From 63ea5a31a1216f41d1c2a52d5643e12a8ec88279 Mon Sep 17 00:00:00 2001
From: Jamil
Date: Thu, 1 Feb 2024 22:27:05 -0800
Subject: [PATCH] fix(android): Allow bypassing AlwaysOn VPN (#3522)
When AlwaysOnVPN is enabled, it's [possible for apps to be blocked](https://developer.android.com/develop/connectivity/vpn#bypass_vpn) because their traffic gets full-routed through connlib, while we expect to only selectively add routes. This PR fixes things so that AlwaysOn behaves like normal VPN mode. Fixes https://firezonehq.slack.com/archives/C06F51698RK/p1706816373989109?thread_ts=1706813494.509349&cid=C06F51698RK
---
kotlin/android/.gitignore | 5 +++--
kotlin/android/app/build.gradle.kts | 3 ++-
.../java/dev/firezone/android/tunnel/TunnelService.kt | 10 ++++++++--
.../src/app/blog/jan-2024-product-update/readme.mdx | 2 +-
.../src/app/kb/user-guides/android-client/readme.mdx | 2 +-
5 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/kotlin/android/.gitignore b/kotlin/android/.gitignore
index 9388b6117..7bf9592e4 100644
--- a/kotlin/android/.gitignore
+++ b/kotlin/android/.gitignore
@@ -65,8 +65,9 @@ replay_pid*
# Covers files to be ignored for android development using Android Studio.
# Built application files
-*.ap_
-*.aab
+**/*.ap_
+**/*.aab
+app/release
# Files for the ART/Dalvik VM
*.dex
diff --git a/kotlin/android/app/build.gradle.kts b/kotlin/android/app/build.gradle.kts
index 6d7a89a73..bd13cdfe0 100644
--- a/kotlin/android/app/build.gradle.kts
+++ b/kotlin/android/app/build.gradle.kts
@@ -46,7 +46,8 @@ android {
defaultConfig {
applicationId = "dev.firezone.android"
- minSdk = 30
+ // Android 8
+ minSdk = 26
targetSdk = 33
versionCode = (System.currentTimeMillis() / 1000 / 10).toInt() // mark:automatic-version
diff --git a/kotlin/android/app/src/main/java/dev/firezone/android/tunnel/TunnelService.kt b/kotlin/android/app/src/main/java/dev/firezone/android/tunnel/TunnelService.kt
index 9376064f0..0dd12a2cf 100644
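Review bot: Dropping `minSdk` from 30 to 26 in `defaultConfig` brings API 26–29 devices into scope, but the only API-level guard this patch adds is the `Build.VERSION_CODES.Q` check around `setMetered` in TunnelService.kt. Any other call in the app that was introduced after API 26 would still compile and then fail at runtime on those devices unless the lint `NewApi` check is part of the build; the hunk does not show whether it is. The comment could carry the API level and the obligation together, e.g. `// Android 8.0 (API 26); guard anything newer with an SDK_INT check`. The `android { ... }` block starts and ends outside the hunk.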
--- a/kotlin/android/app/src/main/java/dev/firezone/android/tunnel/TunnelService.kt
+++ b/kotlin/android/app/src/main/java/dev/firezone/android/tunnel/TunnelService.kt
@@ -250,8 +250,14 @@ class TunnelService : VpnService() {
activeTunnel?.let { tunnel ->
allowFamily(OsConstants.AF_INET)
allowFamily(OsConstants.AF_INET6)
- setMetered(false); // Inherit the metered status from the underlying networks.
- setUnderlyingNetworks(null); // Use all available networks.
+ // Allow traffic to bypass the VPN interface when Always-on VPN is enabled.
+ allowBypass()
+
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ setMetered(false) // Inherit the metered status from the underlying networks.
+ }
+
+ setUnderlyingNetworks(null) // Use all available networks.
addAddress(tunnel.config.tunnelAddressIPv4, 32)
addAddress(tunnel.config.tunnelAddressIPv6, 128)
diff --git a/website/src/app/blog/jan-2024-product-update/readme.mdx b/website/src/app/blog/jan-2024-product-update/readme.mdx
index a7524a486..9ae013576 100644
--- a/website/src/app/blog/jan-2024-product-update/readme.mdx
+++ b/website/src/app/blog/jan-2024-product-update/readme.mdx
@@ -38,7 +38,7 @@ To beta test 1.0, you'll need one of the following: - Apple silicon or Intel Mac running **macOS 12** or later - iPhone or iPad running **iOS/iPadOS 15** or later
-- Android phone, tablet, or ChromeOS device running **Android 11** or later
+- Android phone, tablet, or ChromeOS device running **Android 8** or later
If you qualify for beta testing, we'll add you to a dedicated Slack channel for feedback and support and provide further instructions for downloading clients
diff --git a/website/src/app/kb/user-guides/android-client/readme.mdx b/website/src/app/kb/user-guides/android-client/readme.mdx
index 55e69bc70..a788475c5 100644
--- a/website/src/app/kb/user-guides/android-client/readme.mdx
+++ b/website/src/app/kb/user-guides/android-client/readme.mdx
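Review bot: `allowBypass()` is called for every session, while the comment above it says it applies "when Always-on VPN is enabled"; nothing in the hunk checks for always-on. With it set, any app on the device may bind its process or sockets to an underlying network and send traffic outside the tunnel, which is a policy decision administrators who expect the tunnel routes to be mandatory should be able to read from the code. I would reword the comment to say so, e.g. `// Applies to all sessions: apps that bind to a specific network can skip the tunnel. Needed so Always-on VPN does not block apps.` The enclosing builder block starts and ends outside the hunk.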
@@ -5,7 +5,7 @@ Google Play Store. ## Prerequisites
-- Android / ChromeOS 11 or higher (third party OSes like LineageOS or GrapheneOS
+- ChromeOS / Android 8 or higher (third party OSes like LineageOS or GrapheneOS
may work too but are **not** supported) - Google Chrome browser installed