IPConfigs ONC property is not populated for VPN connections |
|||||||
Issue descriptionchrome.networkingPrivate.getProperties() and other interfaces that use ONC do not currently return an IPConfigs property. This causes a problem for arc_net_host_impl, which wants to pass the DNS server list over to Android. The result is that Android will continue using the LAN DNS servers while the system's default route goes through a VPN. So, under the following scenarios, Android connectivity will be broken: 1) LAN DNS servers are publicly accessible (e.g. 8.8.8.8) but the VPN blocks traffic to those servers, or DNS traffic in general 2) LAN DNS servers are private IPs (e.g. 192.168.1.1) and that traffic is now routed over the VPN 3) VPN DNS servers are "special" (e.g. they resolve internal hosts that are unknown to public DNS servers) The first problem is that VPN Services in shill do not advertise a Device property. The list of shill IPConfigs is accessed through the Device object. Therefore, shill should populate the Device property, and the Manager object should send out a signal when its Devices property changes. My first attempt at fixing this is here: https://chromium-review.googlesource.com/648657 This seems to work OK so far (verified through dbus-monitor). The unit tests need to be updated. The second problem is that even after adding the Device property, Chrome is not happy. At the time when the DefaultNetworkChanged callback occurs, Chrome has not yet queried the Device or IPConfigs, so the host_resolver logs "Network missing device" and the arc_net_host_impl callback doesn't see any DNS info. Even after shill_property_handler requests the IPConfigs for /device/tun0, something I confirmed is happening, the IPConfigs still do not show up in getProperties(). Also, this hits a NOTREACHED() in NetworkStateHandler::NotifyScanCompleted(). I am hoping that Steven can provide some guidance on how to tackle the Chrome issues.
,
Sep 5 2017
DNS servers + search domains are the most important properties to pass over to Android. The datapath uses NAT44 so other elements of the IP configuration aren't currently necessary.
,
Sep 5 2017
It looks like we already have dns_servers for ThirdPartyVpn: https://cs.chromium.org/chromium/src/third_party/cros_system_api/dbus/shill/dbus-constants.h?q=dbus-constants.h&sq=package:chromium&l=740 There is also a 'domain_search' property. I don't know whether or not it makes sense to re-use those, but it would be simpler on the Chrome side to provide these as Service properties. That said, scanning the CL linked above, it seems like Shill already associates a Device with a VPN? We could certainly modify Chrome to do the same, it's just potentially quite a large / risky change.
,
Sep 5 2017
dns_servers and domain_search are used by the SetParameters call, not ONC or Service properties. Empirically, the DNS server list does show up in ONC under SavedIPConfig for VPN. I could change the arc_net_host_impl code to look in both places if that is the most expedient solution. But it feels hacky. > it seems like Shill already associates a Device with a VPN Correct, in shill we still need a Device (usually a VirtualDevice) that owns the Connection object and handles configuring the IP parameters on the interface. The only thing I had to do in my CL was wire up the GetRpcIdentifier code.
,
Sep 5 2017
So, we can change Chrome to associate a Device and IP Configs with VPNs, but as you discovered, it's not trivial. The question becomes, what is the priority for this? I don't have much in the way of free bandwidth to take this on myself in the immediate future.
,
Sep 5 2017
I have a couple of reports from users that may be caused by this (but they have not yet confirmed that it's a DNS problem). I'll send out a CL with the quick arc_net_host_impl fix and we can decide whether it's good enough for now.
,
Sep 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8778ec3109bc8750db7ba39e040d6a4a9802236c commit 8778ec3109bc8750db7ba39e040d6a4a9802236c Author: Kevin Cernekee <cernekee@chromium.org> Date: Wed Sep 06 23:38:40 2017 Fall back to StaticIPConfig or SavedIPConfig if IPConfigs[] is empty VPNs do not currently populate the IPConfigs array, so Android does not get informed about VPN DNS servers. This results in connectivity issues. The IPConfigs problem requires a major rework and changes in both Chrome and shill, so it will not be fixed any time soon. Implement a temporary workaround to address the user issue. BUG= chromium:761708 TEST=manually connect to a VPN and sniff DNS requests coming from Android Change-Id: Ied56cc7004693e4cc5e8d303721d227748d97532 Reviewed-on: https://chromium-review.googlesource.com/651582 Reviewed-by: Steven Bennetts <stevenjb@chromium.org> Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org> Commit-Queue: Kevin Cernekee <cernekee@chromium.org> Cr-Commit-Position: refs/heads/master@{#500115} [modify] https://crrev.com/8778ec3109bc8750db7ba39e040d6a4a9802236c/components/arc/net/arc_net_host_impl.cc
,
Sep 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5bfe3ad1decdfd840726e31694347e6d973a3f09 commit 5bfe3ad1decdfd840726e31694347e6d973a3f09 Author: Kevin Cernekee <cernekee@chromium.org> Date: Thu Sep 07 00:44:46 2017 Don't complain if optional ONC fields are missing NameServers, ConnectionStaten, and MacAddress are always optional. RoutingPrefix and Gateway are not required if IPAddress is absent. BUG= chromium:761708 TEST=connect to various networks and watch ~chronos/log/chrome for errors Change-Id: I6bb7652f33053dc24158d7f9ea306c73da5443cb Reviewed-on: https://chromium-review.googlesource.com/651589 Commit-Queue: Kevin Cernekee <cernekee@chromium.org> Reviewed-by: Steven Bennetts <stevenjb@chromium.org> Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org> Cr-Commit-Position: refs/heads/master@{#500160} [modify] https://crrev.com/5bfe3ad1decdfd840726e31694347e6d973a3f09/components/arc/net/arc_net_host_impl.cc
,
Sep 18 2017
De-prioritizing since we have a workaround for now.
,
Sep 24 2017
Maybe related: http://b/34975953
,
Feb 15 2018
,
Mar 5 2018
,
May 21 2018
,
May 21 2018
cernekee@ - Are all of the following configurable for VPN: * IP address * Nameservers * Proxy It *appears* that they can all be set and saved correctly if I just enable the UI for VPN and fetch the IPConfig object from the VPN service.
,
May 21 2018
CL: https://chromium-review.googlesource.com/c/chromium/src/+/1068105
,
May 22 2018
Too late to merge this to 67.
,
May 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/701ef06b384a785a1c9903fa104ae708d6b28a5d commit 701ef06b384a785a1c9903fa104ae708d6b28a5d Author: Steven Bennetts <stevenjb@chromium.org> Date: Wed May 23 18:46:30 2018 Settings: Network: Provide and show IP Configs for VPNs This CL includes two small changes: 1. Provides IPConfigs for networks without a device (i.e. VPNs). 2. Shows the 'Network' section for VPNs in the UI. Bug: 761708 Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation Change-Id: I62f691dd0ef0e2001fd66ba033726e25cbd0a58b Reviewed-on: https://chromium-review.googlesource.com/1068105 Reviewed-by: Toni Barzic <tbarzic@chromium.org> Commit-Queue: Steven Bennetts <stevenjb@chromium.org> Cr-Commit-Position: refs/heads/master@{#561181} [modify] https://crrev.com/701ef06b384a785a1c9903fa104ae708d6b28a5d/chrome/browser/resources/settings/internet_page/internet_detail_page.js [modify] https://crrev.com/701ef06b384a785a1c9903fa104ae708d6b28a5d/chromeos/network/managed_network_configuration_handler_impl.cc
,
May 23 2018
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by steve...@chromium.org
, Sep 5 2017