On Android, a VPN’s private network can sometimes be reached by apps that shouldn’t be allowed to use it. For example, even if your routing rules don’t include those apps, they may still get VPN access by binding directly to the TUN interface.
Android provides an API called getConnectionOwnerUid(), which lets you figure out which UID (i.e., which app) owns a given network connection. With that, a VPN app can identify unwanted apps and block them from using the VPN.
So I’d like to request a hook in tun2socks that lets it pass the connection’s 4‑tuple (src IP/port + dst IP/port) up to the VPN app. The VPN app would then reply with “allow” or “deny”, and tun2socks would enforce that decision.
It’d be best if this hook/API is asynchronous, so it doesn’t hurt performance or become a bottleneck under high concurrency.
Thanks!
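A sketch of the requested hook, added here as an example and not taken from tun2socks or from the post: `Decider`, `Admit`, `UIDPolicy` and `NewFlow` are hypothetical names, and the UID table is constructed data standing in for the `getConnectionOwnerUid()` lookup. The decision runs per connection and denies on error or timeout, so a slow or failed lookup never lets a flow through.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"time"
)

// Flow is the connection 4-tuple the request wants passed up to the VPN app.
type Flow struct{ Src, Dst netip.AddrPort }

// Decider is a hypothetical callback the VPN app would register. On Android it
// would resolve the flow's owner with getConnectionOwnerUid() and check policy.
type Decider func(ctx context.Context, f Flow) (bool, error)

// Admit is meant to run on the goroutine handling one new connection, so a slow
// decision delays only that flow. Errors and timeouts deny (fail closed).
func Admit(d Decider, f Flow, timeout time.Duration) bool {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	res := make(chan bool, 1) // buffered: a late decider never blocks or leaks
	go func() {
		ok, err := d(ctx, f)
		res <- ok && err == nil
	}()
	select {
	case ok := <-res:
		return ok
	case <-ctx.Done():
		return false
	}
}

// UIDPolicy builds a Decider from constructed data: owners stands in for the
// Android UID lookup (keyed by source endpoint), allowed is the app allowlist.
func UIDPolicy(owners map[string]int, allowed map[int]bool, delay time.Duration) Decider {
	return func(_ context.Context, f Flow) (bool, error) {
		time.Sleep(delay) // simulated lookup latency
		uid, known := owners[f.Src.String()]
		return known && allowed[uid], nil // unknown owner: deny
	}
}

func NewFlow(src, dst string) Flow { return Flow{netip.MustParseAddrPort(src), netip.MustParseAddrPort(dst)} }

func main() {
	d := UIDPolicy(map[string]int{"10.0.0.2:40000": 10123}, map[int]bool{10123: true}, 0)
	fmt.Println(Admit(d, NewFlow("10.0.0.2:40000", "192.0.2.10:443"), time.Second))
}
```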