Re-posting using the correct source e-mail address... Fred
---------- Forwarded message ----------
From: <[email protected]>
Date: Thu, Mar 12, 2015 at 3:29 PM
Subject: Re: [Openvpn-users] OpenVPN on Android; IOS
To: [email protected]

You are not allowed to post to this mailing list, and your message has been
automatically rejected. If you think that your messages are being rejected in
error, contact the mailing list owner at [email protected].

---------- Forwarded message ----------
From: Fred Templin <[email protected]>
To: Gert Doering <[email protected]>
Cc: [email protected]
Date: Thu, 12 Mar 2015 15:29:33 -0700
Subject: Re: [Openvpn-users] OpenVPN on Android; IOS

Hi Gert,

This is great information - much better than I had hoped for. It solves
some mysteries for me, but not clear yet if it will let me get my code
over from linux cleanly. I will try to get my head wrapped around this,
and will let you know if I have any further questions if that would be OK.

Thanks - Fred

On Thu, Mar 12, 2015 at 2:52 PM, Gert Doering <[email protected]> wrote:
> Hi Fred,
>
> On Thu, Mar 12, 2015 at 11:40:08AM -0700, Fred Templin wrote:
>> I am wondering how it is that OpenVPN is able
>> to run on Android / IOS platforms without needing
>> to "root" the device? In particular, how is it that
>> OpenVPN can configure a default route or add
>> an address to the TUN interface as a general
>> user as opposed to "root"?
>
> Both platforms have a so-called "VPN API" that you can use to set up
> the equivalent of a tun interface plus associated routes.
>
> On iOS, access to the VPN API is governed by having code signed by
> a special code signing key, so only privileged applications (not
> "root privileged" but "reviewed and signed") get to access the API.
>
> On Android, the system asks the user "is this ok?" and thus the user
> can individually permit access. This confirmation dialog is not
> negotiable, unless you're root :-)
>
> (On modern Android versions, it's not actually setting up routes, but
> manipulating IP policy routing to inject only packets from the user that
> ran the VPN application into the tun - but the net result is the same,
> you tell the VPN API "I want a tun, here's my list of routes and IP
> address, please!" and the API returns a file descriptor for the tun if)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany [email protected]
> fax: +49-89-35655025 [email protected]
