LAN connection to server.

[Hunkarada]

Your use case

On android app you can't use lan server (or server, which is under VPN), and this is really annoying, while on PC and iOS I can connect. This issue comes from here https://github.com/element-hq/element-x-android/blob/develop/app/src/main/res/xml/network_security_config.xml. Network config is the same as on previous app. More details here: element-hq/element-android#1793.

Have you considered any alternatives?

Personally, I rebuilt the app with hint by @tobymurray suggested here element-hq/element-android#1793 (comment). Enabled http by changing <base-config cleartextTrafficPermitted="false" /> here from false to true. May be not the best solution, as I'm not android developer, only know java and basic intuition.

Additional context

No response

Are you willing to provide a PR?

No

[spaetz]

Not a developer here, but I don't understand what you mean by LAN server? Are you referring to a connection to a server running on an unencrypted http port instead of https?

[tobymurray]

I think #1793 was resolved for most use cases by element-hq/element-android#3166 ~3 years ago? This is not an Element limitation per-se, recent versions of Android don't allow blanket exceptions (or at least didn't 3 years ago when I looked at this).

I believe if you give your server a domain name from the mentioned list you should be able to connect as you desire.

When I looked, the only way Android would allow this for private IPs would be to literally add each possible private IP individually to that list, which is clearly distasteful. If you have found a way Android can do this in recent times, I think everyone would be open to a better solution.

[Hunkarada]

Not a developer here, but I don't understand what you mean by LAN server? Are you referring to a connection to a server running on an unencrypted http port instead of https?

Yes, http connection, which is encrypted by VPN connection, so I don't need to use TLS (private family server).

[Hunkarada]

I think #1793 was resolved for most use cases by element-hq/element-android#3166 ~3 years ago? This is not an Element limitation per-se, recent versions of Android don't allow blanket exceptions (or at least didn't 3 years ago when I looked at this).

I believe if you give your server a domain name from the mentioned list you should be able to connect as you desire.

When I looked, the only way Android would allow this for private IPs would be to literally add each possible private IP individually to that list, which is clearly distasteful. If you have found a way Android can do this in recent times, I think everyone would be open to a better solution.

I patched app by changing here <base-config cleartextTrafficPermitted="false" /> false to true, and removed everything else in this config, rebuilt app and it works. Android Studio told me, about this is doesn't secure, but... What exactly here not secure? If my server is under VPN encryption, I don't have any security trouble about unencrypted traffic. My server private, so... I don't see any reason to block LAN http connections at all. I don't want to setup DNS server, why I need to do this only for android app when element on PC works absolutely fine. I'm NOT ANDROID DEVELOPER, SO MAYBE I DONE SOMETHING REALLY DANGEROUS, AND I MAY NOT UNDERSTAND IT. But, it seems to resolve this issue.

[Hunkarada]

Opt out of cleartext traffic

Note: The guidance in this section applies only to apps that target Android 8.1 (API level 27) or lower. Starting with Android 9 (API level 28), cleartext support is disabled by default.

If you intend for your app to connect to destinations using only secure connections, you can opt out of supporting cleartext (using the unencrypted HTTP protocol instead of HTTPS) to those destinations. This option helps prevent accidental regressions in apps due to changes in URLs provided by external sources such as backend servers. See NetworkSecurityPolicy.isCleartextTrafficPermitted() for more details.

For example, you might want your app to ensure that connections to secure.example.com are always done over HTTPS to protect sensitive traffic from hostile networks.

So, you actually can allow http connections, if you want, as android doc says. It's not recommended, but you can. https://developer.android.com/privacy-and-security/security-config#CleartextTrafficPermitted

[spaetz]

Yes, you can allow cleartext traffic from a technical point of view, but I doubt this is going to happen for 2 reasons:

1. Afaik, it is against Google's policies and they will refuse to take your app in the Play Store. This in itself is a killer argument.
2. While it can be just as secure if you use eg a vpn directly to your server ot remain in a LAN where you trust the network, allowing unencrypted traffic will make the life for the majority of users less secure. They could be lured into using unencrypted home servers in the wild.

I also run a small family server, and thanks to Letsencrypt, getting valid TLS certs is easy and free in manynsetups. Again, I am no dev, I do see your usecase and it is a valid one. But given the above, I am pretty sure that switch can not be made in general and could not be distributed in the Play Store.

[Hunkarada]

I don't have domain name (I don't need it, and don't want to buy for private family server), so I can't get cert from Let's Encrypt.
For example, Fluffychat app on Google Play Store perfectly works with LAN IPs, so we can at least try to allow cleartext traffic. I can't find in Fluffychat code allowance of cleartext traffic, but if by default it's disabled - it needs to be enabled manually by dev. But this can be not true.
About most of users... I think they just use matrix.org server. Also, what about warning for 5-10 seconds, when user tries to connect to http server? Something like "WARNING. You are trying to connect to server without TLS encryption. If you don't know what does this mean, and not REALLY SURE what are you doing - don't connect to this server". This would be enough in my opinion.
On iOS/PC you can connect to LAN anyway, so this inconsistent approach of app in different platforms is really annoying.

[mackerel225]

I don't have domain name (I don't need it, and don't want to buy for private family server), so I can't get cert from Let's Encrypt. For example, Fluffychat app on Google Play Store perfectly works with LAN IPs, so we can at least try to allow cleartext traffic. I can't find in Fluffychat code allowance of cleartext traffic, but if by default it's disabled - it needs to be enabled manually by dev. But this can be not true. About most of users... I think they just use matrix.org server. Also, what about warning for 5-10 seconds, when user tries to connect to http server? Something like "WARNING. You are trying to connect to server without TLS encryption. If you don't know what does this mean, and not REALLY SURE what are you doing - don't connect to this server". This would be enough in my opinion. On iOS/PC you can connect to LAN anyway, so this inconsistent approach of app in different platforms is really annoying.

Hello. Did you try either

• Setting local DNS to resolve your server ip. Eg mydevice.lan -> 192.168.x.x (usually via router)
• Creating self signed certificate authority for your local network to enable TLS

In both cases, you don't need domain from external provider.

I just tested on my end as I am starting to use Element X for the first time. I have only self signed certs and local domain pointing to local address. So I don't use external CAs like lets encrypt or haven't bought a domain. It seems to work fine. To login I enter https://dietpi.lan:SYNAPSE_PORT

I used latest development build version 0.65 (unreleased yet)

I will have to test at some point if TLS is enabled since I am using .lan.

[Hunkarada]

I don't have domain name (I don't need it, and don't want to buy for private family server), so I can't get cert from Let's Encrypt. For example, Fluffychat app on Google Play Store perfectly works with LAN IPs, so we can at least try to allow cleartext traffic. I can't find in Fluffychat code allowance of cleartext traffic, but if by default it's disabled - it needs to be enabled manually by dev. But this can be not true. About most of users... I think they just use matrix.org server. Also, what about warning for 5-10 seconds, when user tries to connect to http server? Something like "WARNING. You are trying to connect to server without TLS encryption. If you don't know what does this mean, and not REALLY SURE what are you doing - don't connect to this server". This would be enough in my opinion. On iOS/PC you can connect to LAN anyway, so this inconsistent approach of app in different platforms is really annoying.

Hello. Did you try either

* Setting local DNS to resolve your server ip. Eg mydevice.lan -> 192.168.x.x (usually via router)

* Creating self signed certificate authority for your local network to enable TLS

In both cases, you don't need domain from external provider.

I just tested on my end as I am starting to use Element X for the first time. I have only self signed certs and local domain pointing to local address. So I don't use external CAs like lets encrypt or haven't bought a domain. It seems to work fine. To login I enter https://dietpi.lan:SYNAPSE_PORT

I used latest development build version 0.65 (unreleased yet)

I will have to test at some point if TLS is enabled since I am using .lan.

I know about local dns and self-signed certs. I don't need them in my enviroment AT ALL, so it's basicly I need to setup them, just beacause ONE of MANY matrix clients only on specific platform can't use http connections. And, other clients on android, which can be downloaded from google play, can connect by http. Element can connect by http on other platforms. I will try to find a solution by myself, because this will create problems with many non-standard use-cases, such as overlay networks over TCP/IP with encryption on protocol level. (adding their domain systems, if it exsists at all, manually for each of them will be impossible)