[Android Development Insights] Build Your VPN App: Insights on Developing with Android VpnManager
In this article we share notes from researching how to build your own Android VPN application. Whether you are a beginner or an experienced developer, these notes aim to give practical guidance, and we hope they are useful to you.
- These are the VPN connection types available in the native Android AOSP source code (the types offered by the system Settings VPN UI; note that PPTP is obsolete and cryptographically broken and should not be used for new deployments):
- PPTP
- L2TP/IPSec PSK
- IPSec Xauth Psk
- IPSec IKEv2 PSK
- L2TP/IPSec RSA
- IPSec Xauth RSA
- IPSec Hybrid RSA
- IPSec IKEv2 RSA
- The official native APIs are VpnManager and VpnService.
After researching them, I found:
- VpnManager only offers some VPN connection modes (only IKEv2/IPsec profiles) and is available only on higher versions, API 30 (Android 11) and above.
- VpnService only provides basic tunnel settings and does not expose the lower-layer connection modes for the app layer to use.
- On the Google issue tracker other developers have raised the same issue and asked Google whether the lower-layer connection modes could be opened for app use; the reply was that it might be opened in the future (link in the original). So others have the same need, but there is currently no development plan for it.
- As mentioned above, the official APIs support only some of the protocols; the others have to be implemented by yourself or integrated from a third-party library.
- The picture lists the three protocol options supported officially through VpnManager: IPSec IKEv2 PSK, IPSec IKEv2 RSA and IPSec User Pass (IKEv2 with username/password, i.e. EAP-MSCHAPv2).
- If you use the officially provided methods, there are two pieces to set:
  - 'Connection Type': set a PlatformVpnProfile through the VpnManager method provisionVpnProfile (API level 30 and above).
    - The framework defines a new class PlatformVpnProfile. If you look at it in AOSP, this is the class offered to apps for setting the connection protocol. When it reaches the lower-layer service it is converted into the VpnProfile class that the service actually uses: in VpnManager, at line 335, provisionVpnProfile(@NonNull PlatformVpnProfile profile) calls toVpnProfile() to convert the PlatformVpnProfile into a VpnProfile.
    - Ikev2VpnProfile.Builder sets the IKEv2-related connection settings. Ikev2VpnProfile is the concrete class behind PlatformVpnProfile, which is why IKEv2 is the only protocol mode opened to apps.
  - 'VPN related settings': through VpnService, use VpnService.Builder() when creating the local tunnel.
    - Official VpnService architecture diagram (in the original).
    - This sets up the tunnel interface at connection time. The framework only offers the builder calls shown in the example below; the app itself reads raw IP packets from the tunnel's file descriptor and is responsible for encrypting and transporting them to the server.
    - Although AOSP contains the protocol implementations listed at the top, they are not yet open to the app layer. So if you need to connect with one of those protocols, you have to implement it yourself.
    - Example:

```kotlin
/*** Android API level 14 and up ***/
// Builder is an inner class of VpnService, so this runs inside your VpnService subclass.
// Addresses below are placeholders; in practice they come from the server's config reply.
val builder = Builder()
val localTunnel: ParcelFileDescriptor? = builder
    .setSession("VPN name")              // name shown in the system VPN UI
    .addAddress("10.0.0.2", 32)          // the tunnel interface's own address and prefix length
    .addRoute("0.0.0.0", 0)              // traffic to forward into the tunnel (here: all IPv4)
    .addDnsServer("10.0.0.1")            // DNS server used while the tunnel is up
    .addSearchDomain("example.com")      // DNS search domain
    .establish()                         // null if VpnService.prepare() consent is missing or was revoked
```
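Going back to the 'Connection Type' path above: the following is an added example (not code from the original article) of provisioning an IKEv2/IPsec PSK profile through VpnManager on API 30+. The server name vpn.example.com, the identity client1, the request code and the loadPsk() helper are assumptions; a real app would read the PSK from Keystore-protected storage.

```kotlin
import android.app.Activity
import android.content.Context
import android.content.Intent
import android.net.Ikev2VpnProfile
import android.net.IpSecAlgorithm
import android.net.VpnManager
import android.os.Build

// Added example: provisioning an IKEv2/IPsec PSK profile through VpnManager
// (API 30+). Server name, identity and where the PSK comes from are placeholders.
class Ikev2Provisioner(context: Context) {
    init {
        // VpnManager does not exist below Android 11; fail loudly instead of crashing later.
        check(Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) { "VpnManager needs API 30+" }
    }
    private val vpnManager: VpnManager = context.getSystemService(VpnManager::class.java)

    // Ikev2VpnProfile is the only PlatformVpnProfile the framework exposes to apps.
    fun buildPskProfile(serverAddr: String, identity: String, psk: ByteArray): Ikev2VpnProfile =
        Ikev2VpnProfile.Builder(serverAddr, identity)
            .setAuthPsk(psk)
            // Restrict ESP to an AEAD suite rather than accepting the framework's
            // broader default algorithm list.
            .setAllowedAlgorithms(listOf(IpSecAlgorithm.AUTH_CRYPT_AES_GCM))
            .setBypassable(false)   // no app may opt out of the tunnel
            .setMetered(false)
            .setMaxMtu(1280)        // must be >= 1280 or the Builder throws
            .build()

    // Returns null when the user already consented to this app as VPN manager;
    // otherwise an Intent for the consent dialog that the Activity must launch.
    // The profile is stored either way; only starting it needs consent.
    fun provision(profile: Ikev2VpnProfile): Intent? = vpnManager.provisionVpnProfile(profile)

    // Connect/disconnect use the stored profile; the platform runs IKEv2 itself.
    fun start() = vpnManager.startProvisionedVpnProfile()
    fun stop() = vpnManager.stopProvisionedVpnProfile()
    fun delete() = vpnManager.deleteProvisionedVpnProfile()
}

// Consent flow from an Activity.
class VpnActivity : Activity() {
    private lateinit var provisioner: Ikev2Provisioner

    override fun onStart() {
        super.onStart()
        provisioner = Ikev2Provisioner(this)
        val profile = provisioner.buildPskProfile("vpn.example.com", "client1", loadPsk())
        when (val consent = provisioner.provision(profile)) {
            null -> provisioner.start()
            else -> startActivityForResult(consent, REQ_VPN_CONSENT)
        }
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode == REQ_VPN_CONSENT && resultCode == RESULT_OK) provisioner.start()
    }

    // Placeholder: a real app reads the PSK from Keystore-protected storage, never a constant.
    private fun loadPsk(): ByteArray = TODO("load PSK from secure storage")

    companion object { const val REQ_VPN_CONSENT = 1 }
}
```

Note that with this path the app never touches packets: the platform's own IKEv2 implementation negotiates and runs the tunnel, which is exactly why only the settings that Ikev2VpnProfile.Builder exposes (auth method, allowed algorithms, MTU, bypassable/metered) are under the app's control.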
- AnyConnect: a third-party VPN provider, as an example of what third-party vendor VPN services offer.
  - The AnyConnect official documentation mentions that it provides protocols such as TLS, DTLS and IPsec IKEv2.
  - Another AnyConnect document mentions that to use an IPsec IKEv2 connection you need Cisco Adaptive Security Appliance 8.4 or above.
  - If you choose this option, you need to contact the vendor for the development details.
  - The table at the bottom of that document explains which tunneling protocols each platform supports.
  - The AnyConnect 4.10 release notes mention some compatibility issues with particular Android versions:
    - For example, the power-saving mode on Android 5.0 and 6.0 conflicts with the service.
    - Split DNS does not work on Android 4.4 or on Samsung Android 5.x devices.
(For reference) There is a solution found online that sets VpnProfile directly through framework-internal methods via reflection: "Create VPN profile on Android". However, this route has been closed on Android 9.0 and above (Android 9 introduced the restrictions on non-SDK interfaces; see the fix announcement), so it is assumed that only some earlier phones can still use it. If your target devices are older than that, it can still be considered, keeping in mind that it depends on hidden APIs that can change or disappear with any OS update.
(For reference) OpenVPN for Android (ics-openvpn) is open source. Its documentation mentions that it supports only the SSL/TLS-based OpenVPN protocol.
- Instructions for adding OpenVPN to an Android project are linked from the original.
- The ics-openvpn FAQ also mentions issues with Samsung Android 5.0 phones.
- When an app opens a custom VpnService, Android 8.0 and above applies background execution limits to service operation: a service that is not in the foreground is stopped shortly after the app leaves the foreground. The VpnService therefore has to be started with startForegroundService() and must call startForeground() promptly with a notification, otherwise the tunnel is torn down when the app goes to the background.
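Putting the VpnService.Builder example and the Android 8.0 background limit together, here is an added example (not code from the original article, ics-openvpn or any vendor SDK) of a complete VpnService started as a foreground service after the prepare() consent flow. It assumes minSdk 26, a manifest entry for the service with android.permission.BIND_VPN_SERVICE and the android.net.VpnService intent filter, and placeholder tunnel addresses and server endpoint (198.51.100.10:51820). It forwards raw IP packets between the tun device and a UDP socket unencrypted, which is exactly the gap the app's own protocol layer has to fill.

```kotlin
import android.app.*
import android.content.Intent
import android.net.VpnService
import android.os.ParcelFileDescriptor
import java.io.*
import java.net.*
import kotlin.concurrent.thread

// Activity side: VpnService.prepare() returns an Intent for the system consent dialog,
// or null when this app is already the allowed VPN. establish() fails without that consent.
class StartVpnActivity : Activity() {
    override fun onStart() {
        super.onStart()
        val consent = VpnService.prepare(this)
        if (consent != null) startActivityForResult(consent, 0) else launchService()
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (resultCode == RESULT_OK) launchService()
    }

    // Android 8.0+: start as a foreground service so background limits do not kill it.
    private fun launchService() = startForegroundService(Intent(this, MyVpnService::class.java))
}

// Service side. Manifest (assumed): <service android:name=".MyVpnService"
//   android:permission="android.permission.BIND_VPN_SERVICE"> with an intent-filter for android.net.VpnService.
class MyVpnService : VpnService() {
    @Volatile private var running = false
    private var tunnel: ParcelFileDescriptor? = null
    private var transport: DatagramSocket? = null

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        startForeground(1, buildNotification())  // must happen promptly after startForegroundService()
        if (tunnel == null) startTunnel()
        return START_STICKY
    }

    private fun startTunnel() {
        // Placeholder addresses; in practice they come from the server's config reply.
        val fd = Builder()
            .setSession("example-vpn")
            .addAddress("10.8.0.2", 32)
            .addRoute("0.0.0.0", 0)
            .addDnsServer("10.8.0.1")
            .establish()
        if (fd == null) { stopSelf(); return }    // consent missing or revoked
        val sock = DatagramSocket()
        // protect(): keep the transport socket outside the tunnel's routes, otherwise
        // its packets would be routed back into the tun device (routing loop).
        if (!protect(sock)) { fd.close(); stopSelf(); return }
        sock.connect(InetSocketAddress("198.51.100.10", 51820))  // placeholder server
        tunnel = fd; transport = sock; running = true
        thread(name = "tun-to-server") { pumpOut(fd, sock) }
        thread(name = "server-to-tun") { pumpIn(fd, sock) }
    }

    // Outbound: raw IP packets read from the tun device are sent to the server as-is.
    // Encrypting and framing them is the protocol layer this example leaves out.
    private fun pumpOut(fd: ParcelFileDescriptor, sock: DatagramSocket) = runCatching {
        val tunIn = FileInputStream(fd.fileDescriptor)
        val buf = ByteArray(32767)
        while (running) {
            val n = tunIn.read(buf)
            if (n > 0) sock.send(DatagramPacket(buf, n))
        }
    }.onFailure { if (running) stopSelf() }

    // Inbound: datagrams from the server are written back into the tun device.
    private fun pumpIn(fd: ParcelFileDescriptor, sock: DatagramSocket) = runCatching {
        val tunOut = FileOutputStream(fd.fileDescriptor)
        val buf = ByteArray(32767)
        while (running) {
            val p = DatagramPacket(buf, buf.size)
            sock.receive(p)
            tunOut.write(p.data, 0, p.length)
        }
    }.onFailure { if (running) stopSelf() }

    override fun onRevoke() { teardown(); super.onRevoke() }   // user disconnected us in Settings
    override fun onDestroy() { teardown(); super.onDestroy() }

    private fun teardown() {
        running = false
        transport?.close(); transport = null
        tunnel?.close(); tunnel = null
    }

    private fun buildNotification(): Notification {
        val channel = NotificationChannel("vpn", "VPN", NotificationManager.IMPORTANCE_LOW)
        getSystemService(NotificationManager::class.java).createNotificationChannel(channel)
        return Notification.Builder(this, channel.id).setContentTitle("VPN connected")
            .setSmallIcon(android.R.drawable.ic_lock_lock).build()
    }
}
```

Two points worth checking in any VpnService of your own: protect() must be called on every socket the tunnel transport uses, or the default route you added sends the tunnel's own traffic back into the tunnel; and onRevoke() fires when the user switches VPN apps or turns the VPN off in Settings, so the service must close the tun descriptor and its transport there rather than assuming it still owns the tunnel.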
- Tracking VpnService.java in AOSP android-10.0.0_r1, lines 176~179 call through IConnectivityManager.aidl. The implementation of that AIDL interface is not in the app-facing framework classes: AIDL defines a Binder IPC interface, and the server side lives in system_server (ConnectivityService implements IConnectivityManager.Stub). To understand how the connection is actually set up, the system-server code has to be studied further.
- Tracking VpnService.java in the Android 12 AOSP, lines 178~181 now use IVpnManager.aidl instead, and there is a separate file VpnManagerService.java. At its line 293, provisionVpnProfile(VpnProfile profile, ...) requires a VpnProfile as its argument. Looking at VpnProfile, line 97 shows that its default connection type is:

```java
public int type = TYPE_PPTP
```

The connection modes that can be set on VpnProfile are the TYPE_* constants defined in that class. However, these connection modes are currently only usable within AOSP itself (the system Settings app), and because they are not opened up, they cannot be used directly from an app.
In summary:
- First, non-developers can only change the VPN connection type from the phone's Settings app, which is where all of the AOSP types listed at the top are exposed.
- Second, developers who need anything other than IKEv2 through VpnManager can only get it by building it themselves: implementing the protocol on top of VpnService, integrating a third-party library such as OpenVPN or a vendor SDK, or working from AOSP itself.