* Multiple VPN connections on Android
From: Julian Orth @ 2019-03-26 14:17 UTC
To: WireGuard mailing list

Hello list,

I'm currently using WireGuard on Android for two purposes:

1. Routing all traffic via a commercial VPN provider to protect myself on
   open wireless networks.
2. Connecting to my home network.

Unfortunately WireGuard on Android does not allow me to do both of these
things at the same time. I assume this is because VpnService [1] only allows 1
VPN connection at a time.

Has any thought been put into emulating multiple tun devices in user space?

Julian

[1] https://developer.android.com/reference/android/net/VpnService.html
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

* Re: Multiple VPN connections on Android
From: mikma.wg @ 2019-03-26 19:35 UTC
To: Julian Orth, wireguard

On 2019-03-26 15:17, Julian Orth wrote:
> Hello list,
>
> I'm currently using WireGuard on Android for two purposes:
>
> 1. Routing all traffic via a commercial VPN provider to protect myself on
>    open wireless networks.
> 2. Connecting to my home network.
>
> Unfortunately WireGuard on Android does not allow me to do both of these
> things at the same time. I assume this is because VpnService [1] only allows 1
> VPN connection at a time.

Can't you add the peer for your home network to the same configuration (tun
device) as the peer for the commercial VPN provider? It seems a straightforward
solution to me if you are okay with the IP addresses assigned by the VPN
provider.

> Has any thought been put into emulating multiple tun devices in user space?

I don't see why you would need multiple tun devices. It is possible to add
multiple IPv4 and IPv6 addresses to the tun device, but there may be a problem
with the source address selection. Linux allows specifying a preferred address
for each route, but it isn't possible in the Android API AFAIK. If you have a
rooted device then you can potentially update the routing tables with the
preferred source address for each VPN route.

/Mikma

> Julian
>
> [1] https://developer.android.com/reference/android/net/VpnService.html

[parent not found: <911c5ed5-0bf8-80bb-cf15-7b2c6ee896fa@m7n.se>]
* Re: Multiple VPN connections on Android
From: Julian Orth @ 2019-04-07 10:37 UTC
To: mikma.wg; +Cc: WireGuard mailing list

On 3/26/19 8:49 PM, mikma.wg@lists.m7n.se wrote:
>
> On 2019-03-26 15:17, Julian Orth wrote:
>> Hello list,
>>
>> I'm currently using WireGuard on Android for two purposes:
>>
>> 1. Routing all traffic via a commercial VPN provider to protect myself on
>>    open wireless networks.
>> 2. Connecting to my home network.
>>
>> Unfortunately WireGuard on Android does not allow me to do both of these
>> things at the same time. I assume this is because VpnService [1] only allows 1
>> VPN connection at a time.
>
> Can't you add the peer for your home network to the same configuration (tun
> device) as the peer for the commercial VPN provider? It seems a straight
> forward solution to me if you are okay with the IP addresses assigned by the
> VPN provider.

Using the same src IP is not going to work in my case. The VPN provider might
also assign me a new IP and then I might have to reconfigure my home network.
Not something I want to deal with.

But this would also require me to share the same public key between my home
network and the VPN provider. For some reason this does not feel right to me.
On the other hand, I use the same SSH key on multiple sites so maybe this
feeling is not justified.

My current provider allows me to generate the key pair locally and to only send
them the public key. If they insisted on generating the keys on their servers
and sending me the private key, then this solution would be impossible.

>
>>
>> Has any thought been put into emulating multiple tun devices in user space?
>
> I don't see why you would need multiple tun devices.

By "emulating multiple tun devices" I did not mean emulating all of the
functionality of tun devices. Packets are processed as follows right now:

1. Kernel chooses the correct route and device
2. Kernel sends the packet via the device
3. If the device is a wireguard tun device:
   a. Choose the peer and wrap the packet in a wireguard packet
   b. Goto 1 with the original packet replaced by the wrapped packet

What I suggest is emulating steps 1 and 2. An emulated tun device would
therefore only have to consist of a set of assigned routes and an instance of
the wireguard core that implements step 3.

Let's say the Android app currently processes packets as follows:

    void process(packet) {
        peer, packet := wireguard.process(packet);
        peer.udp_send(packet);
    }

My suggestion is to change this as follows:

    void process(packet) {
        seen_peers := { }; // a set
        while (true) {
            tap_dev := find_tap_dev(packet.dst);
            peer, packet := tap_dev.process(packet);
            if (seen_peers.contains(peer)) {
                // routing loop
                return;
            }
            seen_peers.add(peer);
            if (find_tap_dev(packet.dst) == null) {
                peer.udp_send(packet);
                return;
            }
        }
    }

The Android tun device created via VpnService would then of course contain the
union of all routes of the emulated tun devices.

> It is possible to add
> multiple IPv4 and IPv6 addresses to the tun device, but there may be a problem
> with the source address selection. Linux allows specifying a preferred address
> for each route, but it isn't possible in the Android API AFAIK. If you have a
> rooted device then you can potentially update the routing tables with the
> preferred source address for each VPN route.

I don't think routing should be necessary for this. Afaik, other VPN apps
already support using multiple tunnels at once.

>
> /Mikma

PS: Your mail was classified as spam by gmail.

* Re: Multiple VPN connections on Android
From: Matthias Urlichs @ 2019-04-07 10:55 UTC
To: wireguard

On 07.04.19 12:37, Julian Orth wrote:
> If they insisted on generating the keys on their servers
> and sending me the private key

A VPN provider who does this obviously has no clue whatsoever, and thus
should not be used in the first place.

--
-- Matthias Urlichs

* Re: Multiple VPN connections on Android
From: Jason A. Donenfeld @ 2019-04-08 1:39 UTC
To: Julian Orth; +Cc: WireGuard mailing list

That's an interesting point; in theory it's probably possible to multiplex
into one tun device, provided the routes for each distinct wg interface don't
overlap.

On Sun, Apr 7, 2019, 19:37 Julian Orth <ju.orth@gmail.com> wrote:

> On 3/26/19 8:49 PM, mikma.wg@lists.m7n.se wrote:
> >
> > On 2019-03-26 15:17, Julian Orth wrote:
> >> Hello list,
> >>
> >> I'm currently using WireGuard on Android for two purposes:
> >>
> >> 1. Routing all traffic via a commercial VPN provider to protect myself on
> >>    open wireless networks.
> >> 2. Connecting to my home network.
> >>
> >> Unfortunately WireGuard on Android does not allow me to do both of these
> >> things at the same time. I assume this is because VpnService [1] only allows 1
> >> VPN connection at a time.
> >
> > Can't you add the peer for your home network to the same configuration (tun
> > device) as the peer for the commercial VPN provider? It seems a straight
> > forward solution to me if you are okay with the IP addresses assigned by the
> > VPN provider.
>
> Using the same src IP is not going to work in my case. The VPN provider might
> also assign me a new IP and then I might have to reconfigure my home network.
> Not something I want to deal with.
>
> But this would also require me to share the same public key between my home
> network and the VPN provider. For some reason this does not feel right to me.
> On the other hand, I use the same SSH key on multiple sites so maybe this
> feeling is not justified.
>
> My current provider allows me to generate the key pair locally and to only send
> them the public key. If they insisted on generating the keys on their servers
> and sending me the private key, then this solution would be impossible.
>
> >
> >>
> >> Has any thought been put into emulating multiple tun devices in user space?
> >
> > I don't see why you would need multiple tun devices.
>
> By "emulating multiple tun devices" I did not mean emulating all of the
> functionality of tun devices. Packets are processed as follows right now:
>
> 1. Kernel chooses the correct route and device
> 2. Kernel sends the packet via the device
> 3. If the device is a wireguard tun device:
>    a. Choose the peer and wrap the packet in a wireguard packet
>    b. Goto 1 with the original packet replaced by the wrapped packet
>
> What I suggest is emulating steps 1 and 2. An emulated tun device would
> therefore only have to consist of a set of assigned routes and an instance of
> the wireguard core that implements step 3.
>
> Let's say the Android app currently processes packets as follows:
>
>     void process(packet) {
>         peer, packet := wireguard.process(packet);
>         peer.udp_send(packet);
>     }
>
> My suggestion is to change this as follows:
>
>     void process(packet) {
>         seen_peers := { }; // a set
>         while (true) {
>             tap_dev := find_tap_dev(packet.dst);
>             peer, packet := tap_dev.process(packet);
>             if (seen_peers.contains(peer)) {
>                 // routing loop
>                 return;
>             }
>             seen_peers.add(peer);
>             if (find_tap_dev(packet.dst) == null) {
>                 peer.udp_send(packet);
>                 return;
>             }
>         }
>     }
>
> The Android tun device created via VpnService would then of course contain the
> union of all routes of the emulated tun devices.
>
> > It is possible to add
> > multiple IPv4 and IPv6 addresses to the tun device, but there may be a problem
> > with the source address selection. Linux allows specifying a preferred address
> > for each route, but it isn't possible in the Android API AFAIK. If you have a
> > rooted device then you can potentially update the routing tables with the
> > preferred source address for each VPN route.
>
> I don't think routing should be necessary for this. Afaik, other VPN apps
> already support using multiple tunnels at once.
>
> >
> > /Mikma
>
> PS: Your mail was classified as spam by gmail.

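An added sketch, not code from the thread or from the WireGuard project, of the multiplexing idea discussed above: the re-routing loop with its routing-loop guard from Julian Orth's proposal, plus the non-overlap condition from Jason A. Donenfeld's reply. `Entry`, `CheckDisjoint` and `Dispatch` are hypothetical names, encapsulation is modelled only by switching to the tunnel's endpoint address, one peer per tunnel is assumed, and all addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Entry is one route of an emulated tunnel (hypothetical type, one peer per tunnel).
type Entry struct {
	Tunnel   string
	Route    netip.Prefix
	Endpoint netip.Addr // outer destination after encapsulation
}

// CheckDisjoint rejects tables where routes of two different tunnels overlap.
func CheckDisjoint(tab []Entry) error {
	for i, a := range tab {
		for _, b := range tab[i+1:] {
			if a.Tunnel != b.Tunnel && a.Route.Overlaps(b.Route) {
				return fmt.Errorf("%s %v overlaps %s %v", a.Tunnel, a.Route, b.Tunnel, b.Route)
			}
		}
	}
	return nil
}

// Dispatch wraps and re-routes until no tunnel claims dst; revisiting a tunnel is a loop.
func Dispatch(tab []Entry, dst netip.Addr) ([]string, error) {
	seen, chain := map[string]bool{}, []string{}
next:
	for {
		for _, e := range tab {
			if e.Route.Contains(dst) {
				if seen[e.Tunnel] {
					return chain, fmt.Errorf("routing loop at %s", e.Tunnel)
				}
				seen[e.Tunnel], chain, dst = true, append(chain, e.Tunnel), e.Endpoint
				continue next
			}
		}
		return chain, nil // chain is innermost first; outer packet leaves via the real network
	}
}

func main() { // constructed sample: "home" is reached through "provider"
	fmt.Println(Dispatch([]Entry{
		{"home", netip.MustParsePrefix("192.168.1.0/24"), netip.MustParseAddr("10.64.0.1")},
		{"provider", netip.MustParsePrefix("10.64.0.0/16"), netip.MustParseAddr("203.0.113.7")},
	}, netip.MustParseAddr("192.168.1.10")))
}
```

A full-tunnel route such as 0.0.0.0/0 next to a home-LAN route fails `CheckDisjoint`, which is the overlap case the non-overlap condition excludes.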