Android VPNService Route Exclusion [closed]
I'm using OpenVPN and the new VpnService API that comes with ICS (Android 4.x).

Is there a way to define an exclusion of an IP address from the VPN tunnel (so that traffic destined to that IP is routed directly to the network, without passing through the VPN tunnel)? We're trying to reduce network load and costs on our VPN by allowing bandwidth-intensive services such as YouTube to pass unencrypted, while still securing the rest of the traffic.

To my understanding, before Android opens the tun device it can receive a list of routes that specifies which traffic SHOULD pass through the VPN, not which traffic to exclude:

VpnService.Builder API documentation

Ar answered 27/1, 2013 at 8:41 Comment(0)

I needed to exclude a local WiFi subnet from the VPN. I used an approach of adding multiple routes instead of 0.0.0.0 / 0. For example, if you need to exclude the subnet 192.168.240.90 / 21 (binary representation is 11000000.10101000.11110000.01011010), then you should add the following 21 routes to your VpnService (in binary representation):

00000000.00000000.00000000.00000000 / 1
10000000.00000000.00000000.00000000 / 2
11100000.00000000.00000000.00000000 / 3
11010000.00000000.00000000.00000000 / 4
11001000.00000000.00000000.00000000 / 5
11000100.00000000.00000000.00000000 / 6
11000010.00000000.00000000.00000000 / 7
11000001.00000000.00000000.00000000 / 8
11000000.00000000.00000000.00000000 / 9
11000000.11000000.00000000.00000000 / 10
11000000.10000000.00000000.00000000 / 11
11000000.10110000.00000000.00000000 / 12
11000000.10100000.00000000.00000000 / 13
11000000.10101100.00000000.00000000 / 14
11000000.10101010.00000000.00000000 / 15
11000000.10101001.00000000.00000000 / 16
11000000.10101000.00000000.00000000 / 17
11000000.10101000.10000000.00000000 / 18
11000000.10101000.11000000.00000000 / 19
11000000.10101000.11100000.00000000 / 20
11000000.10101000.11111000.00000000 / 21

The idea is to invert the bit at the position of the prefix (from the right) and zero all bits after the position of the prefix. As a result, all packets except those going to the local subnet will match one route or another.

Smell answered 22/12, 2016 at 17:59 Comment(0)

Short answer: no.

Long answer: you either have to add multiple routes (e.g. using 32 routes from /1 to /32 to exclude an IP), or you can parse the packets and proxy them using a new protected socket (possibly CPU intensive).

Danish answered 27/1, 2013 at 11:11 Comment(2)
Thanks! 1. OpenVPN allows adding routes with the following schema: route <ip> <mask> <gateway>. Is your answer based on the fact that the ICS VPN service only allows adding routes to the VPN interface and not to any other interface? (The addRoute() function does not receive the destination gateway as a parameter.) 2. Do you know where I can find an algorithm for calculating the "reverse" routes given a set of IPs to exclude? Ar
No, I don't have an algorithm, but it should be pretty easy. If in doubt, open another question on that on SO. Danish
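The bit-inversion construction from the answer above, and the "reverse routes" algorithm asked for in the comment, written out as an added example (not code from the original post, and not part of OpenVPN or Android). It generalizes the single-subnet case to any number of disjoint excluded networks: start from 0.0.0.0/0, and whenever an exclusion lies inside a route, replace that route with the sibling prefixes at each split level. A second function checks the result by confirming that the routes plus the exclusions tile the whole IPv4 space without overlap, which is the property a VPN app should verify before handing the list to the tun device. The sample subnet 192.168.240.90/21 and 10.0.0.0/8 are the constructed inputs; the helper names are this example's own.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network
ALL_V4 = IPv4Net("0.0.0.0/0")


def _siblings(container: IPv4Net, excluded: IPv4Net) -> List[IPv4Net]:
    """Routes that cover `container` minus `excluded` (excluded must lie inside container).

    For each prefix length p from container.prefixlen+1 up to excluded.prefixlen:
    keep the first p-1 bits of the excluded address, flip bit p, zero everything
    after it. That /p route is the "other half" at each level of the split.
    """
    base = int(excluded.network_address)
    routes = []
    for p in range(container.prefixlen + 1, excluded.prefixlen + 1):
        flip = 1 << (32 - p)                           # bit p, counted from the left
        mask = (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF   # keep only the first p bits
        routes.append(IPv4Net(((base ^ flip) & mask, p)))
    return routes


def routes_excluding(excluded: Iterable[str]) -> List[IPv4Net]:
    """Replace the single 0.0.0.0/0 route with routes covering everything except
    the given networks. Each result becomes one addRoute(address, prefixLength)
    call on VpnService.Builder; nothing else is needed for the excluded traffic
    to bypass the tunnel, because unrouted destinations fall back to the
    physical interface."""
    routes = [ALL_V4]
    for text in excluded:
        ex = IPv4Net(text, strict=False)   # accept host form like 192.168.240.90/21
        updated = []
        for r in routes:
            if r.subnet_of(ex):            # route lies entirely inside the exclusion: drop
                continue
            if ex.subnet_of(r):            # exclusion lies inside this route: split around it
                updated.extend(_siblings(r, ex))
            else:                          # unrelated route: keep as is
                updated.append(r)
        routes = updated
    return routes


def is_exact_complement(routes: Iterable[IPv4Net], excluded: Iterable[str]) -> bool:
    """True if the routes and the exclusions tile all of IPv4 with no overlap,
    i.e. exactly the excluded networks are missing from the tunnel's routing."""
    exclusions = list(ipaddress.collapse_addresses(IPv4Net(t, strict=False) for t in excluded))
    pieces = list(routes) + exclusions
    if sum(p.num_addresses for p in pieces) != ALL_V4.num_addresses:
        return False
    return not any(a.overlaps(b) for i, a in enumerate(pieces) for b in pieces[i + 1:])


def to_binary(net: IPv4Net) -> str:
    """Render a route in the dotted-binary form used in the answer above."""
    return ".".join(f"{b:08b}" for b in net.network_address.packed) + f" / {net.prefixlen}"


if __name__ == "__main__":
    wifi = ["192.168.240.90/21"]               # constructed sample: the local WiFi subnet
    rs = routes_excluding(wifi)
    for r in rs:
        print(to_binary(r), "  ", r)
    print(len(rs), "routes; exact complement:", is_exact_complement(rs, wifi))
```

The cost is one route per prefix bit, so a single host (/32) needs 32 routes and every further exclusion that falls inside an existing route adds up to that route's remaining bits; the check function catches a missing or duplicated route before it silently sends traffic the wrong way. On Android 13 (API level 33) and later, VpnService.Builder also offers excludeRoute(IpPrefix), which makes this workaround unnecessary there.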
