Translation of the Official VpnService Documentation

I have been using VpnService in a project recently, so I put together some material from the official documentation.

 

VpnService is a base class for applications to extend and build their own VPN solutions. In general, it creates a virtual network interface, configures addresses and routing rules, and returns a file descriptor to the application. Each read from the descriptor retrieves an outgoing packet which was routed to the interface. Each write to the descriptor injects an incoming packet just as if it had been received from the interface. The interface runs on Internet Protocol (IP), so packets always start with IP headers. The application then completes a VPN connection by processing and exchanging packets with the remote server over a tunnel.


Letting applications intercept packets raises huge security concerns. A VPN application can easily break the network. Besides, two of them may conflict with each other. The system takes several actions to address these issues. Here are some key points:


  • User action is required the first time an application creates a VPN connection. 
  • There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created.
  • A system-managed notification is shown during the lifetime of a VPN connection.
  • A system-managed dialog gives the information of the current VPN connection. It also provides a button to disconnect.
  • The network is restored automatically when the file descriptor is closed. This also covers the cases where a VPN application crashes or is killed by the system.

 


There are two primary methods in this class: prepare(Context) and establish(). The former deals with user action and stops the VPN connection created by another application. The latter creates a VPN interface using the parameters supplied to the VpnService.Builder. An application must call prepare(Context) to grant the right to use other methods in this class, and the right can be revoked at any time. Here are the general steps to create a VPN connection:

 


  1. When the user presses the button to connect, call prepare(Context) and launch the returned intent, if non-null.
  2. When the application becomes prepared, start the service.
  3. Create a tunnel to the remote server and negotiate the network parameters for the VPN connection.
  4. Supply those parameters to a VpnService.Builder and create a VPN interface by calling establish().
  5. Process and exchange packets between the tunnel and the returned file descriptor.
  6. When onRevoke() is invoked, close the file descriptor and shut down the tunnel gracefully.
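
The steps above, sketched as a service. This is an added example, not code from the Android documentation or from the original post; the server address and port, the session name and the interface parameters are placeholders for values a real client would negotiate, and step 1 is assumed to have been completed in the calling activity.

```java
import android.content.Intent;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.DatagramChannel;

// Added example: all addresses and parameters are placeholders, not negotiated values.
public class ExampleVpnService extends VpnService {
    private volatile ParcelFileDescriptor tun;   // descriptor returned by establish()
    private volatile DatagramChannel tunnel;     // transport to the remote server
    private Thread worker;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // Step 2: started only after prepare(Context) returned null or was approved.
        if (worker == null) { worker = new Thread(this::run, "vpn-worker"); worker.start(); }
        return START_STICKY;
    }

    private void run() {
        try {
            // Step 3: protect() keeps the tunnel socket out of the VPN (no routing loop).
            // A real tunnel must also authenticate the server and encrypt the traffic.
            tunnel = DatagramChannel.open();
            if (!protect(tunnel.socket())) throw new IOException("protect() failed");
            tunnel.connect(new InetSocketAddress("192.0.2.1", 8000)); // placeholder server
            // Step 4: fixed values stand in for the negotiated parameters.
            tun = new Builder().setSession("example").setMtu(1400)
                    .addAddress("10.0.0.2", 32).addRoute("0.0.0.0", 0).establish();
            if (tun == null) return;             // application is not prepared
            // Step 5, outgoing direction only; the reverse path writes to the descriptor.
            FileInputStream in = new FileInputStream(tun.getFileDescriptor());
            ByteBuffer packet = ByteBuffer.allocate(32767);
            while (!Thread.interrupted()) {
                int n = in.read(packet.array()); // one IP packet per read
                if (n > 0) { packet.limit(n); tunnel.write(packet); packet.clear(); }
                else Thread.sleep(100);          // descriptor is non-blocking by default
            }
        } catch (IOException | InterruptedException e) { /* revoked or network failure */ }
    }

    @Override
    public void onRevoke() {
        // Step 6: closing the descriptor lets the system restore normal routing.
        if (worker != null) worker.interrupt();
        try { if (tun != null) tun.close(); if (tunnel != null) tunnel.close(); }
        catch (IOException ignored) { }
        stopSelf();
    }
}
```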

 


Services that extend this class need to be declared with the appropriate permission and intent filter. Access to them must be secured by the BIND_VPN_SERVICE permission, and their intent filter must match the SERVICE_INTERFACE action. Here is an example of declaring a VPN service in AndroidManifest.xml:

<service android:name=".ExampleVpnService"
         android:permission="android.permission.BIND_VPN_SERVICE">
    <intent-filter>
        <action android:name="android.net.VpnService"/>
    </intent-filter>
</service>

 
