authorArne Schwabe <arne@rfc2549.org>2015-04-21 15:13:23 +0200
committerArne Schwabe <arne@rfc2549.org>2015-04-21 15:13:23 +0200
commit58fcc7a0b426b780a998dcfaf061035001a0ba0a (patch)
tree9509b636918a79385192cb56144990d51a8bf6e3
parent0ae6d7a0d5f02c536183d65ba1fafbcd790dcd6e (diff)
Log stupid bug of Samsung telephones to ignore DNS servers outside the VPN range...
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/CIDRIP.java1
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java29
-rw-r--r--main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java1
-rwxr-xr-xmain/src/main/res/values/strings.xml2
4 files changed, 27 insertions, 6 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/core/CIDRIP.java b/main/src/main/java/de/blinkt/openvpn/core/CIDRIP.java
index e525abd5..94ed8a0b 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/CIDRIP.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/CIDRIP.java
@@ -54,6 +54,7 @@ class CIDRIP {
} else {
return false;
}
+
}
static long getInt(String ipaddr) {
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index 81dea416..113142b7 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -498,8 +498,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
VpnStatus.logInfo(R.string.last_openvpn_tun_config);
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mProfile.mAllowLocalLAN)
- {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mProfile.mAllowLocalLAN) {
allowAllAFFamilies(builder);
}
@@ -573,6 +572,26 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
}
}
+ if ("samsung".equals(Build.BRAND) && Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mDnslist != null && mDnslist.size() >= 1) {
+ // Check if the first DNS Server is in the VPN range
+ try {
+ ipAddress dnsServer = new ipAddress(new CIDRIP(mDnslist.get(0), 32), true);
+ boolean dnsIncluded=false;
+ for (ipAddress net : positiveIPv4Routes) {
+ if (net.containsNet(dnsServer)) {
+ dnsIncluded = true;
+ }
+ }
+ if (!dnsIncluded) {
+ String samsungwarning = String.format("Warning Samsung Android 5.0+ devices ignore DNS servers outside the VPN range. To enable DNS add a custom route to your DNS Server (%s) or change to a DNS inside your VPN range", mDnslist.get(0));
+ VpnStatus.logWarning(samsungwarning);
+ }
+ } catch (Exception e) {
+ VpnStatus.logError("Error parsing DNS Server IP: " + mDnslist.get(0));
+ }
+ }
+
+
if (mDomain != null)
builder.addSearchDomain(mDomain);
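Review bot: The added Samsung check inspects only `mDnslist.get(0)`, so a second or later DNS server lying outside `positiveIPv4Routes` is never reported, although the warning text says the device ignores any such server. An ignored VPN resolver presumably means lookups are answered by a resolver outside the tunnel, so every entry should be tested: wrap the `try` block in `for (String dns : mDnslist) {` (assuming the list holds strings, as the `%s` formatting suggests) and use `dns` in place of `mDnslist.get(0)`. The check builds a `/32` `CIDRIP` and compares against IPv4 routes only, so an IPv6 DNS server would likely fall into `catch (Exception e)` and be logged as a parse error; that catch also drops `e`, and the warning is a hard-coded English `String.format` rather than a strings.xml entry like the `R.string` log calls elsewhere in this file. The enclosing method starts and ends outside this hunk.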
@@ -613,7 +632,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
try {
//Debug.stopMethodTracing();
ParcelFileDescriptor tun = builder.establish();
- if (tun==null)
+ if (tun == null)
throw new NullPointerException("Android establish() method returned null (Really broken network configuration?)");
return tun;
} catch (Exception e) {
@@ -664,11 +683,11 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
intf.startsWith("tun") || intf.startsWith("rmnet"))
continue;
- if (ipAddr==null || netMask == null) {
+ if (ipAddr == null || netMask == null) {
VpnStatus.logError("Local routes are broken?! (Report to author) " + TextUtils.join("|", localRoutes));
continue;
}
-
+
if (ipAddr.equals(mLocalIP.mIp))
continue;
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
index 91a683b8..5c881f77 100644
--- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
+++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
@@ -155,6 +155,7 @@ public class FaqFragment extends Fragment {
new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.ab_not_route_to_vpn_title, R.string.ab_not_route_to_vpn),
new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.tap_mode, R.string.tap_faq3),
+ // DNS weirdness in Samsung 5.0: https://plus.google.com/117315704597472009168/posts/g78bZLWmqgD
};
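Review bot: The comment added at the end of the FAQ array documents the Samsung DNS behaviour only through a link to an external post, and no `FAQEntry` is added, so the FAQ shown to users does not mention it. The comment should state the behaviour itself so it survives the link disappearing, for example `// Samsung Android 5.0+ ignores DNS servers outside the VPN routes (OpenVPNService logs a warning); FAQ entry still missing`. The array initializer starts outside this hunk.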
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index 7eb1c66c..9312a402 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -377,7 +377,7 @@
<string name="ab_persist_tun_title">Persist tun mode</string>
<string name="version_and_later">%s and later</string>
<string name="tls_cipher_alert_title">Connections fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure</string>
- <string name="tls_cipher_alert">Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman) causes some problems. This usually caused by an well-intentioned but poorly executed attempts to strengthen TLS security by setting tls-cipher on the server.\nTo solve this problem the problem, set the tls-cipher settings on the server to reasonable default like tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\". To work around the problem on the client add the custom option tls-cipher DEFAULT on the Android client.</string>
+ <string name="tls_cipher_alert">Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman) causes some problems. This usually caused by an well-intentioned but poorly executed attempts to strengthen TLS security by setting tls-cipher on the server or some embedded OSes with stripped down SSL (e.g. MikroTik).\nTo solve this problem the problem, set the tls-cipher settings on the server to reasonable default like tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\". To work around the problem on the client add the custom option tls-cipher DEFAULT on the Android client.</string>
<string name="message_no_user_edit">This profile has been added from an external app (%s) and has been marked as not user editable.</string>
<string name="crl_file">Certificate Revocation List</string>