Allow apps to bypass the VPN #24

Merged
merged 1 commit into from
Aug 2, 2018
6 changes: 5 additions & 1 deletion Android/app/src/main/java/app/intra/DnsVpnService.java
@@ -436,7 +436,11 @@ private ParcelFileDescriptor establishVpn() {
.addDnsServer(privateIpv6Address.router);

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
builder = builder.setBlocking(true); // Only available in API >= 21
// Only available in API >= 21
builder = builder.setBlocking(true);
// Some WebRTC apps rely on the ability to bind to specific interfaces, which is only
// possible if we allow bypass.
builder = builder.allowBypass();
@ignoramous ignoramous (Contributor) Mar 19, 2021
Isn't allowBypass required only for apps that don't offer full routing (unlike Intra, which does route all of the IPv4 space)?

I read the source and I see either RULE_PRIORITY_SECURE_VPN or RULE_PRIORITY_BYPASSABLE_VPN fwmarks set on netId and sockets depending on whether the VPN is secure (which it is when allowBypass is not set or the VPN is in "lockdown mode", aka the "Block connections without VPN" mode settable by the user through Android's VPN settings), which (I am not sure) are used to make routing decisions later?

Regardless, it remains unclear to me whether WebRTC ICE sessions benefit from allowBypass. Is there a way to validate this?

An unintended effect of setting allowBypass is that the VPN is without Internet connectivity if the user also chooses to start it in "lockdown mode" (Ref); and so allowBypass must be unset when the VPN is locked down, like so: celzero/rethink-app@71e1a840b, to unblock connectivity to the Internet.

@ignoramous ignoramous (Contributor) Mar 22, 2021

Isn't allowBypass required only for apps that don't offer full routing (unlike Intra which does route all of the IPv4 space)?

In addition to this, it might be worth taking a look at IntraVpnService#setUnderlyingNetworks, which only adds one network, the current active network, but could also add all other networks the OS is connected to (with the active network in the first position in the array).

Also: allowBypass, from the documentation, lets an app bind its sockets to any network, but if all networks are also bound to VPN, then they might not need to bypass the VPN in the first place?
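The two suggestions in the comments above (drop allowBypass when the user has enabled lockdown, and hand the OS every connected non-VPN network as an underlying network with the active one first) sketched as a single VpnService, as an added example that is not Intra's or rethink-app's own code. The class name BypassAwareVpnService, the helper names, and the tunnel and DNS addresses are assumptions made for the example; the Android calls are real, with the API levels they need noted in the comments (the lockdown query only exists from API 29, so older releases are treated as not locked down, which is itself an assumption about the desired behaviour).

```java
// Added example, not Intra's own code. Builds the tunnel the way the thread suggests:
// allowBypass() only when lockdown is off, and all non-VPN networks passed as
// underlying networks, active network first.
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.Network;
import android.net.NetworkCapabilities;
import android.net.VpnService;
import android.os.Build;
import android.os.ParcelFileDescriptor;

import java.util.ArrayList;
import java.util.List;

public class BypassAwareVpnService extends VpnService { // hypothetical class name

    // Placeholder addresses for the example; a real service picks its own ranges.
    private static final String TUN_IPV4 = "10.111.222.1";
    private static final String DNS_IPV4 = "10.111.222.3";

    ParcelFileDescriptor establishVpn() {
        Builder builder = new Builder()
                .setSession("example")
                .setMtu(1500)
                .addAddress(TUN_IPV4, 24)
                .addRoute("0.0.0.0", 0)      // route the whole IPv4 space, as Intra does
                .addDnsServer(DNS_IPV4)
                .setBlocking(true);           // API 21

        if (!lockdownActive()) {
            // Outside lockdown, let apps that bind sockets to a specific network
            // (the WebRTC case in the diff) skip the tunnel. Note this applies to
            // every app, so DNS sent from such a socket also skips our resolver.
            builder.allowBypass();            // API 21
        }

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) {
            Network[] underlying = underlyingNetworks();
            if (underlying.length > 0) {
                builder.setUnderlyingNetworks(underlying); // API 22
            }
        }
        return builder.establish();
    }

    // "Block connections without VPN" can only be queried from API 29 (Android 10).
    // Assumption for the example: older releases are treated as not locked down.
    private boolean lockdownActive() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q && isLockdownEnabled();
    }

    // Every connected non-VPN network, with the active network in position 0 so
    // the OS prefers it and can fail over to the others.
    private Network[] underlyingNetworks() {
        ConnectivityManager cm =
                (ConnectivityManager) getSystemService(Context.CONNECTIVITY_SERVICE);
        List<Network> ordered = new ArrayList<>();

        Network active = Build.VERSION.SDK_INT >= Build.VERSION_CODES.M
                ? cm.getActiveNetwork()        // API 23
                : null;
        if (active != null && !isVpn(cm, active)) {
            ordered.add(active);
        }
        for (Network n : cm.getAllNetworks()) { // API 21
            if (!ordered.contains(n) && !isVpn(cm, n)) {
                ordered.add(n);
            }
        }
        return ordered.toArray(new Network[0]);
    }

    // Never list a VPN network (including our own tunnel once it is up) as an
    // underlying network; that would route the tunnel into itself.
    private static boolean isVpn(ConnectivityManager cm, Network n) {
        NetworkCapabilities caps = cm.getNetworkCapabilities(n);
        return caps != null && caps.hasTransport(NetworkCapabilities.TRANSPORT_VPN);
    }
}
```

The VPN-transport filter matters because getAllNetworks() returns the VPN's own network once establish() has succeeded; re-establishing the tunnel on a network change without that filter would list the old tunnel as an underlying network of the new one.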


try {
// Workaround for any app incompatibility bugs.
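Review bot: allowBypass() is applied unconditionally inside the LOLLIPOP branch, and the new comment states only the WebRTC motivation, not the cost: allowBypass() lets every app, not just WebRTC ones, bind sockets to the underlying network and send its own DNS queries outside the tunnel that `.addDnsServer(privateIpv6Address.router)` is meant to capture. Suggest extending the comment to spell out that trade-off, and gating the call on a user-visible setting (or on lockdown not being enabled, as raised in the thread above) rather than always running `builder = builder.allowBypass();`.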