I'm using OpenVPN and the new VpnService API that comes with ICS (Android 4.X).
Is there a way to define an exclusion of an IP address from the VPN tunnel (so that traffic destined to that IP is routed directly to the network, without passing through the VPN tunnel)? We're trying to reduce network load and costs on our VPN by allowing bandwidth-intensive services such as YouTube to pass unencrypted, while still securing the rest of the traffic.
To my understanding, before Android opens the TUN device it can receive a list of routes that specifies which traffic SHOULD pass through the VPN, not which traffic to exclude:
VpnService.Builder API documentation
I needed to exclude a local WiFi subnet from the VPN. I used the approach of adding multiple routes instead of 0.0.0.0/0. For example, if you need to exclude the subnet 192.168.240.90/21 (binary representation 11000000.10101000.11110000.01011010), then you should add the following 21 routes to your VpnService (in binary representation):
00000000.00000000.00000000.00000000 / 1
10000000.00000000.00000000.00000000 / 2
11100000.00000000.00000000.00000000 / 3
11010000.00000000.00000000.00000000 / 4
11001000.00000000.00000000.00000000 / 5
11000100.00000000.00000000.00000000 / 6
11000010.00000000.00000000.00000000 / 7
11000001.00000000.00000000.00000000 / 8
11000000.00000000.00000000.00000000 / 9
11000000.11000000.00000000.00000000 / 10
11000000.10000000.00000000.00000000 / 11
11000000.10110000.00000000.00000000 / 12
11000000.10100000.00000000.00000000 / 13
11000000.10101100.00000000.00000000 / 14
11000000.10101010.00000000.00000000 / 15
11000000.10101001.00000000.00000000 / 16
11000000.10101000.00000000.00000000 / 17
11000000.10101000.10000000.00000000 / 18
11000000.10101000.11000000.00000000 / 19
11000000.10101000.11100000.00000000 / 20
11000000.10101000.11111000.00000000 / 21
The idea is to invert the bit at the position of the prefix (from the right) and zero all bits after the position of the prefix. As a result, all packets except those going to the local subnet will match one route or another.
Short answer: no.
Long answer: you either have to add multiple routes (e.g. using 32 routes from /1 to /32 to exclude an IP), or you can parse the packets and proxy them using a new protected socket (possibly CPU intensive).
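Both answers above describe the same construction: one route per prefix length, each agreeing with the excluded network on the first p-1 bits and differing at bit p, so that the excluded prefix is the only hole left in the routing table. The example below is added here and is not code from either answer or from the Android project; it is written in Python rather than the Java a VpnService app would use, so the route list can be generated and checked offline, and it generalizes from the 21-route /21 case and the 32-route single-host case to any prefix length (IPv6 included, since `ipaddress` handles both families). The function names `exclusion_routes`, `check_exclusion`, `matching_route` and `add_route_args` are my own; the only Android API referenced is `VpnService.Builder.addRoute(String address, int prefixLength)`, whose arguments `add_route_args` produces. The sample prefixes are the ones used on this page plus a constructed 10.0.0.1/32 host.

```python
import ipaddress


def exclusion_routes(excluded_cidr):
    """Routes that together match every address EXCEPT excluded_cidr.

    For each prefix length p = 1..P (P = length of the excluded prefix), keep
    the first p-1 bits of the excluded network, invert bit p and zero the
    rest. Route p catches every address that agrees with the excluded network
    on the first p-1 bits but differs at bit p; the only addresses caught by
    none of the routes are those agreeing on all P bits, i.e. the excluded
    subnet itself. Works for /32 (one host) as well as for wider prefixes.
    """
    net = ipaddress.ip_network(excluded_cidr, strict=False)
    base = int(net.network_address)
    width = net.max_prefixlen            # 32 for IPv4, 128 for IPv6
    routes = []
    for p in range(1, net.prefixlen + 1):
        bit = 1 << (width - p)           # bit p, counted from the left
        tail = (1 << (width - p)) - 1    # every bit after bit p
        addr = (base ^ bit) & ~tail      # flip bit p, zero the tail
        routes.append(f"{type(net.network_address)(addr)}/{p}")
    return routes


def check_exclusion(routes, excluded_cidr):
    """True if the routes are pairwise disjoint, none of them touches the
    excluded subnet, and together with it they cover the whole address space.
    Use this to validate a hand-written list before handing it to addRoute."""
    excl = ipaddress.ip_network(excluded_cidr, strict=False)
    nets = [ipaddress.ip_network(r) for r in routes]
    if any(n.overlaps(excl) for n in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    total = sum(n.num_addresses for n in nets) + excl.num_addresses
    return total == 2 ** excl.max_prefixlen


def matching_route(routes, ip):
    """The route a destination would take through the tunnel, or None if it
    falls into the hole and therefore bypasses the VPN unencrypted."""
    addr = ipaddress.ip_address(ip)
    for r in routes:
        if addr in ipaddress.ip_network(r):
            return r
    return None


def add_route_args(routes):
    """(address, prefixLength) pairs, the argument shape of
    VpnService.Builder.addRoute(String, int) in an Android app."""
    return [(r.rsplit("/", 1)[0], int(r.rsplit("/", 1)[1])) for r in routes]


if __name__ == "__main__":
    # The /21 WiFi subnet from the first answer and a constructed /32 host.
    for cidr in ("192.168.240.90/21", "10.0.0.1/32"):
        routes = exclusion_routes(cidr)
        print(f"{cidr}: {len(routes)} routes, valid={check_exclusion(routes, cidr)}")
        for address, prefix_len in add_route_args(routes):
            print(f"  builder.addRoute({address!r}, {prefix_len})")
```

Everything that `matching_route` reports as `None` leaves the device in cleartext on the underlying network, so keep the excluded prefix as narrow as the use case allows and re-run `check_exclusion` whenever the list is edited; a single mistyped octet in a 21-line list silently widens the hole or creates an overlapping route.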