Track IPv6 connectivity on Android

Co-authored-by: Jonatan Rhoidn <jonatan.rhodin@mullvad.net>

Author: dlon

android/CHANGELOG.md

@@ -29,6 +29,9 @@ Line wrap the file at 100 chars.                                              Th
 ### Removed
 - Remove Google's resolvers from encrypted DNS proxy.
 
+### Fixed
+- Will no longer try to connect over IPv6 if IPv6 is not available.
+
 
 ## [android/2024.10-beta2] - 2024-12-20
 

android/lib/talpid/src/main/kotlin/net/mullvad/talpid/ConnectivityListener.kt

@@ -2,26 +2,44 @@ package net.mullvad.talpid
 
 import android.net.ConnectivityManager
 import android.net.LinkProperties
+import android.net.Network
+import android.net.NetworkCapabilities
+import co.touchlab.kermit.Logger
+import java.net.DatagramSocket
+import java.net.Inet4Address
+import java.net.Inet6Address
 import java.net.InetAddress
 import kotlin.collections.ArrayList
+import kotlin.time.Duration.Companion.milliseconds
 import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.FlowPreview
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.SharingStarted
 import kotlinx.coroutines.flow.StateFlow
+import kotlinx.coroutines.flow.debounce
+import kotlinx.coroutines.flow.distinctUntilChanged
+import kotlinx.coroutines.flow.filter
 import kotlinx.coroutines.flow.map
 import kotlinx.coroutines.flow.merge
 import kotlinx.coroutines.flow.onEach
 import kotlinx.coroutines.flow.receiveAsFlow
 import kotlinx.coroutines.flow.stateIn
 import kotlinx.coroutines.launch
+import kotlinx.coroutines.plus
+import kotlinx.coroutines.runBlocking
+import net.mullvad.talpid.model.Connectivity
 import net.mullvad.talpid.model.NetworkState
+import net.mullvad.talpid.util.IpUtils
 import net.mullvad.talpid.util.RawNetworkState
 import net.mullvad.talpid.util.defaultRawNetworkStateFlow
-import net.mullvad.talpid.util.hasInternetConnectivity
 
-class ConnectivityListener(private val connectivityManager: ConnectivityManager) {
-    private lateinit var _isConnected: StateFlow<Boolean>
+class ConnectivityListener(
+    private val connectivityManager: ConnectivityManager,
+    val protect: (socket: DatagramSocket) -> Boolean,
+) {
+    private lateinit var _isConnected: StateFlow<Connectivity>
     // Used by JNI
     val isConnected
         get() = _isConnected.value
@@ -37,6 +55,7 @@ class ConnectivityListener(private val connectivityManager: ConnectivityManager)
     val currentDnsServers: ArrayList<InetAddress>
         get() = _mutableNetworkState.value?.dnsServers ?: ArrayList()
 
+    @OptIn(FlowPreview::class)
     fun register(scope: CoroutineScope) {
         // Consider implementing retry logic for the flows below, because registering a listener on
         // the default network may fail if the network on Android 11
@@ -53,15 +72,59 @@ class ConnectivityListener(private val connectivityManager: ConnectivityManager)
 
         _isConnected =
             connectivityManager
-                .hasInternetConnectivity()
-                .onEach { notifyConnectivityChange(it) }
+                .defaultRawNetworkStateFlow()
+                .debounce(300.milliseconds)
+                .map { it.toConnectivity() }
+                .distinctUntilChanged()
+                .onEach { notifyConnectivityChange(it.ipv4, it.ipv6) }
                 .stateIn(
-                    scope,
+                    scope + Dispatchers.IO,
                     SharingStarted.Eagerly,
-                    true, // Assume we have internet until we know otherwise
+                    // Has to happen on IO to avoid NetworkOnMainThreadException, we actually don't
+                    // send any traffic just open a socket to detect the IP version.
+                    runBlocking(Dispatchers.IO) {
+                        connectivityManager.activeRawNetworkState().toConnectivity()
+                    },
                 )
     }
 
+    private fun ConnectivityManager.activeRawNetworkState(): RawNetworkState? =
+        try {
+            activeNetwork?.let { initialNetwork: Network ->
+                RawNetworkState(
+                    network = initialNetwork,
+                    linkProperties = getLinkProperties(initialNetwork),
+                    networkCapabilities = getNetworkCapabilities(initialNetwork),
+                )
+            }
+        } catch (_: RuntimeException) {
+            Logger.e(
+                "Unable to get active network or properties and capabilities of the active network"
+            )
+            null
+        }
+
+    private fun RawNetworkState?.toConnectivity(): Connectivity.Status =
+        if (isVpn()) {
+            // If the default network is a VPN we need to use a socket to check
+            // the underlying network
+            Connectivity.Status(
+                IpUtils.hasIPv4(protect = { protect(it) }),
+                IpUtils.hasIPv6(protect = { protect(it) }),
+            )
+        } else {
+            // If the default network is not a VPN we can check the addresses
+            // directly
+            Connectivity.Status(
+                ipv4 =
+                    this?.linkProperties?.routes?.any { it.destination.address is Inet4Address } ==
+                        true,
+                ipv6 =
+                    this?.linkProperties?.routes?.any { it.destination.address is Inet6Address } ==
+                        true,
+            )
+        }
+
     /**
      * Invalidates the network state cache. E.g when the VPN is connected or disconnected, and we
      * know the last known values not to be correct anymore.
@@ -73,14 +136,18 @@ class ConnectivityListener(private val connectivityManager: ConnectivityManager)
     private fun LinkProperties.dnsServersWithoutFallback(): List<InetAddress> =
         dnsServers.filter { it.hostAddress != TalpidVpnService.FALLBACK_DUMMY_DNS_SERVER }
 
+    private fun RawNetworkState?.isVpn(): Boolean =
+        this?.networkCapabilities?.hasCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN) ==
+            false
+
     private fun RawNetworkState.toNetworkState(): NetworkState =
         NetworkState(
             network.networkHandle,
             linkProperties?.routes,
             linkProperties?.dnsServersWithoutFallback(),
         )
 
-    private external fun notifyConnectivityChange(isConnected: Boolean)
+    private external fun notifyConnectivityChange(isIPv4: Boolean, isIPv6: Boolean)
 
     private external fun notifyDefaultNetworkChange(networkState: NetworkState?)
 }

android/lib/talpid/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt

@@ -48,7 +48,8 @@ open class TalpidVpnService : LifecycleVpnService() {
     @CallSuper
     override fun onCreate() {
         super.onCreate()
-        connectivityListener = ConnectivityListener(getSystemService<ConnectivityManager>()!!)
+        connectivityListener =
+            ConnectivityListener(getSystemService<ConnectivityManager>()!!, ::protect)
         connectivityListener.register(lifecycleScope)
     }
 

android/lib/talpid/src/main/kotlin/net/mullvad/talpid/model/Connectivity.kt

@@ -0,0 +1,7 @@
+package net.mullvad.talpid.model
+
+sealed class Connectivity {
+    data class Status(val ipv4: Boolean, val ipv6: Boolean) : Connectivity()
+
+    data object PresumeOnline : Connectivity()
+}

android/lib/talpid/src/main/kotlin/net/mullvad/talpid/util/IpUtils.kt

@@ -0,0 +1,47 @@
+package net.mullvad.talpid.util
+
+import co.touchlab.kermit.Logger
+import java.net.DatagramSocket
+import java.net.InetAddress
+import java.net.InetSocketAddress
+import java.net.SocketException
+
+object IpUtils {
+    fun hasIPv4(protect: (socket: DatagramSocket) -> Boolean): Boolean =
+        hasIpVersion(InetAddress.getByName(PUBLIC_IPV4_ADDRESS), protect)
+
+    fun hasIPv6(protect: (socket: DatagramSocket) -> Boolean): Boolean =
+        hasIpVersion(InetAddress.getByName(PUBLIC_IPV6_ADDRESS), protect)
+
+    // Fake a connection to a public ip address using a UDP socket.
+    // We don't care about the result of the connection, only that it is possible to create.
+    // This is done this way since otherwise there is not way to check the availability of an ip
+    // version on the underlying network if the VPN is turned on.
+    // Since we are protecting the socket it will use the underlying network regardless
+    // if the VPN is turned on or not.
+    // If the ip version is not supported on the underlying network it will trigger a socket
+    // exception. Otherwise we assume it is available.
+    private inline fun <reified T : InetAddress> hasIpVersion(
+        ip: T,
+        protect: (socket: DatagramSocket) -> Boolean,
+    ): Boolean {
+        val socket = DatagramSocket()
+        if (!protect(socket)) {
+            Logger.e("Unable to protect the socket VPN is not set up correctly")
+            return false
+        }
+        return try {
+            socket.connect(InetSocketAddress(ip, 1))
+            socket.localSocketAddress.also { Logger.d("Public Local address: $it") }
+            true
+        } catch (_: SocketException) {
+            Logger.e("Socket could not be set up")
+            false
+        } finally {
+            socket.close()
+        }
+    }
+
+    private const val PUBLIC_IPV4_ADDRESS = "1.1.1.1"
+    private const val PUBLIC_IPV6_ADDRESS = "2606:4700:4700::1001"
+}

mullvad-jni/src/classes.rs

@@ -18,4 +18,6 @@ pub const CLASSES: &[&str] = &[
     "net/mullvad/talpid/ConnectivityListener",
     "net/mullvad/talpid/TalpidVpnService",
     "net/mullvad/mullvadvpn/lib/endpoint/ApiEndpointOverride",
+    "net/mullvad/talpid/model/Connectivity$Status",
+    "net/mullvad/talpid/model/Connectivity$PresumeOnline",
 ];

talpid-core/src/connectivity_listener.rs

@@ -98,36 +98,34 @@ impl ConnectivityListener {
 
     /// Return the current offline/connectivity state
     pub fn connectivity(&self) -> Connectivity {
-        self.get_is_connected()
-            .map(|connected| Connectivity::Status { connected })
-            .unwrap_or_else(|error| {
-                log::error!(
-                    "{}",
-                    error.display_chain_with_msg("Failed to check connectivity status")
-                );
-                Connectivity::PresumeOnline
-            })
+        self.get_is_connected().unwrap_or_else(|error| {
+            log::error!(
+                "{}",
+                error.display_chain_with_msg("Failed to check connectivity status")
+            );
+            Connectivity::PresumeOnline
+        })
     }
 
-    fn get_is_connected(&self) -> Result<bool, Error> {
+    fn get_is_connected(&self) -> Result<Connectivity, Error> {
         let env = JnixEnv::from(
             self.jvm
                 .attach_current_thread_as_daemon()
                 .map_err(Error::AttachJvmToThread)?,
         );
 
-        let is_connected =
-            env.call_method(self.android_listener.as_obj(), "isConnected", "()Z", &[]);
-
-        match is_connected {
-            Ok(JValue::Bool(JNI_TRUE)) => Ok(true),
-            Ok(JValue::Bool(_)) => Ok(false),
-            value => Err(Error::InvalidMethodResult(
-                "ConnectivityListener",
+        let is_connected = env
+            .call_method(
+                self.android_listener.as_obj(),
                 "isConnected",
-                format!("{:?}", value),
-            )),
-        }
+                "()Lnet/mullvad/talpid/model/Connectivity;",
+                &[],
+            )
+            .expect("Missing isConnected")
+            .l()
+            .expect("isConnected is not an object");
+
+        Ok(Connectivity::from_java(&env, is_connected))
     }
 
     /// Return the current DNS servers according to Android
@@ -160,20 +158,25 @@ impl ConnectivityListener {
 #[unsafe(no_mangle)]
 #[allow(non_snake_case)]
 pub extern "system" fn Java_net_mullvad_talpid_ConnectivityListener_notifyConnectivityChange(
-    _: JNIEnv<'_>,
-    _: JObject<'_>,
-    connected: jboolean,
+    _env: JNIEnv<'_>,
+    _obj: JObject<'_>,
+    is_ipv4: jboolean,
+    is_ipv6: jboolean,
 ) {
     let Some(tx) = &*CONNECTIVITY_TX.lock().unwrap() else {
         // No sender has been registered
         log::trace!("Received connectivity notification wíth no channel");
         return;
     };
 
-    let connected = JNI_TRUE == connected;
+    let is_ipv4 = JNI_TRUE == is_ipv4;
+    let is_ipv6 = JNI_TRUE == is_ipv6;
 
     if tx
-        .unbounded_send(Connectivity::Status { connected })
+        .unbounded_send(Connectivity::Status {
+            ipv4: is_ipv4,
+            ipv6: is_ipv6,
+        })
         .is_err()
     {
         log::warn!("Failed to send offline change event");

talpid-types/src/net/mod.rs

@@ -1,4 +1,6 @@
 use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network};
+#[cfg(target_os = "android")]
+use jnix::FromJava;
 use obfuscation::ObfuscatorConfig;
 use serde::{Deserialize, Serialize};
 #[cfg(windows)]
@@ -566,19 +568,15 @@ pub fn all_of_the_internet() -> Vec<ipnetwork::IpNetwork> {
 /// Information about the host's connectivity, such as the preesence of
 /// configured IPv4 and/or IPv6.
 #[derive(Debug, Clone, Copy, PartialEq)]
+#[cfg_attr(target_os = "android", derive(FromJava))]
+#[cfg_attr(target_os = "android", jnix(package = "net.mullvad.talpid.model"))]
 pub enum Connectivity {
-    #[cfg(not(target_os = "android"))]
     Status {
         /// Whether IPv4 connectivity seems to be available on the host.
         ipv4: bool,
         /// Whether IPv6 connectivity seems to be available on the host.
         ipv6: bool,
     },
-    #[cfg(target_os = "android")]
-    Status {
-        /// Whether _any_ connectivity seems to be available on the host.
-        connected: bool,
-    },
     /// On/offline status could not be verified, but we have no particular
     /// reason to believe that the host is offline.
     PresumeOnline,
@@ -592,7 +590,6 @@ impl Connectivity {
 
     /// If no IP4 nor IPv6 routes exist, we have no way of reaching the internet
     /// so we consider ourselves offline.
-    #[cfg(not(target_os = "android"))]
     pub fn is_offline(&self) -> bool {
         matches!(
             self,
@@ -606,23 +603,7 @@ impl Connectivity {
     /// Whether IPv6 connectivity seems to be available on the host.
     ///
     /// If IPv6 status is unknown, `false` is returned.
-    #[cfg(not(target_os = "android"))]
     pub fn has_ipv6(&self) -> bool {
         matches!(self, Connectivity::Status { ipv6: true, .. })
     }
-
-    /// Whether IPv6 connectivity seems to be available on the host.
-    ///
-    /// If IPv6 status is unknown, `false` is returned.
-    #[cfg(target_os = "android")]
-    pub fn has_ipv6(&self) -> bool {
-        self.is_online()
-    }
-
-    /// If the host does not have configured IPv6 routes, we have no way of
-    /// reaching the internet so we consider ourselves offline.
-    #[cfg(target_os = "android")]
-    pub fn is_offline(&self) -> bool {
-        matches!(self, Connectivity::Status { connected: false })
-    }
 }