Yes. The problem is Lollipop. I tried to install tinc on my brother's device, which mounts a Cyano 10.1 (Android 4.2.2), and it works.
I don't understand what the problem with Lollipop is. Is there a firewall that blocks the packets?

Andrea Squeri

If you are running Lollipop / Android 5.x on your Nexus 5, then you are probably seeing the same issue I was with it. Lollipop seems to change networking quite a bit in that it's using iptables / and `ip rule list` extensively for per-user settings.

I think http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/ is relevant if you are running into the same issue; it's confusing quite a lot of folks. I was unable to get tinc-gui (or even tincd manually and tinkering via adb shell) to work, so I've downgraded my S5 to a 4.4.2 ROM.

I'm not sure if coming up with a fancy tinc-up is the solution or someone with the ability to get tinc compatible with the official Android VPN API that a lot of the openvpn apps are using now.

You might be able to draw some inspiration from https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh but I haven't tried it since I've been back on 4.4.2.

On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com> wrote:
> Hi, first, sorry for my bad English.
> I made a VPN with tinc to link my home and my two offices. In addition I
> want to configure my Android device to link with my VPN.
> The topology of the net is this:
>
> cubox (a linux machine in my home with vpn address 192.168.0.20)
> groppalbero (a linux machine in my second office with vpn address 192.168.0.40)
> imac (a mac machine in my first office with vpn address 192.168.0.50)
> nexus5 (my android device with vpn address 192.168.0.80)
>
> I have configured all the machines and now they all work except the Android
> device.
> On this I use the "Tinc Gui" app to configure it. When I start the tinc
> daemon it connects to the configured host and the tun0 interface is created
> and configured, but I can ping with any hosts
> and any host can ping my Android device. The result of ping IS NOT a
> network unavailable response. In fact it blocks an operation and from the
> tinc gui log I can see that the packets are received by my Android device.
> I suspect that it can be a problem with the route but I can't understand what
> the problem is.
>
> For information I paste the configuration from cubox and the Android device:
>
> CUBOX :
>
> ----------------------------------------------------------------------
> andre at cubox vpnalma]$ cat tinc.conf
> # Sample tinc configuration file
>
> # This is a comment.
> # Spaces and tabs are eliminated.
> # The = sign isn't strictly necessary any longer, though you may want
> # to leave it in as it improves readability :)
> # Variable names are treated case insensitive.
>
> # The name of this tinc host. Required.
> Name = cubox
>
> # The internet host to connect with.
> # Comment these out to make yourself a listen-only connection
> # You must use the name of another tinc host.
> # May be used multiple times for redundance.
> #ConnectTo = vaio
> #ConnectTo = groppalbero
> #ConnectTo = imac
> #ConnectTo = servermarcy
>
> # The tap device tinc will use.
> # Default is /dev/tap0 for ethertap or FreeBSD,
> # /dev/tun0 for Solaris and OpenBSD,
> # and /dev/net/tun for Linux tun/tap device.
> Device = /dev/net/tun
> [andre at cubox vpnalma]$ cat tinc-up
> #!/bin/sh
> # This file sets up the tap device.
> # It gives you the freedom to do anything you want with it.
> # Use the correct name for the tap device:
> # The environment variable $INTERFACE is set to the right name
> # on most platforms, but if it doesn't work try to set it manually.
>
> # Give it the right ip and netmask. Remember, the subnet of the
> # tap device must be larger than that of the individual Subnets
> # as defined in the host configuration file!
> ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0
> #ip link set $INTERFACE up
> #ip addr add 192.168.0.20/32 dev $INTERFACE
> #ip route add 192.168.0.0/24 dev $INTERFACE
> [andre at cubox vpnalma]$ cat hosts/cubox
> #iample host configuration file
> # This file was generated by host beta.
>
> # The real IP address of this tinc host. Can be used by other tinc hosts.
> Address = 10.0.0.7
> Address = almaliberty.duckdns.org
> # Portnumber for incoming connections. Default is 655.
> Port = 655
>
> # Subnet on the virtual private network that is local for this host.
> Subnet = 192.168.0.20/32
> ----------------------------------------------------------------------
> The network is configured like this:
>
> ----------------------------------------------------------------------
>
> [andre at cubox vpnalma]$ ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         inet 10.0.0.7 netmask 255.255.255.0 broadcast 10.0.0.255
>         inet6 fe80::d263:b4ff:fe00:6a6b prefixlen 64 scopeid 0x20<link>
>         ether d0:63:b4:00:6a:6b txqueuelen 1000 (Ethernet)
>         RX packets 63975281 bytes 142504956 (135.9 MiB)
>         RX errors 0 dropped 2 overruns 0 frame 0
>         TX packets 35826176 bytes 2648965717 (2.4 GiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>         inet 127.0.0.1 netmask 255.0.0.0
>         inet6 ::1 prefixlen 128 scopeid 0x10<host>
>         loop txqueuelen 0 (Local Loopback)
>         RX packets 167609 bytes 76370891 (72.8 MiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 167609 bytes 76370891 (72.8 MiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
>         inet 192.168.0.20 netmask 255.255.255.0 destination 192.168.0.20
>         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
>         RX packets 8876 bytes 1765584 (1.6 MiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 5939 bytes 2394177 (2.2 MiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> [andre at cubox vpnalma]$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> default         router.asus.com 0.0.0.0         UG    1024   0   0   eth0
> 10.0.0.0        *               255.255.255.0   U     0      0   0   eth0
> router.asus.com *               255.255.255.255 UH    1024   0   0   eth0
> 192.168.0.0     *               255.255.255.0   U     0      0   0   vpnalma
> [andre at cubox vpnalma]$
>
> ----------------------------------------------------------------------
>
> ON THE ANDROID DEVICE SIDE I HAVE THIS CONFIG:
>
>
> u0_a167 at hammerhead:/ $ su
> root at hammerhead:/ # cd sdcard/tinc/vpnalma
> at tinc.conf <
> # Sample tinc configuration file
>
> # This is a comment.
> # Spaces and tabs are eliminated.
> # The = sign isn't strictly necessary any longer, though you may want
> # to leave it in as it improves readability :)
> # Variable names are treated case insensitive.
>
> # The name of this tinc host. Required.
> Name = nexus5
>
> # The internet host to connect with.
> # Comment these out to make yourself a listen-only connection
> # You must use the name of another tinc host.
> # May be used multiple times for redundance.
> ConnectTo = cubox
> ConnectTo = groppalbero
> ConnectTo = imac
> # The tap device tinc will use.
> # Default is /dev/tap0 for ethertap or FreeBSD,
> # /dev/tun0 for Solaris and OpenBSD,
> # and /dev/net/tun for Linux tun/tap device.
> #Mode = switch
> Device = /dev/tun
> #DeviceType = tap
> #Interface = tap0
> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> ScriptsInterpreter = /system/bin/sh
> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
> #!/bin/sh
> # This file sets up the tap device.
> # It gives you the freedom to do anything you want with it.
> # Use the correct name for the tap device:
> # The environment variable $INTERFACE is set to the right name
> # on most platforms, but if it doesn't work try to set it manually.
>
> # Give it the right ip and netmask. Remember, the subnet of the
> # tap device must be larger than that of the individual Subnets
> # as defined in the host configuration file!
> ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
> #ip link set $INTERFACE up
> #ip addr add 192.168.0.80/24 dev $INTERFACE
> #ip route add 192.168.0.0/24 dev $INTERFACE
> root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
> sh: hosts/nexus5: can't execute: Permission denied
> at hosts/nexus5 <
> # Sample host configuration file
>
> # The real IP address of this tinc host. Can be used by other tinc hosts.
>
> # Portnumber for incoming connections. Default is 655.
> #Port = 655
>
> # Subnet on the virtual private network that is local for this host.
> Subnet = 192.168.0.80/32
>
> -----BEGIN RSA PUBLIC KEY-----
>
> -----END RSA PUBLIC KEY-----
>
> root at hammerhead:/sdcard/tinc/vpnalma # ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/[530]
>     inet 10.183.70.124/29 scope global rmnet0
>     inet6 fe80::7561:c093:ea26:5781/64 scope link
>        valid_lft forever preferred_lft forever
> 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/[530]
> 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
> 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
> 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
> 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
> 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
> 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
> 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
> 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
> 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>     link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
> 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
>     link/sit 0.0.0.0 brd 0.0.0.0
> 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>     link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>     link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
> 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>     link/none
>     inet 192.168.0.80/24 scope global tun0
>
>
> root at hammerhead:/sdcard/tinc/vpnalma # ip route
> 10.183.70.120/29 dev rmnet0 proto kernel scope link src 10.183.70.124
> 10.206.56.132 via 10.183.70.125 dev rmnet0 src 10.183.70.124
> 10.207.43.46 via 10.183.70.125 dev rmnet0 src 10.183.70.124
> 192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80
>
>
> root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
> PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
> ^C
> --- 192.168.0.20 ping statistics ---
> 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
>
> 1|root at hammerhead:/sdcard/tinc/vpnalma #
>
>
> ----------------------------------------------------------------------
>
> From the tinc gui log, which I can't copy and paste, I see that the device
> is connected to cubox but I can't ping with it.
> --
> Andrea Squeri
> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
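
Added example, not part of the original thread or of tinc: the reply above says Lollipop relies heavily on `ip rule list`, so this script reports which policy-routing rules are evaluated before the `main` table, where the poster's 192.168.0.0/24 route via tun0 is installed. The sample rule list (priorities, marks, table names) is a constructed assumption, and the helper names `table_priority` and `shadowing_rules` are hypothetical.

```shell
#!/bin/sh
# Added example: which policy-routing rules run before the "main" table?

# Constructed sample in the format printed by `ip rule list`. The priorities,
# marks and table names are illustrative assumptions, not output captured
# from the Nexus 5 discussed in this thread.
sample_rules() {
cat <<'EOF'
0: from all lookup local
10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system
13000: from all fwmark 0x10063/0x1ffff lookup local_network
14000: from all oif rmnet0 lookup rmnet0
22000: from all fwmark 0x0/0xffff lookup rmnet0
23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000: from all unreachable
EOF
}

# table_priority TABLE
# Reads `ip rule list` output on stdin and prints the priority of the first
# rule that looks up TABLE. Prints nothing if no rule references TABLE.
table_priority() {
    awk -v table="$1" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "lookup" && $(i + 1) == table) {
                    prio = $1
                    sub(/:$/, "", prio)
                    print prio
                    exit
                }
        }'
}

# shadowing_rules TABLE
# Prints "priority table" for every rule that is evaluated before the first
# rule for TABLE and that would match an unmarked packet from any user on any
# interface: no iif/oif/uidrange selector, and either no fwmark selector or a
# fwmark value of zero. A matching route in one of these tables is used before
# the routes in TABLE are ever consulted.
shadowing_rules() {
    awk -v table="$1" '
        {
            tbl = ""; narrow = 0; mark_ok = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "lookup") tbl = $(i + 1)
                if ($i == "iif" || $i == "oif" || $i == "uidrange") narrow = 1
                if ($i == "fwmark") {
                    # "fwmark VALUE/MASK": an unmarked packet matches only if VALUE is 0
                    split($(i + 1), m, "/")
                    mark_ok = (m[1] ~ /^(0x)?0+$/)
                }
            }
            if (tbl == table) exit
            if (tbl != "" && tbl != "local" && !narrow && mark_ok) {
                prio = $1
                sub(/:$/, "", prio)
                print prio, tbl
            }
        }'
}
```

On a device, pipe the live output instead (`ip rule list | shadowing_rules main`) and inspect each reported table with `ip route show table <name>` to see whether it has a route that captures the VPN subnet.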

SELinux is considered as the biggest problem.

On Thu, Mar 26, 2015, 22:37 Andrea Squeri <andrea.squeri at gmail.com> wrote:
> Yes. The problem is Lollipop. I tried to install tinc on my brother's
> device, which mounts a Cyano 10.1 (Android 4.2.2), and it works.
> I don't understand what the problem with Lollipop is. Is there a
> firewall that blocks the packets?
>
> Andrea Squeri
I don't know.. It seems that anyone had try to made work tinc with lollipop. Even googoling i don't found anything about this argoument. Andrea Squeri Il 27/mar/2015 06:55 "Tatsuyuki Ishi" <ishitatsuyuki at gmail.com> ha scritto:> SELinux is considered as the biggest problem. > > On Thu, Mar 26, 2015, 22:37 Andrea Squeri <andrea.squeri at gmail.com> wrote: > >> Yes. The problem is lollipop. I tried to install tinc on my brother's >> device which mount a cyano 10.1( android 4.2.2) and it works. >> I don't understand which is the problem with lollipop. Is there a >> firewall that block the packets? >> >> Andrea Squeri >> If you are running Lollipop / Android 5.x on your Nexus 5, then you are >> probably seeing the same issue I was with it. lollipop seems to change >> networking quite a bit in that it's using iptables / and `ip rule list` >> extensively for per-user settings. >> I think >> http://www.linux.org/threads/debugging-nat-prerouting-issues-iptables.7136/ >> is relevant if you see running in to the same issue, it's confusing quite a >> lot of folks. I was unable to get tinc-gui (or even tincd manually and >> tinkering via adb shell) to work so I've downgraded my S5 to a 4.4.2 rom. >> I'm not sure if coming up with a fancy tinc-up is the solution or someone >> with the ability to get tinc compatible with the official Android VPN API >> that a lot of the openvpn apps are using now. >> You might be able to draw some inspiration from >> https://github.com/offensive-security/kali-nethunter/blob/master/utils/manna/start-nat-full-lollipop.sh >> but I haven't tried it since I've been back on 4.4.2. >> >> On Wed, Mar 25, 2015 at 5:15 AM, Andrea Squeri <andrea.squeri at gmail.com> >> wrote: >> >>> Hi, First sorry for my bad English. >>> I made a vpn wtih tinc for link my home and my two office. In Addition I >>> want to configure my android device to link with my vpn. 
>>> The topology of the net is this: >>> >>> cubox(a linux machine in my home with vpn address 192.168.0.20) >>> groppalbero (a linux machine in my second office with vpn address >>> 192.168.0.40) >>> imac(a mac machine in my first office with vpn address 192.168.0.50) >>> nexus5(my android device with vpn address 192.168.0.80) >>> >>> I have configurate all machine and now they all works except the android >>> device. >>> On this I use ?Tinc Gui? app for configure it. When I start the tinc >>> daemon it connect to the configured host and the tun0 interface in created >>> and configured, but i can ping with any hosts >>> and any host can ping my android device. the result of ping IS NOT a >>> network unavailable response. In fact it block un operation and from the >>> tinc gui log I can see that the packet are received by my android device. >>> I suspect that can be a problem for the route but I can?t understand >>> which the problem is. >>> >>> For information paste the configuration from cubic and android device: >>> >>> CUBOX : >>> >>> -------------------------------------------------------------------------------------------------------- >>> andre at cubox vpnalma]$ cat tinc.conf >>> # Sample tinc configuration file >>> >>> # This is a comment. >>> # Spaces and tabs are eliminated. >>> # The = sign isn't strictly necessary any longer, though you may want >>> # to leave it in as it improves readability :) >>> # Variable names are treated case insensitive. >>> >>> # The name of this tinc host. Required. >>> Name = cubox >>> >>> # The internet host to connect with. >>> # Comment these out to make yourself a listen-only connection >>> # You must use the name of another tinc host. >>> # May be used multiple times for redundance. >>> #ConnectTo = vaio >>> #ConnectTo = groppalbero >>> #ConnectTo = imac >>> #ConnectTo = servermarcy >>> >>> # The tap device tinc will use. 
>>> # Default is /dev/tap0 for ethertap or FreeBSD, >>> # /dev/tun0 for Solaris and OpenBSD, >>> # and /dev/net/tun for Linux tun/tap device. >>> Device = /dev/net/tun >>> [andre at cubox vpnalma]$ cat tinc-up >>> #!/bin/sh >>> # This file sets up the tap device. >>> # It gives you the freedom to do anything you want with it. >>> # Use the correct name for the tap device: >>> # The environment variable $INTERFACE is set to the right name >>> # on most platforms, but if it doesn't work try to set it manually. >>> >>> # Give it the right ip and netmask. Remember, the subnet of the >>> # tap device must be larger than that of the individual Subnets >>> # as defined in the host configuration file! >>> ifconfig $INTERFACE 192.168.0.20 netmask 255.255.255.0 >>> #ip link set $INTERFACE up >>> #ip addr add 192.168.0.20/32 dev $INTERFACE >>> #ip route add 192.168.0.0/24 dev $INTERFACE >>> [andre at cubox vpnalma]$ cat hosts/cubox >>> #iample host configuration file >>> # This file was generated by host beta. >>> >>> # The real IP address of this tinc host. Can be used by other tinc hosts. >>> Address = 10.0.0.7 >>> Address = almaliberty.duckdns.org >>> # Portnumber for incoming connections. Default is 655. >>> Port = 655 >>> >>> # Subnet on the virtual private network that is local for this host. >>> Subnet = 192.168.0.20/32 >>> ???????????????????????????????????????????????????? >>> The network is so configurated: >>> >>> ?????????????????????????????????????????????????????????????????????????????? 
>>> >>> [andre at cubox vpnalma]$ ifconfig >>> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 >>> inet 10.0.0.7 netmask 255.255.255.0 broadcast 10.0.0.255 >>> inet6 fe80::d263:b4ff:fe00:6a6b prefixlen 64 scopeid 0x20<link> >>> ether d0:63:b4:00:6a:6b txqueuelen 1000 (Ethernet) >>> RX packets 63975281 bytes 142504956 (135.9 MiB) >>> RX errors 0 dropped 2 overruns 0 frame 0 >>> TX packets 35826176 bytes 2648965717 (2.4 GiB) >>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 >>> >>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 >>> inet 127.0.0.1 netmask 255.0.0.0 >>> inet6 ::1 prefixlen 128 scopeid 0x10<host> >>> loop txqueuelen 0 (Local Loopback) >>> RX packets 167609 bytes 76370891 (72.8 MiB) >>> RX errors 0 dropped 0 overruns 0 frame 0 >>> TX packets 167609 bytes 76370891 (72.8 MiB) >>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 >>> >>> vpnalma: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 >>> inet 192.168.0.20 netmask 255.255.255.0 destination >>> 192.168.0.20 >>> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 >>> txqueuelen 500 (UNSPEC) >>> RX packets 8876 bytes 1765584 (1.6 MiB) >>> RX errors 0 dropped 0 overruns 0 frame 0 >>> TX packets 5939 bytes 2394177 (2.2 MiB) >>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 >>> >>> [andre at cubox vpnalma]$ route >>> Kernel IP routing table >>> Destination Gateway Genmask Flags Metric Ref Use >>> Iface >>> default router.asus.com 0.0.0.0 UG 1024 0 0 >>> eth0 >>> 10.0.0.0 * 255.255.255.0 U 0 0 0 >>> eth0 >>> router.asus.com * 255.255.255.255 UH 1024 0 0 >>> eth0 >>> 192.168.0.0 * 255.255.255.0 U 0 0 0 >>> vpnalma >>> [andre at cubox vpnalma]$ >>> >>> ?????????????????????????????????????????????????????????????????? >>> >>> ON THE ANDROIDE DEVICE SIDE I HAVE THIS CONFG: >>> >>> >>> u0_a167 at hammerhead:/ $ su >>> root at hammerhead:/ # cd sdcard/tinc/vpnalma >>> at tinc.conf < >>> # Sample tinc configuration file >>> >>> # This is a comment. 
>>> # Spaces and tabs are eliminated.
>>> # The = sign isn't strictly necessary any longer, though you may want
>>> # to leave it in as it improves readability :)
>>> # Variable names are treated case insensitive.
>>>
>>> # The name of this tinc host. Required.
>>> Name = nexus5
>>>
>>> # The internet host to connect with.
>>> # Comment these out to make yourself a listen-only connection
>>> # You must use the name of another tinc host.
>>> # May be used multiple times for redundance.
>>> ConnectTo = cubox
>>> ConnectTo = groppalbero
>>> ConnectTo = imac
>>> # The tap device tinc will use.
>>> # Default is /dev/tap0 for ethertap or FreeBSD,
>>> # /dev/tun0 for Solaris and OpenBSD,
>>> # and /dev/net/tun for Linux tun/tap device.
>>> #Mode = switch
>>> Device = /dev/tun
>>> #DeviceType = tap
>>> #Interface = tap0
>>> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
>>> ScriptsInterpreter = /system/bin/sh
>>> root at hammerhead:/sdcard/tinc/vpnalma # cat tinc-up
>>> #!/bin/sh
>>> # This file sets up the tap device.
>>> # It gives you the freedom to do anything you want with it.
>>> # Use the correct name for the tap device:
>>> # The environment variable $INTERFACE is set to the right name
>>> # on most platforms, but if it doesn't work try to set it manually.
>>>
>>> # Give it the right ip and netmask. Remember, the subnet of the
>>> # tap device must be larger than that of the individual Subnets
>>> # as defined in the host configuration file!
>>> ifconfig $INTERFACE 192.168.0.80 netmask 255.255.255.0
>>> #echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
>>> #ip link set $INTERFACE up
>>> #ip addr add 192.168.0.80/24 dev $INTERFACE
>>> #ip route add 192.168.0.0/24 dev $INTERFACE
>>> root at hammerhead:/sdcard/tinc/vpnalma # hosts/nexus5
>>> sh: hosts/nexus5: can't execute: Permission denied
>>> at hosts/nexus5 <
>>> # Sample host configuration file
>>>
>>> # The real IP address of this tinc host. Can be used by other tinc hosts.
>>>
>>> # Portnumber for incoming connections. Default is 655.
>>> #Port = 655
>>>
>>> # Subnet on the virtual private network that is local for this host.
>>> Subnet = 192.168.0.80/32
>>>
>>> -----BEGIN RSA PUBLIC KEY-----
>>>
>>> -----END RSA PUBLIC KEY-----
>>>
>>> root at hammerhead:/sdcard/tinc/vpnalma # ip addr
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>     inet 127.0.0.1/8 scope host lo
>>>     inet6 ::1/128 scope host
>>>        valid_lft forever preferred_lft forever
>>> 2: rmnet0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>>>     link/[530]
>>>     inet 10.183.70.124/29 scope global rmnet0
>>>     inet6 fe80::7561:c093:ea26:5781/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 3: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 4: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 5: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 6: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 7: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 8: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 9: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/[530]
>>> 10: rev_rmnet0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether a2:f5:64:5f:9d:05 brd ff:ff:ff:ff:ff:ff
>>> 11: rev_rmnet1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether ea:f8:93:71:83:a1 brd ff:ff:ff:ff:ff:ff
>>> 12: rev_rmnet2: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether 2a:84:3a:f5:3b:f0 brd ff:ff:ff:ff:ff:ff
>>> 13: rev_rmnet3: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether 4a:d5:f8:77:cb:80 brd ff:ff:ff:ff:ff:ff
>>> 14: rev_rmnet4: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether 16:db:e7:e3:f4:39 brd ff:ff:ff:ff:ff:ff
>>> 15: rev_rmnet5: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether 46:3a:94:70:f0:5f brd ff:ff:ff:ff:ff:ff
>>> 16: rev_rmnet6: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether 62:2c:a9:03:e9:4d brd ff:ff:ff:ff:ff:ff
>>> 17: rev_rmnet7: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether f6:8e:08:a1:aa:10 brd ff:ff:ff:ff:ff:ff
>>> 18: rev_rmnet8: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
>>>     link/ether 72:92:60:5c:e6:7c brd ff:ff:ff:ff:ff:ff
>>> 19: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
>>>     link/sit 0.0.0.0 brd 0.0.0.0
>>> 20: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>>>     link/ether 8e:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
>>> 21: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>>>     link/ether 8c:3a:e3:18:bb:55 brd ff:ff:ff:ff:ff:ff
>>> 23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>>>     link/none
>>>     inet 192.168.0.80/24 scope global tun0
>>>
>>> root at hammerhead:/sdcard/tinc/vpnalma # ip route
>>> 10.183.70.120/29 dev rmnet0 proto kernel scope link src 10.183.70.124
>>> 10.206.56.132 via 10.183.70.125 dev rmnet0 src 10.183.70.124
>>> 10.207.43.46 via 10.183.70.125 dev rmnet0 src 10.183.70.124
>>> 192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80
>>>
>>> root at hammerhead:/sdcard/tinc/vpnalma # ping 192.168.0.20
>>> PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
>>> ^C
>>> --- 192.168.0.20 ping statistics ---
>>> 10 packets transmitted, 0 received, 100% packet loss, time 9003ms
>>>
>>> 1|root at hammerhead:/sdcard/tinc/vpnalma #
>>>
>>> ----------------------------------------------------
>>>
>>> From the tinc gui log, which I can't copy and paste, I see that the
>>> device is connected to cubic but I can't ping it.
>>> --
>>> Andrea Squeri
>>> Sent with Sparrow <http://www.sparrowmailapp.com/?sig>
>>>
>>> _______________________________________________
>>> tinc mailing list
>>> tinc at tinc-vpn.org
>>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
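
Added example, not part of the thread or of tinc: the `ip route` output quoted above lists only the main table, while the reply points at `ip rule list` as what Lollipop changed. This Python sketch replays Linux policy-routing order over pasted `ip rule` and per-table `ip route` text to show which table answers for a destination; the rule list and the `local` and `rmnet0` table contents are constructed samples (only the `main` entry is from the post), and only the `fwmark`, `uidrange` and `to` selectors are modelled.

```python
import ipaddress
import re
# Constructed sample of `ip rule` output (not captured from the poster's phone).
RULES = """\
0:      from all lookup local
22000:  from all fwmark 0x0/0xffff lookup rmnet0
23000:  from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000:  from all unreachable
"""
# `ip route show table NAME` text per table; only the `main` entry is from the post.
TABLES = {
    "local": "local 192.168.0.80 dev tun0 proto kernel scope host src 192.168.0.80",
    "rmnet0": "default via 10.183.70.125 dev rmnet0",
    "main": "192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.80",
}

def best_route(table_text, dst):
    """Longest-prefix match inside one table; returns the output device or None."""
    best = None
    for line in table_text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("local", "broadcast", "unicast"):
            tok = tok[1:]  # drop the route type keyword
        if "dev" in tok:
            net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, tok[tok.index("dev") + 1])
    return best[1] if best else None

def select_route(rules_text, tables, dst, uid=0, fwmark=0):
    """Walk rules in priority order; return (priority, table, device) or None."""
    dst = ipaddress.ip_address(dst)
    parsed = [(int(p), body) for p, body in re.findall(r"^\s*(\d+):\s+(.*)$", rules_text, re.M)]
    for prio, body in sorted(parsed, key=lambda r: r[0]):
        m = re.search(r"fwmark (0x[0-9a-f]+)/(0x[0-9a-f]+)", body)
        if m and (fwmark & int(m.group(2), 16)) != int(m.group(1), 16):
            continue  # packet mark does not match this rule
        m = re.search(r"uidrange (\d+)-(\d+)", body)
        if m and not int(m.group(1)) <= uid <= int(m.group(2)):
            continue  # rule applies to other UIDs only
        m = re.search(r"\bto (\S+)", body)
        if m and dst not in ipaddress.ip_network(m.group(1), strict=False):
            continue  # destination selector does not match
        if body.split()[-1] == "unreachable":
            return (prio, None, None)
        m = re.search(r"lookup (\S+)", body)
        dev = best_route(tables.get(m.group(1), ""), dst) if m else None
        if dev:
            return (prio, m.group(1), dev)  # first table with a route wins
```

With the sample data, `select_route(RULES, TABLES, "192.168.0.20")` resolves through the `rmnet0` table before `main` is ever consulted, even though `main` holds the `tun0` route. Prepending a constructed rule such as `9000: from all to 192.168.0.0/24 lookup main` changes the answer to `main`/`tun0` in this model; whether that is sufficient on a real Lollipop device is not established in the thread.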