # /dev/tun0 for Solaris and OpenBSD,
> # and /dev/net/tun for Linux tun/tap device.
> #Mode = switch
> Device = /dev/tun
> #DeviceType = tap
> #Interface = tap0
> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> ScriptsInterpreter = /system/bin/sh
> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
> #!/bin/sh
> # This file sets up the tap device.
> # It gives you the freedom to do anything you want with it.
> # Use the correct name for the tap device:
> # The environment variable $INTERFACE is set to the right name
> # on most platforms, but if it doesn't work try to set it manually.
>
> # Give it the right ip and netmask. Remember, the subnet of the
> # tap device must be larger than that of the individual Subnets
> # as defined in the host configuration file!
> ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> #ip link set $INTERFACE up
> #ip addr add  192.168.0.80/24 dev $INTERFACE
> #ip route add 192.168.0.0/24 dev $INTERFACE
> root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
> sh: hosts/nexus5: can't execute: Permission denied
> at hosts/nexus5                                           <
> # Sample host configuration file
>
> # The real IP address of this tinc host. Can be used by other tinc hosts.
>
> # Portnumber for incoming connections. Default is 655.
> #Port = 655
>
> # Subnet on the virtual private network that is local for this host.
> Subnet = 192.168.0.80/32
>
> -----BEGIN RSA PUBLIC KEY-----
>
> -----END RSA PUBLIC KEY-----
>
> root at hammerhead:/sdcard/tinc/vpnalma # ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/[530]
>     inet 10.183.70.124/29 scope global rmnet0
>     inet6 fe80::7561:c093:ea26:5781/64 scope link
>        valid_lft forever preferred_lft forever
> 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
> 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
> 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
> 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
> 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
> 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
> 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
> 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
> 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
> 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
>     link/sit 0.0.0.0 brd 0.0.0.0
> 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>     link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>     link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>     link/none
>     inet 192.168.0.80/24 scope global tun0
>
>
> root at hammerhead:/sdcard/tinc/vpnalma # ip route
> 10.183.70.120/29 dev rmnet0  proto kernel  scope link  src 10.183.70.124
> 10.206.56.132 via 10.183.70.125 dev rmnet0  src 10.183.70.124
> 10.207.43.46 via 10.183.70.125 dev rmnet0  src 10.183.70.124
> 192.168.0.0/24 dev tun0  proto kernel  scope link  src 192.168.0.80
>
>
> root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
> PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
> ^C
> --- 192.168.0.20 ping statistics ---
> 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
>
> 1|root at hammerhead:/sdcard/tinc/vpnalma #
>
>
> ————————————————————————————————————————————————————————————————————————————————
>
> From the tinc GUI log, which I can't copy and paste, I see that the device
> is connected to cubox but I can't ping it.
> --
> Andrea Squeri
> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>