Android VPNService route exception

I use OpenVPN and the new VpnService API that comes with ICS (Android 4.X).

Is there a way to detect the exclusion of an IP address from a VPN tunnel (so that traffic intended for this IP is routed directly to the network without going through the VPN tunnel)? We are trying to reduce the network load and costs of our VPN by letting bandwidth-intensive services, such as YouTube, pass unencrypted, while preserving the rest of the traffic.

As far as I understand, before Android opens the Tun device, it can get a list of routes that indicates what traffic should go to the VPN, and not what traffic to exclude:

VpnService.Builder API Documentation

+5
2 answers

I needed to exclude the local WiFi subnet from the VPN. I used the approach of adding multiple routes instead of 0.0.0.0/0. For example, if you need to exclude the subnet 192.168.240.90/21 (binary representation 11000000.10101000.11110000.01011010), then you must add the following 21 routes to your VpnService (binary representation):

00000000.00000000.00000000.00000000 / 1
10000000.00000000.00000000.00000000 / 2
11100000.00000000.00000000.00000000 / 3
11010000.00000000.00000000.00000000 / 4
11001000.00000000.00000000.00000000 / 5
11000100.00000000.00000000.00000000 / 6
11000010.00000000.00000000.00000000 / 7
11000001.00000000.00000000.00000000 / 8
11000000.00000000.00000000.00000000 / 9
11000000.11000000.00000000.00000000 / 10
11000000.10000000.00000000.00000000 / 11
11000000.10110000.00000000.00000000 / 12
11000000.10100000.00000000.00000000 / 13
11000000.10101100.00000000.00000000 / 14
11000000.10101010.00000000.00000000 / 15
11000000.10101001.00000000.00000000 / 16
11000000.10101000.00000000.00000000 / 17
11000000.10101000.10000000.00000000 / 18
11000000.10101000.11000000.00000000 / 19
11000000.10101000.11100000.00000000 / 20
11000000.10101000.11111000.00000000 / 21

The idea is to invert the bit at the prefix position (right) and zero all bits after the prefix position. As a result, all packets, except those that go to the local subnet, will match one of these routes.

+2
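The bit-flipping rule from the answer above, written out as an added example that is not part of the original answer. The class and method names are hypothetical. On Android, each resulting address and prefix length would be passed to `VpnService.Builder.addRoute(String, int)`. The destination addresses in `main` are constructed samples.

```java
import java.util.ArrayList;
import java.util.List;

public class ExcludeRoutes {
    /** Dotted-quad IPv4 string to a 32-bit int (octets are not range-checked). */
    static int parse(String ip) {
        String[] p = ip.split("\\.");
        if (p.length != 4) throw new IllegalArgumentException("not IPv4: " + ip);
        int v = 0;
        for (String s : p) v = (v << 8) | (Integer.parseInt(s) & 255);
        return v;
    }

    static String format(int v) {
        return (v >>> 24) + "." + ((v >>> 16) & 255) + "." + ((v >>> 8) & 255) + "." + (v & 255);
    }

    /** Routes covering all of IPv4 except ip/prefix: one route per prefix bit. */
    static List<String> routesExcluding(String ip, int prefix) {
        if (prefix < 1 || prefix > 32) throw new IllegalArgumentException("prefix must be 1..32");
        int addr = parse(ip);
        List<String> routes = new ArrayList<>();
        for (int len = 1; len <= prefix; len++) {
            int bit = 1 << (32 - len);      // the bit at position len, counted from the left
            int mask = -1 << (32 - len);    // keeps the first len bits
            int net = (addr ^ bit) & mask;  // flip that bit, zero everything after it
            routes.add(format(net) + "/" + len);
        }
        return routes;
    }

    /** True if dst falls inside route "a.b.c.d/len". */
    static boolean matches(String route, String dst) {
        String[] r = route.split("/");
        int mask = -1 << (32 - Integer.parseInt(r[1]));
        return (parse(r[0]) & mask) == (parse(dst) & mask);
    }

    public static void main(String[] args) {
        List<String> routes = routesExcluding("192.168.240.90", 21);
        routes.forEach(System.out::println);
        // Constructed destinations: two inside the excluded /21, two outside it.
        for (String dst : new String[] {"192.168.240.1", "192.168.247.255", "192.168.248.1", "8.8.8.8"}) {
            boolean tunneled = routes.stream().anyMatch(r -> matches(r, dst));
            System.out.println(dst + " -> " + (tunneled ? "VPN" : "direct"));
        }
    }
}
```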

Short answer: no.

. (, 32 /1 /32, ip). -, . ( CPU)

+1
