Reputation: 157
This is an internal Android question.
I would like to have a clear understanding of what happens when a VPN tunnel is established with only specific apps allowed through it using the Builder.addAllowedApplication() method.
This is similar to selecting which apps go through OpenVPN.
How does it tell tun0 that these apps should go through it? What kind of rules does it change, or what kind of function calls or API calls does it make in the process?
Kindly help me here.
Thank you
Upvotes: 3
Views: 1957
Reputation: 542
This is based on policy routing. The Linux kernel can work with multiple routing tables and rules that define for which traffic a specific routing table is used. You can see these rules with ip rule if iproute2 is available on your system. The routes in a specific table can be listed with ip route list table <nr/name> (use all as the name to see routes in all tables).
The rules can match different properties associated with a network packet (or a combination of them), e.g. the IP addresses, in-/outbound interfaces, Netfilter marks, or processes' UIDs. The latter in particular is used to exclude/include specific applications. Every app is run by a unique user with its own UID. This allows controlling whether a particular app uses the routing table that directs traffic to the TUN device or not.
For example, using the VPN exclusively for three apps adds rules with these selectors:
... uidrange 10010-10010 lookup 1049
... uidrange 10062-10062 lookup 1049
... uidrange 10094-10094 lookup 1049
Routing table 1049 (this changes for each new VPN instance) contains the route that directs traffic to the TUN device.
On the other hand, if the same three apps are excluded from the VPN the selectors are:
... uidrange 0-10009 ...
... uidrange 10011-10061 ...
... uidrange 10063-10093 ...
... uidrange 10095-99999 ...
As you can see, traffic from all UIDs (in the range 0-99999) except the three previously seen is directed to the routing table for the TUN device.
Upvotes: 6
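To make the answer's two rule sets concrete, here is an added example (not part of the original answer, and not Android's own netd code) that parses ip rule output of the shape shown above, resolves which table a given UID would hit under the kernel's first-match-by-priority semantics, and derives the complementary uidrange selectors that an "exclude these apps" configuration produces. The sample ip rule text, the priority numbers, and the table number 1049 are constructed for illustration; only the uidrange values come from the answer.

```python
# Added example: model Android per-app VPN routing as UID-range policy rules.
# The ip rule sample below is CONSTRUCTED; priorities and table numbers are
# assumptions, not values captured from a real device.
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple


class Rule(NamedTuple):
    priority: int
    uid_lo: Optional[int]  # None: rule does not select on UID (matches any UID)
    uid_hi: Optional[int]
    table: str


# Constructed `ip rule` output for a VPN allowed for exactly three apps.
ALLOWED_RULES = """\
14000:  from all uidrange 10010-10010 lookup 1049
14000:  from all uidrange 10062-10062 lookup 1049
14000:  from all uidrange 10094-10094 lookup 1049
32766:  from all lookup main
"""

# One rule line: "<prio>: from <src> [uidrange a-b] [other selectors] lookup <table>".
_RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+\S+"
    r"(?:\s+uidrange\s+(?P<lo>\d+)-(?P<hi>\d+))?"
    r"(?:\s+\S+)*?\s+lookup\s+(?P<table>\S+)"
)


def parse_rules(text: str) -> List[Rule]:
    """Parse ip rule lines into Rule records, ordered the way the kernel
    evaluates them (ascending priority). Lines whose selectors this model
    does not understand (fwmark, iif, ...) are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        lo = int(m["lo"]) if m["lo"] else None
        hi = int(m["hi"]) if m["hi"] else None
        rules.append(Rule(int(m["prio"]), lo, hi, m["table"]))
    return sorted(rules, key=lambda r: r.priority)  # stable: keeps file order on ties


def table_for_uid(rules: Sequence[Rule], uid: int) -> Optional[str]:
    """First matching rule wins, exactly as the kernel's policy routing does."""
    for r in rules:
        if r.uid_lo is None or r.uid_lo <= uid <= r.uid_hi:
            return r.table
    return None


def complement_ranges(excluded: Sequence[int], lo: int = 0, hi: int = 99999) -> List[Tuple[int, int]]:
    """UID ranges that cover [lo, hi] minus the excluded UIDs. This is the
    selector shape the answer shows when the same apps are excluded from the VPN."""
    ranges: List[Tuple[int, int]] = []
    start = lo
    for uid in sorted(set(excluded)):
        if uid < lo or uid > hi:
            continue
        if uid > start:
            ranges.append((start, uid - 1))
        start = uid + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def render_rules(ranges: Sequence[Tuple[int, int]], table: str, priority: int = 14000) -> List[str]:
    """Render uidrange selectors as ip rule style lines (priority is assumed)."""
    return [f"{priority}:  from all uidrange {a}-{b} lookup {table}" for a, b in ranges]


def uids_reaching_table(rules: Sequence[Rule], table: str, lo: int = 0, hi: int = 99999) -> List[int]:
    """Defender's check: enumerate every UID that would end up in `table`.
    Useful to confirm that an exclusion list really keeps the intended UIDs
    off the TUN device and nothing else leaks onto it."""
    return [uid for uid in range(lo, hi + 1) if table_for_uid(rules, uid) == table]


if __name__ == "__main__":
    allowed = parse_rules(ALLOWED_RULES)
    for uid in (10010, 10011, 10094):
        print(f"uid {uid} -> table {table_for_uid(allowed, uid)}")
    excluded_rules = render_rules(complement_ranges([10010, 10062, 10094]), "1049")
    print("\n".join(excluded_rules))
    parsed = parse_rules("\n".join(excluded_rules) + "\n32766:  from all lookup main\n")
    print("excluded UIDs still hitting 1049:",
          [u for u in (10010, 10062, 10094) if table_for_uid(parsed, u) == "1049"])
```

The model deliberately ignores selectors other than uidrange, so on a real device the lookup result is only indicative; run ip rule and compare the full rule list, since a higher-priority fwmark or interface rule can take a packet elsewhere before the UID rules are consulted.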