android: fix Auto-VPN network evaluation stability

mhajduczenia · mhajduczenia · commit e6389f9225af · 2026-04-12T20:04:11.000-06:00
Fix several issues with the Auto-VPN network watcher:

- Add debouncing (2s) to prevent rapid-fire callback evaluation
- Track lastAction to deduplicate redundant enable/disable calls
- Filter out VPN network events in callbacks to prevent feedback loops
  where starting VPN triggers new network events
- Use cm.allNetworks instead of cm.activeNetwork in evaluateCurrent()
  so the underlying Wi-Fi network is found even when VPN is active
- Add WifiManager.scanResults as third SSID detection fallback for
  Android 12+ where transportInfo and connectionInfo return unknown
- Add diagnostic logging for SSID detection method and trusted list matching
- Re-evaluate network state when user adds/removes trusted networks
  or toggles the Auto-VPN feature
- Expose networkWatcher from App for ViewModel access
diff --git a/android/src/main/java/com/tailscale/ipn/App.kt b/android/src/main/java/com/tailscale/ipn/App.kt
@@ -89,7 +89,8 @@ class App : UninitializedApp(), libtailscale.AppContext, ViewModelStoreOwner {
 
   private val appViewModelStore: ViewModelStore by lazy { ViewModelStore() }
   var healthNotifier: HealthNotifier? = null
-  private lateinit var networkWatcher: NetworkWatcher
+  lateinit var networkWatcher: NetworkWatcher
+    private set
 
   override fun getPlatformDNSConfig(): String = dns.dnsConfigAsString
 
diff --git a/android/src/main/java/com/tailscale/ipn/autoconnect/NetworkWatcher.kt b/android/src/main/java/com/tailscale/ipn/autoconnect/NetworkWatcher.kt
@@ -10,6 +10,8 @@ import android.net.NetworkCapabilities
 import android.net.NetworkRequest
 import android.net.wifi.WifiInfo
 import android.net.wifi.WifiManager
+import android.os.Handler
+import android.os.Looper
 import com.tailscale.ipn.App
 import com.tailscale.ipn.ui.model.Ipn
 import com.tailscale.ipn.ui.notifier.Notifier
@@ -21,6 +23,9 @@ class NetworkWatcher(private val context: Context) {
       context.getSystemService(Context.CONNECTIVITY_SERVICE) as ConnectivityManager
 
   private var registered = false
+  private val handler = Handler(Looper.getMainLooper())
+  private var pendingEvaluation: Runnable? = null
+  private var lastAction: String? = null
 
   fun register() {
     if (registered) return
@@ -40,6 +45,13 @@ class NetworkWatcher(private val context: Context) {
     registered = false
   }
 
+  private fun scheduleEvaluation() {
+    pendingEvaluation?.let { handler.removeCallbacks(it) }
+    val runnable = Runnable { evaluateCurrent() }
+    pendingEvaluation = runnable
+    handler.postDelayed(runnable, DEBOUNCE_MS)
+  }
+
   private val callback =
       object : ConnectivityManager.NetworkCallback() {
 
@@ -48,38 +60,63 @@ class NetworkWatcher(private val context: Context) {
             caps: NetworkCapabilities
         ) {
           if (!TrustedNetworks.isEnabled(context)) return
-
-          val isWifi = caps.hasTransport(NetworkCapabilities.TRANSPORT_WIFI)
-          val isCellular = caps.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)
-
-          when {
-            isWifi -> handleWifi(caps)
-            isCellular -> enableVpn()
-          }
+          // Ignore VPN network changes — they are created by us
+          if (caps.hasTransport(NetworkCapabilities.TRANSPORT_VPN)) return
+          scheduleEvaluation()
         }
 
         override fun onLost(network: Network) {
           if (!TrustedNetworks.isEnabled(context)) return
-          enableVpn()
+          scheduleEvaluation()
         }
       }
 
-  private fun handleWifi(caps: NetworkCapabilities) {
+  private fun getSsid(caps: NetworkCapabilities): String? {
+    // Method 1: transportInfo from NetworkCapabilities
     var ssid =
         (caps.transportInfo as? WifiInfo)?.ssid?.trim('"')
             ?.takeIf { it.isNotBlank() && it != "<unknown ssid>" }
+    if (ssid != null) {
+      TSLog.d(TAG, "SSID from transportInfo: $ssid")
+      return ssid
+    }
 
-    // Fallback to WifiManager
-    if (ssid == null) {
-      val wm = context.getSystemService(Context.WIFI_SERVICE) as WifiManager
-      @Suppress("DEPRECATION")
-      ssid = wm.connectionInfo?.ssid?.trim('"')
-          ?.takeIf { it.isNotBlank() && it != "<unknown ssid>" }
+    // Method 2: WifiManager.connectionInfo (deprecated but works on some Android 12+ devices)
+    val wm = context.getSystemService(Context.WIFI_SERVICE) as WifiManager
+    @Suppress("DEPRECATION")
+    ssid = wm.connectionInfo?.ssid?.trim('"')
+        ?.takeIf { it.isNotBlank() && it != "<unknown ssid>" }
+    if (ssid != null) {
+      TSLog.d(TAG, "SSID from WifiManager: $ssid")
+      return ssid
     }
 
+    // Method 3: WifiManager.scanResults — match by BSSID from connectionInfo
+    @Suppress("DEPRECATION")
+    val bssid = wm.connectionInfo?.bssid
+    if (bssid != null) {
+      ssid = wm.scanResults
+          ?.firstOrNull { it.BSSID == bssid }
+          ?.SSID
+          ?.trim('"')
+          ?.takeIf { it.isNotBlank() }
+      if (ssid != null) {
+        TSLog.d(TAG, "SSID from scanResults: $ssid")
+        return ssid
+      }
+    }
+
+    TSLog.d(TAG, "Could not determine SSID")
+    return null
+  }
+
+  private fun handleWifi(caps: NetworkCapabilities) {
+    val ssid = getSsid(caps)
+
     if (ssid == null) return
 
     val trusted = TrustedNetworks.load(context)
+    TSLog.d(TAG, "SSID='$ssid' trusted_list=$trusted match=${ssid in trusted}")
     if (ssid in trusted) {
       disableVpn()
     } else {
@@ -88,35 +125,64 @@ class NetworkWatcher(private val context: Context) {
   }
 
   private fun enableVpn() {
+    if (lastAction == "enable") return
     val state = Notifier.state.value
-    if (state == Ipn.State.Running) return
+    if (state == Ipn.State.Running) {
+      lastAction = "enable"
+      return
+    }
+    lastAction = "enable"
     TSLog.d(TAG, "Enabling VPN (auto-vpn)")
     App.get().startVPN()
   }
 
   private fun disableVpn() {
+    if (lastAction == "disable") return
     val state = Notifier.state.value
-    if (state != Ipn.State.Running) return
+    if (state != Ipn.State.Running) {
+      lastAction = "disable"
+      return
+    }
+    lastAction = "disable"
     TSLog.d(TAG, "Disabling VPN (trusted network)")
     App.get().stopVPN()
   }
 
+  fun reevaluate() {
+    lastAction = null
+    evaluateCurrent()
+  }
+
   fun evaluateCurrent() {
     if (!TrustedNetworks.isEnabled(context)) return
-    val network = cm.activeNetwork ?: run { enableVpn(); return }
-    val caps = cm.getNetworkCapabilities(network) ?: run { enableVpn(); return }
 
-    val isWifi = caps.hasTransport(NetworkCapabilities.TRANSPORT_WIFI)
-    val isCellular = caps.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)
+    // Find the underlying Wi-Fi or cellular network, skipping VPN
+    var wifiCaps: NetworkCapabilities? = null
+    var hasCellular = false
+
+    for (network in cm.allNetworks) {
+      val caps = cm.getNetworkCapabilities(network) ?: continue
+      if (caps.hasTransport(NetworkCapabilities.TRANSPORT_VPN)) continue
+      if (caps.hasTransport(NetworkCapabilities.TRANSPORT_WIFI)) {
+        wifiCaps = caps
+        break // Wi-Fi takes priority
+      }
+      if (caps.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)) {
+        hasCellular = true
+      }
+    }
+
+    TSLog.d(TAG, "evaluateCurrent: wifi=${wifiCaps != null} cellular=$hasCellular")
 
     when {
-      isWifi -> handleWifi(caps)
-      isCellular -> enableVpn()
+      wifiCaps != null -> handleWifi(wifiCaps)
+      hasCellular -> enableVpn()
       else -> enableVpn()
     }
   }
 
   companion object {
     private const val TAG = "NetworkWatcher"
+    private const val DEBOUNCE_MS = 2000L
   }
 }
diff --git a/android/src/main/java/com/tailscale/ipn/ui/viewModel/TrustedNetworksViewModel.kt b/android/src/main/java/com/tailscale/ipn/ui/viewModel/TrustedNetworksViewModel.kt
@@ -10,6 +10,7 @@ import android.net.NetworkCapabilities
 import android.net.wifi.WifiInfo
 import android.net.wifi.WifiManager
 import androidx.lifecycle.AndroidViewModel
+import com.tailscale.ipn.App
 import com.tailscale.ipn.autoconnect.TrustedNetworks
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.StateFlow
@@ -32,19 +33,26 @@ class TrustedNetworksViewModel(application: Application) : AndroidViewModel(appl
     refreshCurrentSsid()
   }
 
+  private fun reevaluate() {
+    App.get().networkWatcher.reevaluate()
+  }
+
   fun setEnabled(enabled: Boolean) {
     TrustedNetworks.setEnabled(ctx, enabled)
     _enabled.value = enabled
+    reevaluate()
   }
 
   fun addSsid(ssid: String) {
     TrustedNetworks.add(ctx, ssid)
     _trustedSsids.value = TrustedNetworks.load(ctx)
+    reevaluate()
   }
 
   fun removeSsid(ssid: String) {
     TrustedNetworks.remove(ctx, ssid)
     _trustedSsids.value = TrustedNetworks.load(ctx)
+    reevaluate()
   }
 
   fun refreshCurrentSsid() {
