Mar 31
Last Updated: April 2nd, 2014

Virtual Private Networks (VPNs) aren’t the sexiest topic out there, but they are a pretty vital part of daily operations for almost every major company and many small businesses. VPNs are used to securely connect a computer, tablet, or phone to a company's private network over the Internet, thus allowing people to work remotely while ensuring strict authentication and enforcing administrative policies. Even some power users are apt to set up a VPN if they want to make their home networks accessible while they're on the road.

During the development of Android 4.4 KitKat, the time came to spruce up some of the lower-level pieces that are responsible for creating and managing VPN connections. As with any normal code rewrite, a few bugs crept into the mix. Unfortunately, some of these bugs proved to be relatively catastrophic to a lot of users, leaving them unable to conduct their business.


Symptoms

The more involved details of each symptom are hard to explain without going into very extensive (and boring) depth about network routing and configurations. Instead, I'm going to stick with the overall effects that most people will witness when they try to establish a connection.

  • Tunneling IPv6 over IPv4 simply doesn’t work. In other words, if you connect to a VPN over IPv4 and the other end supports IPv6, any IPv6 address you attempt to communicate with will be unreachable. Everything will appear to be connected and working, but those data packets simply won't leave your device.
  • Changing connection types (e.g. from WiFi to 3G) will result in a disconnection from the VPN. The disconnection might be intentional, as it could be a safety measure to prevent possible snooping. Reconnecting to the VPN is the bigger issue. Some people claim that they can reconnect over the new interface right away, some say that they can only reconnect over the original interface, and some people simply cannot reconnect over any type of interface without first rebooting. To be fair, there isn’t enough information to completely rule out specific apps or environmental conditions.
  • Some apps use VPN routing to establish tethering connections over non-standard interfaces (like Bluetooth). When this occurs on KitKat, it can look like a VPN connection has been established but data packets fail to travel in either direction. This is known to cause issues for apps like BlueVPN and Open Garden. (A mediocre workaround for this is discussed below.)

What Is Affected

Each of the issues described here affects every Nexus device running KitKat 4.4 - 4.4.2. Google Play Edition devices and anything running an aftermarket ROM based on AOSP should also be affected.

HTC and Samsung devices are mentioned in some of the threads, but none of the complaints specify whether they are running stock Android (GPE variants or AOSP ROMs). One report claims the 4.4.2 update for the HTC One does not suffer from the Bluetooth tethering bug. Another comment also seems to clear the Galaxy Note 3 of the same bug, but it indicates that the other bugs are probably still present.

Causes

A root cause hasn’t been clearly identified and there’s still not enough information to determine with any certainty if these bugs originate from the same error or if multiple factors are at work. Most of the problems center around handling of the routing table, so it’s possible all of these are manifestations of the same core bug.

Workarounds

Unfortunately, the last few months have gone by without any really good solutions for most of these bugs. In fact, short of offloading the VPN duties to a router, most people have been at a standstill since updating to KitKat.

There has been a fairly crummy workaround discovered by people using BlueVPN to tether over Bluetooth, which is to also be connected to WiFi at the same time. Yes, you read that right. If your device is connected to a WiFi access point, even one that has no uplink connection, it then becomes possible to use apps like BlueVPN and Open Garden. Of course, this isn’t the most battery-efficient or convenient option, but it might help when desperate times call for desperate measures.

Fixes Are Coming

On the positive side, all of these issues are probably just about to vanish. A project member dropped into the Bluetooth tethering thread to mark it as FutureRelease while acknowledging that several bug fixes are scheduled for the next release of Android. The other threads relating to VPN issues are still sitting without a change in status, but it’s likely that many of those issues simply haven’t been marked.

Update [4/2]: It looks like the bug related to dropping VPN connections after changing connection types is also fixed. The thread for that issue changed to FutureRelease just a few hours ago.

Wrap-Up

VPNs aren’t used by a large percentage of the population, but those who do use them rely on them heavily. To suddenly lose access to networks that are vital for your job can be a crippling experience. We’ll just have to wait until the next update (probably 4.4.3) to find out which, if any, of these bugs survived, but it sounds like most people will be able to get back to their normal routine fairly soon.

Photo: big tunnel by w.marsh (CC BY 2.0)

Sources: AOSP Issue Tracker #62714, #61948, #62588, #65738, #63660, #61948, #64609, #62588

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Simon Belmont

    Is that the tunnel that Glenn went into near the end of the second to last episode of season 4 of The Walking Dead? That would be an awesome reference if it was.

    Probably not. Oh well (sorry for being OT, but I'm still pumped up by last night's finale).

    • Cody Toombs

      I haven't watched it yet, but I kinda doubt it. If I'd known about that, I probably would have tracked down a screencap instead :)

  • Marcell Lévai

    Opera Max doesn't work on my Galaxy S on KitKat at all. With every previous version, it works just fine.

    • nexuswins

      Opera Max works fine on my nexus 4. I'm on 4.4.2

    • deathSparrow

      Galaxy S, on Kitkat.
      What kind of magic is this?

      • Mike Reid

        Muggles call them "Custom ROMs"

  • Fatal1ty_93_RUS

    Well here's your enterprise oriented Android release coming

  • Jason Farrell

    For the common Joe - if you find yourself using open wifi a lot (at starbucks, etc), you really should be using a VPN, unless you don't like wearing condoms either.

    • Cody Toombs

      I used to harp about that so much, but nobody would ever listen, not even the other contractors I worked with. I tend to hate stuff designed to scare people, but I wish more people saw some of those Facebook hijacking demonstrations. That would put so many more people on edge about blindly using public wifi.

      (Before somebody decides to make a remark about it... Yes, I know that's why Facebook and many other sites are SSL-only.)

  • Josh

    The IPv6 bug affects my stock rooted Galaxy S4 (and my Nexus 7 of course). People have reported that it only doesn't route IPv6 over the VPN when the network it's on doesn't support IPv6, but I've found this to be false. When the device has an IPv6 address on my wifi network (dual stack) and I connect to a VPN that is also dual stack, it shows I'm assigned an IPv6 address over the VPN, but IPv6 is still usable. It's as though the device just decides to block it altogether, both over the VPN and over wifi.

    At least it just gracefully falls back to using IPv4 only rather than waiting for a timeout on IPv6. Chrome for example will always use IPv6, and if I lose IPv6 connectivity at the router (Comcast's IPv6 will drop out at night sometimes) then Chrome waits for a timeout on IPv6 before trying IPv4, introducing a lot of latency. With the VPN it seems to know not to even try IPv6.

  • naviz

    My main issue with VPN (which forces me to use vpnc widget) is the fact that the VPN daemon (racoon?) locks me out of VPN randomly (sometimes a few minutes after connecting, sometimes hours later). As you can imagine, this is a nightmare since I have to work remotely...and have to get someone to unlock my account. VPNC never does this...

    There is also an issue with VPN and downloading files from the browser (issue 33666 on their bug tracker).

  • TedPhillips

    ah you guys must be stalking me because i just starred that issue and a few related ones yesterday. ;-)

    came across it by way of looking into OpenGarden.

    keep up the good work.

  • Mystery Man

    Lol awesome pic.

  • BrettyDaren

    Yes there are few vulnerabilities in built-in VPN. I always recommend to choose good 3rd party VPN option to secure your android and access all geo-restricted sites. Now there are not much difficulties to setup VPN on your android. It has now become as easy as pie. Here you can find out the list of top android vpn apps http://www.vpnranks.com/android-vpn-app/

  • Jeff

    This is just despicable. Are they ever going to actually fix the problem, or will it be perpetually fixed at some random time in the future? Google may not be evil, but neither are they remotely competent in this field. If you want devices that actually work, I guess Apple is where it is at. I've never been a fan of the turtle-necked pretentiousness, but at some point the facts need to speak for themselves

  • Ryan H Monroe

    I had to buy an iPad because of this. I'm liking it. Just might have to drop Google and Samsung. Never thought I would say that but I couldn't work at all due to this update and iOS doesn't have these problems.