diff options
author | Arne Schwabe <arne@rfc2549.org> | 2022-08-02 01:25:40 +0200 |
---|---|---|
committer | Arne Schwabe <arne@rfc2549.org> | 2022-08-02 01:25:40 +0200 |
commit | 2ea430e30bb5078d52c783018eeb364e6e108138 (patch) | |
tree | bcb48a6db5c393c4135ef2a37c514cc840d75334 /main/src | |
parent | 1b6616661683cea71bcab21c3bb75b3520c5b501 (diff) |
Use route exclusion API available in API 33
Diffstat (limited to 'main/src')
-rw-r--r-- | main/src/main/cpp/CMakeLists.txt | 2 | ||||
m--------- | main/src/main/cpp/openvpn3 | 0 | ||||
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java | 30 | ||||
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java | 83 | ||||
-rw-r--r-- | main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java | 1 |
5 files changed, 88 insertions, 28 deletions
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt index 0921e807..c0222151 100644 --- a/main/src/main/cpp/CMakeLists.txt +++ b/main/src/main/cpp/CMakeLists.txt @@ -45,6 +45,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s -c++ -java -package net.openvpn.ovpn3 -outcurrentdir + -DOPENVPN_PLATFORM_ANDROID -I${CMAKE_SOURCE_DIR}/openvpn3/client -I${CMAKE_SOURCE_DIR}/openvpn3 ${CMAKE_SOURCE_DIR}/openvpn3/client/ovpncli.i) @@ -92,7 +93,6 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s -DASIO_STANDALONE -DUSE_ASIO -DGIT_VERSION_STRING=\"${OPENVPN3_GIT}\" - -DNO_ROUTE_EXCLUDE_EMULATION -DOPENVPN_SHOW_SESSION_TOKEN -DOPENSSL_API_COMPAT=0x10200000L -DOPENVPN_ALLOW_INSECURE_CERTPROFILE diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3 -Subproject 9f02ce1670f75d8f3b9eb903394368fee53cd05 +Subproject a6296185ec5d6f604ed2c66a3e1c81ff99e387f diff --git a/main/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java b/main/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java index 5876ead5..9c8cf363 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java +++ b/main/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java @@ -5,11 +5,17 @@ package de.blinkt.openvpn.core; -import android.os.Build; +import android.net.IpPrefix; + import androidx.annotation.NonNull; +import java.lang.reflect.Array; import java.math.BigInteger; +import java.net.Inet4Address; import java.net.Inet6Address; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.Arrays; import java.util.Collection; import java.util.Locale; import java.util.PriorityQueue; @@ -203,6 +209,28 @@ public class NetworkSpace { return a && b; } + + public IpPrefix getPrefix() throws UnknownHostException { + if (isV4){ + /* add 0x01 00 00 00 00, so that all representations are 5 byte otherwise + /* numbers that are above 0x7fffffff get a leading 0x00 byte to not be negative + and small number 1-3 bytes*/ + byte[] ipBytes = netAddress.add(BigInteger.valueOf(0x0100000000L)).toByteArray(); + ipBytes = Arrays.copyOfRange(ipBytes, 1, 5); + + InetAddress inet4addr = Inet4Address.getByAddress(ipBytes); + return new IpPrefix(inet4addr, networkMask); + } + else + { + /* same dance for IPv6 */ + byte[] ipBytes = netAddress.add(BigInteger.ONE.shiftLeft(128)).toByteArray(); + ipBytes = Arrays.copyOfRange(ipBytes, 1, 17); + + InetAddress inet6addr = Inet6Address.getByAddress(ipBytes); + return new IpPrefix(inet6addr, networkMask); + } + } } diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java index 8d8ea145..d3de35f9 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java +++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java @@ -5,9 +5,11 @@ package de.blinkt.openvpn.core; +import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_CONNECTED; +import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_WAITING_FOR_USER_INPUT; +import static de.blinkt.openvpn.core.NetworkSpace.IpAddress; + import android.Manifest.permission; -import android.annotation.TargetApi; -import android.app.Activity; import android.app.Notification; import android.app.NotificationManager; import android.app.PendingIntent; @@ -21,6 +23,7 @@ import android.content.pm.ShortcutManager; import android.content.res.Configuration; import android.content.res.Resources; import android.net.ConnectivityManager; +import android.net.IpPrefix; import android.net.ProxyInfo; import android.net.Uri; import android.net.VpnService; @@ -62,10 +65,6 @@ import de.blinkt.openvpn.api.ExternalAppDatabase; import de.blinkt.openvpn.core.VpnStatus.ByteCountListener; import de.blinkt.openvpn.core.VpnStatus.StateListener; -import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_CONNECTED; -import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_WAITING_FOR_USER_INPUT; -import static de.blinkt.openvpn.core.NetworkSpace.IpAddress; - public class OpenVPNService extends VpnService implements StateListener, Callback, ByteCountListener, IOpenVPNServiceInternal { public static final String START_SERVICE = "de.blinkt.openvpn.START_SERVICE"; public static final String START_SERVICE_STICKY = "de.blinkt.openvpn.START_SERVICE_STICKY"; @@ -813,26 +812,12 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac } } - IpAddress multicastRange = new IpAddress(new CIDRIP("224.0.0.0", 3), true); - - for (IpAddress route : positiveIPv4Routes) { - try { - if (multicastRange.containsNet(route)) - VpnStatus.logDebug(R.string.ignore_multicast_route, route.toString()); - else - builder.addRoute(route.getIPv4Address(), route.networkMask); - } catch (IllegalArgumentException ia) { - VpnStatus.logError(getString(R.string.route_rejected) + route + " " + ia.getLocalizedMessage()); - } - } - - for (IpAddress route6 : positiveIPv6Routes) { - try { - builder.addRoute(route6.getIPv6Address(), route6.networkMask); - } catch (IllegalArgumentException ia) { - VpnStatus.logError(getString(R.string.route_rejected) + route6 + " " + ia.getLocalizedMessage()); - } + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) { + installRoutesExcluded(builder, mRoutes); + installRoutesExcluded(builder, mRoutesv6); + } else { + installRoutesPostiveOnly(builder, positiveIPv4Routes, positiveIPv6Routes); } @@ -872,7 +857,10 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac if (mProxyInfo != null) { VpnStatus.logInfo(R.string.proxy_info, mProxyInfo.getHost(), mProxyInfo.getPort()); } - VpnStatus.logDebug(R.string.routes_debug, TextUtils.join(", ", positiveIPv4Routes), TextUtils.join(", ", positiveIPv6Routes)); + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU) { + /* On Tiramisu we install the routes exactly like promised */ + VpnStatus.logDebug(R.string.routes_debug, TextUtils.join(", ", positiveIPv4Routes), TextUtils.join(", ", positiveIPv6Routes)); + } setAllowedVpnPackages(builder); if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) { // VPN always uses the default network @@ -928,6 +916,49 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac } + private void installRoutesExcluded(Builder builder, NetworkSpace routes) + { + for(IpAddress ipIncl: routes.getNetworks(true)) + { + try { + builder.addRoute(ipIncl.getPrefix()); + } catch (UnknownHostException|IllegalArgumentException ia) { + VpnStatus.logError(getString(R.string.route_rejected) + ipIncl + " " + ia.getLocalizedMessage()); + } + } + for(IpAddress ipExcl: routes.getNetworks(false)) + { + try { + builder.excludeRoute(ipExcl.getPrefix()); + } catch (UnknownHostException|IllegalArgumentException ia) { + VpnStatus.logError(getString(R.string.route_rejected) + ipExcl + " " + ia.getLocalizedMessage()); + } + } + } + + private void installRoutesPostiveOnly(Builder builder, Collection<IpAddress> positiveIPv4Routes, Collection<IpAddress> positiveIPv6Routes) { + IpAddress multicastRange = new IpAddress(new CIDRIP("224.0.0.0", 3), true); + + for (IpAddress route : positiveIPv4Routes) { + try { + if (multicastRange.containsNet(route)) + VpnStatus.logDebug(R.string.ignore_multicast_route, route.toString()); + else + builder.addRoute(route.getIPv4Address(), route.networkMask); + } catch (IllegalArgumentException ia) { + VpnStatus.logError(getString(R.string.route_rejected) + route + " " + ia.getLocalizedMessage()); + } + } + + for (IpAddress route6 : positiveIPv6Routes) { + try { + builder.addRoute(route6.getIPv6Address(), route6.networkMask); + } catch (IllegalArgumentException ia) { + VpnStatus.logError(getString(R.string.route_rejected) + route6 + " " + ia.getLocalizedMessage()); + } + } + } + private void setHttpProxy(Builder builder) { if (mProxyInfo != null && Build.VERSION.SDK_INT >= 29) { builder.setHttpProxy(mProxyInfo); diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java index 0cbd7ce5..75093e14 100644 --- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java +++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java @@ -195,6 +195,7 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT; config.setRetryOnAuthFailed(retryOnAuthFailed); config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider); + config.setEnableRouteEmulation(false); if (mVp.mCompatMode > 0 && mVp.mCompatMode < 20500) config.setEnableNonPreferredDCAlgorithms(true); if (!TextUtils.isEmpty(mVp.mTlSCertProfile)) |