Problem With Android Configuration

Andrea Squeri andrea.squeri at gmail.com
Mon Mar 30 11:49:26 CEST 2015


Thanks for the reply. I'll try and then I'll advise you if it works.

Andrea Squeri
On 30/mar/2015 11:38 "Vil Brekin" <vilbrekin at gmail.com> wrote:

> Hi there,
>
> I've finally had a deeper look and found the Lollipop routing issues root
> cause: Lollipop uses several routing tables instead of the default one for
> previous Android versions. The main routing table is used with lowest
> priority per default:
>
> root at hammerhead:/ # ip rule show
> 0:      from all lookup local
> 10000:  from all fwmark 0xc0000/0xd0000 lookup legacy_system
> 13000:  from all fwmark 0x10063/0x1ffff lookup local_network
> 13000:  from all fwmark 0x10064/0x1ffff lookup wlan0
> 14000:  from all oif wlan0 lookup wlan0
> 15000:  from all fwmark 0x0/0x10000 lookup legacy_system
> 16000:  from all fwmark 0x0/0x10000 lookup legacy_network
> 17000:  from all fwmark 0x0/0x10000 lookup local_network
> 19000:  from all fwmark 0x64/0x1ffff lookup wlan0
> 22000:  from all fwmark 0x0/0xffff lookup wlan0
> 23000:  from all fwmark 0x0/0xffff uidrange 0-0 lookup main
> 32000:  from all unreachable
>
> root at hammerhead:/ # ip route show
> # As in your example, there's no default route here
> 192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.42
>
> root at hammerhead:/ # ip route show table wlan0
> #But here you find it in the wlan0 table
> default via 192.168.0.253 dev wlan0  proto static
> 192.168.0.0/24 dev wlan0  proto static  scope link
>
>
> The useful routing table depends on your network connectivity (wlan0 on
> wifi, rmnet0 on 3G in my case), and thus the simplest solution is to put
> tinc's routing in a new table with higher priority:
>
> # Use new routing table 100, to have higher priority than lollipop's ones
> ip rule add prio 100 from all lookup 100
> ip route add table 100 $REMOTEADDRESS $ORIGINAL_GATEWAY
> ip route add table 100 $VPN_GATEWAY dev $INTERFACE
>
>
> I've updated the examples from Tinc GUI's documentation accordingly:
> http://tinc_gui.poirsouille.org/
>
> Hope this helps,
> V
>
> 2015-03-27 15:38 GMT+01:00 Andrea Squeri <andrea.squeri at gmail.com>:
>
>> I switched to Lollipop 4 months ago and I never had an issue. So in my
>> opinion it is ready for daily use.
>> Before trying tinc I had my VPN implemented with OpenVPN, and it works great
>> on Lollipop. I switched to tinc because I prefer a mesh VPN topology versus a
>> client/server topology.
>>
>> --
>> Andrea Squeri
>> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>>
>> On Friday, 27 March 2015, at 11:57, Alexander Ypema wrote:
>>
>> I think it's more of a routing issue than anything explicitly blocking
>> it; they use a new 'ip rule list' and per-user settings that aren't well
>> documented yet either, but where exactly to point I don't know. I haven't
>> messed with Android 5 much yet; it seems not ready enough yet for daily
>> use, there isn't a single snapshot in the CyanogenMod repos, for example.
>> So maybe it's worth just sticking with Android 4 for now?
>>
>> Met vriendelijke groet / Kind regards,
>> Alexander Ypema
>>
>> On 27 March 2015 at 08:16, Andrea Squeri <andrea.squeri at gmail.com> wrote:
>>
>> I don't know.. It seems that no one has tried to make tinc work with
>> Lollipop. Even googling I didn't find anything about this topic.
>>
>> Andrea Squeri
>> On 27/mar/2015 06:55 "Tatsuyuki Ishi" <ishitatsuyuki at gmail.com>
>> wrote:
>>
>> SELinux is considered as the biggest problem.
>>
>> On Thu, Mar 26, 2015, 22:37 Andrea Squeri <andrea.squeri at gmail.com>
>> wrote:
>>
>> Yes. The problem is Lollipop. I tried to install tinc on my brother's
>> device, which runs cyano 10.1 (Android 4.2.2), and it works.
>> I don't understand what the problem with Lollipop is. Is there a
>> firewall that blocks the packets?
>>
>> Andrea Squeri
>> If you are running Lollipop / Android 5.x on your Nexus 5, then you are
>> probably seeing the same issue I was with it. Lollipop seems to change
>> networking quite a bit in that it's using iptables and `ip rule list`
>> extensively for per-user settings.
>> I think
>> http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/
>> is relevant if you're running into the same issue; it's confusing quite a
>> lot of folks. I was unable to get tinc-gui (or even tincd manually and
>> tinkering via adb shell) to work so I've downgraded my S5 to a 4.4.2 rom.
>> I'm not sure if coming up with a fancy tinc-up is the solution or someone
>> with the ability to get tinc compatible with the official Android VPN API
>> that a lot of the openvpn apps are using now.
>> You might be able to draw some inspiration from
>> https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh
>> but I haven't tried it since I've been back on 4.4.2.
>>
>> On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com>
>> wrote:
>>
>> Hi, first, sorry for my bad English.
>> I made a VPN with tinc to link my home and my two offices. In addition I
>> want to configure my Android device to link with my VPN.
>> The topology of the net is this:
>>
>> cubox (a Linux machine in my home with VPN address 192.168.0.20)
>> groppalbero (a Linux machine in my second office with VPN address
>> 192.168.0.40)
>> imac (a Mac machine in my first office with VPN address 192.168.0.50)
>> nexus5 (my Android device with VPN address 192.168.0.80)
>>
>> I have configured all the machines and now they all work except the Android
>> device.
>> On this I use the "Tinc Gui" app to configure it. When I start the tinc
>> daemon it connects to the configured host and the tun0 interface is created
>> and configured, but I can't ping any host
>> and no host can ping my Android device. The result of ping IS NOT a
>> "network unavailable" response. In fact it blocks on the operation, and from the
>> tinc gui log I can see that the packets are received by my Android device.
>> I suspect that it can be a problem with the route but I can't understand
>> what the problem is.
>>
>> For information, I paste the configuration from cubox and the Android device:
>>
>> CUBOX :
>>
>> --------------------------------------------------------------------------------------------------------
>> andre at cubox vpnalma]$ cat tinc.conf
>> # Sample tinc configuration file
>>
>> # This is a comment.
>> # Spaces and tabs are eliminated.
>> # The = sign isn't strictly necessary any longer, though you may want
>> # to leave it in as it improves readability :)
>> # Variable names are treated case insensitive.
>>
>> # The name of this tinc host. Required.
>> Name = cubox
>>
>> # The internet host to connect with.
>> # Comment these out to make yourself a listen-only connection
>> # You must use the name of another tinc host.
>> # May be used multiple times for redundance.
>> #ConnectTo = vaio
>> #ConnectTo = groppalbero
>> #ConnectTo = imac
>> #ConnectTo = servermarcy
>>
>> # The tap device tinc will use.
>> # Default is /dev/tap0 for ethertap or FreeBSD,
>> # /dev/tun0 for Solaris and OpenBSD,
>> # and /dev/net/tun for Linux tun/tap device.
>> Device = /dev/net/tun
>> [andre at cubox vpnalma]$ cat tinc-up
>> #!/bin/sh
>> # This file sets up the tap device.
>> # It gives you the freedom to do anything you want with it.
>> # Use the correct name for the tap device:
>> # The environment variable $INTERFACE is set to the right name
>> # on most platforms, but if it doesn't work try to set it manually.
>>
>> # Give it the right ip and netmask. Remember, the subnet of the
>> # tap device must be larger than that of the individual Subnets
>> # as defined in the host configuration file!
>> ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
>> #ip link set $INTERFACE up
>> #ip addr add  192.168.0.20/32 dev $INTERFACE
>> #ip route add 192.168.0.0/24 dev $INTERFACE
>> [andre at cubox vpnalma]$ cat hosts/cubox
>> # Sample host configuration file
>> # This file was generated by host beta.
>>
>> # The real IP address of this tinc host. Can be used by other tinc hosts.
>> Address = 10.0.0.7
>> Address = almaliberty.duckdns.org
>> # Portnumber for incoming connections. Default is 655.
>> Port = 655
>>
>> # Subnet on the virtual private network that is local for this host.
>> Subnet = 192.168.0.20/32
>> ————————————————————————————————————————————————————
>> The network is configured like this:
>>
>> ——————————————————————————————————————————————————————————————————————————————
>>
>> [andre at cubox vpnalma]$ ifconfig
>> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
>>         inet6 fe80::d263:b4ff:fe00:6a6b  prefixlen 64  scopeid 0x20<link>
>>         ether d0:63:b4:00:6a:6b  txqueuelen 1000  (Ethernet)
>>         RX packets 63975281  bytes 142504956 (135.9 MiB)
>>         RX errors 0  dropped 2  overruns 0  frame 0
>>         TX packets 35826176  bytes 2648965717 (2.4 GiB)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>>         inet 127.0.0.1  netmask 255.0.0.0
>>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>>         loop  txqueuelen 0  (Local Loopback)
>>         RX packets 167609  bytes 76370891 (72.8 MiB)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 167609  bytes 76370891 (72.8 MiB)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
>>         inet 192.168.0.20  netmask 255.255.255.0  destination 192.168.0.20
>>         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>>  txqueuelen 500  (UNSPEC)
>>         RX packets 8876  bytes 1765584 (1.6 MiB)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 5939  bytes 2394177 (2.2 MiB)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> [andre at cubox vpnalma]$ route
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use
>> Iface
>> default         router.asus.com 0.0.0.0         UG    1024   0        0
>> eth0
>> 10.0.0.0        *               255.255.255.0   U     0      0        0
>> eth0
>> router.asus.com *               255.255.255.255 UH    1024   0        0
>> eth0
>> 192.168.0.0     *               255.255.255.0   U     0      0        0
>> vpnalma
>> [andre at cubox vpnalma]$
>>
>> ——————————————————————————————————————————————————————————————————
>>
>> ON THE ANDROID DEVICE SIDE I HAVE THIS CONFIG:
>>
>>
>> u0_a167 at hammerhead:/ $ su
>> root at hammerhead:/ # cd sdcard/tinc/vpnalma
>> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc.conf
>> # Sample tinc configuration file
>>
>> # This is a comment.
>> # Spaces and tabs are eliminated.
>> # The = sign isn't strictly necessary any longer, though you may want
>> # to leave it in as it improves readability :)
>> # Variable names are treated case insensitive.
>>
>> # The name of this tinc host. Required.
>> Name = nexus5
>>
>> # The internet host to connect with.
>> # Comment these out to make yourself a listen-only connection
>> # You must use the name of another tinc host.
>> # May be used multiple times for redundance.
>> ConnectTo = cubox
>> ConnectTo = groppalbero
>> ConnectTo = imac
>> # The tap device tinc will use.
>> # Default is /dev/tap0 for ethertap or FreeBSD,
>> # /dev/tun0 for Solaris and OpenBSD,
>> # and /dev/net/tun for Linux tun/tap device.
>> #Mode = switch
>> Device = /dev/tun
>> #DeviceType = tap
>> #Interface = tap0
>> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
>> ScriptsInterpreter = /system/bin/sh
>> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
>> #!/bin/sh
>> # This file sets up the tap device.
>> # It gives you the freedom to do anything you want with it.
>> # Use the correct name for the tap device:
>> # The environment variable $INTERFACE is set to the right name
>> # on most platforms, but if it doesn't work try to set it manually.
>>
>> # Give it the right ip and netmask. Remember, the subnet of the
>> # tap device must be larger than that of the individual Subnets
>> # as defined in the host configuration file!
>> ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
>> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
>> #ip link set $INTERFACE up
>> #ip addr add  192.168.0.80/24 dev $INTERFACE
>> #ip route add 192.168.0.0/24 dev $INTERFACE
>> root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
>> sh: hosts/nexus5: can't execute: Permission denied
>> root at hammerhead:/sdcard/tinc/vpnalma # cat hosts/nexus5
>> # Sample host configuration file
>>
>> # The real IP address of this tinc host. Can be used by other tinc hosts.
>>
>> # Portnumber for incoming connections. Default is 655.
>> #Port = 655
>>
>> # Subnet on the virtual private network that is local for this host.
>> Subnet = 192.168.0.80/32
>>
>> -----BEGIN RSA PUBLIC KEY-----
>>
>> -----END RSA PUBLIC KEY-----
>>
>> root at hammerhead:/sdcard/tinc/vpnalma # ip addr
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>>     link/[530]
>>     inet 10.183.70.124/29 scope global rmnet0
>>     inet6 fe80::7561:c093:ea26:5781/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>     link/[530]
>> 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
>> 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
>> 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
>> 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
>> 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
>> 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
>> 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
>> 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
>> 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen
>> 1000
>>     link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
>> 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
>>     link/sit 0.0.0.0 brd 0.0.0.0
>> 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen
>> 1000
>>     link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
>> 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
>> qlen 1000
>>     link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
>> 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
>> pfifo_fast state UNKNOWN qlen 500
>>     link/none
>>     inet 192.168.0.80/24 scope global tun0
>>
>>
>> root at hammerhead:/sdcard/tinc/vpnalma # ip route
>> 10.183.70.120/29 dev rmnet0  proto kernel  scope link  src 10.183.70.124
>> 10.206.56.132 via 10.183.70.125 dev rmnet0  src 10.183.70.124
>> 10.207.43.46 via 10.183.70.125 dev rmnet0  src 10.183.70.124
>> 192.168.0.0/24 dev tun0  proto kernel  scope link  src 192.168.0.80
>>
>>
>> root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
>> PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
>> ^C
>> --- 192.168.0.20 ping statistics ---
>> 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
>>
>> 1|root at hammerhead:/sdcard/tinc/vpnalma #
>>
>>
>> ————————————————————————————————————————————————————————————————————————————————
>>
>> From the tinc gui log, which I can't copy and paste, I see that the device
>> is connected to cubox but I can't ping it.
>> --
>> Andrea Squeri
>> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>>
>>
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
>
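The policy-routing fix Vil describes in the quoted message (a dedicated table with a rule that outranks Lollipop's per-uplink tables) as a complete tinc-up/tinc-down helper. This is an added example written for this thread, not Tinc GUI's own script. Only $INTERFACE comes from tincd; VPN_ADDR, VPN_NET and REMOTE are assumed variables the operator fills in, TABLE=100 and PRIO=100 follow the quoted commands, and IP=echo switches the helper into a dry run that prints the ip commands instead of executing them. The script uses #!/bin/sh; on the device, Tinc GUI's ScriptsInterpreter = /system/bin/sh from the posted tinc.conf is what actually runs it.

```shell
#!/bin/sh
# Policy-routing helper for tinc on Android 5.x (Lollipop).
# Added example written for this thread; it is not Tinc GUI's own tinc-up.
# Assumptions (nothing here comes from tinc itself except $INTERFACE):
#   INTERFACE  set by tincd when it runs tinc-up (tun0 on the Nexus 5 above)
#   VPN_ADDR   this node's tinc address, e.g. 192.168.0.80
#   VPN_NET    the whole tinc subnet, e.g. 192.168.0.0/24
#   REMOTE     public IP of the tinc node we ConnectTo
# Set IP=echo to dry-run: the commands are printed instead of executed.

IP=${IP:-ip}
TABLE=${TABLE:-100}   # table id Android does not use; check with `ip rule show`
PRIO=${PRIO:-100}     # below Android's 10000+ rule priorities, so it is consulted first

# Pull "via <gw> dev <if>" (or just "dev <if>" for an on-link peer) out of the
# first line of `ip route get <addr>`. Lollipop keeps the default route in a
# per-uplink table (wlan0, rmnet0, ...) rather than in table main, so asking
# the kernel for the actual path is the reliable way to learn the uplink.
uplink_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[^ ]* *\(via [^ ]* \)\{0,1\}dev \([^ ]*\).*$/\1dev \2/p'
}

# Fill table $TABLE and attach it with a high-priority rule. The route to
# $REMOTE must point at the physical uplink: tinc's own traffic to the peer
# must never be steered into the tunnel it is carrying, otherwise the VPN
# loops on itself and nothing flows, which shows up as 100% ping loss.
vpn_route_up() {
    remote=$1; vpn_net=$2; iface=$3; uplink=$4
    # $uplink is "via X dev Y" and is word-split on purpose
    $IP route add table "$TABLE" "$remote" $uplink
    $IP route add table "$TABLE" "$vpn_net" dev "$iface"
    $IP rule add prio "$PRIO" from all lookup "$TABLE"
}

# Reverse of vpn_route_up, for tinc-down. Errors are ignored so a partially
# torn-down state (e.g. after a crash) can still be cleaned up.
vpn_route_down() {
    $IP rule del prio "$PRIO" from all lookup "$TABLE" 2>/dev/null
    $IP route flush table "$TABLE" 2>/dev/null
}

# When tincd invokes this file as tinc-up, $INTERFACE is set: bring the tun
# device up and install the routes. Sourcing the file from a shell without
# $INTERFACE only defines the functions, which is what the dry run relies on.
if [ -n "$INTERFACE" ] && [ -n "$REMOTE" ]; then
    ifconfig "$INTERFACE" "$VPN_ADDR" netmask 255.255.255.0
    vpn_route_up "$REMOTE" "$VPN_NET" "$INTERFACE" \
        "$(uplink_of "$($IP route get "$REMOTE" | head -n 1)")"
fi
```

For tinc-down, source the same file and call vpn_route_down so the rule and table do not accumulate across restarts. After tinc-up runs, `ip rule show` should list the prio 100 rule ahead of Android's own entries and `ip route show table 100` should contain exactly the two routes; if the rule is present but the peer route points at tun0 instead of wlan0/rmnet0, the uplink detection ran while the tunnel was already up and the script must be rerun before the tun route is installed.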