Feature/auto vpn #777

Open
gitzone83 wants to merge 1 commit into tailscale:main from gitzone83:feature/auto-vpn

@gitzone83
Summary

Add an Auto-VPN Manager that automatically enables/disables the Tailscale VPN tunnel based on the device's current network connection. When enabled, VPN is disabled on user-configured trusted Wi-Fi networks and enabled automatically on untrusted Wi-Fi, cellular data, or when no network is connected (fail-secure).

Motivation

Most commercial VPN clients already include network-based auto-connect as a core feature:

  • NordVPN --- "Auto-connect" with trusted Wi-Fi network list; VPN activates on untrusted networks
  • ExpressVPN --- "Network Protection" that auto-connects on untrusted Wi-Fi and cellular
  • Mullvad VPN --- "Auto-connect" on untrusted networks, with per-SSID trust configuration
  • Surfshark --- "Auto-connect" with trusted network whitelist
  • WireGuard (Android) --- Supports "always-on VPN" at the OS level, but lacks network-aware toggling
  • OpenVPN Connect --- Supports trusted network detection via "Seamless Tunnel"

Tailscale's Android client currently lacks this capability --- users must manually toggle VPN on/off when moving between home and public networks. This creates two problems:

  1. Security risk: Users forget to enable VPN on untrusted networks (coffee shops, hotels, airports), exposing traffic
  2. Unnecessary overhead: VPN stays active on trusted home networks where it isn't needed, adding latency and battery drain for local network traffic

The Auto-VPN feature addresses both by applying a simple, proven model: maintain a user-defined list of trusted SSIDs, and automatically toggle VPN based on whether the current network is trusted. This is the same approach used by the VPN clients listed above, and is the most commonly requested missing feature in Tailscale's mobile clients.

The implementation is fail-secure by design --- if the SSID cannot be determined (location permission denied, transient state, unknown network), VPN defaults to enabled, ensuring the user is never left unprotected.

New files

  • autoconnect/TrustedNetworks.kt --- SharedPreferences persistence for trusted SSID list and feature toggle
  • autoconnect/NetworkWatcher.kt --- ConnectivityManager.NetworkCallback with debounced evaluation, VPN network filtering, action deduplication, and triple SSID detection fallback
  • ui/view/TrustedNetworksView.kt --- Jetpack Compose settings screen with feature toggle, current network detection, manual SSID entry, trusted network list, and runtime location permission
    handling
  • ui/viewModel/TrustedNetworksViewModel.kt --- ViewModel with re-evaluation on settings changes

Modified files

  • App.kt --- Register/unregister NetworkWatcher in lifecycle
  • MainActivity.kt --- Add "trustedNetworks" route and SettingsNav callback
  • SettingsView.kt --- Add Auto-VPN menu entry in settings
  • SettingsViewModel.kt --- Extend SettingsNav with onNavigateToTrustedNetworks
  • Permissions.kt --- Add ACCESS_FINE_LOCATION to permissions list
  • AndroidManifest.xml --- Add ACCESS_FINE_LOCATION permission
  • strings.xml --- Add auto_vpn, permission_location string resources

Technical notes

  • SSID detection uses triple fallback: NetworkCapabilities.transportInfo >> WifiManager.connectionInfo >> WifiManager.scanResults (matched by BSSID) for Android 12-16 compatibility
  • Network callbacks are debounced (2s) to prevent rapid toggling from signal strength changes
  • VPN network events (TRANSPORT_VPN) are filtered in callbacks and evaluateCurrent() iterates cm.allNetworks instead of using cm.activeNetwork, since VPN becomes the active network when
    running
  • Settings changes (add/remove SSID, toggle feature) trigger immediate re-evaluation

Test plan

  • Auto-VPN settings screen accessible from Settings
  • Feature enable/disable toggle works
  • Location permission prompted on enable
  • Current SSID detected and displayed (Android 16)
  • "Trust current network" button adds SSID, VPN disables
  • Removing trusted network enables VPN
  • Manual SSID entry works
  • VPN enables on cellular / no network
  • No feedback loop when VPN starts (VPN network filtered)
  • No rapid toggling (debounced callbacks)
  • Location permission shows in Settings >> Permissions
  • Tested on Samsung and Pixel phones, Android 16 (API 36); tested also on Samsung Galaxy Tab 5
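
The decision rules described in the summary and technical notes above (fail-secure default, VPN network filtering, action deduplication), as an added example that is not code from this pull request. It is plain Kotlin without Android APIs; every type and function name is hypothetical, and giving Wi-Fi precedence when cellular is also up is an assumption.

```kotlin
// Added illustration: pure Kotlin, no Android APIs. All names are hypothetical.
enum class Transport { WIFI, CELLULAR, VPN }
enum class VpnAction { ENABLE, DISABLE }

// ssid is null when it could not be read (e.g. location permission denied).
data class Net(val transport: Transport, val ssid: String? = null)

// Android reports SSIDs wrapped in double quotes and uses "<unknown ssid>"
// as a placeholder; normalise both so neither can match a trusted entry.
fun normalizeSsid(raw: String?): String? {
    val s = raw?.trim()?.removeSurrounding("\"") ?: return null
    return if (s.isEmpty() || s == "<unknown ssid>") null else s
}

// Fail-secure decision: DISABLE only on a positively identified trusted SSID.
fun decide(networks: List<Net>, trusted: Set<String>): VpnAction {
    // Ignore the tunnel itself, otherwise starting the VPN re-triggers evaluation.
    val underlying = networks.filter { it.transport != Transport.VPN }
    // Assumption: when Wi-Fi and cellular coexist, Wi-Fi carries the traffic.
    val wifi = underlying.firstOrNull { it.transport == Transport.WIFI }
        ?: return VpnAction.ENABLE          // cellular only, or no network
    val ssid = normalizeSsid(wifi.ssid)
        ?: return VpnAction.ENABLE          // SSID unknown
    return if (ssid in trusted) VpnAction.DISABLE else VpnAction.ENABLE
}

// Action deduplication: report an action only when it differs from the last one.
class Deduper {
    private var last: VpnAction? = null
    fun next(action: VpnAction): VpnAction? =
        if (action == last) null else action.also { last = it }
}

fun main() {
    val trusted = setOf("HomeNet")           // constructed sample data
    val dedupe = Deduper()
    val scenarios = listOf(
        "trusted Wi-Fi" to listOf(Net(Transport.WIFI, "\"HomeNet\"")),
        "trusted Wi-Fi + VPN up" to listOf(Net(Transport.VPN), Net(Transport.WIFI, "\"HomeNet\"")),
        "untrusted Wi-Fi" to listOf(Net(Transport.WIFI, "\"CafeGuest\"")),
        "SSID unreadable" to listOf(Net(Transport.WIFI, "<unknown ssid>")),
        "cellular" to listOf(Net(Transport.CELLULAR)),
        "no network" to emptyList<Net>()
    )
    for ((name, nets) in scenarios) {
        val action = decide(nets, trusted)
        println("$name -> $action (emitted: ${dedupe.next(action) ?: "none, unchanged"})")
    }
}
```

Only the first and third scenarios emit an action; the others repeat the previous decision and are suppressed, which is what keeps a VPN start from feeding back into another toggle.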

@gitzone83
Author

Some screenshots of what the feature looks like ...

A new section in the settings

image

Auto VPN section

image

and permissions

image

Location is required to gain access to WiFi SSID information.

Add an Auto-VPN Manager that automatically enables/disables the Tailscale
VPN tunnel based on the device's current network connection. When enabled,
VPN is disabled on user-configured trusted Wi-Fi networks and enabled
automatically on untrusted Wi-Fi, cellular data, or when no network is
connected (fail-secure).

New files:
- autoconnect/TrustedNetworks.kt: SharedPreferences persistence for
  trusted SSID list and feature toggle
- autoconnect/NetworkWatcher.kt: ConnectivityManager.NetworkCallback
  with debounced evaluation, VPN network filtering, action deduplication,
  SSID retry on null, and triple SSID detection fallback
- ui/view/TrustedNetworksView.kt: Jetpack Compose settings screen with
  feature toggle, current network detection, manual SSID entry, trusted
  network list, and runtime location permission handling
- ui/viewModel/TrustedNetworksViewModel.kt: ViewModel with re-evaluation
  on settings changes

Modified files:
- App.kt: Register NetworkWatcher in onCreate()/onTerminate()
- MainActivity.kt: Add "trustedNetworks" route and SettingsNav callback
- SettingsView.kt: Add Auto-VPN menu entry in settings
- SettingsViewModel.kt: Extend SettingsNav with onNavigateToTrustedNetworks
- Permissions.kt: Add ACCESS_FINE_LOCATION to permissions list
- AndroidManifest.xml: Add ACCESS_FINE_LOCATION permission
- strings.xml: Add auto_vpn, permission_location string resources

Updates tailscale/tailscale#19408

Signed-off-by: Marek Hajduczenia <mxhajduczenia@gmail.com>