Trouble with UDP

Open chim1005 opened this issue 8 years ago • 6 comments

Hi Mohamed,

Thanks so much for sharing your work. I am a newbie to both Android and Java, but learning as I read your code. So this could very well be my issue.

I built an apk image with Android Studio 2.1RC and ran it on an ASUS (4.1.1) tablet with USB debugging enabled and connected to my Ubuntu box where Android Studio is running.

I can see logcat output. I have added more Log.i() into both TCP/UDP input/output to track.

With LocalVPN started, UDP packets to the DNS server (port 53) are captured, but no reply packet is seen. With LocalVPN stopped, Web browsing works fine. So I think it is not a DNS server connectivity issue.

I assume this should work. Thanks for any suggestion that you may have.

Here is a part of logcat output.

04-27 11:23:43.486 29098-29189/xyz.hexene.localvpn I/UDPOutput: UDP out:208.67.220.220:53:24941
04-27 11:23:43.486 29098-29189/xyz.hexene.localvpn I/UDPOutput: packet=Packet{ip4Header=IP4Header{version=4, IHL=5, typeOfService=0, totalLength=62, identificationAndFlagsAndFragmentOffset=-1001308160, TTL=64, protocol=17:UDP, headerChecksum=48955, sourceAddress=10.0.0.2, destinationAddress=208.67.220.220}, udpHeader=UDPHeader{sourcePort=24941, destinationPort=53, length=42, checksum=500}, payloadSize=34}
04-27 11:23:43.506 29098-29188/xyz.hexene.localvpn I/UDPInput: UDP in sleep 10
04-27 11:23:43.536 29098-29189/xyz.hexene.localvpn I/UDPOutput: UDP out write:208.67.220.220:53:24941
04-27 11:23:43.566 29098-29188/xyz.hexene.localvpn I/UDPInput: UDP in sleep 10

Thanks. -chang

chim1005 avatar Apr 27 '16 18:04 chim1005

I believe this is a bug in the Android VPN: https://code.google.com/p/android/issues/detail?id=64819. UDP packets are not transmitted properly because the source IP address is not correctly rewritten. My pull request attempts to fix this: https://github.com/hexene/LocalVPN/pull/4

imhotepisinvisible avatar Apr 27 '16 19:04 imhotepisinvisible

I tried the patch suggested. DNS is working now and moves further. Thanks.

A few observations.

  1. Unknown packet type with ICMP (protocol 1)

04-28 09:54:38.647 22072-22212/xyz.hexene.localvpn W/VPNRunnable: Unknown packet type
04-28 09:54:38.647 22072-22212/xyz.hexene.localvpn W/VPNRunnable: IP4Header{version=4, IHL=5, typeOfService=192, totalLength=576, identificationAndFlagsAndFragmentOffset=-198770688, TTL=64, protocol=1:Other, headerChecksum=4325, sourceAddress=192.168.1.107, destinationAddress=216.58.216.162}

  2. Source and destination IP addresses are swapped in TCP/UDPOutput. Why?

..
outputChannel.configureBlocking(false);
currentPacket.swapSourceAndDestination();

  3. Occasionally see TCP ECONNRESET error. Could this be due to excessive logging?

04-28 09:54:38.017 22072-22211/xyz.hexene.localvpn E/TCPOutput: Network write error: 216.58.216.162:443:37013
java.net.SocketException: sendto failed: ECONNRESET (Connection reset by peer)
    at libcore.io.IoBridge.maybeThrowAfterSendto(IoBridge.java:506)
    at libcore.io.IoBridge.sendto(IoBridge.java:489)
    at java.nio.SocketChannelImpl.writeImpl(SocketChannelImpl.java:369)
    at java.nio.SocketChannelImpl.write(SocketChannelImpl.java:327)
    at xyz.hexene.localvpn.TCPOutput.processACK(TCPOutput.java:244)
    at xyz.hexene.localvpn.TCPOutput.run(TCPOutput.java:101)

chim1005 avatar Apr 28 '16 18:04 chim1005

  1. Forwarding ICMP packets requires use of raw sockets which in turn requires root access. If root access was already available, the current implementation would be moot.
  2. The first packet for each connection from the device is cached and its modified header (with the source and destination addresses swapped, etc.) is used to form the complete IP packet for server responses to send back to the device.
  3. This is probably a timing issue, might need further investigation.

hexene avatar Apr 29 '16 08:04 hexene
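
The header reuse described in point 2 of the reply above, as an added example that is not part of the thread or of LocalVPN's code: a cached outbound IPv4/UDP header is turned into the header for a reply by swapping addresses and ports, fixing the lengths and recomputing the IP checksum. The class and method names are hypothetical; the sample packet is constructed from the addresses and ports in the logcat output, and the 50-byte reply payload length is made up.

```java
import java.nio.ByteBuffer;

public class ReplyHeaderDemo {  // hypothetical name, not a LocalVPN class
    // RFC 1071 one's-complement checksum over the IPv4 header.
    // When building a header, the checksum field must be zero before calling.
    static int ipChecksum(ByteBuffer b, int headerLen) {
        int sum = 0;
        for (int i = 0; i < headerLen; i += 2) sum += b.getShort(i) & 0xFFFF;
        while ((sum >> 16) != 0) sum = (sum & 0xFFFF) + (sum >> 16);
        return ~sum & 0xFFFF;
    }

    // Rewrite a cached outbound IPv4/UDP header in place so it can prefix
    // a reply carrying payloadLen bytes back to the device.
    static void toReplyHeader(ByteBuffer b, int payloadLen) {
        int ihl = (b.get(0) & 0x0F) * 4;                  // IP header length in bytes
        int src = b.getInt(12), dst = b.getInt(16);
        b.putInt(12, dst).putInt(16, src);                // swap addresses
        short sport = b.getShort(ihl), dport = b.getShort(ihl + 2);
        b.putShort(ihl, dport).putShort(ihl + 2, sport);  // swap ports
        b.putShort(ihl + 4, (short) (8 + payloadLen));    // UDP length
        b.putShort(ihl + 6, (short) 0);                   // UDP checksum 0 = not computed (valid over IPv4)
        b.putShort(2, (short) (ihl + 8 + payloadLen));    // IP total length
        b.putShort(10, (short) 0);                        // clear, then recompute checksum
        b.putShort(10, (short) ipChecksum(b, ihl));
    }

    static String ip(ByteBuffer b, int off) {
        return (b.get(off) & 0xFF) + "." + (b.get(off + 1) & 0xFF) + "."
             + (b.get(off + 2) & 0xFF) + "." + (b.get(off + 3) & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed outbound header: 10.0.0.2:24941 -> 208.67.220.220:53, TTL 64, UDP
        ByteBuffer b = ByteBuffer.allocate(28);
        b.put((byte) 0x45).put((byte) 0).putShort((short) 62).putInt(0)
         .put((byte) 64).put((byte) 17).putShort((short) 0)
         .put(new byte[]{10, 0, 0, 2})
         .put(new byte[]{(byte) 208, 67, (byte) 220, (byte) 220})
         .putShort((short) 24941).putShort((short) 53)
         .putShort((short) 42).putShort((short) 0);

        toReplyHeader(b, 50);
        System.out.printf("src=%s:%d dst=%s:%d totalLength=%d%n",
            ip(b, 12), b.getShort(20) & 0xFFFF, ip(b, 16), b.getShort(22) & 0xFFFF,
            b.getShort(2) & 0xFFFF);
        // A valid header sums to 0xFFFF, so re-running the checksum over it yields 0.
        System.out.println("IP header verifies: " + (ipChecksum(b, 20) == 0));
    }
}
```
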

Hi Mohamed,

Thanks for sharing your thoughts.

So on Android app level without root access, only TCP and UDP packets can be forwarded. This limitation should apply to all Apps. So any traffic initiated from Apps should be limited to either TCP or UDP and nothing else. In other words, these ICMP packets are not from Apps.

Do you see any possibility to restrict the packet capture to only those initiated by other Apps? Maybe through route setup or some sort of packet filter?

Thanks. -chang

chim1005 avatar Apr 29 '16 18:04 chim1005

Apologies for the delay.

With root access, yes, packet filters can be set up directly (using iptables, etc.). Please see adblockplusandroid for an example. In the absence of root, the approach used in LocalVPN is the only one I'm aware of. The packets generated by other apps will be forwarded to LocalVPN (through VpnService) from where it could be captured/filtered.

Hope this answers your question.

hexene avatar May 12 '16 04:05 hexene

Hey @hexene, I set the dedicated IP address, but what about the route address? Do I have to keep "0.0.0.0" for any dedicated IP address?

AuxanoWeb avatar Nov 09 '17 14:11 AuxanoWeb