> -----Original Message-----
> From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
> Sent: Thursday 10 May 2012 2:10
> To: Arne Schwabe
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH] Openvpn for Android 4.0 Changeset
>
> On Thu, May 10, 2012 at 3:01 AM, Arne Schwabe <a...@rfc2549.org> wrote:
> > On 10.05.12 01:39, Alon Bar-Lev wrote:
> >> On Thu, May 10, 2012 at 2:24 AM, Arne Schwabe <a...@rfc2549.org> wrote:
> >>>> I need a better description of the tun process... so far I did not
> >>>> understand why you cannot use the standard approach of creating a
> >>>> persistent tun with non-root access and then use the iproute2
> >>>> wrapper with suid or sudo to set up its configuration.
> >>>>
> >>>> Alon.
> >>> I have no root access on the telephone. But Android 4.0 provides an
> >>> API for VPNs
> >>> (http://developer.android.com/reference/android/net/VpnService.html).
> >>> Looking at my method that opens the tun device to be passed over the
> >>> management socket might also give an idea how it is done in Android:
> >>> http://code.google.com/p/ics-openvpn/source/browse/src/de/blinkt/openvpn/OpenVpnService.java#220
> >>>
> >>> Arne
> >> I understand.
> >>
> >> But... let's discuss another approach...
> >>
> >> Implement an android-ip program that uses the Android API, and put
> >> "iproute2 android-ip" in the configuration.
> >>
> >> Now, the interface of the program is similar to what iproute is
> >> receiving, but instead of netlink it does the Android API.
> >>
> >> So actually you can receive requests from openvpn via this interface
> >> without modifying openvpn...
> >>
> >> Maybe I am missing something, please bear with me.
> >>
> > The Android API in this case is Java. There is no C API that can be
> > used. Opening the tun device requires passing the fd of the tun device
> > to openvpn. Also, for sockets that should not be routed over the
> > tun device the Java API provides a protect(int fd) API. That means the
> > socket from openvpn needs to be passed to the Java GUI to call the
> > protect method.
> >
> > I see 2 ways to accomplish this:
> >
> > - Using the Java native interface to directly call into Java from
> > C and vice versa. This worked, but since openvpn was not really usable
> > as a library I got other problems (the google code repository has an
> > earlier version of the code which uses this.)
> > - Keep openvpn as a separate process and pass the fd over a unix socket.
> > (One of the more obscure Unix APIs)
> >
> > The requirement that all information such as ip addresses, dns and routes
> > must be available means that the persist-tun device cannot be used if
> > I also want to be able to use pull.
> >
> > Calling external programs could eliminate the "ROUTE", "DNS",
> > "DOMAIN", "IFCONFIG" management commands I have introduced. But the
> > patch also implements two fd-passing management commands, "PROTECT-FD"
> > (passes fd from openvpn to GUI) and "OPENTUN" (passes fd from GUI to
> > openvpn).
> >
> > Arne
> >
>
> Great, so we can first shrink the patch!
>
> So two features you implied...
>
> 1. pass pre-opened tun device
>
> are you sure there are no alternatives to this? how does the java api
> receive the handle anyway?
>
I agree with Arne's approach of letting the tun driver be passed through the management interface. This is the way things work in Android VPNService land. I still need to go through the code though.

> 2. the "protect" API.
>
> Can you please explain more about the functionality of the "protect"
> API? why is this actually required? maybe there are alternatives.
>
About the protect API: The VPNService API routes all traffic through the VPN by default. The socket used by OpenVPN needs to be "protected" from this, using a special function call. Therefore, Android Java needs this call.

Adriaan
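Arne's second option above, keeping openvpn as a separate process and handing it the already-opened tun fd over a Unix-domain socket, as an added C example that is not code from the patch or from OpenVPN: a sender and receiver using SCM_RIGHTS ancillary data (the same mechanism the OPENTUN and PROTECT-FD commands rely on), with a pipe standing in for the tun device so the check runs anywhere. The function names are my own.

```c
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Send one descriptor over a connected AF_UNIX socket as SCM_RIGHTS
 * ancillary data; a single dummy byte carries it. 0 on success, -1 on error. */
int send_fd(int sock, int fd_to_send) {
    struct msghdr msg; struct iovec iov; char dummy = 'F';
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(&msg, 0, sizeof(msg)); memset(cbuf, 0, sizeof(cbuf));
    iov.iov_base = &dummy; iov.iov_len = 1;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf);
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the kernel-duplicated fd, or -1 if the
 * message carried no SCM_RIGHTS payload. */
int recv_fd(int sock) {
    struct msghdr msg; struct iovec iov; char dummy;
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(&msg, 0, sizeof(msg));
    iov.iov_base = &dummy; iov.iov_len = 1;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf);
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Self-check (constructed): a pipe's write end stands in for the tun fd; pass it
 * across a socketpair and confirm the received fd refers to the same pipe. */
int demo_pass_fd(void) {
    int sp[2], pfd[2], got; char buf[4] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(pfd) < 0) return 0;
    if (send_fd(sp[0], pfd[1]) < 0 || (got = recv_fd(sp[1])) < 0) return 0;
    if (write(got, "tun", 3) != 3 || read(pfd[0], buf, 3) != 3) return 0;
    close(got); close(pfd[0]); close(pfd[1]); close(sp[0]); close(sp[1]);
    return strcmp(buf, "tun") == 0;
}
```

The receiving side gets its own descriptor number for the same open file, which is why the GUI process can open the tun device (or hold the socket for protect()) while openvpn does the I/O.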