Hi Fred,

On Thu, Mar 12, 2015 at 11:40:08AM -0700, Fred Templin wrote:
> I am wondering how it is that OpenVPN is able
> to run on Android / IOS platforms without needing
> to "root" the device? In particular, how is it that
> OpenVPN can configure a default route or add
> an address to the TUN interface as a general
> user as opposed to "root"?

Both platforms have a so-called "VPN API" that you can use to set up the equivalent of a tun interface plus associated routes.

On iOS, access to the VPN API is governed by having code signed by a special code signing key, so only privileged applications (not "root privileged" but "reviewed and signed") get to access the API.

On Android, the system asks the user "is this ok?" and thus the user can individually permit access. This confirmation dialog is not negotiable, unless you're root :-)

(On modern Android versions, it's not actually setting up routes, but manipulating IP policy routing to inject only packets from the user that ran the VPN application into the tun - but the net result is the same, you tell the VPN API "I want a tun, here's my list of routes and IP address, please!" and the API returns a file descriptor for the tun if)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
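The Android flow described in the reply above, as an added example that is not part of the original message and is not OpenVPN's own code: the app first obtains user consent through `VpnService.prepare()`, then asks `VpnService.Builder` for a tun with an address and routes. The class names, session name, address and route are constructed for illustration.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.IOException;

// Hypothetical service. It must be declared in the manifest with
// android:permission="android.permission.BIND_VPN_SERVICE" and an intent
// filter for "android.net.VpnService", so only the system can bind to it.
public class DemoVpnService extends VpnService {
    private ParcelFileDescriptor tun;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        tun = new Builder()
                .setSession("demo-vpn")       // constructed session name
                .setMtu(1500)
                .addAddress("10.8.0.2", 24)   // constructed tun address
                .addRoute("0.0.0.0", 0)       // default route into the tun
                .establish();                 // no root needed at any point
        if (tun == null) {                    // consent missing or revoked
            stopSelf();
            return START_NOT_STICKY;
        }
        // tun.getFileDescriptor() is what the VPN protocol code reads and writes.
        return START_STICKY;
    }

    @Override
    public void onRevoke() {                  // user or system withdrew consent
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
        super.onRevoke();
    }
}

// Hypothetical activity that triggers the system confirmation dialog.
class ConsentActivity extends Activity {
    private static final int REQ_VPN = 1;

    void startVpn() {
        Intent consent = VpnService.prepare(this);
        if (consent != null) startActivityForResult(consent, REQ_VPN); // dialog
        else onActivityResult(REQ_VPN, RESULT_OK, null);  // already granted
    }

    @Override
    protected void onActivityResult(int req, int result, Intent data) {
        super.onActivityResult(req, result, data);
        if (req == REQ_VPN && result == RESULT_OK)
            startService(new Intent(this, DemoVpnService.class));
    }
}
```

If the user declines the dialog, `onActivityResult` receives a result other than `RESULT_OK` and the service is never started, so `establish()` is never reached without consent.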