Wi-Fi hotspot enabled on host device with OpenVPN connected... connected client devices have no internet #34

Closed
GoogleCodeExporter opened this issue Mar 19, 2015 · 40 comments

@GoogleCodeExporter

What steps will reproduce the problem?
1. Enable "Portable Wi-Fi hotspot" on device1
2. Connect device2 to device1 via Wi-Fi like you would with a router
3. Attempt to connect to the internet

What is the expected output?
The internet to work as normal on device2 except it's all rerouted through the 
OpenVPN connection on device1

What do you see instead?
I get no response on device2 and it eventually times out (any application that 
requires internet)

What version of the product are you using? 0.5.6

On what operating system? Android 4.0.4 Build IMM76I ( device1, stock, not 
rooted )

Please provide any additional information below.

device1 - Samsung Galaxy Nexus Android - 4.0.4 Build IMM76I ( stock, not rooted )
device2 - Samsung Galaxy Tab 10.1 - Android 3.2 ( stock, not rooted )

Original issue reported on code.google.com by sinat...@gmail.com on 26 May 2012 at 8:22

@GoogleCodeExporter
Author

Yeah. I know that this does not work (got another report about this behaviour). The 
application uses the VPNService API. The routing on Android is beyond my 
control. I am afraid this is a bug Google would have to fix.

Original comment by arne@rfc2549.org on 26 May 2012 at 10:16

  • Changed state: Invalid

@GoogleCodeExporter
Author

okie, oh well

Original comment by sinat...@gmail.com on 26 May 2012 at 11:00

@GoogleCodeExporter
Author

I reported the issue in the google android bug tracker:
http://code.google.com/p/android/issues/detail?id=32622

Original comment by arne@rfc2549.org on 3 Jun 2012 at 6:46

@GoogleCodeExporter
Author

From a mail: if you have rooted your phone, you can do:

iptables -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE -t nat
iptables -A FORWARD -j ACCEPT -i wlan0 -o tun0
iptables -A FORWARD -j ACCEPT -i tun0 -o wlan0


Original comment by arne@rfc2549.org on 12 Jun 2012 at 3:02

@GoogleCodeExporter
Author

Issue 96 has been merged into this issue.

Original comment by arne@rfc2549.org on 8 Oct 2012 at 12:44

@GoogleCodeExporter
Author

Issue 104 has been merged into this issue.

Original comment by arne@rfc2549.org on 5 Nov 2012 at 8:09

@GoogleCodeExporter
Author

ah.. so it is possible by just adding postrouting and forwarding rules?

are you going to implement this into the app?

i mean, you could do a simple root-check to see if the device is rooted and 
if so just add those rules.. right?

Original comment by gilu...@gmail.com on 5 Nov 2012 at 9:04

@GoogleCodeExporter
Author

Well, sometimes the tunnel device is also called tun1. And I know from HTC 
devices that they do some different iptables rules from stock Android. While 
the VPNService API has a defined interface, anything beyond that is dependent on 
the vendor implementation. Adding rules could potentially do more harm than good.

Also the wlan interface may be called differently on different handsets. For 
example the Motorola Defy has tiwlan0.

Original comment by arne@rfc2549.org on 5 Nov 2012 at 9:28

@GoogleCodeExporter
Author

Solution if root,

See http://forum.xda-developers.com/showpost.php?p=33749904&postcount=10

One needs iptables commands as specified above AND
routing command in 'dedicated tether routing table'

Hope it helps

Original comment by francesc...@gmail.com on 6 Nov 2012 at 6:23

@GoogleCodeExporter
Author

Issue 107 has been merged into this issue.

Original comment by arne@rfc2549.org on 20 Nov 2012 at 8:09

@danieljarolim

This is how to get tethering to work regardless of OpenVPN and hotspot startup sequence on Lollipop, with the caveat that it bypasses the VPN tunnel.
If hotspot is active and OpenVPN is then started with "Bypass VPN for local networks" enabled (default), the network/route is shown in the log (high verbosity) as excluded as a local network. The VPN tunnel is bypassed for the tethered devices and tethering appears to work.
If OpenVPN is started first with "Bypass VPN for local networks" enabled, there is no local network detected so the network normally used for tethering is not excluded as before. When the hotspot is activated the subnet used for tethered devices is now NOT being excluded but cannot be routed through the VPN tunnel so tethering appears broken.
The fix is to identify the subnet used by the hotspot service and manually add it to Excluded Networks for the connection. In my case 192.168.43.0/24
Now when the tunnel is initiated the hotspot subnet is always excluded from routing through the tunnel regardless of startup sequence and tethering always works.

@schwabe
Owner

schwabe commented Jul 14, 2015

@danieljarolim from my experience Hotspot on 4.4+ works without these tricks and always uses the non VPN connection

@danieljarolim

@schwabe I realised I was using the VPN provider's profile so tried again with a default configuration but ended up with the same results. This is on Android 5.1.1. It's on an old phone so it's a custom ROM but should be close to AOSP defaults.
I'm seeing the same symptoms as #104 and #107 (both start VPN then enable hotspot). I can post working and non-working connection log.

@schwabe
Owner

schwabe commented Jul 15, 2015

@danieljarolim All I can say is that it works on Nexus devices out of the box.

@jonathonf

jonathonf commented Oct 19, 2016

I know this has been closed for a while but it still persists.

I suspect the cause (and why it works in 4.4+) is the tether_dun_required setting. This is default true on stock 4.4+.

When enabled, a separate 'dial-up network' is created specifically for tethering. This would allow tethering to be active while the standard network device has an active OpenVPN connection - they are using separate network devices.

With some custom ROMs (and possibly AOSP?), tether_dun_required is set to false, so tethering and normal data use the same network device. With VPN active the tethered device can't obtain an IP address from the phone.

(I'm running BrokenOS 4.9.1 on my Nexus 5)

@otaviobonder-deel

Sorry to reopen a closed issue, but is there a solution to this bug? If VPN is active, devices can't get IP thru wireless tether

@schwabe
Owner

schwabe commented Jul 19, 2017

You can try to exclude 192.168.42.0/24 (the hotspot range)

@otaviobonder-deel

Where do I find the option to exclude it?

@schwabe
Owner

schwabe commented Jul 19, 2017

under excluding routes

@otaviobonder-deel

I tried to exclude the 192.168.42.0/24 but got no luck. The device can't get an IP address from my hotspot. I have to disconnect from my VPN, connect the other device to my hotspot, and then reconnect the VPN. This way it works. But if the VPN is connected, the device trying to connect to my hotspot can't get an IP address

@schwabe
Owner

schwabe commented Jul 20, 2017

@otaviobps there is probably nothing the app can do about that then. :(

@jonathonf

jonathonf commented Jul 21, 2017

On my device, 192.168.42.0/24 is for USB tethering; for WiFi tethering I have to exclude 192.168.43.0/24. (Or just use 192.168.42.0/23 for both.)

Clients connecting via either won't route via the VPN, though (which would have been the better solution; maybe some iptables rules would fix that).

I have clients able to connect and VPN active on the phone with:

Include: 0.0.0.0/0
Exclude: 192.168.42.0/23
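
The Include/Exclude pair above, worked through as an added example (not code from this thread or from the app): it expands "include 0.0.0.0/0, exclude 192.168.42.0/23" into the positive routes that would actually be sent through the tunnel. It assumes a routing interface that only accepts networks to add, so an exclusion has to be expressed as the complement; `effective_routes` and `via_vpn` are hypothetical names and the client addresses are constructed samples.

```python
import ipaddress

def effective_routes(include, exclude):
    """Positive IPv4 routes covering `include` minus `exclude`."""
    routes = [ipaddress.IPv4Network(n) for n in include]
    for ex in map(ipaddress.IPv4Network, exclude):
        remaining = []
        for net in routes:
            if not net.overlaps(ex):
                remaining.append(net)      # untouched by this exclusion
            elif ex.supernet_of(net):
                continue                   # route lies wholly inside the exclusion
            else:
                # ex is a strict subnet of net: keep everything around the hole
                remaining.extend(net.address_exclude(ex))
        routes = remaining
    return sorted(ipaddress.collapse_addresses(routes))

def via_vpn(addr, routes):
    """True if `addr` matches one of the tunnel routes."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in routes)

# Exclusion from the comment above: one /23 spanning 192.168.42.0/24 and 192.168.43.0/24.
BOTH = effective_routes(["0.0.0.0/0"], ["192.168.42.0/23"])
# Excluding only 192.168.42.0/24 leaves 192.168.43.0/24 inside the tunnel routes.
USB_ONLY = effective_routes(["0.0.0.0/0"], ["192.168.42.0/24"])

if __name__ == "__main__":
    for net in BOTH:
        print("route via tunnel:", net)
    # Constructed sample addresses: two tethered clients and one outside host.
    for addr in ("192.168.42.129", "192.168.43.17", "192.168.44.1"):
        print(addr, "/23 excluded:", via_vpn(addr, BOTH),
              "| only .42.0/24 excluded:", via_vpn(addr, USB_ONLY))
```

The output also makes the trade-off in this thread visible: addresses in the excluded range never match a tunnel route, so tethered clients in that range are not protected by the VPN.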

@otaviobonder-deel

I could solve the problem by assigning a manual IP on the device connecting to my hotspot. Maybe the VPN interferes with DHCP

@jonathonf

I think what we're really trying to do actually needs server-side configuration to work - whether it's routing or bridging I'm not sure yet, but essentially the phone has to act as a router for its client devices. If this is what's needed, I don't think it's in scope for this app. :)

@schwabe
Owner

schwabe commented Jul 21, 2017

I don't think server side configuration will help. The dhcp stuff is probably a bug in Android itself.

@jonathonf

Here's my thinking: With the simplest setup, the phone is acting as a client. The server has already provided a DHCP address to the phone; if it's getting other requests from what it sees as the same client it won't do anything as the current lease is still valid - it has to know the client is actually acting as a router/gateway, and service the other requests appropriately.

@schwabe
Owner

schwabe commented Jul 21, 2017

@jonathonf in hotspot mode the phone itself is the DHCP server.

@jonathonf

Right, in plain hotspot mode clients will get an IP address from the phone's DHCP server. However, when the OpenVPN client is running, by default it is redirecting all traffic to the OpenVPN server, meaning any client traffic is also being redirected. Hence, the clients aren't talking to the phone's DHCP server any more - they are talking to the OpenVPN server, and if that doesn't provide an IP address via DHCP then the clients' connection attempts will "hang".

However - if the phone acts as a gateway to the OpenVPN network for its hotspot clients, everything should work - instead of clients being given an IP address by the phone, they will be given an address by the OpenVPN server.

@mae1989

mae1989 commented Oct 7, 2017

Hello guys,

Could you please provide a short step by step procedure on how to do the following in android terminal.

Include: 0.0.0.0/0
Exclude: 192.168.42.0/23

My devices are stuck in obtaining ip addresses.

Please help.

@jonathonf

jonathonf commented Oct 7, 2017

Look in the VPN connection settings. No need for the terminal.

"OpenVPN for Android"... Profiles->Edit profile... Routing->Excluded Networks.

@mae1989

mae1989 commented Oct 7, 2017

Hi @jonathonf. Thank you for the quick response. I really appreciate it.

So, I went to Settings>Connection>VPN>Turbo VPN. I couldn't find a setting to include or exclude these addresses. Any workaround to do in emulator?

@schwabe
Owner

schwabe commented Oct 7, 2017

Turbo VPN does not sound like anything that would be in my app. Are you sure that you are using my app?

@mae1989

mae1989 commented Oct 7, 2017

Hi @schwabe. Forgive me, I must be off-topic. But the discussion in this thread matches my issue.

Scenario: I am trying to execute Android "Mobile Hotspot (wifi)" on my S7 Edge device that is connected to a VPN. However, when the other Android devices start connecting, they are getting the "Fail to obtain ip address" error. Your helpful replies in this thread say that I should include or exclude a particular IP address from the VPN. And, I really want to do it, but I am not sure how to do that in the terminal. Please help.

@schwabe
Owner

schwabe commented Oct 7, 2017

@mae1989 The VPN app has to implement this. If not you would need root for that and (very) good understanding of ip rules and iptables to figure out how to manipulate the policy based routing to achieve that. But I cannot help you with that either since my phones are not rooted.

@mae1989

mae1989 commented Oct 7, 2017

Hi @schwabe. My phone is rooted. Now, I am just basically lost how to add/exclude those addresses within terminal. I wish someone could help. Thank you for taking time on my issue. In case someone could help, I have attached the results using ifconfig and ip route.
screenshot_20171007-212431

@mae1989

mae1989 commented Oct 7, 2017

Hi again @jonathonf and @schwabe. Btw, thank you for pointing out how to exclude the address in OpenVPN. I tried it and it works great! My devices are now connecting. You guys are awesome. I bet I need to move to OpenVPN instead of other vpn apps, until I figure the solution for those. :)

@drzraf

drzraf commented Mar 31, 2018

Is it really fixed?

  • Android 7.0:
  • enable hotspot
  • enable VPN
  • connect a client
  • the client gets an IP but does not connect using the VPN

@jonathonf

jonathonf commented Mar 31, 2018

This has already been covered. Read my comment above and you'll see that the clients are excluded from the VPN.

@schwabe
Owner

schwabe commented Apr 1, 2018

See also the FAQ. Connected clients via Tethering always use the normal connection and not VPN

@drzraf

drzraf commented Apr 2, 2018

1° The FAQ does not mention Android > 5.1
2° workarounds exist but rely on a rooted phone to change ip routing which is not offered via the standard Android API => It would be nice to get a link to AOSP upstream bug report about problematic API call in order to follow possible resolution.
