Bypass VPN by calling addDisallowedApplication API

README.md

@@ -8,7 +8,7 @@ To handle DNS resoution, we have implemented a local DNS resolver that intercept
 
 ### Target Devices
 
-This plugin targets Android devices running Marshmellow (API 23), or higher. This requirement stems from calling `bindProcessToNetwork`, a [connectivity API](https://developer.android.com/reference/android/net/ConnectivityManager.html#bindProcessToNetwork(android.net.Network)) introduced in version 23, which allows the client application traffic to bypass the VPN.
+This plugin targets Android devices running Lollipop (API 21), or higher. This requirement stems from calling `addDisallowedApplication`, a [VPNService.Builder API](https://developer.android.com/reference/android/net/VpnService.Builder.html#addDisallowedApplication(java.lang.String)) introduced in version 21, which allows the specified application's traffic to bypass the VPN.
 
 ### Javascript API
 

src/android/org/uproxy/tun2socks/Tun2Socks.java

@@ -31,7 +31,6 @@ public class Tun2Socks extends CordovaPlugin {
 
   private String m_socksServerAddress;
   private CallbackContext m_onDisconnectCallback = null;
-  private NetworkManager m_networkManager = null;
 
   @Override
   public boolean execute(String action, JSONArray args, CallbackContext callbackContext)
@@ -68,15 +67,14 @@ public boolean execute(String action, JSONArray args, CallbackContext callbackCo
   }
 
   // Initializes the plugin.
-  // Requires API 23 (Marshmallow) to use the NetworkManager.
-  @TargetApi(Build.VERSION_CODES.M)
+  // Requires API 21 (Lollipop) for the application traffic to bypass the VPN.
+  @TargetApi(Build.VERSION_CODES.LOLLIPOP)
   @Override
   protected void pluginInitialize() {
     if (!hasVpnService()) {
       Log.i(LOG_TAG, "Device does not support plugin.");
       return;
     }
-    m_networkManager = new NetworkManager(getBaseContext());
 
     LocalBroadcastManager.getInstance(getBaseContext())
         .registerReceiver(
@@ -86,10 +84,6 @@ protected void pluginInitialize() {
 
   @Override
   public void onDestroy() {
-    // Stop network manager
-    if (m_networkManager != null) {
-      m_networkManager.destroy();
-    }
     // Stop tunnel service in case the user has quit the app without
     // disconnecting the VPN.
     stopTunnelService();
@@ -110,7 +104,7 @@ protected void prepareAndStartTunnelService(CallbackContext callbackContext) {
 
   // Returns whether the device supports the tunnel VPN service.
   private boolean hasVpnService() {
-    return Build.VERSION.SDK_INT >= Build.VERSION_CODES.M;
+    return Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP;
   }
 
   @TargetApi(Build.VERSION_CODES.ICE_CREAM_SANDWICH)

src/android/org/uproxy/tun2socks/Tunnel.java

@@ -21,6 +21,7 @@
 
 import android.annotation.TargetApi;
 import android.content.Context;
+import android.content.pm.PackageManager.NameNotFoundException;
 import android.net.VpnService;
 import android.os.Build;
 import android.os.ParcelFileDescriptor;
@@ -131,7 +132,7 @@ public synchronized void stop() {
   // synchronized functions as stop() is synchronized and a deadlock is possible as callbacks
   // can be called while stop holds the lock.
   //
-  // Calling allowBypass on VPNService.Builder requires API 21 (Lollipop).
+  // Calling addDisallowedApplication on VPNService.Builder requires API 21 (Lollipop).
   @TargetApi(Build.VERSION_CODES.LOLLIPOP)
   private boolean startVpn() throws Exception {
     mPrivateAddress = selectPrivateAddress();
@@ -143,16 +144,22 @@ private boolean startVpn() throws Exception {
       // Workaround for https://code.google.com/p/android/issues/detail?id=61096
       Locale.setDefault(new Locale("en"));
 
-      ParcelFileDescriptor tunFd =
-          ((VpnService.Builder) mHostService.newVpnServiceBuilder())
-              .setSession(mHostService.getAppName())
-              .setMtu(VPN_INTERFACE_MTU)
-              .addAddress(mPrivateAddress.mIpAddress, mPrivateAddress.mPrefixLength)
-              .addRoute("0.0.0.0", 0)
-              .addRoute(mPrivateAddress.mSubnet, mPrivateAddress.mPrefixLength)
-              .addDnsServer(mPrivateAddress.mRouter)
-              .allowBypass()
-              .establish();
+      ParcelFileDescriptor tunFd = null;
+      try {
+        tunFd =
+            ((VpnService.Builder) mHostService.newVpnServiceBuilder())
+                .setSession(mHostService.getAppName())
+                .setMtu(VPN_INTERFACE_MTU)
+                .addAddress(mPrivateAddress.mIpAddress, mPrivateAddress.mPrefixLength)
+                .addRoute("0.0.0.0", 0)
+                .addDnsServer(mPrivateAddress.mRouter)
+                .addDisallowedApplication(mHostService.getContext().getPackageName())
+                .establish();
+      } catch (NameNotFoundException e) {
+        mHostService.onDiagnosticMessage(
+            "failed exclude app from VPN: " + e.getMessage());
+      }
+
       if (tunFd == null) {
         // As per http://developer.android.com/reference/android/net/VpnService.Builder.html#establish%28%29,
         // this application is no longer prepared or was revoked.