VpnService

I have been using VpnService in a project recently, so I have sorted out the relevant information from the official documentation below.

VpnService is a base class for applications to extend and build their own VPN solutions. In general, it creates a virtual network interface, configures addresses and routing rules, and returns a file descriptor to the application. Each read from the descriptor retrieves an outgoing packet that was routed to the interface. Each write to the descriptor injects an incoming packet just as if it had been received from the interface. The interface runs on the Internet Protocol (IP), so every packet starts with an IP header. The application then completes the VPN connection by processing and exchanging those packets with the remote server over a tunnel.
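
As an added illustration of the read side of that contract (this is example code written for this page, not part of the original post or of any Android sample), the following plain-Java class parses the IP header of a buffer read from the descriptor and applies a small outbound policy before the packet would be forwarded to the tunnel. The class and method names (TunPacket, allowOutbound), the policy rules and the two sample packets are all constructed for the example; the IPv6 branch reads the Next Header field only and does not walk extension headers.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

/** Header fields of one raw IP packet as read from the VpnService file descriptor (example code). */
public final class TunPacket {
    public final int version;       // 4 or 6
    public final int protocol;      // IPv4 Protocol / IPv6 Next Header: 1=ICMP, 6=TCP, 17=UDP, 58=ICMPv6
    public final InetAddress src, dst;
    public final int headerLength;  // offset of the transport header

    private TunPacket(int v, int proto, InetAddress s, InetAddress d, int hl) {
        version = v; protocol = proto; src = s; dst = d; headerLength = hl;
    }

    /** Parses the IP header of buf[0..len). Returns null for anything that is not a sane IPv4/IPv6 header. */
    public static TunPacket parse(byte[] buf, int len) {
        if (len < 1) return null;
        int version = (buf[0] & 0xF0) >>> 4;
        try {
            if (version == 4 && len >= 20) {
                int ihl = (buf[0] & 0x0F) * 4;                                // header length incl. options
                int totalLength = ((buf[2] & 0xFF) << 8) | (buf[3] & 0xFF);
                if (ihl < 20 || ihl > len || totalLength > len) return null;  // malformed or truncated
                return new TunPacket(4, buf[9] & 0xFF,
                        InetAddress.getByAddress(Arrays.copyOfRange(buf, 12, 16)),
                        InetAddress.getByAddress(Arrays.copyOfRange(buf, 16, 20)), ihl);
            }
            if (version == 6 && len >= 40) {
                // Next Header is taken as-is; extension headers are not walked in this example.
                return new TunPacket(6, buf[6] & 0xFF,
                        InetAddress.getByAddress(Arrays.copyOfRange(buf, 8, 24)),
                        InetAddress.getByAddress(Arrays.copyOfRange(buf, 24, 40)), 40);
            }
        } catch (UnknownHostException e) {
            return null;   // only thrown for illegal address lengths, which the bounds checks exclude
        }
        return null;
    }

    /** TCP/UDP destination port, or -1 when the packet carries neither or is too short. */
    public int dstPort(byte[] buf, int len) {
        if ((protocol == 6 || protocol == 17) && len >= headerLength + 4) {
            return ((buf[headerLength + 2] & 0xFF) << 8) | (buf[headerLength + 3] & 0xFF);
        }
        return -1;
    }

    /**
     * Illustrative outbound policy applied before a packet is written to the tunnel: drop anything
     * unparseable, drop DNS that bypasses the VPN's own resolver (a DNS leak), drop blocked destinations.
     */
    public static boolean allowOutbound(byte[] buf, int len, String vpnDns, Set<String> blockedDst) {
        TunPacket p = parse(buf, len);
        if (p == null) return false;
        String dst = p.dst.getHostAddress();
        if (p.dstPort(buf, len) == 53 && !dst.equals(vpnDns)) return false;
        return !blockedDst.contains(dst);
    }

    // Constructed sample packets (not captures): a UDP DNS query 10.0.0.2 -> 8.8.8.8:53, and an IPv6 TCP header.
    private static final byte[] DNS_TO_GOOGLE = hex(
            "4500001c0000000040110000" + "0a000002" + "08080808" + "c000" + "0035" + "0008" + "0000");
    private static final byte[] V6_TCP = hex(
            "6000000000000640" + "20010db8000000000000000000000002" + "20010db8000000000000000000000001");

    public static void main(String[] args) {
        Set<String> blocked = Collections.singleton("203.0.113.9");   // TEST-NET-3 address, example only
        // Query to 8.8.8.8:53 while the VPN resolver is 10.0.0.1 -> dropped as a DNS leak.
        System.out.println(allowOutbound(DNS_TO_GOOGLE, DNS_TO_GOOGLE.length, "10.0.0.1", blocked));
        // Same packet when 8.8.8.8 is the VPN's own resolver -> forwarded.
        System.out.println(allowOutbound(DNS_TO_GOOGLE, DNS_TO_GOOGLE.length, "8.8.8.8", blocked));
        // IPv6 TCP with no transport header in the buffer: parses, reports no port, is forwarded.
        TunPacket p6 = parse(V6_TCP, V6_TCP.length);
        System.out.println(p6.version + " proto=" + p6.protocol + " dst=" + p6.dst.getHostAddress()
                + " port=" + p6.dstPort(V6_TCP, V6_TCP.length));
        // A truncated IPv4 header is rejected instead of being parsed into garbage.
        System.out.println(parse(DNS_TO_GOOGLE, 12));
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

Because the descriptor hands the application every packet the device sends, this hook is where a VPN app enforces (or, if it is malicious, abuses) policy; dropping the DNS query that bypasses the configured resolver is the usual fix for a DNS leak, and the bounds checks matter because short or malformed packets still arrive as ordinary reads.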

Letting applications intercept packets raises serious security concerns. A VPN application can easily break the network, and two VPN applications may conflict with each other. The system takes several actions to address these issues. Here are some key points:

  • User action is required the first time an application creates a VPN connection. 
  • There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created.
  • A system-managed notification is shown during the lifetime of a VPN connection.
  • A system-managed dialog gives the information of the current VPN connection. It also provides a button to disconnect.
  • The network is restored automatically when the file descriptor is closed. It also covers the cases when a VPN application is crashed or killed by the system.

There are two primary methods in this class: prepare(Context) and establish(). The former deals with user action and stops any VPN connection created by another application. The latter creates a VPN interface using the parameters supplied to the VpnService.Builder. An application must call prepare(Context) to be granted the right to use the other methods in this class, and that right can be revoked at any time (once it has been, establish() returns null). Here are the general steps to create a VPN connection:

  1. When the user presses the button to connect, call prepare(Context) and launch the returned intent, if non-null.
  2. When the application becomes prepared, start the service.
  3. Create a tunnel to the remote server and negotiate the network parameters for the VPN connection.
  4. Supply those parameters to a VpnService.Builder and create a VPN interface by calling establish().
  5. Process and exchange packets between the tunnel and the returned file descriptor.
  6. When onRevoke() is invoked, close the file descriptor and shut down the tunnel gracefully.
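
The six steps as one worked Java example, added here; it is not code from the page, nor the Android ToyVpn sample. Everything specific is an assumption: the class names, the server host and port, the interface address, route and DNS values, and the tunnel transport, which is a bare UDP socket with no authentication or encryption and so only stands in for a real VPN protocol. Two source files are shown back to back, with the imports for both listed once at the top.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.VpnService;
import android.os.Bundle;
import android.os.ParcelFileDescriptor;
import android.util.Log;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.DatagramChannel;

// --- ConnectActivity.java: steps 1 and 2 (example code, names are assumptions) ---
public class ConnectActivity extends Activity {
    private static final int REQUEST_VPN = 0x0F;
    @Override protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent consent = VpnService.prepare(this);          // non-null until the user has approved this app
        if (consent != null) {
            startActivityForResult(consent, REQUEST_VPN);   // system-owned consent dialog
        } else {
            onActivityResult(REQUEST_VPN, RESULT_OK, null); // already prepared
        }
    }
    @Override protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        if (requestCode == REQUEST_VPN && resultCode == RESULT_OK) {
            startService(new Intent(this, ExampleVpnService.class));
        }
        // RESULT_CANCELED: the user declined, so the service is never started.
    }
}

// --- ExampleVpnService.java: steps 3 to 6 ---
public class ExampleVpnService extends VpnService implements Runnable {
    private static final String TAG = "ExampleVpnService";
    private static final String SERVER_HOST = "vpn.example.com"; // hypothetical
    private static final int SERVER_PORT = 8000;                 // hypothetical
    private volatile ParcelFileDescriptor tun;
    private volatile DatagramChannel tunnel;
    private Thread worker;

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        if (worker == null) { worker = new Thread(this, "vpn-worker"); worker.start(); }
        return START_STICKY;
    }

    @Override public void run() {
        try {
            // Step 3: open the tunnel socket. protect() keeps it outside the VPN; without it the tunnel's
            // own packets would be routed back into the interface created below. A real client would
            // authenticate and negotiate address, routes and DNS with the server at this point.
            tunnel = DatagramChannel.open();
            if (!protect(tunnel.socket())) throw new IOException("protect() failed");
            tunnel.connect(new InetSocketAddress(SERVER_HOST, SERVER_PORT));
            tunnel.configureBlocking(false);
            // Step 4: hand the negotiated parameters (assumed values here) to the Builder.
            tun = new Builder()
                    .setSession("example")
                    .setMtu(1400)
                    .addAddress("10.0.0.2", 32)
                    .addRoute("0.0.0.0", 0)        // send all IPv4 traffic into the VPN
                    .addDnsServer("10.0.0.1")
                    .establish();                  // descriptor is non-blocking by default
            if (tun == null) throw new IOException("establish() returned null: not prepared, or revoked");
            // Step 5: every read is an outbound IP packet from some app; every write injects an inbound one.
            FileInputStream in = new FileInputStream(tun.getFileDescriptor());
            FileOutputStream out = new FileOutputStream(tun.getFileDescriptor());
            ByteBuffer packet = ByteBuffer.allocate(32767);
            while (!Thread.currentThread().isInterrupted()) {
                boolean idle = true;
                int n = in.read(packet.array());                       // 0 when nothing is pending
                if (n > 0) { packet.limit(n); tunnel.write(packet); packet.clear(); idle = false; }
                int m = tunnel.read(packet);                            // 0 when the server is quiet
                if (m > 0) { out.write(packet.array(), 0, m); packet.clear(); idle = false; }
                if (idle) Thread.sleep(10);
            }
        } catch (IOException | InterruptedException e) {
            Log.w(TAG, "VPN worker stopped: " + e);
        } finally {
            closeTunnel();
        }
    }

    // Step 6: the system revokes the VPN (user pressed disconnect, or another VPN app took over).
    @Override public void onRevoke() { stop(); }
    @Override public void onDestroy() { stop(); super.onDestroy(); }

    private void stop() {
        if (worker != null) { worker.interrupt(); worker = null; }
        closeTunnel();
    }

    // Closing the descriptor is what makes the system restore normal routing, so it is never skipped.
    private void closeTunnel() {
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
        try { if (tunnel != null) tunnel.close(); } catch (IOException ignored) { }
        tun = null; tunnel = null;
    }
}
```

Two points a reviewer would check in real code: the tunnel socket is passed to protect() before any route is installed, otherwise the tunnel's own traffic loops back into the tun device; and onRevoke() closes the descriptor rather than only stopping the thread, since the close is what triggers the system to restore the normal routes.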

Services that extend this class must be declared with the appropriate permission and intent filter. Access to them must be guarded by the BIND_VPN_SERVICE permission (a signature-level permission only the system holds, so no other application can bind to the service and drive the tunnel), and their intent filter must match the SERVICE_INTERFACE action ("android.net.VpnService"). Apps targeting Android 12 (API level 31) or later must also declare android:exported explicitly on any service that has an intent filter. Here is an example of declaring a VPN service in AndroidManifest.xml:

<uses-permission android:name="android.permission.INTERNET"/>
<!-- android:exported="true" is required when targeting API 31+: the system must be able to bind,
     and BIND_VPN_SERVICE ensures that only the system can. -->
<service android:name=".ExampleVpnService"
         android:permission="android.permission.BIND_VPN_SERVICE"
         android:exported="true">
     <intent-filter>
         <action android:name="android.net.VpnService"/>
     </intent-filter>
</service>
