Android VPNService Route Exclusion [closed]

I'm using OpenVPN and the new VpnService API that comes with ICS (Android 4.X).

Is there a way to define an exclusion of an IP address from the VPN tunnel? (so that traffic which is destined to that IP will be routed directly to the network, without passing through the VPN tunnel). We're trying to reduce network load and costs on our VPN by allowing bandwidth-intensive services such as YouTube to pass unencrypted, while still securing the rest of the traffic.

To my understanding, before Android opens the Tun device it can receive a list of routes that specifies which traffic SHOULD pass in the VPN and not which traffic to exclude:

VpnService.Builder API documentation

Sheronz18 asked Jan 27 '13 08:01




2 Answers

I needed to exclude a local WiFi subnet from the VPN. I used an approach of adding multiple routes instead of 0.0.0.0 / 0. For example, if you need to exclude subnet 192.168.240.90 / 21 (binary representation is 11000000.10101000.11110000.01011010), then you should add the following 21 routes to your VpnService (binary representation):

00000000.00000000.00000000.00000000 / 1
10000000.00000000.00000000.00000000 / 2
11100000.00000000.00000000.00000000 / 3
11010000.00000000.00000000.00000000 / 4
11001000.00000000.00000000.00000000 / 5
11000100.00000000.00000000.00000000 / 6
11000010.00000000.00000000.00000000 / 7
11000001.00000000.00000000.00000000 / 8
11000000.00000000.00000000.00000000 / 9
11000000.11000000.00000000.00000000 / 10
11000000.10000000.00000000.00000000 / 11
11000000.10110000.00000000.00000000 / 12
11000000.10100000.00000000.00000000 / 13
11000000.10101100.00000000.00000000 / 14
11000000.10101010.00000000.00000000 / 15
11000000.10101001.00000000.00000000 / 16
11000000.10101000.00000000.00000000 / 17
11000000.10101000.10000000.00000000 / 18
11000000.10101000.11000000.00000000 / 19
11000000.10101000.11100000.00000000 / 20
11000000.10101000.11111000.00000000 / 21

The idea is to invert the bit at the position of the prefix (from the right) and make all bits after the position of the prefix zero. As a result, all packets except those that go to the local subnet will match one or another route.

Eugene answered Sep 17 '22 11:09
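A worked version of the route-splitting technique from the answer above, added here as an example (it is not code from the answer, from the question's OpenVPN build, or from Android). It assumes only Python's standard ipaddress module and that the device resolves routes by longest prefix match. It generalises the single-subnet case to a list of excluded networks, reproduces the 21 routes listed above, and also yields the 32-route single-address case mentioned in the other answer; the sanity check on the number of tunnelled addresses is how you confirm nothing in the exclusion leaked into the tunnel and nothing outside it was dropped.

```python
"""Compute the VpnService.Builder.addRoute() list that leaves one or more
IPv4 subnets out of the tunnel (added example; assumptions noted inline)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def exclusion_routes(excluded: Iterable[str]) -> List[IPv4Network]:
    """Return the routes covering every IPv4 address NOT inside any excluded
    network, ordered by prefix length like the list in the answer.

    Starting from 0.0.0.0/0, a candidate block is kept whole if it does not
    overlap any exclusion, dropped if it lies entirely inside one, and
    otherwise split into its two halves (one more prefix bit) and re-examined.
    For a single exclusion this produces exactly the "invert the bit at the
    prefix position, zero everything after it" routes the answer describes;
    with several exclusions it yields the combined complement.
    """
    ex = [ipaddress.ip_network(e, strict=False) for e in excluded]
    routes: List[IPv4Network] = []
    pending = [ipaddress.ip_network("0.0.0.0/0")]
    while pending:
        block = pending.pop()
        if not any(block.overlaps(e) for e in ex):
            routes.append(block)            # wholly outside: route into the VPN
        elif any(block.subnet_of(e) for e in ex):
            continue                        # wholly excluded: no route, stays local
        else:
            pending.extend(block.subnets(prefixlen_diff=1))  # partial overlap: split
    return sorted(routes, key=lambda n: (n.prefixlen, int(n.network_address)))


def as_binary(net: IPv4Network) -> str:
    """Render a route in the dotted-binary notation used in the answer."""
    octets = ".".join(f"{o:08b}" for o in net.network_address.packed)
    return f"{octets} / {net.prefixlen}"


def add_route_args(routes: Iterable[IPv4Network]) -> List[Tuple[str, int]]:
    """(address, prefixLength) pairs in the shape Builder.addRoute() takes."""
    return [(str(r.network_address), r.prefixlen) for r in routes]


def route_for(address: str, routes: Iterable[IPv4Network]) -> Optional[IPv4Network]:
    """Longest-prefix match, as the device's routing table would resolve it.
    None means the address matches no tunnel route and leaves via the
    normal network interface instead of the VPN."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r]
    return max(matches, key=lambda r: r.prefixlen) if matches else None


def covered_addresses(routes: Iterable[IPv4Network]) -> int:
    """Total addresses the route list sends into the tunnel. For disjoint
    exclusions this must equal 2**32 minus the size of the exclusions."""
    return sum(r.num_addresses for r in routes)


if __name__ == "__main__":
    routes = exclusion_routes(["192.168.240.90/21"])   # the answer's own example
    for r in routes:
        print(as_binary(r))
    print(len(routes), "routes;", covered_addresses(routes), "addresses tunnelled")
    for ip in ("192.168.241.7", "8.8.8.8", "192.168.248.1"):   # constructed sample addresses
        print(ip, "->", route_for(ip, routes))
```

Each pair from add_route_args() maps directly onto a call to VpnService.Builder.addRoute(String address, int prefixLength) before establish(). Newer platform releases (API level 33 and later) add Builder.excludeRoute(IpPrefix), which expresses the same intent without the expansion, but the route list above remains the portable approach for the ICS-era API the question is about.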


Short answer: no.

Long answer: you either have to use multiple routes (e.g. using 32 routes from /1 to /32 to exclude an IP), or you can parse the packets and proxy them using a new protected socket (possibly CPU intensive).

plaisthos answered Sep 18 '22 11:09