Contribution: split tunneling support for VPN

Andrew Kulikov

Sep 22, 2010, 2:58:56 PM
to Android Contributors
The proposed contribution to the Android Open Source Project enables split
tunneling functionality in the Android VPN service. Split tunneling allows
VPN users to access a public network (e.g. the Internet) and a corporate
private network at the same time. The current Android VPN implementation
works in such a way that all traffic (including that addressed to the
Internet) is redirected to the VPN gateway. This raises privacy concerns,
increases load on the corporate network as well as the latency of Internet
sites that must go through the corporate network to reach the mobile
device.

The proposed changes would allow the user to configure a list of subnet
addresses which belong to the private network as well as specify a list of
subnet addresses of the public network. The most obvious way to configure
it is through new UI options in VPN settings, but potentially 3rd
party applications will be able to dynamically set up the split tunneling
configuration based on network policy. UI modifications are left out
of scope of the proposed patch for now as we want to focus on
infrastructure changes first. The changes can be incorporated without
UI changes and without any impact on current users and applications.

The changes consist of two parts:
1) VPN service modification https://review.source.android.com/#change,15624
This patch adds support for the new configuration options mRouteList and
mExcludeRouteList in the VpnProfile class. These options are passed to
pppd as the ipparam argument. By default, if neither mRouteList nor
mExcludeRouteList is assigned a value, the current behavior is
preserved (all traffic goes to the VPN gateway).
2) https://review.source.android.com/#change,15623 – implements
routing table modification according to the split-tunneling configuration
passed in the pppd ipparam command line argument.
The ip-up-vpn process is executed by pppd when the PPP interface is activated
and is responsible for creating routes. ip-down-vpn is started by pppd
when the PPP interface goes down and is used to restore the routing table.
pppd passes the ipparam argument to both the ip-up-vpn and ip-down-vpn
processes as a command line argument.

Here is an example of how the feature can be used. Let’s assume the
corporate network address is 192.168.0.0/255.255.0.0. At the same time
the user’s local home network address is 192.168.11.0/255.255.255.0. The user
would like to access his corporate network through the VPN while accessing
his local home network and the Internet directly. In this case the
configuration would be as follows:
mRouteList = 192.168.0.0/255.255.0.0
mExcludeRouteList = 192.168.11.0/255.255.255.0

We appreciate any feedback from Google engineers and the open source
community regarding our approach.

Thanks,
Andrew Kulikov
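An added example, not part of the submitted patch or this thread, that models the routing decision ip-up-vpn has to make for the configuration above: the VPN route and the exclude route are resolved by longest-prefix match, so the more specific home subnet wins over the corporate /16, and an empty mRouteList keeps the all-traffic-via-VPN behavior. The hop labels, the check_config sanity check and the comma-separated list format are assumptions; the actual ipparam encoding used by the patch is not modelled.

```python
import ipaddress

VPN_HOP = "vpn"        # route via the PPP interface the VPN brought up
DIRECT_HOP = "direct"  # route via the pre-existing, non-VPN default gateway

def parse_subnet_list(text):
    """Parse 'net/mask,net/mask' (dotted mask or prefix length) into networks.
    The comma-separated form is an assumption, not the patch's ipparam format."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in text.split(",") if s.strip()]

def build_routes(route_list, exclude_list):
    """Return (network, hop) pairs implementing the split-tunnel policy.
    An empty mRouteList preserves current behavior: everything via the VPN."""
    routes = []
    if not route_list:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), VPN_HOP))
    routes += [(n, VPN_HOP) for n in route_list]
    routes += [(n, DIRECT_HOP) for n in exclude_list]
    return routes

def next_hop(dst, routes):
    """Longest-prefix match, as the kernel resolves a destination address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else DIRECT_HOP

def check_config(route_list, exclude_list):
    """Flag entries that silently do nothing or that widen the tunnel."""
    warnings = []
    for n in route_list:
        if n.prefixlen == 0:
            warnings.append(f"{n} in mRouteList sends all traffic to the VPN")
    for e in exclude_list:
        covering = [r for r in route_list if r.overlaps(e)]
        if route_list and not covering:
            warnings.append(f"{e} in mExcludeRouteList overlaps no VPN route")
        elif any(not e.subnet_of(r) for r in covering):
            warnings.append(f"{e} is less specific than the VPN route it overlaps")
    return warnings

if __name__ == "__main__":
    inc = parse_subnet_list("192.168.0.0/255.255.0.0")    # corporate network
    exc = parse_subnet_list("192.168.11.0/255.255.255.0")  # home network
    routes = build_routes(inc, exc)
    for dst in ("192.168.5.7", "192.168.11.20", "8.8.8.8"):
        print(dst, "->", next_hop(dst, routes))
    print(check_config(inc, exc))
```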

Andrew Kulikov

Oct 4, 2010, 2:00:07 PM
to Android Contributors
Hi,

Any opinions on this patch?

Thanks,
Andrew

On Sep 22, 11:58 am, Andrew Kulikov <avkuli...@gmail.com> wrote:
> The proposed contribution to the Android Open Source Project enables split
> tunneling functionality in the Android VPN service. Split tunneling allows
> VPN users to access a public network (e.g. the Internet) and a corporate
> private network at the same time. The current Android VPN implementation
> works in such a way that all traffic (including that addressed to the
> Internet) is redirected to the VPN gateway. This raises privacy concerns,
> increases load on the corporate network as well as the latency of Internet
> sites that must go through the corporate network to reach the mobile
> device.
>
> The proposed changes would allow the user to configure a list of subnet
> addresses which belong to the private network as well as specify a list of
> subnet addresses of the public network. The most obvious way to configure
> it is through new UI options in VPN settings, but potentially 3rd
> party applications will be able to dynamically set up the split tunneling
> configuration based on network policy. UI modifications are left out
> of scope of the proposed patch for now as we want to focus on
> infrastructure changes first. The changes can be incorporated without
> UI changes and without any impact on current users and applications.
>
> The changes consist of two parts:
> 1) VPN service modification https://review.source.android.com/#change,15624