mozilla-mobile/guardian-vpn-android

Support for Always-On VPN mode

Closed this issue · 0 comments

grigoryk commented

Android has an Always-On VPN mode which can be turned on by the user via System VPN settings.

Android can start a VPN service when the device boots and keep it running while the device is on. This feature is called always-on VPN and is available in Android 7.0 (API Level 24) or higher. While Android maintains the service lifecycle, it’s your VPN service that’s responsible for the VPN-gateway connection. Always-on VPN can also block connections that don’t use the VPN.

Currently, Mozilla VPN doesn't work well when "always-on" is enabled in system Settings. It simply doesn't work - service isn't started on boot, and Android displays a persistent notification telling the user that VPN app isn't configured correctly.

Because the system (and not a person) starts and stops an always-on connection, you need to adapt your app’s behavior and user interface:
1) Disable any UI that disconnects the connection because the system and Settings app control the connection.
2) Save any config between each app start and configure a connection with the latest settings.
  Because the system starts your app on demand, the person using the device might not always want to configure a connection.

For (2), we already persist all of the relevant configurations (selected server config, etc).
For (1), the user experience is such that when user manually disables the VPN from the app, Android will display a persistent notification telling the user that the VPN app is disconnect. I think that since the notification is obviously directly connected to the user action within the app, it's okay if we allow user to manually disable VPN from the UI (that is, don't change any of the current UIs).

We have no clear way to detect that "always-on" mode is enabled. When it's enabled, our VPN service will be started without any extra flags. This is what Android docs suggest we use as a way to determine if we've been started by the system - always add extra flags when we're starting it from within the app.

We support API23+, and there's no "always-on" functionality on API23. We'll need to make sure we behave sensibly there.