VpnManager

public class VpnManager
extends Object

java.lang.Object
   ↳ android.net.VpnManager


This class provides an interface for apps to manage platform VPN profiles

Apps can use this API to provide profiles with which the platform can set up a VPN without further app intermediation. When a VPN profile is present and the app is selected as an always-on VPN, the platform will directly trigger the negotiation of the VPN without starting or waking the app (unlike VpnService).

VPN apps using supported protocols should preferentially use this API over the VpnService API for ease-of-development and reduced maintenance burden. This also give the user the guarantee that VPN network traffic is not subjected to on-device packet interception.

See also:

Summary

Constants

String ACTION_VPN_MANAGER_EVENT

Action sent in Intents to VpnManager clients when an event occurred.

String CATEGORY_EVENT_ALWAYS_ON_STATE_CHANGED

The always-on state of this VPN was changed

This may be the result of a user changing VPN settings, or a Device Policy Manager app having changed the VPN policy.

String CATEGORY_EVENT_DEACTIVATED_BY_USER

The user deactivated the VPN.

String CATEGORY_EVENT_IKE_ERROR

An IKE protocol error occurred.

String CATEGORY_EVENT_NETWORK_ERROR

A network error occurred.

int ERROR_CLASS_NOT_RECOVERABLE

EXTRA_ERROR_CLASS coding for a non-recoverable error.

int ERROR_CLASS_RECOVERABLE

EXTRA_ERROR_CLASS coding for a recoverable error.

int ERROR_CODE_NETWORK_IO

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR indicating an input/output error.

int ERROR_CODE_NETWORK_LOST

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR indicating that network connectivity was lost.

int ERROR_CODE_NETWORK_PROTOCOL_TIMEOUT

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR indicating a timeout.

int ERROR_CODE_NETWORK_UNKNOWN_HOST

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR to indicate that the network host isn't known.

String EXTRA_ERROR_CLASS

Extra for the error class, as an int.

String EXTRA_ERROR_CODE

Extra for an error code, as an int.

String EXTRA_SESSION_KEY

The key of the session that experienced this event, as a String.

String EXTRA_TIMESTAMP_MILLIS

A long timestamp containing the time at which the event occurred.

String EXTRA_UNDERLYING_LINK_PROPERTIES

The LinkProperties of the underlying network when the event occurred.

String EXTRA_UNDERLYING_NETWORK

The network that was underlying the VPN when the event occurred, as a Network.

String EXTRA_UNDERLYING_NETWORK_CAPABILITIES

The NetworkCapabilities of the underlying network when the event occurred.

String EXTRA_VPN_PROFILE_STATE

The VpnProfileState at the time that this event occurred.

Public methods

void deleteProvisionedVpnProfile()

Delete the VPN profile configuration that was provisioned by the calling app

VpnProfileState getProvisionedVpnProfileState()

Retrieve the VpnProfileState for the profile provisioned by the calling package.

Intent provisionVpnProfile(PlatformVpnProfile profile)

Install a VpnProfile configuration keyed on the calling app's package name.

void startProvisionedVpnProfile()

This method was deprecated in API level 33. This method is replaced by startProvisionedVpnProfileSession which returns a session key for the caller to diagnose the errors.

String startProvisionedVpnProfileSession()

Request the startup of a previously provisioned VPN.

void stopProvisionedVpnProfile()

Tear down the VPN provided by the calling app (if any)

Inherited methods

Constants

ACTION_VPN_MANAGER_EVENT

Added in API level 33
public static final String ACTION_VPN_MANAGER_EVENT

Action sent in Intents to VpnManager clients when an event occurred.

If the provisioning application declares a service handling this intent action, but is not already running, it will be started. Upon starting, the application is granted a short grace period to run in the background even while the device is idle to handle any potential failures. Applications requiring long-running actions triggered by one of these events should declare a foreground service to prevent being killed once the grace period expires. This action will have a category of either CATEGORY_EVENT_IKE_ERROR, CATEGORY_EVENT_NETWORK_ERROR, or CATEGORY_EVENT_DEACTIVATED_BY_USER, that the app can use to filter events it's interested in reacting to. It will also contain the following extras :

When this event is an error, either CATEGORY_EVENT_IKE_ERROR or CATEGORY_EVENT_NETWORK_ERROR, the following extras will be populated :

Constant Value: "android.net.action.VPN_MANAGER_EVENT"

CATEGORY_EVENT_ALWAYS_ON_STATE_CHANGED

Added in API level 33
public static final String CATEGORY_EVENT_ALWAYS_ON_STATE_CHANGED

The always-on state of this VPN was changed

This may be the result of a user changing VPN settings, or a Device Policy Manager app having changed the VPN policy.

Constant Value: "android.net.category.EVENT_ALWAYS_ON_STATE_CHANGED"

CATEGORY_EVENT_DEACTIVATED_BY_USER

Added in API level 33
public static final String CATEGORY_EVENT_DEACTIVATED_BY_USER

The user deactivated the VPN. This can happen either when the user turns the VPN off explicitly, or when they select a different VPN provider.

Constant Value: "android.net.category.EVENT_DEACTIVATED_BY_USER"

CATEGORY_EVENT_IKE_ERROR

Added in API level 33
public static final String CATEGORY_EVENT_IKE_ERROR

An IKE protocol error occurred. Codes (in EXTRA_ERROR_CODE) are the codes from IkeProtocolException, as defined by IANA in "IKEv2 Notify Message Types - Error Types".

Constant Value: "android.net.category.EVENT_IKE_ERROR"

CATEGORY_EVENT_NETWORK_ERROR

Added in API level 33
public static final String CATEGORY_EVENT_NETWORK_ERROR

A network error occurred. Error codes (in EXTRA_ERROR_CODE) are ERROR_CODE_NETWORK_*.

Constant Value: "android.net.category.EVENT_NETWORK_ERROR"

ERROR_CLASS_NOT_RECOVERABLE

Added in API level 33
public static final int ERROR_CLASS_NOT_RECOVERABLE

EXTRA_ERROR_CLASS coding for a non-recoverable error. This error is fatal, e.g. configuration error. The stack will not retry connection.

Constant Value: 1 (0x00000001)

ERROR_CLASS_RECOVERABLE

Added in API level 33
public static final int ERROR_CLASS_RECOVERABLE

EXTRA_ERROR_CLASS coding for a recoverable error. The stack experienced an error but will retry with exponential backoff, e.g. network timeout.

Constant Value: 2 (0x00000002)

ERROR_CODE_NETWORK_IO

Added in API level 33
public static final int ERROR_CODE_NETWORK_IO

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR indicating an input/output error. This code happens when reading or writing to sockets on the underlying networks was terminated by an I/O error. .

See also:

Constant Value: 3 (0x00000003)

ERROR_CODE_NETWORK_LOST

Added in API level 33
public static final int ERROR_CODE_NETWORK_LOST

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR indicating that network connectivity was lost. The most common reason for this error is that the underlying network was disconnected, .

Constant Value: 2 (0x00000002)

ERROR_CODE_NETWORK_PROTOCOL_TIMEOUT

Added in API level 33
public static final int ERROR_CODE_NETWORK_PROTOCOL_TIMEOUT

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR indicating a timeout. For Ikev2 VPNs, this happens typically after a retransmission failure.

Constant Value: 1 (0x00000001)

ERROR_CODE_NETWORK_UNKNOWN_HOST

Added in API level 33
public static final int ERROR_CODE_NETWORK_UNKNOWN_HOST

An EXTRA_ERROR_CODE for CATEGORY_EVENT_NETWORK_ERROR to indicate that the network host isn't known. This happens when domain name resolution could not resolve an IP address for the specified host.

Constant Value: 0 (0x00000000)

EXTRA_ERROR_CLASS

Added in API level 33
public static final String EXTRA_ERROR_CLASS

Extra for the error class, as an int. This is always either ERROR_CLASS_NOT_RECOVERABLE or ERROR_CLASS_RECOVERABLE. This extra is only populated for error categories.

Constant Value: "android.net.extra.ERROR_CLASS"

EXTRA_ERROR_CODE

Added in API level 33
public static final String EXTRA_ERROR_CODE

Extra for an error code, as an int.

For non-error categories, this extra is not populated.

Constant Value: "android.net.extra.ERROR_CODE"

EXTRA_SESSION_KEY

Added in API level 33
public static final String EXTRA_SESSION_KEY

The key of the session that experienced this event, as a String. This is the same key that was returned by startProvisionedVpnProfileSession().

Constant Value: "android.net.extra.SESSION_KEY"

EXTRA_TIMESTAMP_MILLIS

Added in API level 33
public static final String EXTRA_TIMESTAMP_MILLIS

A long timestamp containing the time at which the event occurred. This is a number of milliseconds since the epoch, suitable to be compared with System.currentTimeMillis().

Constant Value: "android.net.extra.TIMESTAMP_MILLIS"

Added in API level 33
public static final String EXTRA_UNDERLYING_LINK_PROPERTIES

The LinkProperties of the underlying network when the event occurred.

This extra will be null if there was no underlying network at the time of the event, or the underlying network has no bearing on the event, as in the case of:

  • CATEGORY_EVENT_DEACTIVATED_BY_USER
  • CATEGORY_EVENT_ALWAYS_ON_STATE_CHANGED

Constant Value: "android.net.extra.UNDERLYING_LINK_PROPERTIES"

EXTRA_UNDERLYING_NETWORK

Added in API level 33
public static final String EXTRA_UNDERLYING_NETWORK

The network that was underlying the VPN when the event occurred, as a Network.

This extra will be null if there was no underlying network at the time of the event, or the underlying network has no bearing on the event, as in the case of:

  • CATEGORY_EVENT_DEACTIVATED_BY_USER
  • CATEGORY_EVENT_ALWAYS_ON_STATE_CHANGED

Constant Value: "android.net.extra.UNDERLYING_NETWORK"

EXTRA_UNDERLYING_NETWORK_CAPABILITIES

Added in API level 33
public static final String EXTRA_UNDERLYING_NETWORK_CAPABILITIES

The NetworkCapabilities of the underlying network when the event occurred.

This extra will be null if there was no underlying network at the time of the event, or the underlying network has no bearing on the event, as in the case of:

  • CATEGORY_EVENT_DEACTIVATED_BY_USER
  • CATEGORY_EVENT_ALWAYS_ON_STATE_CHANGED

Constant Value: "android.net.extra.UNDERLYING_NETWORK_CAPABILITIES"

EXTRA_VPN_PROFILE_STATE

Added in API level 33
public static final String EXTRA_VPN_PROFILE_STATE

The VpnProfileState at the time that this event occurred.

This extra may be null if the VPN was revoked by the user, or the profile was deleted.

Constant Value: "android.net.extra.VPN_PROFILE_STATE"

Public methods

deleteProvisionedVpnProfile

Added in API level 30
public void deleteProvisionedVpnProfile ()

Delete the VPN profile configuration that was provisioned by the calling app

Throws
SecurityException if this would violate user settings

getProvisionedVpnProfileState

Added in API level 33
public VpnProfileState getProvisionedVpnProfileState ()

Retrieve the VpnProfileState for the profile provisioned by the calling package.

Returns
VpnProfileState the VpnProfileState with current information, or null if there was no profile provisioned and started by the calling package.

provisionVpnProfile

Added in API level 30
public Intent provisionVpnProfile (PlatformVpnProfile profile)

Install a VpnProfile configuration keyed on the calling app's package name.

This method returns null if user consent has already been granted, or an Intent to a system activity. If an intent is returned, the application should launch the activity using Activity#startActivityForResult to request user consent. The activity may pop up a dialog to require user action, and the result will come back via its Activity.onActivityResult(int, int, Intent). If the result is Activity#RESULT_OK, the user has consented, and the VPN profile can be started.

Parameters
profile PlatformVpnProfile: the VpnProfile provided by this package. Will override any previous VpnProfile stored for this package. This value cannot be null.

Returns
Intent an Intent requesting user consent to start the VPN, or null if consent is not required based on privileges or previous user consent.

startProvisionedVpnProfile

Added in API level 30
Deprecated in API level 33
public void startProvisionedVpnProfile ()

This method was deprecated in API level 33.
This method is replaced by startProvisionedVpnProfileSession which returns a session key for the caller to diagnose the errors.

Request the startup of a previously provisioned VPN.

Throws
SecurityException exception if user or device settings prevent this VPN from being setup, or if user consent has not been granted

startProvisionedVpnProfileSession

Added in API level 33
public String startProvisionedVpnProfileSession ()

Request the startup of a previously provisioned VPN.

Returns
String A unique key corresponding to this session. This value cannot be null.

Throws
SecurityException exception if user or device settings prevent this VPN from being setup, or if user consent has not been granted

stopProvisionedVpnProfile

Added in API level 30
public void stopProvisionedVpnProfile ()

Tear down the VPN provided by the calling app (if any)