
VPN service: Tunnel interface write() from native lib does not fwd pkt to end applications ?

Open nanayak opened this issue 3 years ago • 3 comments

Hi,

I am coding an app with a native (C/C++) lib to create a tunnel interface and inspect read/write pkts prior to forwarding via the actual physical interface. I am interfacing via JNI to create and manage tunnel as described in the documentation at: https://developer.android.com/reference/android/net/VpnService.

The current situation: The tun0 interface gets created with IP and routes are set up. The native lib does receive the pkt on read(tun_fd). The issue is: write(tun_fd) succeeds, however the end application (e.g. ping) does not receive the response. The interface counters on the tunnel interface do show "RX" incrementing and no drops!!

Am I running into any policy-based routing issues? Appreciate any pointers! Please redirect if this is not the correct forum for this issue. Thank you!

Android Version: 11

gta7litewifi:/ $ ifconfig tun0
tun0 Link encap:UNSPEC
     inet addr:10.10.20.3 P-t-P:10.10.20.3 Mask:255.255.255.255
     inet6 addr: fe80::24cd:7b38:a0b1:90e7/64 Scope: Link
     UP POINTOPOINT RUNNING MTU:1500 Metric:1
     RX packets:218 errors:0 dropped:0 overruns:0 frame:0 >>>> no drops RX increments when data is written into tun_fd
     TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:500
     RX bytes:29184 TX bytes:18936

gta7litewifi:/ $ ip route show table 1056 >>>> 1056 is the table created for the tun interface.
default dev tun0 proto static scope link
10.10.20.3 dev tun0 proto static scope link

gta7litewifi:/ $ ip route get 8.8.8.8 >>> to make sure the route is pointing to tun0 IF for outgoing traffic
8.8.8.8 dev tun0 table 1056 src 10.10.20.3 uid 2000
    cache
gta7litewifi:/ $ ip route get 10.10.20.3
local 10.10.20.3 dev lo table local src 10.10.20.3 uid 2000
    cache

nanayak avatar Oct 26 '21 02:10 nanayak
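
A check that can be run on each buffer before write(tun_fd), as an added example that is not from this thread or from ndk-samples. The RX counter on tun0 is an interface counter, so it does not by itself show that the IPv4 header of the written packet is well formed; this validates version, header length, total length, header checksum and destination address. The function and enum names are hypothetical, the sample packet is constructed, and the destination is assumed to be the tunnel address from the post (10.10.20.3).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this added example. */
enum tun_check { TUN_OK, TUN_SHORT, TUN_NOT_IPV4, TUN_BAD_IHL,
                 TUN_BAD_LEN, TUN_BAD_CSUM, TUN_BAD_DST };

/* RFC 1071 ones'-complement sum over the header; a valid header
 * (checksum field included) folds to 0xffff. */
static uint16_t fold_sum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        s += ((uint32_t)p[i] << 8) | p[i + 1];
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Validate the IPv4 header of a buffer about to be written to tun_fd.
 * tun_addr is the address assigned to the tunnel, in network byte order. */
enum tun_check tun_ipv4_check(const uint8_t *pkt, size_t len,
                              const uint8_t tun_addr[4])
{
    if (len < 20) return TUN_SHORT;
    if ((pkt[0] >> 4) != 4) return TUN_NOT_IPV4;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return TUN_BAD_IHL;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot < ihl || tot > len) return TUN_BAD_LEN;   /* truncated buffer */
    if (fold_sum(pkt, ihl) != 0xffff) return TUN_BAD_CSUM;
    for (int i = 0; i < 4; i++)
        if (pkt[16 + i] != tun_addr[i]) return TUN_BAD_DST;
    return TUN_OK;
}

/* Constructed sample: ICMP echo reply 8.8.8.8 -> 10.10.20.3, 28 bytes. */
static const uint8_t sample_reply[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x40,0x01,0x4c,0xc5,
    0x08,0x08,0x08,0x08, 0x0a,0x0a,0x14,0x03,
    0x00,0x00,0xff,0xff, 0x00,0x00,0x00,0x00 };
static const uint8_t sample_tun_addr[4] = { 10, 10, 20, 3 };

int main(void)
{
    printf("check = %d\n", tun_ipv4_check(sample_reply, sizeof sample_reply, sample_tun_addr));
    return 0;
}
```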

I need to ask domain experts to give comments; it might also take some time before we get to this one. You may also try on Stack Overflow in the meantime.

ggfan avatar Oct 26 '21 03:10 ggfan

Thanks for the response. Posted on Stack Overflow as well. No inputs so far. Can you please help get in touch with domain experts? Thanks in advance.

nanayak avatar Oct 27 '21 20:10 nanayak

Hi Gerry,

I used the ToyVPN app and see the same issue as well. The reverse/response pkts do get written to the tun0 interface and interface stats increment, but the app is left waiting for the response. Not adding any routes in builder.

Debug logs (for ping to 8.8.8.8 going through tunnel) from the VPN client main-loop code (Unknown(1) == ICMP):
14:06:55.632 13484-14141/com.example.android.toyvpn V/ToyVpnService: [TX] S: /10.10.20.1, D: /8.8.8.8, Unknown(1), hdr: 20
14:06:55.750 13484-14141/com.example.android.toyvpn V/ToyVpnService: [RX] S: /8.8.8.8, D: /10.10.20.1, Unknown(1), hdr: 20

ifconfig tun0 Link encap:UNSPEC
     inet addr:10.10.20.1 P-t-P:10.10.20.1 Mask:255.255.255.255
     inet6 addr: fe80::e1e3:19ae:c25:5178/64 Scope: Link
     UP POINTOPOINT RUNNING MTU:1500 Metric:1
     RX packets:183 errors:0 dropped:0 overruns:0 frame:0
     TX packets:374 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:500
     RX bytes:14124 TX bytes:30135

Appreciate any pointers.

nanayak avatar Oct 29 '21 00:10 nanayak

I don't understand what this has to do with the samples? Which sample are you talking about? Can reopen when that's clarified.

DanAlbert avatar May 03 '24 22:05 DanAlbert