Implemented Experimental <INCLUDE> split tunnelling support. (#5)

Implemented Experimental <INCLUDE> split tunnelling support.

This adds a prototype "include-mode" routing model for Android VPN configuration, addressing long-standing user requests for selectively tunneling only chosen applications.

When enabled, the VPN builder whitelists specific package names rather than excluding all others. This avoids the need to maintain long exclude lists and supports targeted routing (e.g., only browsers, music players, etc).

Details: Implemented a UI toggle button which turns on split tunneling, and which then presents the option to either include or exclude app packages in the VPNBuilder, without having to use MDM. *When Split tunnelling is disabled, the app excludes all packages in builtInDisallowedPackageNames by default, mirroring existing default functionality when no packages are manually added to the exclude list*
If Included or Excluded packages are included by MDM, the split tunneling toggle is vacuously turned on -- and user include/exclude lists are ignored.

Limitations: DNS resolver traffic can fail under include-mode when Tailscale DNS is active (different results observed across 3 devices). Disabling Tailscale DNS appears to mitigate the issue, but the underlying resolver interaction remains open for analysis. Feedback, testing results, and alternative approaches from developers or knowledgeable users are welcome and appreciated.

This commit is intended as a discussion basis / RFC for upstream consideration and iteration :)

---------

Signed-off-by: Danial Ramzan <danialramzan@gmail.com>

Author: danialramzan

android/src/main/java/com/tailscale/ipn/App.kt

@@ -426,7 +426,11 @@ open class UninitializedApp : Application() {
     // the VPN (i.e. we're logged in and machine is authorized).
     private const val ABLE_TO_START_VPN_KEY = "ableToStartVPN"
     private const val DISALLOWED_APPS_KEY = "disallowedApps"
-    // File for shared preferences that are not encrypted.
+      private const val ALLOWED_APPS_KEY = "allowedApps"
+      private const val SPLIT_TUNNEL_KEY = "splitTunnelEnabled"
+      private const val SPLIT_TUNNEL_MODE_KEY = "split_tunnel_mode"
+
+      // File for shared preferences that are not encrypted.
     private const val UNENCRYPTED_PREFERENCES = "unencrypted"
     private lateinit var appInstance: UninitializedApp
     lateinit var notificationManager: NotificationManagerCompat
@@ -599,19 +603,73 @@ open class UninitializedApp : Application() {
     this.restartVPN()
   }
 
-  fun disallowedPackageNames(): List<String> {
+    fun updateUserAllowedPackageNames(packageNames: List<String>) {
+        if (packageNames.any { it.isEmpty() }) {
+            TSLog.e(TAG, "updateUserAllowedPackageNames called with empty packageName(s)")
+            return
+        }
+        getUnencryptedPrefs().edit().putStringSet(ALLOWED_APPS_KEY, packageNames.toSet()).apply()
+        this.restartVPN()
+    }
+
+    fun isSplitTunnelEnabled(): Boolean =
+        getUnencryptedPrefs().getBoolean(SPLIT_TUNNEL_KEY, false)
+
+    fun setSplitTunnelEnabled(enabled: Boolean) {
+        getUnencryptedPrefs().edit().putBoolean(SPLIT_TUNNEL_KEY, enabled).apply()
+        restartVPN()
+    }
+
+    fun setSplitTunnelMode(mode: SplitTunnelMode) {
+        getUnencryptedPrefs().edit()
+            .putString(SPLIT_TUNNEL_MODE_KEY, mode.name)
+            .apply()
+        restartVPN()
+    }
+
+    fun getSplitTunnelMode(): SplitTunnelMode {
+        val stored = getUnencryptedPrefs().getString(SPLIT_TUNNEL_MODE_KEY, null)
+        return if (stored != null) {
+            SplitTunnelMode.valueOf(stored)
+        } else {
+            SplitTunnelMode.EXCLUDE
+        }
+    }
+
+
+
+
+    fun disallowedPackageNames(): List<String> {
     val mdmDisallowed =
         MDMSettings.excludedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
-    if (mdmDisallowed.isNotEmpty()) {
+
+        if (mdmDisallowed.isNotEmpty()) {
       TSLog.d(TAG, "Excluded application packages were set via MDM: $mdmDisallowed")
       return builtInDisallowedPackageNames + mdmDisallowed
     }
+
     val userDisallowed =
         getUnencryptedPrefs().getStringSet(DISALLOWED_APPS_KEY, emptySet())?.toList() ?: emptyList()
     return builtInDisallowedPackageNames + userDisallowed
   }
 
-  fun getAppScopedViewModel(): AppViewModel {
+
+    fun allowedPackageNames(): List<String> {
+        val mdmAllowed =
+            MDMSettings.includedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
+
+        if (mdmAllowed.isNotEmpty()) {
+            TSLog.d(TAG, "Included application packages were set via MDM: $mdmAllowed")
+            return mdmAllowed
+        }
+
+        val userAllowed =
+            getUnencryptedPrefs().getStringSet(ALLOWED_APPS_KEY, emptySet())?.toList() ?: emptyList()
+        return userAllowed
+    }
+
+
+    fun getAppScopedViewModel(): AppViewModel {
     return appViewModel
   }
 
@@ -640,4 +698,9 @@ open class UninitializedApp : Application() {
           // Android Connectivity Service https://github.com/tailscale/tailscale/issues/14128
           "com.google.android.apps.scone",
       )
+
+    enum class SplitTunnelMode {
+        INCLUDE,
+        EXCLUDE
+    }
 }

android/src/main/java/com/tailscale/ipn/IPNService.kt

@@ -149,39 +149,82 @@ open class IPNService : VpnService(), libtailscale.IPNService {
     }
   }
 
-  override fun newBuilder(): VPNServiceBuilder {
-    val b: Builder =
-        Builder()
-            .setConfigureIntent(configIntent())
-            .allowFamily(OsConstants.AF_INET)
-            .allowFamily(OsConstants.AF_INET6)
-    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
-      b.setMetered(false) // Inherit the metered status from the underlying networks.
-    }
-    b.setUnderlyingNetworks(null) // Use all available networks.
-
-    val includedPackages: List<String> =
-        MDMSettings.includedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
-    if (includedPackages.isNotEmpty()) {
-      // If an admin defined a list of packages that are exclusively allowed to be used via
-      // Tailscale,
-      // then only allow those apps.
-      for (packageName in includedPackages) {
-        TSLog.d(TAG, "Including app: $packageName")
-        b.addAllowedApplication(packageName)
-      }
-    } else {
-      // Otherwise, prevent certain apps from getting their traffic + DNS routed via Tailscale:
-      // - any app that the user manually disallowed in the GUI
-      // - any app that we disallowed via hard-coding
-      for (disallowedPackageName in UninitializedApp.get().disallowedPackageNames()) {
-        TSLog.d(TAG, "Disallowing app: $disallowedPackageName")
-        disallowApp(b, disallowedPackageName)
-      }
+    private fun allowApp(b: Builder, name: String) {
+        try {
+            b.addAllowedApplication(name)
+        } catch (e: PackageManager.NameNotFoundException) {
+            TSLog.d(TAG, "Failed to add allowed application: $e")
+        }
     }
 
-    return VPNServiceBuilder(b)
-  }
+    override fun newBuilder(): VPNServiceBuilder {
+        val b: Builder =
+            Builder()
+                .setConfigureIntent(configIntent())
+                .allowFamily(OsConstants.AF_INET)
+                .allowFamily(OsConstants.AF_INET6)
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+            b.setMetered(false) // Inherit the metered status from the underlying networks.
+        }
+        b.setUnderlyingNetworks(null) // Use all available networks.
+
+        val app = UninitializedApp.get()
+
+        val mdmAllowed = MDMSettings.includedPackages.flow.value.value?.
+        split(",")?.map { it.trim() }?.filter { it.isNotEmpty() } ?: emptyList()
+        val mdmDisallowed = MDMSettings.excludedPackages.flow.value.value?.
+        split(",")?.map { it.trim() }?.filter { it.isNotEmpty() } ?: emptyList()
+
+        val splitEnabled = app.isSplitTunnelEnabled()
+        val mode = app.getSplitTunnelMode()
+
+        when {
+            mdmAllowed.isNotEmpty() -> {
+                TSLog.d(TAG, "MDM include mode, allowed = $mdmAllowed")
+                mdmAllowed.forEach { pkg ->
+                    TSLog.d(TAG, "Including app via MDM: $pkg")
+                    allowApp(b, pkg)
+                }
+            }
+
+            mdmDisallowed.isNotEmpty() -> {
+                val effectiveDisallowed = app.builtInDisallowedPackageNames + mdmDisallowed
+                TSLog.d(TAG, "MDM exclude mode, disallowed = $effectiveDisallowed")
+                effectiveDisallowed.forEach { pkg ->
+                    TSLog.d(TAG, "Disallowing app via MDM: $pkg")
+                    disallowApp(b, pkg)
+                }
+            }
+
+            !splitEnabled -> {
+                TSLog.d(TAG, "Split tunneling disabled; using built-in disallowed only")
+                app.builtInDisallowedPackageNames.forEach { pkg ->
+                    TSLog.d(TAG, "Disallowing built-in app: $pkg")
+                    disallowApp(b, pkg)
+                }
+            }
+
+            mode == UninitializedApp.SplitTunnelMode.INCLUDE -> {
+                val userAllowed = app.allowedPackageNames()
+                TSLog.d(TAG, "User INCLUDE mode; allowed = $userAllowed")
+                userAllowed.forEach { pkg ->
+                    TSLog.d(TAG, "Including app via user INCLUDE: $pkg")
+                    allowApp(b, pkg)
+                }
+            }
+
+            else -> {
+                val effectiveDisallowed = app.disallowedPackageNames()
+                TSLog.d(TAG, "User EXCLUDE mode; disallowed = $effectiveDisallowed")
+                effectiveDisallowed.forEach { pkg ->
+                    TSLog.d(TAG, "Disallowing app via user EXCLUDE/built-in: $pkg")
+                    disallowApp(b, pkg)
+                }
+            }
+        }
+
+        return VPNServiceBuilder(b)
+    }
 
   companion object {
     const val ACTION_START_VPN = "com.tailscale.ipn.START_VPN"

android/src/main/java/com/tailscale/ipn/ui/model/Ipn.kt

@@ -120,6 +120,7 @@ class Ipn {
         CorpDNSSet = true
       }
 
+
     var ExitNodeID: StableNodeID? = null
       set(value) {
         field = value

android/src/main/java/com/tailscale/ipn/ui/view/SettingsView.kt

@@ -89,7 +89,7 @@ fun SettingsView(
           Lists.ItemDivider()
           Setting.Text(
               R.string.split_tunneling,
-              subtitle = stringResource(R.string.exclude_certain_apps_from_using_tailscale),
+              subtitle = stringResource(R.string.include_or_exclude_certain_apps_from_using_tailscale),
               onClick = settingsNav.onNavigateToSplitTunneling)
 
           if (showTailnetLock.value == ShowHide.Show) {