Refactor RDP proxy handling and update related tests

clients/android/README.md

@@ -9,8 +9,10 @@ Implemented now:
   while the device session is valid;
 - load organization-scoped VPN client profile from `/clusters/{clusterID}/vpn/client-profile`;
 - request Android VPN permission and create a `VpnService` TUN interface;
-- relay TUN packets through the Control Plane HTTP packet relay to the active
-  `home-1` gateway lease.
+- run as a normal fabric node with the `vpn-client` service role. The local
+  `VpnService` TUN is the IPv4 ingress for that node, and packet channels are
+  routed by the farm to an authorized `ipv4-egress` pool. HTTP batch fallback
+  and old VPN protocols are not part of the supported test path.
 - user-facing HOME-first screen: connect/disconnect is primary, while backend,
   cluster, organization, login, and password are kept in the settings dialog;
 - saved connection settings in app preferences so repeat connects do not require
@@ -19,9 +21,11 @@ Implemented now:
   device session is revoked or expires, the app asks for the password once and
   then rotates the device keys/profile again.
 
-This is still a lab runtime, not a production WireGuard/IPsec implementation.
-The active Linux gateway node must be able to create `/dev/net/tun`, run `ip`,
-`sysctl`, and `iptables`, and enable NAT for `10.77.0.0/24`.
+This is still a lab runtime. The required target model is Android as a farm
+node with the `vpn-client` role. The VPN service must attach to the mesh as
+that node and route to an authorized IPv4 exit pool; there is no separate VPN
+entry point. Exit configuration is always pool based, including pools that
+currently contain only one node.
 
 Build from this repository on Windows: