From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Julian Orth <ju.orth@gmail.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Multiple VPN connections on Android
Date: Mon, 8 Apr 2019 10:39:48 +0900
Message-ID: <CAHmME9r3rb1ib6c03=z5662ZdP4O2sPTyvGikpWAPKOUChkY=A@mail.gmail.com>
In-Reply-To: <d46cbe36-887a-d7ab-4daa-3aea02b78e8c@gmail.com>
That's an interesting point; in theory it's probably possible to multiplex
into one tun device, provided the routes for each distinct wg interface
don't overlap.
On Sun, Apr 7, 2019, 19:37 Julian Orth <ju.orth@gmail.com> wrote:
> On 3/26/19 8:49 PM, mikma.wg@lists.m7n.se wrote:
> > On 2019-03-26 15:17, Julian Orth wrote:
> >> Hello list,
> >>
> >> I'm currently using WireGuard on Android for two purposes:
> >>
> >> 1. Routing all traffic via a commercial VPN provider to protect myself on
> >>    open wireless networks.
> >> 2. Connecting to my home network.
> >>
> >> Unfortunately WireGuard on Android does not allow me to do both of these
> >> things at the same time. I assume this is because VpnService [1] only allows
> >> 1 VPN connection at a time.
> >
> > Can't you add the peer for your home network to the same configuration (tun
> > device) as the peer for the commercial VPN provider? It seems a
> > straightforward solution to me if you are okay with the IP addresses assigned
> > by the VPN provider.
>
> Using the same src IP is not going to work in my case. The VPN provider might
> also assign me a new IP and then I might have to reconfigure my home network.
> Not something I want to deal with.
>
> But this would also require me to share the same public key between my home
> network and the VPN provider. For some reason this does not feel right to me.
> On the other hand, I use the same SSH key on multiple sites so maybe this
> feeling is not justified.
>
> My current provider allows me to generate the key pair locally and to only send
> them the public key. If they insisted on generating the keys on their servers
> and sending me the private key, then this solution would be impossible.
>
> >
> >>
> >> Has any thought been put into emulating multiple tun devices in user space?
> >
> > I don't see why you would need multiple tun devices.
>
> By "emulating multiple tun devices" I did not mean emulating all of the
> functionality of tun devices. Packets are processed as follows right now:
>
> 1. Kernel chooses the correct route and device
> 2. Kernel sends the packet via the device
> 3. If the device is a wireguard tun device:
>    a. Choose the peer and wrap the packet in a wireguard packet
>    b. Goto 1 with the original packet replaced by the wrapped packet
>
> What I suggest is emulating steps 1 and 2. An emulated tun device would
> therefore only have to consist of a set of assigned routes and an instance of
> the wireguard core that implements step 3.
>
> Let's say the Android app currently processes packets as follows:
>
> void process(packet) {
>     peer, packet := wireguard.process(packet);
>     peer.udp_send(packet);
> }
>
> My suggestion is to change this as follows:
>
> void process(packet) {
>     seen_peers := { }; // a set
>     while (true) {
>         tap_dev := find_tap_dev(packet.dst);
>         peer, packet := tap_dev.process(packet);
>         if (seen_peers.contains(peer)) {
>             // routing loop
>             return;
>         }
>         seen_peers.add(peer);
>         if (find_tap_dev(packet.dst) == null) {
>             peer.udp_send(packet);
>             return;
>         }
>     }
> }
>
> The Android tun device created via VpnService would then of course contain the
> union of all routes of the emulated tun devices.
>
> > It is possible to add multiple IPv4 and IPv6 addresses to the tun device, but
> > there may be a problem with the source address selection. Linux allows
> > specifying a preferred address for each route, but it isn't possible in the
> > Android API AFAIK. If you have a rooted device then you can potentially update
> > the routing tables with the preferred source address for each VPN route.
>
> I don't think routing should be necessary for this. AFAIK, other VPN apps
> already support using multiple tunnels at once.
>
> >
> > /Mikma
>
> PS: Your mail was classified as spam by gmail.
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
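The multiplexing loop from Julian's pseudocode above, worked through in Go as an added example (this is not code from the thread, from wireguard-android or from wireguard-go; every type, function name and address below is this example's own assumption, and the endpoints are documentation addresses). Two emulated tun devices share one route table: a commercial VPN holding the default route, and a home network on 192.168.1.0/24. Route lookup is longest-prefix over the union of routes (step 1 in the thread); each emulated device then does cryptokey routing over its peers' AllowedIPs (step 3), and "wrapping" is modelled only as the packet's outer destination becoming the peer's endpoint, with encryption left out. The wrapped packet is routed again until it leaves via UDP, and the seen-peers set turns a misconfigured endpoint cycle into a dropped packet instead of an endless loop. One thing the pseudocode leaves implicit, which the example makes explicit with the `t != last` condition: a wrapped packet must never be routed back into the tun that just produced it, otherwise a tunnel holding the default route would wrap its own transport packets forever. On a real Android VpnService tun that bypass is what protecting the app's UDP socket provides.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Peer is one WireGuard peer: AllowedIPs (cryptokey routing) plus its UDP endpoint.
type Peer struct {
	Name       string
	AllowedIPs []netip.Prefix
	Endpoint   netip.Addr
}

// EmulatedTun is an "emulated tun device" as in the thread: routes plus a peer table.
type EmulatedTun struct {
	Routes []netip.Prefix
	Peers  []*Peer
}

var ErrNoPeer = errors.New("destination matches no peer AllowedIP")
var ErrRoutingLoop = errors.New("routing loop between emulated tuns")

// longestBits is the length of the most specific prefix containing addr, or -1.
func longestBits(prefixes []netip.Prefix, addr netip.Addr) int {
	best := -1
	for _, p := range prefixes {
		if p.Contains(addr) && p.Bits() > best {
			best = p.Bits()
		}
	}
	return best
}

// findTun emulates step 1: route lookup over the union of all routes; nil means "not a VPN route".
func findTun(tuns []*EmulatedTun, dst netip.Addr) (best *EmulatedTun) {
	bestBits := -1
	for _, t := range tuns {
		if bits := longestBits(t.Routes, dst); bits > bestBits {
			best, bestBits = t, bits
		}
	}
	return best
}

// selectPeer is the cryptokey-routing half of step 3: the peer whose AllowedIPs best cover dst.
func (t *EmulatedTun) selectPeer(dst netip.Addr) (best *Peer, err error) {
	bestBits := -1
	for _, peer := range t.Peers {
		if bits := longestBits(peer.AllowedIPs, dst); bits > bestBits {
			best, bestBits = peer, bits
		}
	}
	if best == nil {
		err = ErrNoPeer // WireGuard drops such packets too
	}
	return best, err
}

// Multiplex is the loop from the thread's pseudocode: route, wrap, re-route until the
// wrapped packet leaves via UDP. It returns the peers wrapped for, in order, and the outer
// destination handed to the UDP socket; an empty path means dst was not a VPN route at all.
// The t != last condition stops a tun from re-wrapping its own output (see the lead-in).
func Multiplex(tuns []*EmulatedTun, dst netip.Addr) (path []string, endpoint netip.Addr, err error) {
	seen := map[*Peer]bool{}
	var last *EmulatedTun
	for t := findTun(tuns, dst); t != nil && t != last; t = findTun(tuns, dst) {
		peer, perr := t.selectPeer(dst)
		if perr != nil {
			return path, netip.Addr{}, perr
		}
		if seen[peer] {
			return path, netip.Addr{}, ErrRoutingLoop
		}
		seen[peer] = true
		path = append(path, peer.Name)
		dst, last = peer.Endpoint, t // the wrapped packet's outer destination
	}
	return path, dst, nil
}

// ExampleTuns is a constructed configuration for the thread's scenario: a commercial VPN
// holding the default route and a home network on 192.168.1.0/24 (documentation addresses).
func ExampleTuns() []*EmulatedTun {
	cidr, addr := netip.MustParsePrefix, netip.MustParseAddr
	return []*EmulatedTun{
		{Routes: []netip.Prefix{cidr("0.0.0.0/0")}, Peers: []*Peer{
			{Name: "provider", AllowedIPs: []netip.Prefix{cidr("0.0.0.0/0")}, Endpoint: addr("203.0.113.10")}}},
		{Routes: []netip.Prefix{cidr("192.168.1.0/24")}, Peers: []*Peer{
			{Name: "home-gw", AllowedIPs: []netip.Prefix{cidr("192.168.1.0/24")}, Endpoint: addr("198.51.100.5")}}},
	}
}

func main() {
	path, ep, err := Multiplex(ExampleTuns(), netip.MustParseAddr("192.168.1.20"))
	fmt.Println(path, ep, err)
}
```

With this configuration a packet for the home network is wrapped twice, first for home-gw and then for the provider, because the home gateway's endpoint falls under the default route; a packet for any other IPv4 address is wrapped once; an IPv6 packet matches no route and leaves untouched. Pointing the provider's endpoint into 192.168.1.0/24 makes the two tunnels route into each other, and the seen-peers check reports ErrRoutingLoop rather than spinning.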
Thread overview: 5+ messages
2019-03-26 14:17 Julian Orth
2019-03-26 19:35 ` mikma.wg
[not found] ` <911c5ed5-0bf8-80bb-cf15-7b2c6ee896fa@m7n.se>
2019-04-07 10:37 ` Julian Orth
2019-04-07 10:55 ` Matthias Urlichs
2019-04-08 1:39 ` Jason A. Donenfeld [this message]