WireGuard Archive on lore.kernel.org
* "Exclude Private IPs" in Android App
@ 2018-07-05 17:46 Jason A. Donenfeld
From: Jason A. Donenfeld @ 2018-07-05 17:46 UTC (permalink / raw)
  To: Eric Kuck; +Cc: WireGuard mailing list

Hey Eric,

While you're iterating on the "Excluded Applications" feature, what
would you think of also taking a stab at the "Exclude Private IPs"
feature? It's kind of in the same ballpark and works over the same
code you're currently playing with.

First some background: Some people don't want packets intended for
their local network to go through a tunnel. On desktop linux's
wg-quick(8), this is the default with some very clever use of
ip-rule(8)'s suppress_prefixlength parameter. It works perfectly 100%
of the time, without any need for heuristics. I've written to the
folks I know working on Android's networking stack to allow for the
same kind of clever thing, but if that happens, it'd of course be
quite a ways off. So in the meantime, rather than introducing a switch
called "exclude local networks", which would have all sorts of races
with detecting local networks and making decisions about network types
and such, plus the need to toggle VpnService in a racy way, etc, I
have a much cleaner idea: "Exclude Private IPs".

"Exclude Private IPs" works in the most dumb and straightforward way
possible, that is guaranteed to not fail. We add a checkbox underneath
"AllowedIPs". The checkbox is visible if "0.0.0.0/0" or ${MAGICRANGE}
is included in the AllowedIPs; otherwise it is hidden. When the
checkbox is checked, it replaces 0.0.0.0/0 with ${MAGICRANGE}. When
the checkbox is unchecked, it replaces (after sorting) ${MAGICRANGE}
with "0.0.0.0/0". ${MAGICRANGE} is defined to be 0.0.0.0/0 modulo
RFC1918:
"0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4"

I think this approach will be simple and consistent, and implementing
this as a static modification of AllowedIPs rather than runtime set
subtraction makes it more obvious what's going on.

What do you think of that idea?

Jason


* Re: "Exclude Private IPs" in Android App
From: Denis Kisselev @ 2018-07-05 19:07 UTC (permalink / raw)
  To: Jason A. Donenfeld, Eric Kuck; +Cc: WireGuard mailing list

Jason, that sounds like an amazing feature, but would it be possible with the current Go/Android VPN implementation?

In my (limited) experience, entering 2 or more comma-separated IP ranges does not work.
I get "Error bringing up tunnel: Bad Address" if I try to set Allowed IPs to "10.5.0.1/24,192.168.1.0/13" but it works with "0.0.0.0/0".

The Android VPN subsystem only seems to allow a single subnet in that parameter.

I'm running WireGuard for Android v0.0.20180625.

* Re: "Exclude Private IPs" in Android App
From: Jason A. Donenfeld @ 2018-07-05 19:24 UTC (permalink / raw)
  To: denis; +Cc: Eric Kuck, WireGuard mailing list

Hi Denis,

> I get "Error bringing up tunnel: Bad Address" if I try to set Allowed IPs to "10.5.0.1/24,192.168.1.0/13" but it works with "0.0.0.0/0".

User error. This fails because:

192.168.1.0 & (1 << (32 - 13)) != 192.168.1.0
and
10.5.0.1 & (1 << (32 - 24)) != 10.5.0.1

Try instead using 192.168.0.0/13 and 10.5.0.0/24.

Jason
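The check behind Jason's diagnosis, in code: an AllowedIPs entry is rejected when masking its address with the prefix mask changes the address, i.e. when bits below the prefix are set. This is an added example, not code from WireGuard or from the thread; host_bits_set, network_address and validate_allowed_ips are names chosen here, and the sample AllowedIPs string is the one Denis posted. It also shows that Python's ipaddress.ip_network, with its default strict=True, raises the same kind of objection, and how to report the corrected network address alongside each bad entry.

```python
import ipaddress

# Added example (not WireGuard code): detect AllowedIPs entries whose address
# is not the network address of the given prefix, as in "10.5.0.1/24".


def host_bits_set(cidr):
    """True when an IPv4 a.b.c.d/n entry has bits set below its prefix."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    value = int(ipaddress.IPv4Address(addr))
    # Top `prefix` bits set, the remaining (32 - prefix) bits clear.
    mask = ((1 << 32) - 1) ^ ((1 << (32 - prefix)) - 1)
    return (value & mask) != value


def network_address(cidr):
    """The entry with host bits cleared, e.g. 10.5.0.1/24 -> 10.5.0.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))


def validate_allowed_ips(allowed_ips):
    """Parse each comma-separated entry strictly; return a list of
    (bad_entry, suggested_entry) pairs, empty when everything is well-formed."""
    problems = []
    for item in allowed_ips.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            ipaddress.ip_network(item)          # strict=True rejects host bits
        except ValueError:
            try:
                suggestion = network_address(item)
            except ValueError:                  # not an address at all
                suggestion = None
            problems.append((item, suggestion))
    return problems


if __name__ == "__main__":
    posted = "10.5.0.1/24,192.168.1.0/13"       # the string from Denis's mail
    for bad, fix in validate_allowed_ips(posted):
        print(f"{bad}: host bits set, use {fix}")
```

Run on the posted string it reports both entries and suggests 10.5.0.0/24 and 192.168.0.0/13, the same corrections Jason gives.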


* Re: "Exclude Private IPs" in Android App
From: Denis Kisselev @ 2018-07-05 19:37 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: Eric Kuck, WireGuard mailing list

That does work, thanks! Apologies for the derail.