diff options
Diffstat (limited to 'main/openvpn/doc/android.txt')
m--------- | main/openvpn | 0 | ||||
-rw-r--r-- | main/openvpn/doc/android.txt | 91 |
2 files changed, 0 insertions, 91 deletions
diff --git a/main/openvpn b/main/openvpn new file mode 160000 +Subproject 7aaf01766f9718375986600216607aeb6397200 diff --git a/main/openvpn/doc/android.txt b/main/openvpn/doc/android.txt deleted file mode 100644 index 137edfc5..00000000 --- a/main/openvpn/doc/android.txt +++ /dev/null @@ -1,91 +0,0 @@ -This file documents the support in OpenVPN for Android 4.0 and up. - -This support is primarily used in the "OpenVPN for Android" app -(http://code.google.com/p/ics-openvpn/). For building see the developer -README: http://code.google.com/p/ics-openvpn/source/browse/doc/README.txt. - -Android provides the VPNService API -(http://developer.android.com/reference/android/net/VpnService.html) -which allows establishing VPN connections without rooting the device. - -Since all the interfaces are are Android specific the calls to this -interface are made from the UI instead of OpenVPN directly. The API -needs the following parameters: - -- IP and netmask of tun interface -- Networks that should be routed to the tun interface -- DNS Servers and DNS Domain -- MTU - -All IPs/Routes are in CIDR style. Non CIDR routes are not supported. -Notable is the lack of support for setting routes to other interfaces -usually used to avoid the server connection going over the tun -interface. The Android VPNService API has the concept of protecting -a socket from being routed over a interface. Calling protect (fd) -will internally bind the socket to the interface used for the -external connection (usually WiFi or mobile data). - -To use OpenVPN with the VPNService API OpenVPN must be build with -the TARGET_ANDROID compile option. Also the UI must use a UNIX -domain socket to connect to OpenVPN. When compiled as TARGET_ANDROID -OpenVPN will use management callbacks instead of executing traditional -ifconfig/route commands use the need-ok callback mechanism which -will ask - -> NEED-OK command - -where command can be: - -IFCONFIG6 IPv6/netmask -IFCONFIG local remoteOrNetmask MTU topology - -To tell the UI which IPs addresses OpenVPN expects on the interface. -Topology is one of "net30","p2p","subnet" or "undef". - -ROUTE6 network/netmask -ROUTE network netmask - -To tell the UI which routes should be set on the tun interface. - -DNSSERVER serverip -DNSDOMAIN searchdomain - -To set the DNS server and search domain. - -The GUI will then respond with a "needok 'command' ok' or "needok -'command' cancel', e.g. "needok 'IFCONFIG' ok". - -PERSIST_TUN_ACTION - -In Android 4.4-4.4.2 a bug exists that does not allow to open a new tun fd -while a tun fd is still open. When OpenVPN wants to open an fd it will do -this query. The UI should compare the last configuration of -the tun device with the current tun configuration and reply with either (or -always respond with OPEN_AFTER_BEFORE/OPEN_BEFORE_CLOSE) - -- NOACTION: Keep using the old fd -- OPEN_AFTER_CLOSE: First close the old fd and then open a new to workaround the bug -- OPEN_BEFORE_CLOSE: the normal behaviour when the VPN configuration changed - -For example the UI could respond with -needok 'PERSIST_TUN_ACTION' OPEN_AFTER_CLOSE - -To protect a socket the OpenVPN will send a PROTECTFD to the UI. -When sending the PROTECTFD command command to the UI it will send -the fd of the socket as ancillary message over the UNIX socket. -The UI will then call protect(fd) on the received socket protecting -it from being routed over the VPN. - -When opening a tun device the OpenVPN process will first send all -route, ifconfig and DNS related configuration to the UI and after -that calls the OPENTUN command to receive a tun fd with the requested -configuration. The UI will than use the collected information to -call the VPNService's establish() method to receive a fd which in -turn is send to the OpenVPN process as ancillary message to the -"needok 'OPENTUN' ok' response. - -The OpenVPN for Android UI extensively uses other features that -are not specific to Android but are rarely used on other platform. -For example using SIGUSR1 and management-hold to restart, pause, -continue the VPN on network changes or the external key management ---management-external-key option and inline files. |