I have implemented an Android application which connects to its application server via a VPN tunnel. That's fine.
However, I want the application to turn on the Android VPN service itself, rather than me turning on the VPN on Android manually.
Is it possible to turn this on from Java source code, like:
// TO DO
if (something) {
    VPN ON
}
Currently it's not possible to do that. Even with the latest classes in Android 4.0, user action is required to create a VPN connection. It's considered a security issue to be able to programmatically establish a VPN connection (e.g. without the user noticing).
It is not possible to turn off the VPN from Java source code unless the device is rooted; then there are some hacks around (so I have been told, being an Android developer for a major software company). It is almost possible to do, but it will take writing something in native code. There are some companies that are currently attempting to do this in an SDK. Authentec is one, but even in their SDK it is not possible to shut off the VPN connection yet. I came here looking to see if anyone has done this before, but I know it is not possible through Java code; it will have to be in native code (C for simpletons like myself).
We have set up our own VPN server and want to route all the traffic from our VoIP Android app through this server.
But all the solutions I have seen thus far use the VpnService class (http://developer.android.com/reference/android/net/VpnService.html), which creates a VPN tunnel for the whole device and not just my application. I want the other apps running on the phone to use the internet as normal while the traffic from our app is routed through our VPN server.
Is there any way to do this? I am very grateful for any suggestions. Thanks
VpnService does not need to apply to the whole device. See: VpnService.Builder.addAllowedApplication (available with API 21 - 5.0):
Adds an application that's allowed to access the VPN connection. If this method is called at least once, only applications added through this method (and no others) are allowed access. Else (if this method is never called), all applications are allowed by default. If some applications are added, other, un-added applications will use networking as if the VPN wasn't running.
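The two points made so far on this page, that a VPN only starts after the user approves it and that addAllowedApplication limits the tunnel to chosen apps, fit in one service. This is an added example, not code from the posts above; the class name AppTunnelService, the request code and the 10.8.0.2 tunnel address are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.IOException;
// Hypothetical service. Declare it in the manifest with the permission
// android.permission.BIND_VPN_SERVICE and the action "android.net.VpnService".
public class AppTunnelService extends VpnService {
    public static final int REQUEST_VPN_CONSENT = 1; // arbitrary request code
    private ParcelFileDescriptor tun;

    // prepare() returns an Intent for the system consent dialog until the user approves.
    public static boolean startOrAskConsent(Activity activity) {
        Intent consent = VpnService.prepare(activity);
        if (consent != null) {
            // The Activity starts the service from onActivityResult() on RESULT_OK only.
            activity.startActivityForResult(consent, REQUEST_VPN_CONSENT);
            return false;
        }
        activity.startService(new Intent(activity, AppTunnelService.class));
        return true;
    }

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (tun != null) return START_STICKY; // interface already up
        try {
            tun = new Builder()
                    .setSession("App tunnel")
                    .addAddress("10.8.0.2", 32) // assumed tunnel address
                    .addRoute("0.0.0.0", 0)     // default route, for allowed apps only
                    .addAllowedApplication(getPackageName()) // API 21+: this app only
                    .establish();
        } catch (PackageManager.NameNotFoundException e) {
            tun = null; // fail closed rather than tunnelling every app
        }
        if (tun == null) { // null also means consent is missing or was revoked
            stopSelf();
            return START_NOT_STICKY;
        }
        // Forwarding packets from tun is the protocol's job; protect() the server socket first.
        return START_STICKY;
    }

    @Override
    public void onDestroy() {
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
        super.onDestroy();
    }
}
```

Other apps keep their normal network path because they were never added to the allowed list.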
I am developing a parental kind of app in which there is a requirement to block specific URLs from all the browsers on the device. I think this is an old question, but I couldn't find any solution yet on Stack.
Do you have any working solutions? Assumption: the device is rooted.
Regards,
sha
I have two resources for you:
Since the device is rooted you can work directly with iptables. iptables will give you very precise control over all coming and going data packets. Check out open source projects like AFWall+ on GitHub for iptables in action.
If you want to be able to run your app on unrooted devices look into creating a fake VPN. You don't send any data to an actual VPN server, you simply use the VPN API to filter all the information coming and going. Check out Disconnect (whenever they actually share their open source code...) or OpenVPN which is what Disconnect builds on.
This is going to sound strange, and please don't judge the impracticality of doing something like this, but I need to add support for controlling outbound network traffic from an Android device. It doesn't have to be selective. I basically need to put the device in a mode where outbound communication is silenced over WiFi (primarily). The reason for this is that I have a networked application that's remotely controlled, and I need to be able to put it into "communication sleep" on demand and then "wake it up" after a period of time, or on demand. The on-demand aspect is controlled remotely. Hence the need to put the device in a state where it'll only accept inbound communication.
I'm primarily interested in TCP/UDP blocking of outbound traffic. I'm not interested in a separate firewall app. My application includes a service that's already implementing all the communication code required. I just need some suggestions on how to control outbound communication.
FYI, I have a mix of 2.3 and 4.0 devices to work with.
Could I have my service implement some basic firewall support? Maybe a simple proxy that the device is configured to use? (similar to the Ad Block app)
Thanks in advance for any suggestions. If it's at all possible, I'll try to share the code for it here.
UPDATE: Sorry, I have and require root on these devices anyways.
On the proxy idea, really I just need a black hole listening on a port. If I can set the system proxy settings from my app, when the outbound communication needs to be disabled, I can enable the proxy and drop all connections.
If I can't set the system proxy settings, I'll have to implement a working proxy, require the user to configure the proxy, and control its behavior accordingly when connections are received.
I might as well answer my own question. With root you can include iptables and make some command line calls to control the traffic flow. Note that you should have some experience with stateful firewall concepts, as mucking with outbound DENYs will lead you to confusion unless you know exactly what the system/app is supposed to do. (random response ports, etc...)
A proxy service would work for Android devices and versions which allow for network proxy support. Unfortunately not all my devices allow for it. (My Gingerbread devices don't have proxy support; it's just not present in the UI, and the API is read-only for the HTTP_PROXY System setting.)
So there's no example code to offer. I'm playing with iptables on my devices. I'll likely include it in my application, which requires root anyways.
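A sketch of the iptables approach this answer settles on, showing the stateful point it warns about. It is an added example, not the poster's code; the chain name COMM_SLEEP, the `su -c` invocation and the availability of the `state` match on the device kernel are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.List;

public final class CommSleep {
    static final String CHAIN = "COMM_SLEEP"; // hypothetical chain name

    // Outbound policy while asleep, evaluated top to bottom.
    static List<String> sleepRules() {
        return Arrays.asList(
            "iptables -N " + CHAIN,
            "iptables -A " + CHAIN + " -o lo -j ACCEPT",
            // Replies on connections the remote side opened (the wake-up call) must
            // still leave. Connections already open before sleep also match here.
            "iptables -A " + CHAIN + " -m state --state ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A " + CHAIN + " -j DROP", // every new outbound TCP/UDP flow
            "iptables -I OUTPUT 1 -j " + CHAIN);
    }

    // Unhook the chain first, then flush and delete it.
    static List<String> wakeRules() {
        return Arrays.asList(
            "iptables -D OUTPUT -j " + CHAIN,
            "iptables -F " + CHAIN,
            "iptables -X " + CHAIN);
    }

    // Runs each command as root; stops at the first non-zero exit status.
    static boolean run(List<String> commands) throws IOException, InterruptedException {
        for (String cmd : commands) {
            Process p = new ProcessBuilder("su", "-c", cmd).redirectErrorStream(true).start();
            InputStream out = p.getInputStream();
            while (out.read() != -1) { /* drain output so the process cannot block */ }
            if (p.waitFor() != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (!run(sleepRules())) {
            run(wakeRules()); // partial failure: remove whatever was installed
            return;
        }
        Thread.sleep(60_000); // constructed sleep period for the demo
        System.out.println("awake=" + run(wakeRules()));
    }
}
```

Keeping the rules in a dedicated chain means waking up removes only what this code installed and leaves any other OUTPUT rules on the device untouched.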
I'm working on programmatically setting a VPN connection on Android devices. I was successfully able to do so for devices using OS 2.3.5 and before (I used reflection to get to the hidden classes). But with Android 4.0 they got rid of the old classes and use the VpnService class instead.
I figured the best place to start would be to use the ToyVPN example Android provided, but I'm facing a lot of challenges with it. In the example code they only needed to send the server address:
InetSocketAddress server = new InetSocketAddress(mServerAddress, Integer.parseInt(mServerPort));
And then created the VPN tunnel by opening the channel:
tunnel = DatagramChannel.open();
But in my case I need to send the server address, username and password. So far I haven't figured out how to do so. My best guess was to do something like this:
Authenticator.setDefault(new Authenticator() {
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("user", "pass".toCharArray());
    }
});
try {
    // Create a DatagramChannel as the VPN tunnel.
    tunnel = DatagramChannel.open();
But this did not work.
So what I'm asking is:
Is there a way, other than what's used in ToyVpn, to create a VPN connection programmatically?
If not, how do I send the credentials when I want to establish a connection to the server?
Edit
I forgot to mention that I need to specify the VPN type (PPTP, L2TP, L2TP/IPSec PSK or L2TP/IPSec CRT).
Basically the VPN API introduced in Android 4.0+ only allows you to implement your own VPN implementation. It does no more than open the Linux TUN device and pass the file descriptor to you, plus set up the routes/DNS servers/etc. you provided. The whole VPN protocol implementation is solely up to you.
So the short answer is: no, you can't use the VPN API to set up any of the PPTP, L2TP, L2TP/IPSec PSK or L2TP/IPSec CRT VPN connections, unless you roll out your own implementation of the mentioned VPN types.
That being said, you may still try to broadcast an Intent to bring your user to the system VPN settings activity and ask them to manually configure/start the VPN.
Oh and one more thing to add. At the time of this writing, Android's latest DevicePolicyManager (API level 21) already provides WiFi settings provisioning support. I would personally guess that Google might continue to add more Android for Work features, which may include VPN provisioning support you need. I/O 2015 is only a few days away so let's wait and see...
There is a way to set a VPN connection programmatically. You might want to take a look at OpenVPN for Android (ics-openvpn) project's source. If there is no need for your app to make the connection directly, you can also use intents to trigger a connection from ics-openvpn. OpenVPN offers a wide range of settings, but you still have to see if it is compatible with your server.
The VpnService class introduced in Android 4.0 (ICS) can only do some settings such as creating the network interface (only tun mode), some routes and DNS servers. It is still needed for your app to be able to connect without root permission. You might want to check here for more info on how to use VpnService.
As far as I have explored ics-openvpn's code, the app integrates an OpenVPN binary runnable in the app's APK. The app executes this binary, sending and receiving commands through a local socket. The binary takes care of almost everything; you just have to parse the input to know what methods of VpnService.Builder you will be calling, and what information you will be sending back through the socket (this includes confirmations, config files, credentials, bytecounts, etc.).
Just a quick question as Google isn't throwing up much.
Is it possible to create a VPN connection using native code in Android?
And if so does the VPN offer support for keep alives?
I believe it would be more of a permissions issue than of an exposed or not exposed issue. Most VPN connections would need you to modify and access the network filtering calls of your kernel. Since your app should really be operating in its own sandbox, this is something I would doubt is exposed by default (to apps at least), since you would essentially be modifying the way the entire OS routes network traffic. For the same reason that in order to modify iptables in the OS, it needs to be rooted so that your app can actually alter such things. At that point I would assume the connection would be made similar to any other VPN connection in any other Linux OS (via an IPsec daemon or some proxy daemon that you create), but the calling entity would need the actual access level necessary to complete the call to the kernel.
Rooting of the device is needed for creating a VPN connection. We need access to /data/misc/keystore and /data/misc/vpn/profiles in our program.