Virtual Private Networks (VPNs) aren’t the sexiest topic out there, but they are a pretty vital part of daily operations for almost every major company and many small businesses. VPNs are used to securely connect a computer, tablet, or phone to a company's private network over the Internet, thus allowing people to work remotely while ensuring strict authentication and enforcing administrative policies. Even some power users are apt to set up a VPN if they want to make their home networks accessible while they're on the road.

During the development of Android 4.4 KitKat, the time came to spruce up some of the lower-level pieces that are responsible for creating and managing VPN connections. As with any normal code rewrite, a few bugs crept into the mix. Unfortunately, some of these bugs proved to be relatively catastrophic to a lot of users, leaving them unable to conduct their business.

Symptoms

The more involved details of each symptom are hard to explain without going into very extensive (and boring) depth about network routing and configurations. Instead, I'm going to stick with the overall effects that most people will witness when they try to establish a connection.

  • Tunneling IPv6 over IPv4 simply doesn’t work. In other words, if you connect to a VPN over IPv4 and the other end supports IPv6, any IPv6 address you attempt to communicate with will be unreachable. Everything will appear to be connected and working, but those data packets simply won't leave your device.
  • Changing connection types (e.g. from WiFi to 3G) will result in a disconnection from the VPN. The disconnection might be intentional, as it could be a safety measure to prevent possible snooping. Reconnecting to the VPN is the bigger issue. Some people claim that they can reconnect over the new interface right away, some say that they can only reconnect over the original interface, and some people simply cannot reconnect over any type of interface without first rebooting. To be fair, there isn’t enough information to completely rule out specific apps or environmental conditions.
  • Some apps use VPN routing to establish tethering connections over non-standard interfaces (like Bluetooth). When this occurs on KitKat, it can look like a VPN connection has been established but data packets fail to travel in either direction. This is known to cause issues for apps like BlueVPN and Open Garden. (A mediocre workaround for this is discussed below.)

What Is Affected

Each of the issues described here affects every Nexus device running KitKat 4.4 - 4.4.2. Google Play Edition devices and anything running an aftermarket ROM based on AOSP should also be affected.

HTC and Samsung devices are mentioned in some of the threads, but none of the complaints specify if they are running stock Android (GPE variants or AOSP ROMs). One report claims the 4.4.2 update for the HTC One does not suffer from the Bluetooth tethering bug. Another comment also seems to clear the Galaxy Note 3 of the same bug, but it indicates that the other bugs are probably still present.

Causes

A root cause hasn’t been clearly identified and there’s still not enough information to determine with any certainty if these bugs originate from the same error or if multiple factors are at work. Most of the problems center around handling of the routing table, so it’s possible all of these are manifestations of the same core bug.

Workarounds

Unfortunately, the last few months have gone by without any really good solutions for most of these bugs. In fact, short of offloading the VPN duties to a router, most people have been at a standstill since updating to KitKat.

There has been a fairly crummy workaround discovered by people using BlueVPN to tether over Bluetooth, which is to also be connected to WiFi at the same time. Yes, you read that right. If your device is connected to a WiFi access point, even one that has no uplink connection, it then becomes possible to use apps like BlueVPN and Open Garden. Of course, this isn’t the most battery-efficient or convenient option, but it might help when desperate times call for desperate measures.

Fixes Are Coming

On the positive side, all of these issues are probably just about to vanish. A project member dropped into the Bluetooth tethering thread to mark it as FutureRelease while acknowledging that several bug fixes are scheduled for the next release of Android. The other threads relating to VPN issues are still sitting without a change in status, but it’s likely that many of those issues simply haven’t been marked.

Update [4/2]: It looks like the bug related to dropping VPN connections after changing connection types is also fixed. The thread for that issue changed to FutureRelease just a few hours ago.

Wrap-Up

VPNs aren’t used by a large percentage of the population, but those who do use them rely on them heavily. To suddenly lose access to networks that are vital for your job can be a crippling experience. We’ll just have to wait until the next update (probably 4.4.3) to find out which, if any, of these bugs survived, but it sounds like most people will be able to get back to their normal routine fairly soon.

Photo: big tunnel by w.marsh (CC BY 2.0)

Sources: AOSP Issue Tracker #62714, #61948, #62588, #65738, #63660, #64609