Per-App VPN not supported (Android Subsystem)
Reported by
f5mobile...@gmail.com,
Sep 12
Issue description

Google Chrome 68.0.3440.118 (Official Build) (32-bit)
Revision a7ca4397b06108b300bc00c52932eaeae010e662-refs/branch-heads/3440@{#808}
Platform 10718.88.2 (Official Build) stable-channel elm
Firmware Version Google_Elm.8438.140.0
ARC 4959629
JavaScript V8 6.8.275.29
Flash 30.0.0.134 /opt/google/chrome/pepper/libpepflashplayer.so
User Agent Mozilla/5.0 (X11; CrOS aarch64 10718.88.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.118 Safari/537.36

Please specify Cr-* of the system to which this bug/feature applies (add the label below).

Steps To Reproduce:
(1) Configure Android VPN client with per-app VPN information, i.e., allowedApps and disallowedApps. E.g., F5Access - https://play.google.com/store/apps/details?id=com.f5.edge.client_ics&hl=en_US
(2) Add app package names to the disallowedApps list, e.g. com.opera.browser, com.android.chrome
(3) Establish VPN connection
(4) Generate traffic from these disallowed apps.

Expected Result: Traffic from disallowed apps should not go through the VPN tunnel.

Actual Result: Traffic from all apps goes through the tunnel.

How frequently does this problem reproduce? Always

What is the impact to the user, and is there a workaround? Users cannot use per-app VPN feature

Question: Once per-app VPN support is added, can we expect it to work with ChromeOS packaged apps as well?
Sep 17
hugobenichi for clarification
Sep 18
My understanding is that we should actually support whitelisting apps for bypassing the Android VPN. This is an Android connectivity feature and we haven't modified it. However, I have never tested it personally on "corearc" based on nyc-mr1.

We even have code to whitelist the host Chrome application from Android VPN when the user has configured com.android.chrome in the whitelist:
https://cs.corp.google.com/arc-nyc-mr1/frameworks/opt/net/wifi/service/arc/com/android/server/wifi/WifiProxyServiceImpl.java?rcl=c901dd047c1f98b8eb3913bfe8cd13c911efda67&l=2198

To investigate the issue we would need a user feedback report taken after the VPN has been established and after generating some traffic from the supposedly whitelisted apps.
Sep 18
Sep 21
Just to clarify that Per-App should not be confused with the allowBypass flag in VpnService.Builder.
https://developer.android.com/reference/kotlin/android/net/VpnService.Builder#allowbypass

Per-App provides the admin the ability to whitelist or blacklist apps to use the VPN tunnel.
https://developer.android.com/reference/android/net/VpnService.Builder#addAllowedApplication(java.lang.String)
Sep 25
We just discovered that on ChromeOS addAllowedApplication and addDisallowedApplication work. But the behavior is the reverse of what we see on Android.
1. If a package is added to addAllowedApplication then only this app's traffic is expected to have access, but on ChromeOS the reverse happens (access denied).
2. If a package is added to addDisallowedApplication then this app's traffic is expected to be denied access, but on ChromeOS the reverse happens (access granted).
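For reference, the documented Android semantics of the two VpnService.Builder methods discussed above, as an added example (not code from F5 Access, ARC or any commenter in this thread). The class name, session name, tunnel address and list contents are assumptions made for illustration.

```java
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;
import java.util.List;

// Added illustration: class name, session name and tunnel address are constructed.
public class PerAppVpnService extends VpnService {
    private static final String TAG = "PerAppVpn";

    /** Pass either an allow list or a deny list; the other must be empty. */
    ParcelFileDescriptor establishTunnel(List<String> allowed, List<String> disallowed) {
        // Builder throws UnsupportedOperationException if both methods are
        // mixed on one instance, so reject that configuration up front.
        if (!allowed.isEmpty() && !disallowed.isEmpty()) {
            throw new IllegalArgumentException("allow and deny lists are mutually exclusive");
        }
        Builder builder = new Builder()
                .setSession("per-app-demo")
                .addAddress("10.0.0.2", 32)   // constructed tunnel address
                .addRoute("0.0.0.0", 0);      // send all IPv4 routes to the tunnel

        // Allow list: only these packages use the tunnel; all others bypass it.
        int added = 0;
        for (String pkg : allowed) {
            try {
                builder.addAllowedApplication(pkg);
                added++;
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "allowed package not installed: " + pkg);
            }
        }
        // If every allow-list entry was missing, the builder has no filter and
        // would tunnel every app. Refuse instead of silently widening scope.
        if (!allowed.isEmpty() && added == 0) {
            throw new IllegalStateException("no allow-list package is installed");
        }

        // Deny list: these packages bypass the tunnel; all others use it.
        for (String pkg : disallowed) {
            try {
                builder.addDisallowedApplication(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "disallowed package not installed: " + pkg); // nothing to exclude
            }
        }
        return builder.establish(); // null if the app is not the prepared VPN app
    }
}
```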
Oct 2
Thanks for the additional context. Let me double test this, and I'll report back my findings.
Oct 2
Oct 3
I tested app blacklisting and was successfully able to get apps off an active Android VPN on both arccore (7.1.1) and arcnext (Android P based) on a Pixelbook. Could more comments be added about the exact repro steps of #7? Also note that com.android.chrome refers to the Android Chrome app, but on Chrome OS, Chrome running as a Linux build binary is known as org.chromium.arc.intent_helper.
Oct 22
@hugo: just sent you a doc to reproduce the issue. Does this help?
Jan 11
This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this.
Comment 1 by dtapu...@chromium.org, Sep 13