android: add split/tunnel mode selection with search bar for apps #724
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implemented Experimental <INCLUDE> split tunnelling support. This adds a prototype "include-mode" routing model for Android VPN configuration, addressing long-standing user requests for selectively tunneling only chosen applications. When enabled, the VPN builder whitelists specific package names rather than excluding all others. This avoids the need to maintain long exclude lists and supports targeted routing (e.g., only browsers, music players, etc). Details: Implemented a UI toggle button which turns on split tunneling, and which then presents the option to either include or exclude app packages in the VPNBuilder, without having to use MDM. *When Split tunnelling is disabled, the app excludes all packages in builtInDisallowedPackageNames by default, mirroring existing default functionality when no packages are manually added to the exclude list* If Included or Excluded packages are included by MDM, the split tunneling toggle is vacuously turned on -- and user include/exclude lists are ignored. Limitations: DNS resolver traffic can fail under include-mode when Tailscale DNS is active (different results observed across 3 devices). Disabling Tailscale DNS appears to mitigate the issue, but the underlying resolver interaction remains open for analysis. Feedback, testing results, and alternative approaches from developers or knowledgeable users are welcome and appreciated. This commit is intended as a discussion basis / RFC for upstream consideration and iteration :) --------- Signed-off-by: Danial Ramzan <[email protected]> Signed-off-by: danialramzan <[email protected]>
Signed-off-by: Danial Ramzan <[email protected]> Signed-off-by: danialramzan <[email protected]>
* Implemented Experimental <INCLUDE> split tunnelling support. (#5) Implemented Experimental <INCLUDE> split tunnelling support. This adds a prototype "include-mode" routing model for Android VPN configuration, addressing long-standing user requests for selectively tunneling only chosen applications. When enabled, the VPN builder whitelists specific package names rather than excluding all others. This avoids the need to maintain long exclude lists and supports targeted routing (e.g., only browsers, music players, etc). Details: Implemented a UI toggle button which turns on split tunneling, and which then presents the option to either include or exclude app packages in the VPNBuilder, without having to use MDM. *When Split tunnelling is disabled, the app excludes all packages in builtInDisallowedPackageNames by default, mirroring existing default functionality when no packages are manually added to the exclude list* If Included or Excluded packages are included by MDM, the split tunneling toggle is vacuously turned on -- and user include/exclude lists are ignored. Limitations: DNS resolver traffic can fail under include-mode when Tailscale DNS is active (different results observed across 3 devices). Disabling Tailscale DNS appears to mitigate the issue, but the underlying resolver interaction remains open for analysis. Feedback, testing results, and alternative approaches from developers or knowledgeable users are welcome and appreciated. This commit is intended as a discussion basis / RFC for upstream consideration and iteration :) --------- Signed-off-by: Danial Ramzan <[email protected]> * Implemented search bar in split-tunneling page. Signed-off-by: Danial Ramzan <[email protected]> --------- Signed-off-by: Danial Ramzan <[email protected]>
Author
|
Updates #tailscale/tailscale#13816 |
Signed-off-by: danialramzan <[email protected]>
|
Great solution, i started implementing something but saw you already beat me to it, the other solution seems to miss the search bar for filtering which ease the selection. I just wanted to recommend maybe a solution for the part when no allowed app selected the split tunnel wont work, you could test if |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implemented Experimental INCLUDE split tunnelling support alongside a search bar for quick app selection.
Updates tailscale/tailscale#13816
This adds a prototype "include-mode" routing model for Android VPN configuration, addressing long-standing user requests for selectively tunneling only chosen applications, alongside a search bar implementation.
When enabled, the VPN builder whitelists specific package names rather than excluding all others. This avoids the need to maintain long exclude lists and supports targeted routing (e.g., only browsers, music players, etc).
Details:
Implemented a UI toggle button which turns on split tunneling, and which then presents the option to either include or exclude app packages in the VPNBuilder, without having to use MDM, with both the include and exclude package lists capable of containing separate apps. When Split tunnelling is disabled, the app excludes all packages in
builtInDisallowedPackageNamesby default, mirroring existing default functionality when no packages are manually added to the exclude list.If Included or Excluded packages are included by MDM, the split tunneling toggle is vacuously turned on -- and user include/exclude lists are ignored.
A search bar has also been implemented in order to cut down on app selection times significantly. The search bar matches on both app names and package names (e.g
Chromeorcom.android.chrome)Limitations and notes:
DNS resolver traffic might fail under include-mode when Tailscale DNS is active. Disabling Tailscale DNS appears to mitigate the issue, but the underlying resolver interaction remains open for analysis. Feedback, testing results, and alternative approaches from developers or knowledgeable users are welcome and appreciated. (When using Mullvad VPN as my exit node, this problem seems to disappear, which leads me to suspect the problem is indeed with my exit node and not the implementation.)
When split tunneling mode is set to
INCLUDEan empty allowed packages list is interpreted as “route everything,” so all traffic passes through the tunnel. Once an entry is added, filtering works as intended.This commit is intended as a discussion basis / RFC for upstream consideration and iteration :)
Note: I became aware of PR #621 only after finishing this implementation 😄
My goal is not to replace that effort, this PR explores a different UI/UX design (search bar, explicit include/exclude list behaviour, toggle state logic) which may complement the earlier branch.
Happy to collaborate, merge concepts, or align with the earlier PR, whichever direction maintainers prefer :)
Signed-off-by: danialramzan [email protected]