Please restart your device for VPN tethering to work about vpnhotspot HOT 53 CLOSED

Hey, chiming in here since I apparently helped start a back-and-forth.

There is an issue open about this on the CalyxOS side, so it's on our radar. It's already been linked, but one more time in case anyone missed it: https://gitlab.com/CalyxOS/calyxos/-/issues/2192

To be fair, the particular setting we're talking about here isn't one that the majority of users will ever encounter at all, so it hasn't been a focus of manual testing, and this is the first time I've seen this issue come up. Please correct me if I'm wrong on this, but from my perspective, it's very niche.

Custom ROMs tend to have a number of added features and intentional behavior-altering framework changes that would require CTS tests to be modified in order to pass need extra attention to ensure they are able to even run properly (edit: I was reminded that I was thinking of other types of tests, when I mentioned modifying them, and this is for the case that a method signature or other functionality has been changed; actually changing CTS tests to pass goes against the point). This has been done in some cases, but it can be time-consuming and hasn't yet been done in all cases. With CalyxOS, in my experience at least, CTS tests are run for some things (e.g. WebView), and particularly they are run when modifying sensitive code, but it's done selectively, not yet run for absolutely everything.

Affected OSes don't ship releases with Google Mobile Services included, so it's not like there's a requirement to have all CTS tests pass, but of course it would be nice.

LineageOS and CalyxOS are open-source projects, so anyone can contribute code to solve issues like this, or can report issues and we'll do what we can.

Thanks!

from vpnhotspot.

@soccerboys2008 Thanks for the logs! It appears that in the last log you sent everything seems working fine. If you try my order now, does the error message reappear? (Disregard the connectivity issue since you said your VPN is not working.)

EDIT: What I mean is that 1. start VPN tethering 2. start VPN 3. turn off VPN tethering and on again 4. export debug information.

rebooted device and did that in that exact order (same issue), here log:
vpnhotspot-2936274959345153651_025703.log.txt

from vpnhotspot.

I tried the following:

On new version:
Disable VPN -> Reboot -> Enable VPN Tethering -> Enable VPN: No warning, VPN not seem to work properly
Log(Please ignore the crashed vibrator thing in the logs)
new.log

On Old version v2.16.11:
Disable VPN -> Reboot -> Enable VPN Tethering -> Enable VPN: Working properly
old.log

Not sure if it is the same problem. If not, I can open a new issue.

from vpnhotspot.

pia is back online, i restarted and grabbed one more log following these steps (jic you want it), before i downgrade again:

@soccerboys2008 Thanks for the logs! It appears that in the last log you sent everything seems working fine. If you try my order now, does the error message reappear? (Disregard the connectivity issue since you said your VPN is not working.)

EDIT: What I mean is that 1. start VPN tethering 2. start VPN 3. turn off VPN tethering and on again 4. export debug information.

let me know if you want that one too

from vpnhotspot.

just sending drive links now, not gonna try to send attachments

https://drive.google.com/file/d/1--mc25VqTd5W9DsNwT0YAF9RBo3kv0X7/view?usp=sharing

from vpnhotspot.

does my service-connectivity.jar file look ok

from vpnhotspot.

fixed

from vpnhotspot.

Hi, I can confirm this works.

And I am also using Lineage OS, so I suspect this is something related to the OS, because it does introduced something like firewall in the connectivity apex.

If this problem is ROM's side, can you provide some more detailed information about the issue?

from vpnhotspot.

Thanks for the information!

I have reported the issue to the developers and the issue is tracked here: https://gitlab.com/CalyxOS/calyxos/-/issues/2192

from vpnhotspot.

its upstream: https://review.lineageos.org/c/LineageOS/android_packages_modules_Connectivity/+/369208

from vpnhotspot.

@Uldiniad Please explain your commit? How does LineageOS/CalyxOS even pass CTS tests with this? Do you guys even run CTS tests? 🤔

We don't test CTS and have no reason to

from vpnhotspot.

I agree this is not an appropriate place for legal discussions.

The commit would not be necessary in AOSP, which does not have a native user-accessible firewall. Whether or not the commit is still necessary in custom ROMs is a different matter and will be looked at.

from vpnhotspot.

Hi what VPN are you using? Can you export debug information on v2.17 and send it to me?

from vpnhotspot.

Hi, I am having the same problem. Here is the debug log.

I toggled the Repeater switch on and off, and captured the log.
The VPN I have been using is sing-box (https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)

vpnhotspot-2535350892380703906.log

from vpnhotspot.

Hi @hellobbn does rebooting solve the issue?

from vpnhotspot.

Make sure you are reporting after you see this prompt again after reboot. Do not uninstall the app.

from vpnhotspot.

Hi @Mygod , I can confirm that rebooting does not solve the issue.

from vpnhotspot.

@hellobbn Does the following steps help?

1. Disable VPN.
2. Reboot the device.
3. Start VPN tethering.
4. Enable VPN.

from vpnhotspot.

Hi, if I start VPN tethering before enabling VPN, the error message no longer shows. However, it seems the traffic is not going through VPN, either.

from vpnhotspot.

@hellobbn Okay, are you saying you did those steps without rebooting the device and the error no longer shows? Can you export debug information while VPN and tethering are all active? Also was v2.16 working for you before?

from vpnhotspot.

i use pia, however pia is currently having a nationwide issue in us starting about 4 - 6 hours ago

however i can use the repeater without a vpn until they get there stuff figured out

i will upgrade the app quick and grab the debug info

from vpnhotspot.

This warning should only pop up if you use a VPN along with tethering but you can try that and see how it goes too.

from vpnhotspot.

hmm, just noticed that verison works without the vpn (naked as i like to call it), but when connected to pia (even though it currently has network issues) the issue reappears

thats probably why reboot didn't work, cause every time you connect the vpn the error appears

exported debug (before reboot):
vpnhotspot-7265846459898467798_021801.log.txt

just tried reboot and same issue, no error naked though

exported degug (after reboot, before running naked was included):
vpnhotspot-5674043189770050290_023006.log.txt

exported degug (after reboot, after/during running naked was included):
vpnhotspot-2945051092799165850_022935.log.txt

i'll need to downgrade again once pia gets there issues resolved (can connect but spotty connections / slow internet, not related to this app)

from vpnhotspot.

until pia is fixed i wont be able to test this:

@hellobbn Does the following steps help?

1. Disable VPN.

2. Reboot the device.

3. Start VPN tethering.

4. Enable VPN.

usually the order i use is this:

1. reboot (no vpn active)
2. enable vpn
3. start vpn tethering

(in the past starting vpn tethering before enabling the vpn always lead to no internet access (devices connect to the network but receive no internet access, so i always stuck to the order above))

again once pia is fixed ill test the order you provided (can't test for internet access with vpn that has spotty internet access)

from vpnhotspot.

also the reason i had to downgrade last night (before these vpn issues), is i was getting no network access following the order i usually use (which gave the error message). after the downgrade everything worked again

from vpnhotspot.

@soccerboys2008 Thanks for the logs! It appears that in the last log you sent everything seems working fine. If you try my order now, does the error message reappear? (Disregard the connectivity issue since you said your VPN is not working.)

EDIT: What I mean is that 1. start VPN tethering 2. start VPN 3. turn off VPN tethering and on again 4. export debug information.

from vpnhotspot.

when i said same issue, it appeared at step 3 "3. turn off VPN tethering and on again" (specifically when it was turned on again)

from vpnhotspot.

      10198  HAPPY_BOX_MATCH RESTRICTED_MATCH IIF_MATCH tun0

Okay I feel like the issue here is that the uids_allowed_on_restricted_networks global setting is somehow not being used/respected by system, causing system to block DNS traffic from VPN Hotspot. 🤔 (Since v2.17, VPN Hotspot handles tethering DNS instead of offloading it to the primary DNS server.)

@hellobbn What is your device? I can see that you are running Android 14. Is it stock or custom ROM?

from vpnhotspot.

i have another oneplus 5 thats on lineageos 21 (android 14), with everything installed if it can help

(the oneplus 5 in the screenshots i've been too lazy to update, which is why its on lineage os 20 (android 13)) (this is the device all the logs came from)

from vpnhotspot.

Hi can you guys try this apk? It should hopefully work on Android 13+.

EDIT: Sorry this apk is buggy. Please hold.

from vpnhotspot.

Fixed some bugs and should hopefully work on any Android version: https://github.com/Mygod/pogoplusle/releases/download/debug/vpnhotspot-v2.17.5-debug2.apk

from vpnhotspot.

new error appeared (no internet access, and no internet access from connected devices)

here's the debug log:
vpnhotspot-2389545170582576160_094038.log.txt

from vpnhotspot.

Hmm I couldn't download the log...

from vpnhotspot.

ill try again then:

vpnhotspot-2389545170582576160_094038.log.txt

from vpnhotspot.

Did you download and install the debug2 version?

from vpnhotspot.

yes, im getting same error on the link i just sent imma upload a google drive link:

https://drive.google.com/file/d/1XgnTuTGpJJslxNGtf4NaRRJo0AFhB6a5/view?usp=sharing

from vpnhotspot.

Thanks for the logs but I am pretty sure that's not debug2 version. Try this apk? https://github.com/Mygod/pogoplusle/releases/download/debug/vpnhotspot-v2.17.5-debug2.apk

(I will double check this apk meanwhile.)

EDIT: Yes I think this is the right apk.

from vpnhotspot.

ok it seems the first one i installed was only 3mb (probably an incomplete download leading to that error) anyway here is the log and screenshots (same as the original error):
vpnhotspot-8812612977146599456_100343.log.txt

p.s. i'm getting an issue with viewing the log with 404 not found using the preview if you have an error let me know and ill send a drive link

from vpnhotspot.

Great please google drive the logs :)

from vpnhotspot.

https://drive.google.com/file/d/1XiTqTeG77vnROjzuXAq3LE3yym6DROJc/view?usp=sharing

from vpnhotspot.

Hmm I think your ROM might be not fully upgraded to Android 13 and that could be causing the issue. Do you have the file /apex/com.android.tethering/javalib/service-connectivity.jar and if so, can you send it to me?

from vpnhotspot.

Meanwhile this might fix the issue: https://github.com/Mygod/pogoplusle/releases/download/debug/vpnhotspot-v2.17.5-debug3.apk

from vpnhotspot.

this made me remember that pia manages its own dns (may play a part (as in conflict of interest) or maybe not)

      10198  HAPPY_BOX_MATCH RESTRICTED_MATCH IIF_MATCH tun0

Okay I feel like the issue here is that the uids_allowed_on_restricted_networks global setting is somehow not being used/respected by system, causing system to block DNS traffic from VPN Hotspot. 🤔 (Since v2.17, VPN Hotspot handles tethering DNS instead of offloading it to the primary DNS server.)

@hellobbn What is your device? I can see that you are running Android 14. Is it stock or custom ROM?

anyway imma test debug 3 now

from vpnhotspot.

That doesn't matter. :)

from vpnhotspot.

https://drive.google.com/file/d/1-NsTCYZGTlNG6IrlWVLY_S8_H65uJNEh/view?usp=sharing

from vpnhotspot.

Yeah this was my fault. I wrote a bug. debug4: https://github.com/Mygod/pogoplusle/releases/download/debug/vpnhotspot-v2.17.5-debug4.apk

from vpnhotspot.

works on android 14 too (different oneplus 5 with lineage 21)

from vpnhotspot.

Sure. Essentially I am trying to grant this app restricted network permission which allows it to serve downstream DNS traffic bypassing Android VPN firewall. The way the app does this is essentially running settings put global uids_allowed_on_restricted_networks <app uid>.

Looking at your logs, it seems like the global settings was updated properly and looking at the system jar from @soccerboys2008, the system does look at this settings key. However, somehow the permission is still not granted to the app for some reason. 🤔

from vpnhotspot.

Yeah that is definitely responsible. Why would they do this?

from vpnhotspot.

i run plain lineage os (lineageos.org), so theres probably an upstream issue

from vpnhotspot.

The firewall feature is "ported" from the CalyxOS to LineageOS. And here is the word from the developer which may answer @Mygod :

hey, thanks for sharing this. i'm 90% sure it's a bug in the firewall implementation. that uids_allowed_on_restricted_networks list was previously used by the firewall implementation (too) to track whether or not to allow network access for an application. the new implementation uses a uid policy instead, POLICY_REJECT_ALL, for that. it's very likely there was an oversight on my part in the new implementation that causes it to not even pay attention to uids_allowed_on_restricted_networks at all anymore. i'll need to mess with it a bit, but i do think it's something that i want to get fixed
actually, not sure yet, but this commit might be responsible (on the calyxos side anyway): https://review.calyxos.org/c/CalyxOS/platform_packages_modules_Connectivity/+/21480/7
it was created for a good reason in the previous implementation - to prevent apps from being given too much permission simply for being allowed to use the internet. but it may not be applicable with the new implementation. i'll have to check.

from vpnhotspot.

@Uldiniad Please explain your commit? How does LineageOS/CalyxOS even pass CTS tests with this? Do you guys even run CTS tests? 🤔

from vpnhotspot.

Thanks for the explanations! However, I'm unsure if changing CTS tests is the right thing to do since the whole point of CTS tests is to ensure compatibility. Also I guess you are probably legally not allowed to advertise your product with Android name if CTS tests do not pass: https://source.android.com/docs/compatibility/compatibility-faq#is-compatibility-mandatory

Anyway back to the topic, I don't think that commit is necessary since only system apps and shell can modify (in fact, or even read) uids_allowed_on_restricted_networks as far as I'm concerned.

from vpnhotspot.