login through /auth/login;
trusted-device reconnect through /auth/refresh without retyping the password while the device session is valid;
load organization-scoped VPN client profile from /clusters/{clusterID}/vpn/client-profile;
request Android VPN permission and create a VpnService TUN interface;
relay TUN packets through the Control Plane HTTP packet relay to the active home-1 gateway lease.
user-facing HOME-first screen: connect/disconnect is primary, while backend, cluster, organization, login, and password are kept in the settings dialog;
saved connection settings in app preferences so repeat connects do not require retyping the profile.
encrypted refresh-token storage through Android Keystore. If the trusted device session is revoked or expires, the app asks for the password once and then rotates the device keys/profile again.

This is still a lab runtime, not a production WireGuard/IPsec implementation. The active Linux gateway node must be able to create /dev/net/tun, run ip, sysctl, and iptables, and enable NAT for 10.77.0.0/24.

Build from this repository on Windows:

$env:ANDROID_HOME="C:\Android\Sdk"
$env:ANDROID_SDK_ROOT="C:\Android\Sdk"
pwsh -ExecutionPolicy Bypass -File ..\..\scripts\android\build-android-apk.ps1
adb install -r app/build/outputs/apk/debug/app-debug.apk

Or run directly from the project:

$env:ANDROID_HOME="C:\Android\Sdk"
$env:ANDROID_SDK_ROOT="C:\Android\Sdk"
gradle assembleDebug