Traffic rules

Traffic proxy Rules (Hydra transport)

It is possible to configure how Hydra handles DNS and other traffic. To configure it, use addDnsRule and addProxyRule of SessionConfig.Builder when starting a VPN session.

DNS

Whenever a DNS resolution takes place, it's intercepted by Hydra VPN and domain-based rules might be applied.

Domain-based rules affect how DNS resolution proceeds as well as how further connections to a particular domain will be routed.

Domains might be classified according to the types below:

type       dns resolution
---------  --------------------------------------------------------------------
bypass     The DNS request proceeds in bypass of Hydra VPN. The DNS server is
           the system-wide one or the one specified in the Hydra configuration.
proxy      No DNS resolution takes place on the client side. The real IP
           resolved on the server side is returned to the application.
vpn        No DNS resolution takes place on the client side. The real IP
           resolved on the server side is returned to the application.
blockDns   No DNS resolution takes place. Connections to this domain never
           happen. By default 127.0.0.1 is returned.

These rules can be created and added to SessionConfig.Builder#addDnsRule with the following methods:

  • TrafficRule.Builder.bypass

  • TrafficRule.Builder.proxy

  • TrafficRule.Builder.blockDns

  • TrafficRule.Builder.vpn

TrafficRule.Builder.blockPkt should not be used with addDnsRule; it is for addProxyRule.

Data sources:

  • fromAssets - reads a list of domains stored in the application assets

  • fromFile - reads a list of domains from a file

  • fromDomains - takes a list of domains passed directly

  • fromResource - reads a list of domains from the application resources

Domain matching algorithm:

Domains are searched using a longest-prefix-matching approach, meaning that the most specific match has the highest priority.

The wildcard "*" may be used to match any character occurring any number of times.

The character "?" may be used to match any single character.

key             entries                                   match
--------------  ----------------------------------------  --------------
www.google.com  www.google.com, www.yahoo.com             www.google.com
www.google.com  www.*.com, www.goog*.com, www.google.com  www.google.com
www.google.com  *.google.com, *.com                       *.google.com

If no match for a domain is found, the default domain rule is applied.
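The matching behaviour described above, as an added illustrative model that is not the SDK's own matcher: the SDK does not document its tie-breaking, so the specificity score used here is an assumption chosen to reproduce the table, and the main method replays the table's three rows plus a domain no entry matches (which falls back to the default domain rule).

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public final class DomainRuleMatcher {
    // Translate a rule entry with "*" (any run of characters) and "?" (exactly one
    // character) wildcards into an anchored, case-insensitive regex.
    static Pattern toPattern(String entry) {
        StringBuilder regex = new StringBuilder("^");
        for (char c : entry.toCharArray()) {
            if (c == '*') regex.append(".*");
            else if (c == '?') regex.append('.');
            else regex.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(regex.append('$').toString(), Pattern.CASE_INSENSITIVE);
    }

    // Specificity model (assumption, not the SDK's rule): count of literal, non-wildcard
    // characters, so "www.google.com" (14) beats "www.goog*.com" (12), "*.google.com" (11)
    // and "*.com" (4). The most specific matching entry therefore wins, as the docs say.
    static int specificity(String entry) {
        int score = 0;
        for (char c : entry.toCharArray()) if (c != '*' && c != '?') score++;
        return score;
    }

    // Returns the entry that applies to domain, or null when nothing matches and the
    // default domain rule is used instead.
    public static String match(String domain, List<String> entries) {
        String best = null;
        int bestScore = -1;
        for (String entry : entries) {
            int score = specificity(entry);
            if (score > bestScore && toPattern(entry).matcher(domain).matches()) {
                best = entry;
                bestScore = score;
            }
        }
        return best;
    }

    public static void main(String[] args) {
        // Rows 1 to 3 of the table above, then a domain that no entry matches.
        System.out.println(match("www.google.com", Arrays.asList("www.google.com", "www.yahoo.com")));
        System.out.println(match("www.google.com", Arrays.asList("www.*.com", "www.goog*.com", "www.google.com")));
        System.out.println(match("www.google.com", Arrays.asList("*.google.com", "*.com")));
        System.out.println(match("mail.example.org", Arrays.asList("*.google.com", "*.com")));
    }
}
```

Running a planned rule list through a model like this before shipping it shows which broad wildcard entries (for example "*.com") would silently win for names you did not intend to bypass or block.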

Other

Whenever traffic other than DNS reaches Hydra VPN, domain-based rules are the first ones considered in order to route the content through the correct data path.

If no domain rule is associated with the destination IP (for example, the application connects to an IP address directly, so no DNS resolution took place earlier), or the default domain rule was applied to the respective domain (no particular match for it was found at DNS resolution time), generic rules are applied. In other words, domain-based rules always take precedence over generic rules, unless no domain rule applied or only the default domain rule applied.

Generic rules are based on any combination of destination IP, destination port and protocol.

These rules can be created and added to SessionConfig.Builder#addProxyRule with the following methods:

  • TrafficRule.Builder.bypass

  • TrafficRule.Builder.proxy

  • TrafficRule.Builder.blockPkt

  • TrafficRule.Builder.vpn

TrafficRule.Builder.blockDns should not be used with addProxyRule; it is for addDnsRule.

Data sources:

  • fromIp

  • udp

  • tcp

  • tcpFromIp

  • udpFromIp

  • any

Valid combinations for searching (port and/or protocol):

prio  ip  proto  port  Example
----  --  -----  ----  ------------------------------------------------
1                X     bypass().any(0)
                       bypass().any(1, 1024)
2         X            bypass().udp(0)
3         X      X     bypass().tcp(23)
                       bypass().tcp(20,30)

Valid combinations for searching (IP longest prefix match):

prio  ip  proto  port  Example
----  --  -----  ----  ------------------------------------------------
4     X                bypass().fromIp("100.96.0.0",12)
5     X          X     vpn().fromIp("100.64.0.0",10,22)
                       bypass().fromIp("100.64.0.0",10, 25, 30)
6     X   X            bypass().udpFromIp("100.100.0.0",16)
7     X   X      X     proxy().tcpFromIp("100.100.0.0", 16, 23)
                       proxy().tcpFromIp("100.100.0.0", 16, 23, 40)

Port Ranges

Port ranges might be specified wherever a port is allowed.

Just one port range per rule is allowed, but multiple ranges for the same combination of ip, proto and type might be considered by adding multiple rules (one per port range):

  • Using one rule for each range, since the port ranges don't overlap:

    bypass().tcp(15, 30)
    bypass().tcp(40, 50)

  • A port range which overlaps an existing port range for the same combination of ip and proto will NOT be added:

    bypass().tcp(15,30)
    bypass().tcp(25,50) <- NOT valid ! (port range overlaps 1st one)

Method of Blocking

  • blockPkt for TCP: send RST message when SYN packet is first seen

  • blockPkt for UDP: send ICMP message HOST UNREACHABLE->PORT UNREACHABLE when udp packet is first seen

  • blockPkt for Non-TCP/UDP: Drop packet

Examples

To bypass local network traffic and make local network resource accessible, you can configure an IP mask rule:

final SessionConfig.Builder builder = new SessionConfig.Builder();
builder.addProxyRule(TrafficRule.Builder.bypass().fromIp("192.168.1.0", 24)); // all traffic to 192.168.1.0/24 goes outside the VPN tunnel
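A fuller configuration than the one above, as an added example that is not from the Pango documentation: it combines domain (DNS) rules and generic proxy rules in one SessionConfig.Builder, using only the builder methods and data sources listed on this page. The domain names and port ranges are constructed, the SDK imports are omitted, and the fromDomains(List<String>) parameter list is an assumption to check against your SDK version.

```java
import java.util.Arrays;

// Added example, not from the Pango docs. SessionConfig and TrafficRule are the
// Unified VPN SDK for Android classes (SDK imports omitted). fromDomains(List<String>)
// is an assumed parameter list; verify it against the SDK you build with.
public final class TrafficRulesExample {

    // Builds a session config that combines domain (DNS) rules with generic proxy rules.
    public static SessionConfig.Builder configure() {
        final SessionConfig.Builder builder = new SessionConfig.Builder();

        // Domain rules (addDnsRule) are consulted when the app resolves a name and take
        // precedence over generic rules for the connections that follow.
        // Constructed tracking hosts are never resolved or connected to; the resolver
        // hands the app 127.0.0.1 instead.
        builder.addDnsRule(TrafficRule.Builder.blockDns()
                .fromDomains(Arrays.asList("tracker.example", "*.ads.example")));
        // The office intranet stays reachable outside the tunnel. Keep bypass entries as
        // narrow as possible: every name they match leaves the device unprotected by the VPN,
        // and a broad "*.example" would win for far more names than "*.corp.example".
        builder.addDnsRule(TrafficRule.Builder.bypass()
                .fromDomains(Arrays.asList("*.corp.example")));
        // This name is resolved on the VPN server side and its traffic goes through the tunnel.
        builder.addDnsRule(TrafficRule.Builder.vpn()
                .fromDomains(Arrays.asList("intranet.example")));

        // Generic rules (addProxyRule) apply when no domain rule matched the destination,
        // e.g. because the app connected to an IP address directly.
        // Local network stays reachable (the page's own example).
        builder.addProxyRule(TrafficRule.Builder.bypass().fromIp("192.168.1.0", 24));
        // Telnet is blocked: a TCP SYN is answered with RST, see "Method of Blocking".
        builder.addProxyRule(TrafficRule.Builder.blockPkt().tcp(23));
        // Port ranges must not overlap for the same ip/proto, so two ranges need two rules.
        builder.addProxyRule(TrafficRule.Builder.bypass().tcp(5000, 5100));
        builder.addProxyRule(TrafficRule.Builder.bypass().tcp(6000, 6100));
        // SSH into the CGNAT range is forced through the tunnel (ip + port combination).
        builder.addProxyRule(TrafficRule.Builder.vpn().fromIp("100.64.0.0", 10, 22));
        return builder;
    }
}
```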

Last updated 1 year ago
