Opened 6 years ago

Last modified 22 months ago

#424 new Feature Wish

Add tap emulation to the iOS and Android clients

Reported by: yuanqi
Owned by:
Priority: minor
Milestone:
Component: OSS OpenVPN Clients
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: zeroconf, bonjour, multicast, mDNS, service discovery
Cc: plaisthos

Description

This feature is quite important for the iOS clients, since a lot of Apple services make use of Bonjour/mDNS-SD, which cannot be propagated over a layer 3 tunnel, thus bridging is required in order for this to work.

Here is an example of a possible implementation: https://code.google.com/p/guizmovpn/source/browse/trunk/openvpn/tapemu.c?spec=svn3&r=3

Change History (15)

comment:1 Changed 6 years ago by krzee king

Don't you need root for tunemu?
The iOS client simply uses the VPN interface.
I don't think this is possible from a normal iOS build of OpenVPN. I think it would need to be the normal OpenVPN built for rooted iOS.
So I think it can be hacked up, but I would not expect it in the official OpenVPN Connect any time soon.

comment:2 Changed 6 years ago by krzee king

Priority changed from major to minor

comment:3 Changed 6 years ago by Gert Döring

Cc: plaisthos added

You don't actually need TAP to achieve mDNS visibility into the network on the other side - a more reasonable approach would be to run an mDNS proxy/forwarder on the server which would only forward mDNS, not "all the broadcasts and ARP and anything" that is floating around in the remote network (which would very much hurt battery life and 3G volume for mobile clients).

The work in the link you've quoted is interesting, though. We've toyed with the idea, and decided not to go there - it's lots of extra code to maintain (which will also take up memory, flash, battery life), and we've not yet been convinced that it's a useful exercise.

krzee: this has nothing to do with root or non-root and the vpn-interface. It's an emulation layer that will make the client behave like it had a tap interface (answering ARP, adding ethernet headers, etc.) while running on a system that only has tun - this happens inside OpenVPN, for Android, the interface is still a "tun".

comment:4 Changed 6 years ago by plaisthos

I am the author of the OpenVPN for Android client. I am also asked this question a lot. But questions get rarer; people seem to have accepted that there is no tap on Android. I am not opposed to using/writing a tap emulation on Android. It is just that I don't need the feature myself.

And so far nobody has really volunteered to write the code or deemed it important enough to invest money in having tap support.

comment:5 Changed 6 years ago by plaisthos

I took a short look at the emutap code:

  • code style is vastly different from OpenVPN's
  • instead of using structs to extract protocol fields the code uses absolute offsets
  • complete lack of length checking
  • no IPv6 support

For these reasons I don't see it currently fit for adoption into OpenVPN itself. I would probably end up maintaining it as primary user (OpenVPN on Android and utun on OS X) and I don't want to maintain it in its current state.
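An added illustration of the review points in comment:5, not code from this ticket, from guizmovpn or from OpenVPN: the tun-to-tap framing step written with a header struct and explicit length checks, accepting both IPv4 and IPv6. The function names, the struct name and the buffer-based interface are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Ethernet II header as a struct rather than absolute byte offsets. */
struct emu_eth_hdr {
    uint8_t dst[6], src[6];
    uint8_t ethertype[2];            /* big-endian on the wire */
};
_Static_assert(sizeof(struct emu_eth_hdr) == 14, "unexpected padding");

/* tun -> tap: prepend an Ethernet header to one IP packet. Returns the frame
 * length, or 0 on empty input, unknown IP version or too-small buffer. */
size_t emu_tun_to_tap(const uint8_t *pkt, size_t pkt_len, const uint8_t dst[6],
                      const uint8_t src[6], uint8_t *out, size_t out_cap)
{
    struct emu_eth_hdr hdr;
    uint16_t type;
    if (pkt_len == 0)
        return 0;
    switch (pkt[0] >> 4) {           /* IP version nibble */
    case 4: type = 0x0800; break;    /* IPv4 */
    case 6: type = 0x86DD; break;    /* IPv6 */
    default: return 0;
    }
    if (out_cap < sizeof hdr || pkt_len > out_cap - sizeof hdr)
        return 0;                    /* checked without overflowing size_t */
    memcpy(hdr.dst, dst, 6);
    memcpy(hdr.src, src, 6);
    hdr.ethertype[0] = (uint8_t)(type >> 8);
    hdr.ethertype[1] = (uint8_t)(type & 0xff);
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, pkt, pkt_len);
    return sizeof hdr + pkt_len;
}

/* tap -> tun: strip the header. Returns the payload length and sets *payload,
 * or 0 for short or non-IP frames (ARP is for the emulator to answer). */
size_t emu_tap_to_tun(const uint8_t *frame, size_t frame_len,
                      const uint8_t **payload)
{
    struct emu_eth_hdr hdr;
    if (frame_len <= sizeof hdr)
        return 0;
    memcpy(&hdr, frame, sizeof hdr);
    uint16_t type = (uint16_t)((hdr.ethertype[0] << 8) | hdr.ethertype[1]);
    if (type != 0x0800 && type != 0x86DD)
        return 0;
    *payload = frame + sizeof hdr;
    return frame_len - sizeof hdr;
}
```

Both functions return 0 rather than touching memory when a length does not fit, so a truncated frame from the tunnel is dropped instead of being read past its end.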

comment:6 Changed 6 years ago by yuanqi

cron2: I actually tried this approach (using Avahi's reflector). The problem is that mDNSResponder ignores all point-to-point interfaces (http://www.opensource.apple.com/source/mDNSResponder/mDNSResponder-333.10/mDNSMacOSX/mDNSMacOSX.c), which includes the utun interface

comment:7 Changed 6 years ago by plaisthos

And by having a tap emulation for utun, that interface would be ignored as well.

comment:8 Changed 6 years ago by yuanqi

Which is probably why guizmovpn chose to inject those packets to lo0 using PCAP, since they will not be ignored by mDNSResponder

Last edited 6 years ago by yuanqi

comment:9 Changed 3 years ago by Antonio

We have "rather" officially dropped any idea of supporting TAP in OpenVPN Connect.
Is there still real interest here? We haven't seen any request around this topic for a while ....

comment:10 Changed 3 years ago by Antonio

Component changed from OpenVPN Connect to OSS OpenVPN Clients

comment:11 Changed 2 years ago by MeachamusPrime

I'm very interested. I've got a tap server setup and would like to use it on Android.

comment:12 Changed 2 years ago by v1n0

Yes, of course I am interested; if I can bridge my iPhone straight into my home LAN, I can then immediately use Apple Home Kit. This has been confirmed from my Apple laptop running macOS Mojave with OpenVPN bridge into my home LAN (it can run my Apple Home Kit functions flawlessly). Since I don't watch television, I do not currently own an Apple TV, and I never got an iPad, so while I'm waiting for those pieces of hardware to be ordered and arrive (on which Apple has software to support Home Kit remotely), I need a software solution to control my home network appliances.

One option I might think of trying is to bring my laptop, connect to a wifi network, set up the OpenVPN bridge to my LAN, and then export that OpenVPN LAN to my iPhone via USB, but there are five problems with that:

  1. I would need my laptop
  2. I would need an external wifi
  3. I would need a USB connection to my iPhone
  4. I would need to configure all of that.
  5. The whole idea is not to depend on other things when I have my iPhone.

Another option similar to the above is actually more reasonable, but still excessive:

  1. Bring my iPhone. Use it as a hotspot for my laptop.
  2. Bring my laptop, OpenVPN into my home LAN bridged. Done.

But, the problem with that is that I then need to bring my laptop with me.

The ultimate solution will be to get a stand-alone AppleTV box (without television), or an old iPad that can run iOS10 (anybody have used iPads they can part with?). However, until then, being able to bridge my iPhone into my LAN seems preferred.

Edit: for some reason, the forum places a question mark after the following word, turns it into a link, and turns it grey, none of which I want: "HomeKit". Therefore, I changed it into two words: "Home Kit".

Last edited 2 years ago by v1n0

comment:13 Changed 2 years ago by plaisthos

For your use case it will probably still not work. On Mac OS you have a real tap device, which also has broadcast semantics. Even with emulating tap over tun on iOS, it will not get the broadcast mode you would need to get Home Kit working.

comment:14 Changed 22 months ago by clh42

I'm also very interested. Android here, but I would have the same need on iOS if I had an Apple device. I have a few apps that work with different home devices and they only work if the phone is on the same network as the device. The TUN interface is not sufficient, the app or the device still knows it's not the same network. The devices still refuse to work.

I went so far as to pay $7.99 for a 3rd party OpenVPN client (called literally "OpenVPN Client") by colucci-web.it that includes TAP emulation and it works like a charm! (There are reviews from other users who say the TAP emulation didn't work for them, but it worked for me. One possibility for the users who say it didn't work is user error in not knowing how to set it up. Not saying that's every case, but it's a possibility. I had no issue at all getting it to work.)

It unfortunately looks like this 3rd party vendor doesn't make an iOS version of their client. (I haven't researched whether there are other iOS 3rd party OpenVPN clients that might include TAP emulation.)

It would be great if the main OpenVPN client included TAP functionality.

I would agree that it's probably not a wide-spread need, but for those who need it, it's an important need, or they have no use for OpenVPN for their purpose.

Last edited 22 months ago by clh42

comment:15 in reply to:  14 Changed 22 months ago by Gert Döring

Replying to clh42:

> I went so far as to pay $7.99 for a 3rd party OpenVPN client (called literally "OpenVPN Client") by colucci-web.it that includes TAP emulation and it works like a charm! (There are reviews from other users who say the TAP emulation didn't work for them, but it worked for me. One possibility for the users who say it didn't work is user error in not knowing how to set it up. Not saying that's every case, but it's a possibility. I had no issue at all getting it to work.)

This is for Android? Interesting. You can ask them for the source code, and since their OpenVPN core will be based on GPL'ed OpenVPN, they are required to give it to you (theoretically it's possible they did their own code from scratch, but this is very very unlikely - it's lots of work).

> It unfortunately looks like this 3rd party vendor doesn't make an iOS version of their client. (I haven't researched whether there are other iOS 3rd party OpenVPN clients that might include TAP emulation.)
>
> It would be great if the main OpenVPN client included TAP functionality.
>
> I would agree that it's probably not a wide-spread need, but for those who need it, it's an important need, or they have no use for OpenVPN for their purpose.

Don't hang your hopes too high... even if we added a tap emulation, it might still not make apps work that assume "I'm on the same network". Like, for example, Airprint - Airprint requires multicast communication, which iOS just does not do on VPN interfaces (otherwise you could make this work already by proxying on a "tun mode" VPN server).

Encapsulating/decapsulating tun packets into tap frames will enable some things to be done, but if iOS just refuses to do stuff on VPN interfaces, this won't help...
