<div dir="auto"><div>That's an interesting point; in theory it's probably possible to multiplex into one tun device, provided the routes for each distinct wg interface don't overlap.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Apr 7, 2019, 19:37 Julian Orth <<a href="mailto:ju.orth@gmail.com">ju.orth@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 3/26/19 8:49 PM, <a href="mailto:mikma.wg@lists.m7n.se" target="_blank" rel="noreferrer">mikma.wg@lists.m7n.se</a> wrote:<br>
><br>
> On 2019-03-26 15:17, Julian Orth wrote:<br>
>> Hello list,<br>
>><br>
>> I'm currently using WireGuard on Android for two purposes:<br>
>><br>
>> 1. Routing all traffic via a commercial VPN provider to protect myself on<br>
>> open wireless networks.<br>
>> 2. Connecting to my home network.<br>
>><br>
>> Unfortunately WireGuard on Android does not allow me to do both of these<br>
>> things at the same time. I assume this is because VpnService [1] only allows 1<br>
>> VPN connection at a time.<br>
><br>
> Can't you add the peer for your home network to the same configuration (tun<br>
> device) as the peer for the commercial VPN provider? It seems a straight<br>
> forward solution to me if you are okay with the IP addresses assigned by the<br>
> VPN provider.<br>
<br>
Using the same src IP is not going to work in my case. The VPN provider might<br>
also assign me a new IP and then I might have to reconfigure my home network.<br>
Not something I want to deal with.<br>
<br>
But this would also require me to share the same public key between my home<br>
network and the VPN provider. For some reason this does not feel right to me. On<br>
the other hand, I use the same SSH key on multiple sites so maybe this feeling<br>
is not justified.<br>
<br>
My current provider allows me to generate the key pair locally and to only send<br>
them the public key. If they insisted on generating the keys on their servers<br>
and sending me the private key, then this solution would be impossible.<br>
<br>
><br>
>><br>
>> Has any thought been put into emulating multiple tun devices in user space?<br>
><br>
> I don't see why you would need multiple tun devices.<br>
<br>
By "emulating multiple tun devices" I did not mean emulating all of the<br>
functionality of tun devices. Packets are processed as follows right now:<br>
<br>
1. Kernel chooses the correct route and device<br>
2. Kernel sends the packet via the device<br>
3. If the device is a wireguard tun device:<br>
a. Choose the peer and wrap the packet in a wireguard packet<br>
b. Goto 1 with the original packet replaced by the wrapped packet<br>
<br>
What I suggest is emulating steps 1 and 2. An emulated tun device would<br>
therefore only have to consist of a set of assigned routes and an instance of<br>
the wireguard core that implements step 3.<br>
<br>
Let's say the Android app currently processes packets as follows:<br>
<br>
void process(packet) {<br>
peer, packet := wireguard.process(packet);<br>
peer.udp_send(packet);<br>
}<br>
<br>
My suggestion is to change this as follows:<br>
<br>
void process(packet) {<br>
seen_peers := { }; // a set<br>
while (true) {<br>
tap_dev := find_tap_dev(packet.dst);<br>
peer, packet := tap_dev.process(packet);<br>
if (seen_peers.contains(peer)) {<br>
// routing loop<br>
return;<br>
}<br>
seen_peers.add(peer);<br>
if (find_tap_dev(packet.dst) == null) {<br>
peer.udp_send(packet);<br>
return;<br>
}<br>
}<br>
}<br>
<br>
The Android tun device created via VpnService would then of course contain the<br>
union of all routes of the emulated tun devices.<br>
<br>
> It is possible to add<br>
> multiple IPv4 and IPv6 addresses to the tun device, but there may be a problem<br>
> with the source address selection. Linux allows specifying a preferred address<br>
> for each route, but it isn't possible in the Android API AFAIK. If you have a<br>
> rooted device then you can potentially update the routing tables with the<br>
> preferred source address for each VPN route.<br>
<br>
I don't think routing should be necessary for this. AFAIK, other VPN apps<br>
already support using multiple tunnels at once.<br>
<br>
><br>
> /Mikma<br>
<br>
PS: Your mail was classified as spam by Gmail.<br>
_______________________________________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank" rel="noreferrer">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
</blockquote></div></div></div>
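<div>The dispatch loop Julian sketches in the quoted message, worked through as an added example that is not part of the original thread and not code from the WireGuard Android app or wireguard-go: two emulated devices (a full-tunnel commercial provider and a home network) share one route table, every wrapped packet is routed again, and a set of already-seen peers turns a routing loop into a dropped packet. All device names, endpoints, prefixes and payloads are constructed for the example; the "wrapping" is a plain-text marker rather than a real WireGuard transport message, and the <code>Bypass</code> prefix list is an assumption standing in for a UDP socket protected with <code>VpnService.protect()</code>, which is why the provider's own endpoint does not fall back under its 0.0.0.0/0 route.</div>

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is the minimal view of an IP packet needed here; Peer is one WireGuard
// peer, selected by its AllowedIPs and reached at its UDP Endpoint.
type Packet struct {
	Dst     netip.Addr
	Payload []byte
}

type Peer struct {
	Name       string
	Endpoint   netip.Addr
	AllowedIPs []netip.Prefix
}

// EmulatedDev is one "emulated tun device": its peers' AllowedIPs are its routes.
type EmulatedDev struct {
	Name  string
	Peers []*Peer
}

// wrap stands in for step 3 of the post: "wrap" the packet for the chosen peer (a
// plain-text marker, not a real transport message) and re-address it to the
// peer's endpoint so that the dispatch loop routes the wrapped packet again.
func (d *EmulatedDev) wrap(peer *Peer, pkt Packet) Packet {
	marker := []byte("[" + d.Name + "/" + peer.Name + "]")
	return Packet{Dst: peer.Endpoint, Payload: append(marker, pkt.Payload...)}
}

// Router emulates steps 1 and 2: one table holding the union of all devices'
// routes. Bypass lists destinations that never re-enter the tunnel; it stands in
// for a UDP socket protected with VpnService.protect() (an assumption here).
type Router struct {
	Devs   []*EmulatedDev
	Bypass []netip.Prefix
}

// lookup does longest-prefix match over every device's peers and returns the
// owning device and peer, or nil, nil when dst is bypassed or matches no route.
func (r *Router) lookup(dst netip.Addr) (dev *EmulatedDev, peer *Peer) {
	for _, b := range r.Bypass {
		if b.Contains(dst) {
			return nil, nil
		}
	}
	bits := -1
	for _, d := range r.Devs {
		for _, p := range d.Peers {
			for _, pfx := range p.AllowedIPs {
				if pfx.Contains(dst) && pfx.Bits() > bits {
					dev, peer, bits = d, p, pfx.Bits()
				}
			}
		}
	}
	return dev, peer
}

// Dispatch is the while(true) loop from the post. It returns the final wrapped
// packet, the peers it was wrapped for (innermost first) and whether a UDP send
// happens; the seen set turns a routing loop into a drop instead of endless wrapping.
func (r *Router) Dispatch(pkt Packet) (Packet, []string, bool) {
	seen := map[*Peer]bool{}
	var chain []string
	for {
		dev, peer := r.lookup(pkt.Dst)
		if dev == nil || seen[peer] { // not ours, or a routing loop: drop
			return pkt, chain, false
		}
		seen[peer] = true
		chain = append(chain, peer.Name)
		pkt = dev.wrap(peer, pkt)
		if d, _ := r.lookup(pkt.Dst); d == nil {
			return pkt, chain, true // peer.udp_send(pkt) would happen here
		}
	}
}

// BuildDemoRouter wires up a full-tunnel commercial provider and a home network;
// every name, endpoint and prefix below is constructed for this example.
func BuildDemoRouter(protectEndpoint bool) *Router {
	provider := &Peer{Name: "provider", Endpoint: netip.MustParseAddr("198.51.100.10"),
		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")}}
	home := &Peer{Name: "home", Endpoint: netip.MustParseAddr("203.0.113.5"),
		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")}}
	r := &Router{Devs: []*EmulatedDev{{Name: "wg-vpn", Peers: []*Peer{provider}}, {Name: "wg-home", Peers: []*Peer{home}}}}
	if protectEndpoint {
		r.Bypass = []netip.Prefix{netip.PrefixFrom(provider.Endpoint, 32)}
	}
	return r
}

func main() {
	for _, protect := range []bool{true, false} {
		pkt, chain, sent := BuildDemoRouter(protect).Dispatch(Packet{Dst: netip.MustParseAddr("10.0.0.7"), Payload: []byte("hello")})
		fmt.Printf("protect=%-5v sent=%-5v chain=%v payload=%s\n", protect, sent, chain, pkt.Payload)
	}
}
```

<div>With the provider endpoint bypassed, a packet for 10.0.0.7 is wrapped for the home peer first and then, because the home endpoint falls under the provider's 0.0.0.0/0 route, wrapped again for the provider: the home tunnel rides inside the commercial VPN, which is what re-dispatching the wrapped packet in the post's loop implies. With nothing bypassed, the provider's own endpoint matches its own route, the second pass selects the provider peer again, and the seen set drops the packet instead of wrapping it forever.</div>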