author: Tobias Brunner <tobias@strongswan.org> 2015-07-24 14:14:07 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2015-07-28 13:27:34 +0200
commit: acc8948fa50311c76b58c49c038dc222145f65de
tree: e614aea6d93a8d876e0d466752f71aaec49e8569 /src/libcharon/plugins/sql
parent: 3390092c76517cf40d73c98ea431712c9147b01f
android: Apply split tunneling options when creating TUN device
Android blocks traffic for address families for which no IPs, DNS servers or routes are installed via VpnService.Builder. Since Android 5+ (API level 21) it is possible to explicitly allow such traffic to bypass the VPN. So for proper split tunneling we note whether we saw a VIP and/or DNS server of a specific family, and if not, allow traffic of that family to bypass the VPN using the new API (on older systems there is no change and such traffic will still be blocked).

Otherwise, we do what we did so far, that is, simply install the received routes (traffic selectors), all other traffic will not be directed to the TUN device and use the underlying network instead.

If traffic for a family should be blocked we install a default route via TUN device even if we received more specific traffic selectors from the server. libipsec will use the actual traffic selectors as IPsec policies and drop any packets it received that don't match them. We only do this if we saw any VIPs or DNS servers of a family. Otherwise the traffic for that family is blocked anyway.
Diffstat (limited to 'src/libcharon/plugins/sql')
0 files changed, 0 insertions, 0 deletions
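
The per-family decision described in the commit message above, modelled as an added Python example (not strongSwan code, which is not shown on this page) so the combinations that let traffic leave outside the tunnel can be enumerated. The names `plan_family`, `bypass_cases` and the `block` option are hypothetical, and it is an assumption of this model that the bypass API is not used for a family that should be blocked.

```python
from itertools import product

ALLOW_FAMILY_MIN_API = 21          # Android 5+, per the commit message
DEFAULT_ROUTE = {"ipv4": "0.0.0.0/0", "ipv6": "::/0"}


def plan_family(family, seen_vip_or_dns, selectors, block, api_level):
    """Return (routes_via_tun, use_bypass_api, fate_of_other_traffic).

    `block` is a hypothetical name for the per-family split tunneling option;
    `selectors` are the received traffic selectors of this family (CIDR strings).
    """
    if not seen_vip_or_dns:
        # No VIP or DNS server of this family: Android blocks it unless the
        # API 21+ bypass is used. Assumption: no bypass when `block` is set.
        if not block and api_level >= ALLOW_FAMILY_MIN_API:
            return [], True, "bypasses VPN"
        return [], False, "blocked by Android"
    if block:
        # Default route via TUN; libipsec drops what no selector matches.
        return [DEFAULT_ROUTE[family]], False, "dropped by libipsec"
    # Previous behaviour: only the received selectors are routed to the TUN.
    return list(selectors), False, "uses underlying network"


def bypass_cases(family, selectors):
    """List every (seen, block, api_level) whose other traffic avoids the VPN."""
    cases = []
    for seen, block, api in product((False, True), (False, True), (19, 21)):
        _, _, fate = plan_family(family, seen, selectors, block, api)
        if fate in ("bypasses VPN", "uses underlying network"):
            cases.append((seen, block, api))
    return cases


if __name__ == "__main__":
    # Constructed sample selector from the IPv6 documentation prefix.
    for seen, block, api in product((False, True), (False, True), (19, 21)):
        print(seen, block, api,
              plan_family("ipv6", seen, ["2001:db8::/32"], block, api))
```
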