Platform and feature support
- Supported Android versions?
- All down to API 21 (Android 5.0 Lollipop).
- Supported architectures?
- Compiled for ARM-v5TE, ARM-v7a, ARM64-v8a, x86, x86-64. Tested on ARM-v7a. Compilation fails for MIPS and MIPS64 due to a bug in the build tools.
- Supported packet types and network devices?
- Layer 3 IP packets through
tun device, which is the only one exposed by the Android VPN API.
- Bundled tinc version?
- 1.1 branch, backward compatible with the 1.0 protocol, compiled with LibreSSL and LZO.
- Multiple networks?
- Selection between multiple netnames is supported. However, only one can be active at once (limitation of the underlying API).
- No hook scripts?
- No interpreter. Replaced with the
network.conf file, configuring the interface prior to connection, as required by the Android VPN API.
- Replaced by an Intent API, allowing VPN connections to be scripted arbitrarily, based on network availability or location for example, by using third party applications.
- No configuration editor?
- Providing a graphical front-end for editing configuration files is out of the scope of this application. One may conveniently use a text editor through a shell for example.
- No route gateways?
- Traffic can be routed to gateways using tinc's internal routing. In particular, all traffic can be routed to the VPN by setting
Route = 0.0.0.0/0 in
- It is still possible to share a mobile connection while the VPN is active.
AllowBypass = true must be set in the
network.conf file. However, the shared connection will not be tunneled. Third party applications or custom firewall rules can be used to share the VPN connection with tethered devices.
- Unable to click on "OK" on the system "Connection request" dialog
- For safety reasons, Android prevents clicking on system dialogs while another application is creating an overlay. Disable such applications.
- Route not shown with
- Routes are added to an Android-managed routing table, entries from which are not listed by default. Use
ip route list table all to list entries from all routing tables.
- Binary names?
- Executables had to be named
libX.so to be automatically copied in the app
lib directory with the right permissions when installing.
- Processes started with Java's
ProcessBuilder do not inherit required file descriptors. The alternative used here is a classic
exec through the JNI.
- The Android VPN API returns a file descriptor to an underlying
tun device. Support for such device has been added to upstream tinc 1.1 as part of this commit.
- Why is the control socket not accessible without root access?
- On Android, the external user-accessible storage is FAT32-formatted, which does not support UNIX socket files. They are thus stored on the internal, application-private storage.
- Why is the Intent API starting Activities instead of Services?
- An activity is used as a proxy to start the underlying TincVPNService in order to ask the user for the VPN permission through a special system dialog.
- Vilbrekin's Tinc GUI and culugyx's fork.
- Source code released under the GNU GPL v3. Content on the website released under the GNU FDL v1.3.
- Generated using the Android Material Icon Generator. Licensed under the CC BY-NC 3.0 License and commercial license.
- Cheap on the Google Play Store, free on F-Droid and this website.
- I gladly accept donations through my PayPal and my BitCoin. Thanks!