org.pacien.tincapp

Platform and feature support

Supported Android versions?
All down to API 21 (Android 5.0 Lollipop).
Supported architectures?
Compiled for ARM-v5TE, ARM-v7a, ARM64-v8a, x86, x86-64. Tested on ARM-v7a. Compilation fails for MIPS and MIPS64 due to a bug in the build tools.
Supported packet types and network devices?
Layer 3 IP packets through tun device, which is the only one exposed by the Android VPN API.
Bundled tinc version?
1.1 branch, backward compatible with the 1.0 protocol, compiled with LibreSSL and LZO.
Multiple networks?
Selection between multiple netnames is supported. However, only one can be active at once (limitation of the underlying API).
No hook scripts?
No interpreter. Replaced with the network.conf file, configuring the interface prior to connection, as required by the Android VPN API.
No nets.boot?
Replaced by an Intent API, allowing VPN connections to be scripted arbitrarily, based on network availability or location for example, by using third party applications.
No configuration editor?
Providing a graphical front-end for editing configuration files is out of the scope of this application. One may conveniently use a text editor through a shell for example.
No route gateways?
Traffic can be routed to gateways using tinc's internal routing. In particular, all traffic can be routed to the VPN by setting Route = 0.0.0.0/0 in network.conf.

Troubleshooting

Tethering?
It is still possible to share a mobile connection while the VPN is active. AllowBypass = true must be set in the network.conf file. However, the shared connection will not be tunneled. Third party applications or custom firewall rules can be used to share the VPN connection with tethered devices.
Unable to click on "OK" on the system "Connection request" dialog
For safety reasons, Android prevents clicking on system dialogs while another application is creating an overlay. Disable such applications.
Route not shown with route or ip route
Routes are added to an Android-managed routing table, entries from which are not listed by default. Use ip route list table all to list entries from all routing tables.

Internals

Binary names?
Executables had to be named libX.so to be automatically copied in the app lib directory with the right permissions when installing.
exec.c?
Processes started with Java's ProcessBuilder do not inherit required file descriptors. The alternative used here is a classic fork+exec through the JNI.
fd_device?
The Android VPN API returns a file descriptor to an underlying tun device. Support for such device has been added to upstream tinc 1.1 as part of this commit.
Why is the control socket not accessible without root access?
On Android, the external user-accessible storage is FAT32-formatted, which does not support UNIX socket files. They are thus stored on the internal, application-private storage.
Why is the Intent API starting Activities instead of Services?
An activity is used as a proxy to start the underlying TincVPNService in order to ask the user for the VPN permission through a special system dialog.

Other

Alternatives?
Vilbrekin's Tinc GUI and culugyx's fork.
License?
Source code released under the GNU GPL v3. Content on the website released under the GNU FDL v1.3.
Icon?
Generated using the Android Material Icon Generator. Licensed under the CC BY-NC 3.0 License and commercial license.
Price?
Cheap on the Google Play Store, free on F-Droid and this website.
Donations?
I gladly accept donations through my PayPal and my BitCoin. Thanks!