One Plus 8 attacks my LAN VPN gateway... - OnePlus 8 Questions & Answers

This started a couple of days ago, and I have now mitigated it with a couple of firewall rules on the VPN gateway, as well as shutting down the dhcpcd server on that server (which I don't need anyway, and which probably should have been stopped long ago).
My LAN has a Raspberry Pi 4 running their Debian firmware that is configured as a VPN gateway. It connects my LAN via ProtonVPN to the internet. This gateway is set up with a static IP address (192.168.2.49) on the LAN, and is configured to use another RPI on my LAN to get its DNS (192.168.2.50).
My one-month-old OnePlus 8, running OOS 11, is rooted with Magisk, and I have blocked most of the Google stuff from the internet using AFWall, and suspended non-essential system services using Greenify. When connected to my LAN, the phone has a static IP address (192.168.2.71), has its gateway set to the VPN gateway (192.168.2.49), and its DNS to my local RPI DNS (192.168.2.50).
DHCP on my LAN is provided by my router (192.168.2.1).
WIFI on my LAN is provided by an enterprise-grade tp-link hotspot.
Starting a few days ago, for reasons mysterious, when the phone connects to the LAN, the VPN gateway would promptly go offline. Because I run it headless, I would be forced to reboot it - which made diagnosis a bit of a pain. Finally, I found a log entry on the VPN gateway that informed me that my OnePlus was trying to claim the ip address of the VPN gateway as its own (192.168.2.49) in spite of being set to use 192.168.2.71. This duplicate IP was causing dhcpcd on the VPN gateway to immediately take down its eth0 interface. This would break ALL connectivity because I have wifi on that RPI disabled.
Prior to this problem involving the OnePlus, that RPI had been up continuously for over 400 days, so it should certainly be considered to be reliable at the job it does and almost certainly the problem is with the OnePlus.
So, for some reason the OnePlus is trying to assert its assigned gateway address as its IP rather than the 192.168.2.71 that is set, at least in some packet that it uses to announce itself; once it is connected it works properly (which means the right IP address is being used).
I have deleted, then re-created the wifi connection profile and doing that did not cause the problem to go away.
I have another RPI VPN gateway on my IOT VLAN (192.168.24.0/24). No DHCP is available on the VLAN (a security measure), and I do have a profile for the phone that allows it to connect to the VLAN. It works without issue there, but then dhcpcd has been and remains shut down on that RPI. I suppose I could start dhcpcd on that server and see if the phone then breaks it too. I won't do this unless there is some merit to doing so...if it would help find the basic problem.
As I say, shutting down dhcpcd and blocking all dhcp traffic to/from the LAN VPN gateway mitigated the problem. But that the problem could occur at all says something is wrong, and I'm pretty sure it isn't a problem on my network.
This seems most likely to be a bug in OnePlus firmware, though why it would manifest after a month is a mystery to me. Does anyone have any insight? Or does anyone have any suggestions for another place on XDA where this post might more appropriately be placed?

I was pretty sure no one would have any idea about this. I have mitigated it by turning off dhcpcd on the VPN gateway and I am not inclined to do a deeper dive; I have too much else to do.
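
The duplicate-address condition described in the first post can be watched for from any host on the gateway's segment. The following is an added example, not part of the original post: it parses raw Ethernet frames and flags ARP packets in which a MAC other than the gateway's uses 192.168.2.49 as its sender address (the conflict condition of RFC 5227) or probes for it. The IP addresses are the poster's; both MAC addresses and the sample frames are constructed, and the post does not say which kind of packet the phone actually sent.

```python
import socket
import struct

# IPs are the ones given in the post; both MAC addresses are constructed.
GATEWAY_IP, PHONE_IP = "192.168.2.49", "192.168.2.71"
GATEWAY_MAC, PHONE_MAC = "dc:a6:32:00:00:49", "02:00:00:00:00:71"
ZERO_MAC, BCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op, sha, spa, tha, tpa):
    """Build a broadcast Ethernet II frame carrying an IPv4 ARP packet."""
    eth = _mac(BCAST_MAC) + _mac(sha) + struct.pack("!H", 0x0806)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + hdr + _mac(sha) + socket.inet_aton(spa)
            + _mac(tha) + socket.inet_aton(tpa))


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}


def classify(frame, ip=GATEWAY_IP, owner_mac=GATEWAY_MAC):
    """Return "conflict", "probe" or None for one frame and a protected IP."""
    arp = parse_arp(frame)
    if arp is None or arp["sha"] == owner_mac:
        return None  # not ARP, or the owner's own traffic
    if arp["spa"] == ip:
        return "conflict"  # another MAC uses the IP as its sender address
    if arp["spa"] == "0.0.0.0" and arp["tpa"] == ip:
        return "probe"  # another MAC asks whether the IP is free
    return None


def scan(frames, ip=GATEWAY_IP, owner_mac=GATEWAY_MAC):
    """Return (frame index, kind, sender MAC) for every flagged frame."""
    hits = []
    for i, frame in enumerate(frames):
        kind = classify(frame, ip, owner_mac)
        if kind:
            hits.append((i, kind, parse_arp(frame)["sha"]))
    return hits


# Constructed capture: what a sniffer on the gateway's segment might see.
SAMPLE = [
    build_arp(1, GATEWAY_MAC, GATEWAY_IP, ZERO_MAC, GATEWAY_IP),  # owner announce
    build_arp(1, PHONE_MAC, PHONE_IP, ZERO_MAC, GATEWAY_IP),      # normal who-has
    build_arp(1, PHONE_MAC, "0.0.0.0", ZERO_MAC, GATEWAY_IP),     # probe for .49
    build_arp(1, PHONE_MAC, GATEWAY_IP, ZERO_MAC, GATEWAY_IP),    # claims .49
    b"\xff" * 12 + b"\x08\x00" + b"\x00" * 40,                    # not ARP
]

if __name__ == "__main__":
    for index, kind, mac in scan(SAMPLE):
        print(f"frame {index}: {kind} for {GATEWAY_IP} from {mac}")
```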

Related

Captivate Wifi/3G data issue

Has anyone had a problem with the Captivate when in both WIFI and 3G coverage the phone will not download or open a webpage? If I shut off one or the other it works but if both are active it hangs up and doesn't download.
Is this by chance on an enterprise wifi access point? Such as one of those expensive Cisco APs you find in schools and enterprise class networks? If so, there is currently a driver problem with the Captivate connecting to it, but not transferring data. Whether the network is encrypted or open doesn't seem to matter. Personally, I find this a bigger problem than the GPS issue. I had to use wifi static to manually set IP, subnet, etc. This is a workaround, not a fix.
jhannaman82 said:
Is this by chance on an enterprise wifi access point? Such as one of those expensive Cisco APs you find in schools and enterprise class networks? If so, there is currently a driver problem with the Captivate connecting to it, but not transferring data. Whether the network is encrypted or open doesn't seem to matter. Personally, I find this a bigger problem than the GPS issue. I had to use wifi static to manually set IP, subnet, etc. This is a workaround, not a fix.
Hey, I think I'm running into this issue at my workplace (we definitely use those Cisco APs, I see them all around). I'm connected, I have an IP, but I can't browse anywhere.
Here's the weird thing though: I can connect to the company's wifi in any other building (I guess different APs?) than the one I'm in and wifi works fine. It's just the building my cubicle's in that doesn't work and it's infuriating!
Well, that's dumb.
I had that happen once since I bought the phone on launch. I restarted my phone and it went away.
I've had this problem as well, usually my phone switches to only wifi pretty quickly though, so I don't notice much. The phone acts like it is using the 3G connection because the arrows are both indicating data coming and going, but nothing actually happens unless only one or the other is on.
I need to check this at more places, but at home I have a standard dlink dl-624 router with no security over comcast. I think my issue initially was because of the wifi sleep policy (see below), but now I am just getting really, really slow speeds. Pages seem to load slower than 3G....(I mean really, cinemaxHD is showing last of the mohicans in pan and scan)....also the pages time out very, very frequently.....
Anyone having problems, check out the advanced settings for wifi. The phone has a WIFI sleep policy. My default setting was to disconnect from wifi after the screen locks. My screen locks after 30 seconds, so basically it's always looking for my network. You can change it to never.
I want to reiterate our findings again. There are multiple threads on other forums concerning this as well. When it comes to wifi, the Captivate has a major problem. DHCP does not work on enterprise networks. Period. It is a driver issue. The network can be open or using any form of encryption, the results are the same. I had numerous software, hardware and network analysts tackling this issue all week in my department. It is related in part to most enterprise networks not using a default subnet mask of 255.255.255.0. There is a workaround, but it is not a fix. You can either set a static from your static pool of IPs in wifi settings, or, if you connect to multiple networks, use Wifi Static from the market to remember and apply separate static configs across multiple networks, which is what we're having to do currently. This affects all Captivates, one which we consider a major problem with deploying this phone to our other users.
Sent from my SAMSUNG-SGH-I897 using XDA App
I had the same problem and this is how I turn around the problem when I'm connected but cannot browse.
- Use Wifi Static
- DNS from Google 8.8.8.8, 8.8.4.4
- switch to airplane mode
- activate wifi
- test my connection (open the browser and surf)
- switch to phone mode
Hope it helps
floppy__ said:
I had the same problem and this is how I turn around the problem when I'm connected but cannot browse.
- Use Wifi Static
- DNS from Google 8.8.8.8, 8.8.4.4
- switch to airplane mode
- activate wifi
- test my connection (open the browser and surf)
- switch to phone mode
Hope it helps
Did this, Wifi Static was being used previously to bypass dhcp, and it correctly assigned the IP settings, used the static I assigned from our static pool of addresses. Still no data transfer over Cisco APs at work.
jhannaman82 said:
Did this, Wifi Static was being used previously to bypass dhcp, and it correctly assigned the IP settings, used the static I assigned from our static pool of addresses. Still no data transfer over Cisco APs at work.
Are you able to access a website through his IP address? In this case it's a DNS problem; try the Google DNS 8.8.8.8 - 8.8.4.4
floppy__ said:
Are you able to access a website through his IP address? In this case it's a DNS problem; try the Google DNS 8.8.8.8 - 8.8.4.4
It's hit or miss really; seems the wifi radio stack locks up and stops responding according to our trace logs. Yes, I have tried both our internal DNS servers as well as Google's. Everywhere else works perfectly. But at work with our Cisco open (no security) APs, it doesn't work most of the time. Through whose IP address??? I have a static set from our static pool to make sure DHCP was not the culprit. It's def the device, and not my network. I have over 100 of these APs deployed here.
Wifi works great everywhere else (at home with WPA2, etc). There is def a problem with enterprise cisco APs.
Netmask issue and cisco AP's
Posted this over in development thread.
http://forum.xda-developers.com/showpost.php?p=7698066&postcount=410
Make sure your netmask is correct.
Thanks jhannaman82
I just wanted to give a big thanks to jhannaman82 for posting his company's findings with these wifi issues. My wifi works 100% at home on my linksys tomato router (of course, with a netmask 255.255.255.0). But on my college campus they use an enterprise router setup with 255.255.0.0 and I have been going NUTS trying to figure out if it is my captivate or the network.
I can sometimes get a few minutes of working connection, but it always seems to crap out within 1 or 2 minutes.
I will attempt to fiddle around with switching the dhcp to static IP, and will post my results. Thanks!
edit: no luck with static IP fiddling so far. from my laptop (connected wirelessly), I gathered that the netmask is actually 255.255.248.0... when I set my captivate's netmask to anything other than 255.255.0.0, it does not connect. It says "connected" when I set the netmask to 255.255.0.0, but as usual no data will transfer (it seems). I'm at a loss. *shrug* Hopefully there's a driver update or something.
Thanks jhannaman82!
I just wrote a script with the GScript app: "ifconfig eth0 netmask 255.255.255.0", and have a shortcut on homescreen. The problem was that the netmask was wrongly set to 255.255.0.0 on my office wifi. Now all I need to do is tap on this shortcut at office, and the connection works!
Has anyone contacted Samsung about this?
I'm hoping this gets fixed soon... This refuses to stay connected at my school. Huge pain.
I entered in an IP address and 255.255.252.0 for my netmask after seeing what it was on my computer and turn on flight mode and tested the wifi and now it's working. I'm not sure if it's just one of those fluke connections that I get... but we'll see.

[Q] Wi-Fi phone configuration & my network

I have a 16-node network (used mostly as a cluster computer for meteorological work), Ethernet, 3 switches, all through an ActionTec DSL gateway/router. There is an edge machine with dnsmasq for dns cache'ing and firewall. My ISP assigns three IP addresses, one of which is my network's gateway address. The ActionTec has DHCP turned "on" although I use SNAT, DNAT, and masquerading on my side. I use my internal network to serve an Apache Web site as well.
The Wi-Fi (and other reception, for that matter) is not very good here, so I bought a TrendNet TEW-636APB Wireless Access Point. It's plugged into one of the switches. The Linux hosts and hosts_files are correctly configured and dnsmasq is configured to assign an IP Address to the TEW-636APB based on its MAC.
Everything works just fine, but most importantly, the HTC One (T-mobile) has no Internet connectivity, even though I can read the IP Address assigned to the phone. Everything is on the same subnet, by the way.
Any suggestions to get Internet up and running? I regularly use bash and c-shell as well as other languages but this one has me stumped. Any suggestions?
Mike
Minneapolis, Minnesota
Additional Info for Wi-Fi Issue
I ruled out some issues in the meantime. The TEW-636APB seems to work fine. I changed each of the config options: same problem. BUT, a laptop connected using Wi-Fi for data works just fine!
On the smartphone (that HTC One), the only URL that connects is on my own network, that is, the Web site served on my subnet and inside my network works just fine. Anything outside of my network fails.
When I turn off Wi-Fi on the cell phone (and use T-Mobile), the Web works just fine.
Very confusing. Any suggestions?
Michael
Might be a DNS problem...
wxmanmichael644 said:
I ruled out some issues in the meantime. The TEW-636APB seems to work fine. I changed each of the config options: same problem. BUT, a laptop connected using Wi-Fi for data works just fine!
On the smartphone (that HTC One), the only URL that connects is on my own network, that is, the Web site served on my subnet and inside my network works just fine. Anything outside of my network fails.
When I turn off Wi-Fi on the cell phone (and use T-Mobile), the Web works just fine.
Very confusing. Any suggestions?
Michael
Hi Michael,
It seems to me like this is a DNS problem; you should try opening Google using its IP address (try using http://173.194.35.132/) to check connectivity. Also, if your phone is rooted, you should be able to use some terminal-like tool and try to ping some hosts to rule out the DNS problem.
Cheers,
Stefan.
P.S.: please use thanks if information was helpful

[Q] Any way to lock down to SSH/VPN traffic only?

I want to set my Mum's new tablet so that it can only access the Internet via the SSH server running on her Buffalo router (with Tomato firmware).
I've got the server working and accessible remotely and so far the only app I've found that has a Global Proxy setting to redirect everything via the SSH server is SSHTunnel, although I gather that it's not totally reliable when connections drop/change and I can't expect my Mum to cope with monitoring it and re-enabling it manually. When it's disabled, all traffic will just go over local connection unencrypted so that's a concern.
Ideally there'd be some way to setup the SSH settings at a system level, with no way to disable them and force all the traffic go out like this but I'm not sure if there is any way to achieve this.
The other part is setting a firewall (AFWall+ or Android Firewall seem to be the main ones) to only allow traffic via the SSH server. I'm not sure what whitelist rules would be required for this. For example, SSHTunnel connects to the server at x.x.x.x:x, so I presume I'd need a rule to allow connections to this address and this port (I had a quick play with the Avast firewall, which only allows creating custom rules for IP or port, so I'd need two rules with that and it doesn't allow entering the DynDNS name, only an IP address, so that's no good).
Then SSHTunnel has a Local Port (1984) and remote address:port (127.0.0.1:3128) so I presume I'd need rules to allow all of those as well (I'm not sure which of these need to be incoming/outgoing or both). Then there's the question of whether I need to allow other ports like DNS (53) and so on, or if that all goes over the SSH tunnel and doesn't require setting allow rules specifically.
It might be that a VPN server would be more suitable for what I'm trying to achieve than an SSH server and I think the Tomato firmware on the router has that facility (or if the version currently flashed doesn't, there's probably another version I could flash that does), so if that's the case, I'd appreciate advice on locking it down that way instead. Android has built-in VPN support, so it might be possible to use that but it depends on whether it will auto-connect and stay connected all the time or if it requires user intervention and I'll still need to set up firewall rules to prevent data being sent without the VPN in case it does get disabled.
Another issue is whether these firewall rules will prevent the device even being able to connect to any public Wi-Fi points before redirecting the traffic via the SSH/VPN server, which would obviously be no good.
OK, maybe there's another way
I was thinking of setting up a VPN on a Raspberry Pi installed at my parent's house, as they have reasonable broadband speeds, something like 100/10MB. Is there any way that I could set up my Mum's tablet so that it passes everything through the VPN whether at home or away, so that she doesn't have to worry about toggling the VPN or firewall?
I can point it to the No-IP domain name I've setup but then I think every request would go out onto the Internet (albeit encrypted) before coming back in to the VPN, which would then have to go out again to retrieve whatever webpage, etc is being requested, which would obviously be stupid. If I point it to the LAN IP of 192.168.1.66, that will avoid doing that when at home but won't work when away.
So, any ideas?

Cannot access local lan web site (sometimes)

I have various machines on my lan in 192.168.1.*, I have a local DNS server to give those machines names. This normally works great, but my new Samsung Galaxy S21 sometimes says "cannot access" when I point it at a web address of a server running on my lan. I'll use a network utility app to do a DNS lookup of the other system, and it will tell me the correct address, then I'll use the same network utility to do a traceroute, and it will try to talk to a local IP I do not have in my network, in my DNS database, or anywhere in the set of addresses my router knows about. Where does this ghost address come from? Does the phone imagine that is the gateway it ought to be using for some reason? (The router's DHCP server certainly doesn't claim an unknown address is the gateway).
Every time I start trying to investigate the problem in more detail, everything suddenly starts working perfectly.
Does this ring a bell for anyone? Any clue what is going on? Maybe I should assign my phone's network statically and see if it works better.

Assigning a static IP address to a phone's hotspot

How can I assign a static IP address to my phone's hotspot?
I use the hotspot on my Samsung M31 to connect my laptop running Windows 10 to the internet.
I also have Oracle's Virtual Box VM running a few test websites on the laptop on Ubuntu Server 22.04, which need a static IP address to access.
A few days back when I ran ipconfig at the Windows command prompt, it showed my wireless IP address as 192.168.166.135. Today, it shows as 192.168.35.125. Meaning, all my sites are now broken. Is there a way to stop the hotspot from changing IP addresses?
Can someone please help?
Thanks,
normanscr said:
How can I assign a static IP address to my phone's hotspot?
I use the hotspot on my Samsung M31 to connect my laptop running Windows 10 to the internet.
I also have Oracle's Virtual Box VM running a few test websites on the laptop on Ubuntu Server 22.04, which need a static IP address to access.
A few days back when I ran ipconfig at the Windows command prompt, it showed my wireless IP address as 192.168.166.135. Today, it shows as 192.168.35.125. Meaning, all my sites are now broken. Is there a way to stop the hotspot from changing IP addresses?
Can someone please help?
Thanks,
I don't know the answer to your question directly as your situation is more complicated than is mine but I will try to help in so much as you can at least check what your current settings are.
My setup is only similar to yours in that I have apps (such as vysor & scrcpy) on Windows which are expecting a static IP address from my phone. However, where my setup differs from yours is I'm not using my phone as a hotspot - the router is assigning the IP addresses.
However, maybe what I've learned by randomizing my MAC address on each connection can help you - where I say maybe - as your situation is using the phone as a hotspot and mine is passively accepting the IP address handed to the phone by the router.
In Android 11, the phone's Wi-Fi radio MAC address can be randomized per SSID, in which case the "address reservation" feature of most routers (often incorrectly called "static" IP addresses) won't work as intended. Worse, in Android 12, in Developer options, you can set a switch to randomize the Wi-Fi radio MAC address of the phone on every connection, regardless of the SSID.
Hence, you have to set the "static" IP address request in the phone itself, so that the router will respect that request for a static IP address.
(As an extra complexity, my SSID broadcast is hidden for privacy reasons (not for security - but privacy), which complicates things only a tiny bit as you have to turn off auto-reconnect for privacy.)
See the images below where maybe (but maybe not!) this information will help you track down why in your (hotspot) case, this static IP address request isn't being honored in your hotspot setup.
normanscr said:
How can I assign a static IP address to my phone's hotspot?
I use the hotspot on my Samsung M31 to connect my laptop running Windows 10 to the internet.
I also have Oracle's Virtual Box VM running a few test websites on the laptop on Ubuntu Server 22.04, which need a static IP address to access.
A few days back when I ran ipconfig at the Windows command prompt, it showed my wireless IP address as 192.168.166.135. Today, it shows as 192.168.35.125. Meaning, all my sites are now broken. Is there a way to stop the hotspot from changing IP addresses?
Can someone please help?
Thanks,
Hi,
If you are the lucky owner of a rooted phone you can try this:
How do I assign a permanent static IP address to hotspot in Android 10
I would like to assign a permanent static IP address to hotspot in Android 10 (Unofficial LineageOS 17.1 for Natrium by LuK1337, rooted with Magisk v20.3 and updated to Jan 11, 2020 build). Now whenever I turn on the hotspot, it assigns a...
To assign a static IP address to your phone's hotspot:
Go to your phone's settings and find the hotspot or tethering settings.
Look for the option to set the IP address as "Static" or "Manual."
Enter the desired IP address, subnet mask, gateway, and DNS server information.
Save the settings and restart the hotspot.
For more details, you can check out https://1921681.mobi/192-168-100-1/. Hope this helps.
