[Q] Nexus 5 and Always-on VPN - Nexus 5 Q&A, Help & Troubleshooting

Hey guys,
I was just wondering if anyone else has had issues with VPNs on their Nexus 5? I should add that every one of these settings works flawlessly on my Nexus 7. So anyway, here's my situation:
L2TP/IPSec PSK
Works fine for a while but will eventually time out, anywhere from a few minutes to over an hour after connecting (yet still remains "connected" according to the phone - have to reboot to fix it).
L2TP/IPSec PSK "Always-on"
I get "connected" yet no data is transmitted, at all. Could this have something to do with it (can't post links - code dot google dot com/p/android/issues/detail?id=61948)?
OpenVPN (same result with various clients)
Connects fine for a while - anywhere from a few minutes to over an hour, just as with L2TP - but eventually times out. Here is part of a recent log file from when it starts to go wrong (looks like it gets an 'inactivity timeout'). The 'Inactivity timeout' line is where the problem begins. Note that the same thing happens even when plugged in & with the 'always-on screen' developer setting enabled so my phone isn't going to sleep.
Code:
Running on Nexus 5 (hammerhead) google, Android API 19, version 0.5.46, official build
Building configuration…
started Socket Thread
P:Initializing Google Breakpad!
P:OpenVPN 2.3.2+dspatch4 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on Sep 12 2013
P:MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
Network Status: CONNECTED to WIFI "redacted"
P:MANAGEMENT: CMD 'username 'Auth' redacted'
P:MANAGEMENT: CMD 'password [...]'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:MANAGEMENT: >STATE:1383797854,RESOLVE,,,
P:Socket Buffers: R=[163840->131072] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383797854,WAIT,,,
P:MANAGEMENT: >STATE:1383797854,AUTH,,,
P:TLS: Initial packet from [AF_INET]173.245.209.2:443, sid=5baec2e6 9c0dfbdd
P:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
P:VERIFY OK: depth=1, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=IPVanish CA, [email protected]
P:VERIFY X509NAME OK: C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:VERIFY OK: depth=0, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
P:[syd-a01.ipvanish.com] Peer Connection Initiated with [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383797857,GET_CONFIG,,,
P:SENT CONTROL [syd-a01.ipvanish.com]: 'PUSH_REQUEST' (status=1)
P:PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.32.206 255.255.248.0'
P:OPTIONS IMPORT: timers and/or timeouts modified
P:OPTIONS IMPORT: explicit notify parm(s) modified
P:OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
P:Socket Buffers: R=[131072->524288] S=[131072->131072]
P:OPTIONS IMPORT: --ifconfig/up options modified
P:OPTIONS IMPORT: route options modified
P:OPTIONS IMPORT: route-related options modified
P:OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
P:ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=bc:f5:ac:f2:a5:c2
P:ROUTE6: default_gateway=UNDEF
P:OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
P:OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/0
P:do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
P:MANAGEMENT: >STATE:1383797858,ASSIGN_IP,,172.20.32.206,
P:MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: >STATE:1383797858,ADD_ROUTES,,,
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
Opening tun interface:
Local IPv4: 172.20.32.206/21 IPv6: null MTU: 1500
DNS Server: 198.18.0.1, 198.18.0.2, Domain: null
Routes: 173.245.209.2/32, 0.0.0.0/1, 128.0.0.0/1, 0.0.0.0/0
Routes IPv6:
P:MANAGEMENT: CMD 'needok 'OPENTUN' ok'
P:Initialization Sequence Completed
P:MANAGEMENT: >STATE:1383797859,CONNECTED,SUCCESS,172.20.32.206,173.245.209.2
P:[syd-a01.ipvanish.com] Inactivity timeout (--ping-restart), restarting
P:SIGUSR1[soft,ping-restart] received, process restarting
P:MANAGEMENT: >STATE:1383799065,RECONNECTING,ping-restart,,
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:TCP/UDP: Preserving recently used remote address: [AF_INET]173.245.209.2:443
P:Socket Buffers: R=[163840->524288] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799081,WAIT,,,
P:[UNDEF] Inactivity timeout (--ping-restart), restarting
P:SIGUSR1[soft,ping-restart] received, process restarting
P:MANAGEMENT: >STATE:1383799152,RECONNECTING,ping-restart,,
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:TCP/UDP: Preserving recently used remote address: [AF_INET]173.245.209.2:443
P:Socket Buffers: R=[163840->524288] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799153,WAIT,,,
P:[UNDEF] Inactivity timeout (--ping-restart), restarting
P:SIGUSR1[soft,ping-restart] received, process restarting
P:MANAGEMENT: >STATE:1383799213,RECONNECTING,ping-restart,,
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:TCP/UDP: Preserving recently used remote address: [AF_INET]173.245.209.2:443
P:Socket Buffers: R=[163840->524288] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799214,WAIT,,,
P:MANAGEMENT: >STATE:1383799230,AUTH,,,
P:TLS: Initial packet from [AF_INET]173.245.209.2:443, sid=a3743100 cabdef57
P:VERIFY OK: depth=1, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=IPVanish CA, [email protected]
P:VERIFY X509NAME OK: C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:VERIFY OK: depth=0, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
P:[syd-a01.ipvanish.com] Peer Connection Initiated with [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799243,GET_CONFIG,,,
P:SENT CONTROL [syd-a01.ipvanish.com]: 'PUSH_REQUEST' (status=1)
P:PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.32.206 255.255.248.0'
P:OPTIONS IMPORT: timers and/or timeouts modified
P:OPTIONS IMPORT: explicit notify parm(s) modified
P:OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
P:Socket Buffers: R=[524288->524288] S=[131072->131072]
P:OPTIONS IMPORT: --ifconfig/up options modified
P:OPTIONS IMPORT: route options modified
P:OPTIONS IMPORT: route-related options modified
P:OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
P:ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=bc:f5:ac:f2:a5:c2
P:ROUTE6: default_gateway=UNDEF
P:OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
P:OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/0
P:do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
P:MANAGEMENT: >STATE:1383799244,ASSIGN_IP,,172.20.32.206,
P:MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: >STATE:1383799244,ADD_ROUTES,,,
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
Opening tun interface:
Local IPv4: 172.20.32.206/21 IPv6: null MTU: 1500
DNS Server: 198.18.0.1, 198.18.0.2, Domain: null
Routes: 173.245.209.2/32, 0.0.0.0/1, 128.0.0.0/1, 0.0.0.0/0
Routes IPv6:
Failed to open the tun interface
Error: command '86 interface fwmark uid add tun1 0 99999' failed with '400 86 Failed to add uid rule (Invalid argument)'
On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings
P:MANAGEMENT: CMD 'needok 'OPENTUN' cancel'
P:MANAGEMENT: Client disconnected
P:ERROR: Cannot open TUN
P:Exiting due to fatal error
P:Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
P:Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
P:Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
P:Closing TUN/TAP interface
MGMT:Got unrecognized command>FATAL:ERROR: Cannot open TUN
Process exited with exit value 1
Any help would be greatly appreciated. Cheers.
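The state machine in that log can be checked mechanically instead of by eye. The following Python script is an added example, not code from the OpenVPN for Android client or from any poster in this thread: it reads the `>STATE:` lines the management interface emits, takes the `ping`/`ping-restart` timers from the PUSH_REPLY, and reports how long each session stayed up and how many reconnect attempts died in WAIT (a `[UNDEF]` inactivity timeout in WAIT means the server never answered the first packet of the new handshake). The embedded log is a constructed excerpt of the lines above.

```python
"""Summarise an OpenVPN-for-Android log by its management >STATE: lines.

Added example; the sample log is a constructed excerpt of the post above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# >STATE:<unix-ts>,<STATE>,<detail>,<local-ip>,<remote-ip>
STATE_RE = re.compile(r">STATE:(\d+),([A-Z_]+),([^,]*)")
# PUSH_REPLY carries the keepalive timers the server imposes on the client
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")

SAMPLE_LOG = """\
P:MANAGEMENT: >STATE:1383797854,RESOLVE,,,
P:MANAGEMENT: >STATE:1383797854,WAIT,,,
P:MANAGEMENT: >STATE:1383797854,AUTH,,,
P:PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,ping 20,ping-restart 40,ifconfig 172.20.32.206 255.255.248.0'
P:MANAGEMENT: >STATE:1383797859,CONNECTED,SUCCESS,172.20.32.206,173.245.209.2
P:[syd-a01.ipvanish.com] Inactivity timeout (--ping-restart), restarting
P:MANAGEMENT: >STATE:1383799065,RECONNECTING,ping-restart,,
P:MANAGEMENT: >STATE:1383799081,WAIT,,,
P:[UNDEF] Inactivity timeout (--ping-restart), restarting
P:MANAGEMENT: >STATE:1383799152,RECONNECTING,ping-restart,,
P:MANAGEMENT: >STATE:1383799153,WAIT,,,
P:MANAGEMENT: >STATE:1383799213,RECONNECTING,ping-restart,,
P:MANAGEMENT: >STATE:1383799214,WAIT,,,
P:MANAGEMENT: >STATE:1383799230,AUTH,,,
P:MANAGEMENT: >STATE:1383799243,GET_CONFIG,,,
"""


@dataclass
class Summary:
    # (connected_at, dropped_at, reason) for every session that reached CONNECTED
    sessions: List[Tuple[int, int, str]] = field(default_factory=list)
    # reconnect attempts that died in WAIT: no reply to the first handshake packet
    failed_attempts: int = 0
    ping: Optional[int] = None
    ping_restart: Optional[int] = None

    def durations(self) -> List[int]:
        return [dropped - up for up, dropped, _ in self.sessions]


def parse_states(log_text: str) -> List[Tuple[int, str, str]]:
    states = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append((int(m.group(1)), m.group(2), m.group(3)))
    return states


def parse_push_timers(log_text: str) -> Tuple[Optional[int], Optional[int]]:
    m = PUSH_RE.search(log_text)
    if not m:
        return None, None
    ping = ping_restart = None
    for opt in m.group(1).split(","):
        parts = opt.split()
        if len(parts) == 2 and parts[0] == "ping":
            ping = int(parts[1])
        elif len(parts) == 2 and parts[0] == "ping-restart":
            ping_restart = int(parts[1])
    return ping, ping_restart


def summarize(log_text: str) -> Summary:
    s = Summary()
    s.ping, s.ping_restart = parse_push_timers(log_text)
    connected_at = None
    in_wait = False
    for ts, state, detail in parse_states(log_text):
        if state == "CONNECTED":
            connected_at, in_wait = ts, False
        elif state == "WAIT":
            in_wait = True
        elif state == "RECONNECTING":
            if connected_at is not None:          # an established tunnel dropped
                s.sessions.append((connected_at, ts, detail))
                connected_at = None
            elif in_wait:                         # handshake never got a reply
                s.failed_attempts += 1
            in_wait = False
    return s


def report(s: Summary) -> List[str]:
    lines = [f"server keepalive: ping {s.ping}s, ping-restart {s.ping_restart}s"]
    for (up, down, why), secs in zip(s.sessions, s.durations()):
        lines.append(f"session up {secs}s ({up} -> {down}), dropped by {why}")
    lines.append(f"reconnect attempts with no server reply: {s.failed_attempts}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Run it as a script for a printed summary, or pass a full log file to `summarize()`. On the excerpt it reports one session of 1206 s dropped by ping-restart and two attempts with no reply at all, which separates a tunnel that stops passing packets after being up from one that never authenticates.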

Not sure exactly what you are looking for. But here is my thought.
1. It's quite impractical to do an always-on VPN for a mobile device because as you move around, you switch from tower to tower and your IP address changes, or at least the route established from one tower needs to change. So, it would be more like redialing the VPN every time you switch towers.
2. If you meant the VPN gets timed out, you could just go on the terminal and do a continuous ping to an address on the VPN network.

someone0 said:
Not sure exactly what you are looking for. But here is my thought.
1. It's quite impractical to do an always-on VPN for a mobile device because as you move around, you switch from tower to tower and your IP address changes, or at least the route established from one tower needs to change. So, it would be more like redialing the VPN every time you switch towers.
That's true; I was just hoping for a VPN connection that would not time out while on the same WiFi connection. Seems to work fine on my older Android devices, just not the Nexus 5 which cannot hold a persistent connection.
someone0 said:
2. If you meant the VPN gets timed out, you could just go on the terminal and do a continuous ping to an address on the VPN network.
Thanks but I just don't see why this should be necessary. It should work 'out of the box'. Also even if that did work that still wouldn't fix the "Always-on" feature of the phone that never allows a data connection to begin with even when connected, a feature that works on my other (non-4.4) Android devices. support[dot]google[dot]com/nexus/answer/2819573

Looks like it's certainly an issue for others too. I'm just surprised it's not more prevalent; I guess not many people use a VPN on their phone?
Due to a bug in Android 4.4 (KitKat) reported to Google under Issue #61948, AnyConnect users will experience High Packet Loss over their VPN connection (users will experience timeouts when attempting to access certain network resources). In the ASA logs, a syslog message will appear with text similar to "Transmitting large packet 1420 (threshold 1405)."
This has been reported to Google under Issue #61948
Android 4.4 TCP advertises incorrect MSS over VPN (using VpnService)
https://code.google.com/p/android/issues/detail?id=61948
End users may log in with their Google ID and flag the importance of the request as well as enter comments at the link above.
Conditions:
Android 4.4 (KitKat) including the Google Nexus 5
AnyConnect ICS+
Workaround:
Until Google produces a fix for Android 4.4, VPN administrators may temporarily reduce the maximum segment size for TCP connections on the ASA with the configuration command "sysopt connection tcpmss <mss size>". The default for this parameter is 1380 bytes. Reduce this value by the difference between the values seen in the ASA logs. In the above example, the difference is 15 bytes; the value should thus be no more than 1365. Reducing this value will negatively impact performance for connected VPN users where large packets are transmitted.
supportforums.cisco.com/thread/2250185
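The Cisco note describes the server-side workaround as clamping the TCP maximum segment size. What that clamp does on the wire is shown in the following Python, an added example that is neither Cisco nor Android code: it builds an IPv4 SYN carrying an MSS option, reads the advertised value, rewrites it down to what a given tunnel MTU can carry (MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header) and recomputes the TCP checksum over the pseudo-header. The packet, addresses and MTU values are constructed for the example; the 1420/1405 figures quoted from the ASA log are not reproduced.

```python
"""Inspect and clamp the TCP MSS option of an IPv4 SYN.

Added example (not Cisco or Android code). The SYN is constructed here; the
addresses and MSS values are illustrative, not taken from the bug report.
"""
import socket
import struct
from typing import Iterator, Optional, Tuple

IP_HDR, TCP_HDR = 20, 20


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns the value to store in the header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_bounds(pkt: bytes) -> Tuple[int, int]:
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length
    tcp_hlen = (pkt[ihl + 12] >> 4) * 4       # TCP data offset
    return ihl, tcp_hlen


def _tcp_checksum(pkt: bytes) -> int:
    ihl, _ = _tcp_bounds(pkt)
    tcp = pkt[ihl:]
    # pseudo-header: src, dst, zero, protocol 6, TCP length
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """IPv4 + TCP SYN carrying one MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_off = (TCP_HDR + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4, 0x02,
                      65535, 0, 0) + opts                 # flags=SYN, csum=0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0, 0x4000, 64,
                     6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    pkt = ip + tcp
    return pkt[:IP_HDR + 16] + struct.pack("!H", _tcp_checksum(pkt)) + pkt[IP_HDR + 18:]


def iter_options(pkt: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, kind, length, value) for each TCP option; stop at EOL."""
    ihl, tcp_hlen = _tcp_bounds(pkt)
    off, end = ihl + TCP_HDR, ihl + tcp_hlen
    while off < end:
        kind = pkt[off]
        if kind == 0:                            # end of option list
            return
        if kind == 1:                            # NOP padding
            off += 1
            continue
        length = pkt[off + 1]
        if length < 2 or off + length > end:     # malformed: never run past the header
            return
        yield off, kind, length, pkt[off + 2:off + length]
        off += length


def advertised_mss(pkt: bytes) -> Optional[int]:
    for _, kind, length, value in iter_options(pkt):
        if kind == 2 and length == 4:
            return struct.unpack("!H", value)[0]
    return None


def tcp_checksum_ok(pkt: bytes) -> bool:
    return _tcp_checksum(pkt) == 0               # a correct header sums to all-ones


def max_mss_for_mtu(tunnel_mtu: int) -> int:
    """Largest TCP payload that fits one tunnel packet without fragmentation."""
    return tunnel_mtu - IP_HDR - TCP_HDR


def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option down to max_mss and fix the TCP checksum
    (what an in-path `iptables -j TCPMSS --set-mss` does to a SYN)."""
    buf = bytearray(pkt)
    for off, kind, length, value in iter_options(pkt):
        if kind == 2 and length == 4 and struct.unpack("!H", value)[0] > max_mss:
            buf[off + 2:off + 4] = struct.pack("!H", max_mss)
            break
    ihl, _ = _tcp_bounds(buf)
    buf[ihl + 16:ihl + 18] = b"\x00\x00"
    buf[ihl + 16:ihl + 18] = struct.pack("!H", _tcp_checksum(bytes(buf)))
    return bytes(buf)
```

A client that derives its MSS from the physical interface (1500 - 40 = 1460) while the tunnel can only carry, say, 1400-byte packets will have its segments fragmented or dropped; `clamp_mss(syn, max_mss_for_mtu(1400))` lowers the option to 1360 so the peer never sends a segment the tunnel cannot deliver.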

Thank you for posting this, I thought I was the only one with this problem judging from Google results.
This really sucks, it breaks openvpn completely. How did Google screw up this bad? I hope they fix it soon.

SHAWDAH said:
Thank you for posting this, I thought I was the only one with this problem judging from Google results.
This really sucks, it breaks openvpn completely. How did Google screw up this bad? I hope they fix it soon.
Encountered the same issue on Omni's 4.4 build on Nexus 4, hopefully, they will fix that soon enough, as this is a major issue for corporate work.

I usually avoid using proprietary VPN anyway. I'm still trying to get OpenVPN working back up again in my house, but it was always a mess getting OVPN to work with many mobile devices due to tunnel drivers. At least I still have L2TP and it always works solidly.

someone0 said:
I usually avoid using proprietary VPN anyway. I'm still trying to get OpenVPN working back up again in my house, but it was always a mess getting OVPN to work with many mobile devices due to tunnel drivers. At least I still have L2TP and it always works solidly.
What do you mean proprietary VPN? The official OpenVPN android client is proprietary (which is a joke) but OpenVPN for Android is open source.

I was referring to AnyConnect, which is Cisco's proprietary VPN. But as far as OpenVPN on Android goes, it is kinda hit and miss. But I know I can always count on L2TP, which is built into almost all Android and iOS devices. I would still build OpenVPN as you can just route it through any port you want, including TCP port 80 and 443, which I don't think any wifi hotspot will block.

bruceau said:
Looks like it's certainly an issue for others too. I'm just surprised it's not more prevalent; I guess not many people use a VPN on their phone?
I use VPN all the time on my Android phone. I sold all of my Nexus devices so I think I'm safe for now.

I know this thread's been inactive for a few months now but I'm still having this problem. Manually connecting my VPN through the Android settings works but does eventually drop connections sometimes.
I know of the issues on the AOSP tracker and have them starred.
A comment on one of the issues lists what claims to be working iptables that fix the bug with the VPN.
https://code.google.com/p/android/issues/detail?id=63450#c4
Code:
Chain fw_FORWARD (1 references)
target     prot opt source               destination
Chain fw_INPUT (1 references)
target     prot opt source               destination
Chain fw_OUTPUT (1 references)
target     prot opt source               destination
============================================================================================================
Always-on VPN iptables:
Chain fw_FORWARD (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
Chain fw_INPUT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             192.168.2.11
RETURN     all  --  anywhere             anywhere
RETURN     udp  --  VPN-SERVERS          anywhere             udp spt:l2f
RETURN     tcp  --  VPN-SERVERS          anywhere             tcp spt:l2f
RETURN     udp  --  VPN-SERVERS          anywhere             udp spt:4500
RETURN     tcp  --  VPN-SERVERS          anywhere             tcp spt:4500
RETURN     udp  --  VPN-SERVERS          anywhere             udp spt:isakmp
RETURN     tcp  --  VPN-SERVERS          anywhere             tcp spt:isakmp
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain fw_OUTPUT (1 references)
target     prot opt source               destination
RETURN     all  --  192.168.2.11         anywhere
RETURN     all  --  anywhere             anywhere
RETURN     udp  --  anywhere             VPN-SERVERS          udp dpt:l2f
RETURN     tcp  --  anywhere             VPN-SERVERS          tcp dpt:l2f
RETURN     udp  --  anywhere             VPN-SERVERS          udp dpt:4500
RETURN     tcp  --  anywhere             VPN-SERVERS          tcp dpt:4500
RETURN     udp  --  anywhere             VPN-SERVERS          udp dpt:isakmp
RETURN     tcp  --  anywhere             VPN-SERVERS          tcp dpt:isakmp
RETURN     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
I pasted the iptables and they're also at the link but I don't know how to apply them since I don't know the syntax.
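That listing is `iptables -L` output, which is why the syntax to apply it is not obvious. The Python below is an added example (not from the issue tracker comment) that turns each line back into an `iptables -A` command and, more importantly, flags the rules that cannot be reconstructed from `-L` alone: a rule printed as `RETURN all -- anywhere anywhere` in the middle of a chain would make every rule after it unreachable, so it must carry a match that `-L` does not print (typically an `-i`/`-o` interface match, shown only by `iptables -L -v` or `iptables-save`). `VPN-SERVERS` is kept as the placeholder it is in the listing, and `l2f`/`isakmp` are resolved to 1701/500 as in /etc/services; the embedded sample is the always-on part of the listing above.

```python
"""Turn an `iptables -L` listing back into `iptables -A` commands, and flag the
rules that cannot be reconstructed from it.

Added example, not from the Android issue tracker. The sample is the
always-on VPN portion of the listing above; VPN-SERVERS is kept as the
placeholder it is there (substitute a real address or an ipset before use).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# /etc/services names that `iptables -L` prints instead of numbers
SERVICE_PORTS = {"l2f": 1701, "isakmp": 500}

SAMPLE_LISTING = """\
Chain fw_FORWARD (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
Chain fw_INPUT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             192.168.2.11
RETURN     all  --  anywhere             anywhere
RETURN     udp  --  VPN-SERVERS          anywhere             udp spt:l2f
RETURN     tcp  --  VPN-SERVERS          anywhere             tcp spt:l2f
RETURN     udp  --  VPN-SERVERS          anywhere             udp spt:4500
RETURN     tcp  --  VPN-SERVERS          anywhere             tcp spt:4500
RETURN     udp  --  VPN-SERVERS          anywhere             udp spt:isakmp
RETURN     tcp  --  VPN-SERVERS          anywhere             tcp spt:isakmp
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
"""


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: List[str]        # trailing match text, e.g. ['udp', 'spt:l2f']

    def has_visible_match(self) -> bool:
        return (self.proto != "all" or self.source != "anywhere"
                or self.dest != "anywhere"
                or any(t.startswith(("spt:", "dpt:")) for t in self.extra))


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        tok = line.split()
        if current is None or len(tok) < 5 or tok[2] != "--":
            continue                     # column header, blank or unrelated line
        chains[current].append(Rule(tok[0], tok[1], tok[3], tok[4], tok[5:]))
    return chains


def port(name: str) -> int:
    return SERVICE_PORTS.get(name) or int(name)


def rule_to_command(chain: str, r: Rule) -> str:
    cmd = ["iptables", "-A", chain]
    if r.proto != "all":
        cmd += ["-p", r.proto]
    if r.source != "anywhere":
        cmd += ["-s", r.source]
    if r.dest != "anywhere":
        cmd += ["-d", r.dest]
    for t in r.extra:
        if t.startswith("spt:"):
            cmd += ["--sport", str(port(t[4:]))]
        elif t.startswith("dpt:"):
            cmd += ["--dport", str(port(t[4:]))]
    cmd += ["-j", r.target]
    if "reject-with" in r.extra:
        cmd += ["--reject-with", r.extra[r.extra.index("reject-with") + 1]]
    return " ".join(cmd)


def to_commands(chains: Dict[str, List[Rule]]) -> List[str]:
    return [rule_to_command(c, r) for c, rules in chains.items() for r in rules]


def hidden_match_suspects(chains: Dict[str, List[Rule]]) -> List[Tuple[str, int]]:
    """Rules with no visible match that are not last in their chain. Such a rule
    would make everything after it unreachable, so it must carry a match that
    `-L` does not print (-i/-o interface, owner, mark); recover those with
    `iptables-save` or `iptables -L -v` before applying the commands."""
    return [(chain, i) for chain, rules in chains.items()
            for i, r in enumerate(rules[:-1]) if not r.has_visible_match()]


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    print("\n".join(to_commands(chains)))
    print("rules needing iptables-save to reconstruct:", hidden_match_suspects(chains))
```

On the sample, rules 1 and 8 of fw_INPUT are flagged: applied literally as `iptables -A fw_INPUT -j RETURN` they would return every packet before the VPN-server rules are ever evaluated, so the listing alone is not enough to reproduce the firewall.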

VPN Root connects every time, and stays connected.

PhilipTD said:
VPN Root connects every time, and stays connected.
Except my connection uses L2TP and there are no apps for that.
Sent from my Nexus 5 using Tapatalk

Hopefully will be fixed on 4.4.3...

The guys at Google are surely taking their time to roll out this fix...
Why couldn't they simply re-issue a patch based on the working code from 4.3?

eKeith said:
The guys at Google are surely taking their time to roll out this fix...
Why couldn't they simply re-issue a patch based on the working code from 4.3?
Right? What the heck... It just baffles me.

Related

[Q] Networking (netmask) issues on a Captivate

I've got a shiny new Samsung Captivate (Galaxy S) on AT&T.. working fairly well so far, besides the annoyances with the phone being locked down and the crappy bundled mail client (I've got loooots of email in my imap box, grin.) Phone is still stock; haven't had a chance to root it yet.
In any case, the issue I'm having is that the phone is setting an invalid netmask (255.0.0.0) on the wifi interface, instead of the proper one as served by dhcp (255.255.255.0).. this is preventing the phone from talking to other devices in 10/8.
Here's the DHCP response sent to the phone by my DHCP server:
Code:
Client-IP 10.20.0.120
Your-IP 10.20.0.120
Client-Ethernet-Address 00:26:37:xx:xx:xx
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.20.0.254
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 10.20.0.254
Domain-Name-Server Option 6, length 8: 10.20.0.254,10.20.0.1
BR Option 28, length 4: 10.20.0.255
RN Option 58, length 4: 43200
RB Option 59, length 4: 75600
END Option 255, length 0
PAD Option 0, length 0, occurs 4
As you can see from the above, the phone was assigned 10.20.0.120 with a netmask of 255.255.255.0. I finally set up the android sdk, and fired up a shell with adb.. here's what it thinks its ip is:
Code:
$ ifconfig eth0
eth0: ip 10.20.0.120 mask 255.0.0.0 flags [up broadcast running multicast]
even odder, the properties on the phone has the correct netmask; output from 'getprop':
Code:
[dhcp.eth0.pid]: [3350]
[dhcp.eth0.reason]: [BOUND]
[dhcp.eth0.dns1]: [10.20.0.254]
[dhcp.eth0.dns2]: [10.20.0.1]
[dhcp.eth0.dns3]: []
[dhcp.eth0.dns4]: []
[dhcp.eth0.ipaddress]: [10.20.0.120]
[dhcp.eth0.gateway]: [10.20.0.254]
[dhcp.eth0.mask]: [255.255.255.0]
[dhcp.eth0.leasetime]: [86400]
[dhcp.eth0.server]: [10.20.0.254]
I suspect a firmware bug, but don't know for sure - anyone run into this before?
Appreciate any thoughts!
Same issue here. I posted about it here and on the ATT forums and sadly nobody has any suggestions other than reporting the bug to Samsung. I did a bit of poking around in the console grepping for 255.0.0.0 but didn't find any files. I'm just gonna weather the storm and wait for the next firmware to be released. I have a shortcut to wifi settings and I just toggle the "static ip" option as needed.
FYI, there's also a post on ATT's forums about this.. I'm not allowed to link to it, but a Google search for "Samsung Captivate WiFi DHCP netmask issue" will get you to it..
Generally I dislike reviving old threads, but this appears unresolved and I've been encountering it on my Samsung Vibrant.
Can anyone confirm whether this happens with Froyo, or other Eclair-based handsets, or is it specific to Android 2.1 on Samsung GalaxyS?
When the Wifi DHCP assigns an IP in the 10.x.x.x block, (which is actually assigned with a /24 netmask) android puts the IP on the interface TWICE, with both /24 and an incorrect /8 subnet mask. ("ifconfig" is essentially a legacy command from linux kernel 2.2 era, when multiple IPs required aliased interfaces - with two IPs on one interface today "ifconfig" will only show the first one. Since kernel 2.4 days "ip" is the preferred tool)
$ busybox ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 5e:38:e9:7b:aa:6d brd ff:ff:ff:ff:ff:ff
3: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
4: gre0: <NOARP> mtu 1476 qdisc noop state DOWN
link/gre 0.0.0.0 brd 0.0.0.0
30: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 5c:da:d4:09:fb:f3 brd ff:ff:ff:ff:ff:ff
inet 10.200.10.28/8 brd 10.255.255.255 scope global eth0
inet 10.200.10.28/24 brd 10.200.10.255 scope global eth0
inet6 2001:470:e130:98:5eda:d4ff:fe09:fbf3/64 scope global dynamic
valid_lft 2591705sec preferred_lft 604505sec
inet6 fe80::5eda:d4ff:fe09:fbf3/64 scope link
valid_lft forever preferred_lft forever
$
This causes me significant problems, as 10.200.10.0/24 is the wifi subnet, but 50 other 10.x.x.x subnets exist on the local network, and because it erroneously applies a /8 mask on the local interface I'm unable to reach anything on the 10.x.x.x networks outside of 10.200.10.x. (I have to manually go in and remove the first IP with the /8 subnet)
(Aside, as you might notice it correctly autoconfigured an ipv6 address, with 2001:470:e130::1/64 gateway running radvd - now if only apps like web browser understood ipv6...)
j
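The double address above is easy to detect from `ip a` output. The Python below is an added example, not from this thread: it parses the `inet` lines per interface, reports any IPv4 address configured twice with different prefix lengths, converts the DHCP netmask from `getprop` (`dhcp.eth0.mask`) into a prefix length and emits the `ip addr del` command for the copy that disagrees with it. The `ip a` excerpt and the mask value are constructed from the output posted above.

```python
"""Find an IPv4 address configured twice on one interface with different
prefix lengths (the /8 plus /24 seen above) and emit the `ip addr del` that
removes the copy not matching the DHCP mask.

Added example, not from the thread. The `ip a` excerpt and the getprop mask
are constructed from the output posted above.
"""
import re
from typing import Dict, List, Tuple

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")                  # "30: eth0: <...>"
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")  # "    inet a.b.c.d/nn"

SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
30: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 5c:da:d4:09:fb:f3 brd ff:ff:ff:ff:ff:ff
    inet 10.200.10.28/8 brd 10.255.255.255 scope global eth0
    inet 10.200.10.28/24 brd 10.200.10.255 scope global eth0
    inet6 fe80::5eda:d4ff:fe09:fbf3/64 scope link
"""
SAMPLE_DHCP_MASK = "255.255.255.0"   # value of getprop dhcp.eth0.mask above


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask to prefix length; rejects non-contiguous masks."""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    if "01" in bits:
        raise ValueError(f"non-contiguous netmask {mask}")
    return bits.count("1")


def inet_addrs(ip_a_output: str) -> Dict[str, List[Tuple[str, int]]]:
    """iface -> [(address, prefix), ...] in the order `ip a` printed them."""
    result: Dict[str, List[Tuple[str, int]]] = {}
    iface = None
    for line in ip_a_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result.setdefault(iface, [])
            continue
        m = INET_RE.match(line)
        if m and iface:
            result[iface].append((m.group(1), int(m.group(2))))
    return result


def duplicate_addrs(ip_a_output: str) -> Dict[str, Dict[str, List[int]]]:
    """Addresses present more than once on the same interface, with their prefixes."""
    dupes: Dict[str, Dict[str, List[int]]] = {}
    for iface, addrs in inet_addrs(ip_a_output).items():
        seen: Dict[str, List[int]] = {}
        for addr, plen in addrs:
            seen.setdefault(addr, []).append(plen)
        bad = {a: p for a, p in seen.items() if len(p) > 1}
        if bad:
            dupes[iface] = bad
    return dupes


def fix_commands(ip_a_output: str, iface: str, dhcp_mask: str) -> List[str]:
    """`ip addr del` for every duplicated copy whose prefix disagrees with DHCP."""
    want = mask_to_prefix(dhcp_mask)
    dupes = duplicate_addrs(ip_a_output).get(iface, {})
    return [f"ip addr del {addr}/{plen} dev {iface}"
            for addr, plen in inet_addrs(ip_a_output).get(iface, [])
            if addr in dupes and plen != want]


if __name__ == "__main__":
    print(duplicate_addrs(SAMPLE_IP_A))
    print("\n".join(fix_commands(SAMPLE_IP_A, "eth0", SAMPLE_DHCP_MASK)))
```

`ifconfig` would never show the problem, since it prints only the first address on the interface; `ip a` lists both, and on a rooted device the emitted `ip addr del 10.200.10.28/8 dev eth0` is exactly the manual removal described in the post.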

[Q] OpenVPN on SGS works, but traffic is not routed over VPN

Hey guys,
I have successfully installed OpenVPN on my SGS I9000. Establishing a connection to the OpenVPN server is no problem, but after this the traffic isn't routed through the VPN connection and I don't know why.
OpenVPN config:
Code:
client
dev tun
proto udp
remote 193.197.62.35 1195
remote 193.197.62.35 1196
remote 193.197.62.35 1197
remote 193.197.62.35 1198
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca dhbw-openvpnca.txt
comp-lzo
verb 3
auth-user-pass
Can someone help me please?
Does nobody have an idea?
Hi
I'm using openvpn in tap mode, I had problems trying to set it up as tun. This is how the server is configured:
Code:
port 1194
proto udp
dev tap
dev-node tap-bridge
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
dev-node tap-bridge
server-bridge 10.0.0.1 255.255.255.0 10.0.0.192 10.0.0.255
push "redirect-gateway def1"
keepalive 15 90
comp-lzo
persist-key
persist-tun
Modify server-bridge according to your local network configuration.
I excluded all certificate configuration
In addition to this I change the DNS after the VPN starts, otherwise I can't browse the internet. If you just need to connect to your local network then this is not required.
Client config is as follows:
Code:
client
dev tap
<connection>
remote VPN_IP 1194 udp
</connection>
nobind
user nobody
group nobody
persist-key
persist-tun
ca /sdcard/ca.crt
cert /sdcard/android.crt
key /sdcard/android.key
ns-cert-type server
tls-auth /system/etc/openvpn/ta.key 1
comp-lzo
Trouble routing traffic through OpenVPN
I have the same problem and need help resolving it. I use a Samsung Infuse 4G, rooted, with the "Infused ROM" installed. I also installed OpenVPN by using "OpenVPN Installer" and use "OpenVPN Settings" for my connection settings. Everything seems to be nice and smooth. One thing I found is that on the Infused ROM, the tun.ko that sits in /system/lib/modules does not work, but there is another one in /lib/modules/ which does work. Also, OpenVPN Settings inserts the tun.ko module by using insmod, not modprobe. If I try to use the modprobe option, it is not working.
Anyway...
My OpenVPN connects without problems to my Tomato router at home. The problem is that it does not route any traffic through the VPN tunnel. Any browsing that I do, I do outside of the VPN, which is not what I expected.
I would appreciate any help with this.

[Q] Android devices cannot connect to Windows' PPTP VPN service

I own a few Android devices (an Android 2.3 mobile, an Android 4.0.4 tablet, and an Android 4.1.1 tablet). None of them can connect to a PPTP VPN server (it's Windows Server 2008 based, using MS-CHAPv2 for authentication) with the MPPE (PPP encryption) option selected on the client side. Even when a device was rooted and VPNroot (the latest version) was used, the connection still fails. From the log of VPNroot, the error is "MPPE required but peer negotiation failed". However, if the MPPE option is deselected, devices can connect to the PPTP VPN server. Besides, the same server can be connected to from Windows XP & Windows 7 (with the MPPE option enabled).
Due to security issues, I have to connect to the PPTP VPN service with MPPE. It makes me unhappy as I cannot use a new tablet due to a VPN connection problem. What can I do?
daemongmong said:
I own a few Android devices (an Android 2.3 mobile, an Android 4.0.4 tablet, and an Android 4.1.1 tablet). None of them can connect to a PPTP VPN server (it's Windows Server 2008 based, using MS-CHAPv2 for authentication) with the MPPE (PPP encryption) option selected on the client side. Even when a device was rooted and VPNroot (the latest version) was used, the connection still fails. From the log of VPNroot, the error is "MPPE required but peer negotiation failed". However, if the MPPE option is deselected, devices can connect to the PPTP VPN server. Besides, the same server can be connected to from Windows XP & Windows 7 (with the MPPE option enabled).
Due to security issues, I have to connect to the PPTP VPN service with MPPE. It makes me unhappy as I cannot use a new tablet due to a VPN connection problem. What can I do?
VPNroot log attached:
Code:
Connecting to xxxxx port 1723 via wlan0
Connection established (socket = 14)
Sending SCCRQ
Received SCCRP -> Sending OCRQ (local = xxxxx)
Tunnel established
Received OCRQ (remote = xxxxx)
Session established
Creating PPPoX socket
Starting pppd (pppox = 15)
Pppd started (pid = xxxxx)
Using PPPoX (socket = 15)
using channel 3
Using interface ppp100
Connect: ppp100 <-->
Received SLI
MPPE required but peer negotiation failed
Discard non-LCP packet when LCP not open
Discard non-LCP packet when LCP not open
Received SLI
Connection terminated
Received signal 17
Pppd is terminated (status = 10)
Mtpd is terminated (status = 42)
Have you tried OpenVPN? A cheap VPN service I've been using is http://xtreamvpnworld.blogspot.com
Sent from my WT19i using xda premium

routing difference between linux and Android (Lollipop)

I'm trying to set up a Lollipop TV box with a WLAN and a LAN adapter as a router, the way I did it with a Linux box, but it doesn't work.
I tried it the Linux way on a Linux machine with a shell script. The WLAN net is 192.168.0.x, the LAN is 192.168.1.x. The WLAN IP of the Android/Linux router is 192.168.0.13, the LAN IP of the same device is 192.168.1.2, and the connected LAN client IP is 192.168.2.4.
The routing is Internet (WiFi) gateway 192.168.0.1 -> Android/Linux box 192.168.0.13/192.168.1.2 -> 192.168.2.4 and vice versa.
on lan-client:
ip route:
default via 192.168.1.2 dev eth0 proto static metric 1024
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.4
on Android/Linux-Router
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.13 metric 600
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 100
I also enabled forwarding and set the forward-tables with iptables
With the Linux box as a router everything works like a charm; with Android it does not. When I ping the LAN IP of the client from the Android box (ping 192.168.1.4), the reply is "network unreachable" from the external internet server:
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
From 84.116.198.82: icmp_seq=7 Destination Net Unreachable
From 84.116.198.82: icmp_seq=8 Destination Net Unreachable
From 84.116.198.82: icmp_seq=17 Destination Net Unreachable
I have to specify the interface with ping -I eth0 192.168.1.4; then it works, although this should already be covered by the local routes. It is as if the local request is routed over the public gateway. Looks like in Android the local routing is overridden by a hidden route to the default gateway.
So, what is the difference?

Android 11 'couldn't connect to network' NPS with PEAP/MS-CHAPv2

Hi All,
I am trying to connect company-owned / unmanaged Android 11 devices to a Cisco WAP SSID using our public certificate wireless.fqdn
For my Galaxy A20 Android 11 phone , when connecting the SSID the phone returns:
'couldn't connect to network'
'couldn't authenticate connection'
On the NPS Server, the wireless.fqdn certificate is installed in the Certificates (Local Computer) Personal / Certificates container
We are using Windows NPS/PEAP/MS-CHAPv2 which I believe requires a certificate on the server-side only
I believe PEAP encapsulates the EAP type MS-CHAPv2 authentication in a secure TLS tunnel.
As a further configuration item, I installed the wireless.fqdn certificate into the cert store on my Android device (User certificates, installed for WiFi)
NPS / RADIUS Server is Windows Server 2016 Datacenter
NPS Role installed with the following Windows NPS Policy
Connection Request Policy:
Wireless connections, NAS Port Type: wireless - other or wireless IEEE 802.11
Network Policy: Staff
CONDITIONS:
Wireless - Other OR Wireless IEEE 802.11
Windows Groups: ADDSGroup
Calling Station ID: ^[^:]+:SSID$
CONSTRAINTS:
EAP Types: Microsoft: Protected EAP (PEAP)
Edit / certificate issued to: wireless.fqdn
Issuer: DigiCert TLS RSA SHA256 2020 CA1
Enable Fast Reconnect
EAP Type:
Secure password (EAP-MSCHAP v2)
Android 11:
I went into Settings / Biometrics and security
Other security settings
PFX user certificates: wireless.fqdn installed for WiFi (contains root/intermediate/cert chain)
View security certificates / system / CA root
No user certificates
Click the WiFI SSID / manage
EAP method: PEAP
Enter identity / password
CA certificate: Use system certificates (if I choose 'select certificate' there is nothing to select, android stated in a red color "CA certificate must be selected")
Online certificate status: don't validate
Domain: wireless.fqdn
When connecting to the SSID the phone returns:
'couldn't connect to network'
'couldn't authenticate connection'
MAC of Android phone not in NPS logs
Hope someone with more experience can assist.
Thanks!
