m/rdp-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

3

Browse Source
This commit is contained in:
Mikhail
2026-05-18 21:33:39 +03:00
parent 5096155d83
commit 469fa0e860
94 changed files with 8761 additions and 8003 deletions
Download Patch File Download Diff File Expand all files Collapse all files
clients/android/README.md
+26 -8
View File
@@ -1,18 +1,25 @@
# RAP Android VPN
This is the Android client for the experimental RAP VPN service.
This is the Android mobile node build with the `vpn-client` service enabled.
Implemented now:
- login through `/auth/login`;
- trusted-device reconnect through `/auth/refresh` without retyping the password
while the device session is valid;
- load organization-scoped VPN client profile from `/clusters/{clusterID}/vpn/client-profile`;
- installation as a first-class fabric node with an embedded QUIC bootstrap
seed set. The seed set is not a backend selector: it contains every known
public or local entry candidate that may help the node join the fabric from
its current network.
- runtime launch uses a persisted `fabric_bootstrap_config`, not a backend API
URL. The Android node starts by attaching to the fabric through bootstrap
peers and then discovers/uses services through fabric rules.
- login and trusted-device refresh through the QUIC fabric control channel;
- load organization-scoped VPN client profile through the fabric control channel;
- request Android VPN permission and create a `VpnService` TUN interface;
- run as a normal fabric node with the `vpn-client` service role. The local
`VpnService` TUN is the IPv4 ingress for that node, and packet channels are
routed by the farm to an authorized `ipv4-egress` pool. HTTP batch fallback
and old VPN protocols are not part of the supported test path.
routed by the farm to an authorized `ipv4-egress` pool. The supported
dataplane is the QUIC fabric runtime only. HTTP batch forwarding, WebSocket
packet relay, direct backend packet relay, and old VPN protocols are removed
from the runtime path.
- user-facing HOME-first screen: connect/disconnect is primary, while backend,
cluster, organization, login, and password are kept in the settings dialog;
- saved connection settings in app preferences so repeat connects do not require
@@ -20,12 +27,23 @@ Implemented now:
- encrypted refresh-token storage through Android Keystore. If the trusted
device session is revoked or expires, the app asks for the password once and
then rotates the device keys/profile again.
- no separate diagnostic foreground service: runtime status is reported by the
node/VPN service itself, so the Android build does not keep a parallel legacy
control process alive.
This is still a lab runtime. The required target model is Android as a farm
node with the `vpn-client` role. The VPN service must attach to the mesh as
that node and route to an authorized IPv4 exit pool; there is no separate VPN
entry point. Exit configuration is always pool based, including pools that
currently contain only one node.
currently contain only one node. A phone installed in a closed network may join
through local seed nodes from that network; it does not need direct Internet
access if a nearby fabric node can route onward.
Current code contract:
- Android control bootstrap field: `fabric_bootstrap_config`
- Android runtime dataplane: QUIC `Fabricvpn` runtime only
- Android runtime status keys: `fabric_transport_*`
Build from this repository on Windows: