VpnService

这段时间项目中使用到了VpnService，整理了一下官方文档的资料

VpnService is a base class for applications to extend and build their own VPN solutions. In general, it creates a virtual network interface, configures addresses and routing rules, and returns a file descriptor to the application. Each read from the descriptor retrieves an outgoing packet which was routed to the interface. Each write to the descriptor injects an incoming packet just like it was received from the interface. The interface is running on Internet Protocol (IP), so packets are always started with IP headers. The application then completes a VPN connection by processing and exchanging packets with the remote server over a tunnel.

VpnService是一个基类，用于应用扩展和构建自己的VPN解决方案。通常，它会创建一个虚拟网络接口、配置地址和路由规则，并返回一个文件描述给应用。每次读取描述都会去检索一个路由到接口的输出数据包。每次写入描述都会注入一个输入数据包，就像从接口收到的一样。这个接口运行在IP协议上，所以这些包总是以IP头开始。应用利用通道上的远程服务器处理和交换数据包，实现VPN连接。

Letting applications intercept packets raises huge security concerns. A VPN application can easily break the network. Besides, two of them may conflict with each other. The system takes several actions to address these issues. Here are some key points:

让应用程序截获数据包会引起巨大的安全问题。一个VPN应用能够轻易地破坏网络。此外，两者之间可能会互相冲突。系统采取了一系列措施来解决这些问题。以下是一些要点：

• User action is required the first time an application creates a VPN connection.　
• There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created.
• A system-managed notification is shown during the lifetime of a VPN connection.
• A system-managed dialog gives the information of the current VPN connection. It also provides a button to disconnect.
• The network is restored automatically when the file descriptor is closed. It also covers the cases when a VPN application is crashed or killed by the system.

• 应用第一次创建VPN连接需要用户操作。
• 同一时刻只能运行一个VPN连接。当一个新的VPN被创建时，已经存在的会失效。
• 在VPN连接的生命周期中，会显示一个系统管理级通知。
• 一个系统管理级的对话框提供当前VPN连接的信息。也提供了一个按钮去关闭连接。
• 当文件描述关闭时，网络会自动恢复。当一个VPN应用崩溃或者被系统杀死后，它的配置仍然有效。

There are two primary methods in this class: prepare(Context) and establish(). The former deals with user action and stops the VPN connection created by another application. The latter creates a VPN interface using the parameters supplied to the VpnService.Builder. An application must call prepare(Context) to grant the right to use other methods in this class, and the right can be revoked at any time. Here are the general steps to create a VPN connection:

这个类中有两个主要的方法：prepare(Context)和establish()。前者用于用户操作和停止在其他应用中创建的VPN连接。后者使用参数创建一个VPN接口提供给VpnService.Builder。应用必须调用prepare(Context)授权，才能使用本类中的其他方法，并且权限可以随时撤销。以下是创建一个VPN连接的一般步骤：

1. When the user presses the button to connect, call prepare(Context) and launch the returned intent, if non-null.
2. When the application becomes prepared, start the service.
3. Create a tunnel to the remote server and negotiate the network parameters for the VPN connection.
4. Supply those parameters to a VpnService.Builder and create a VPN interface by calling establish().
5. Process and exchange packets between the tunnel and the returned file descriptor.
6. When onRevoke() is invoked, close the file descriptor and shut down the tunnel gracefully.

1. 当用户按下Button去连接时，调用prepare(Context)返回一个intent，如果这个intent不为空，就启动它。
2. 当应用准备好后，启动这个服务。
3. 创建一个到远程服务器的通道，为VPN连接协商网络参数。
4. 提供这些参数给VpnService.Builder，通过调用它establish()创建一个VPN接口。
5. 在通道与返回的文件描述之间，处理和交换数据包。
6. 当onRevoke()被调用时，优雅地关闭文件描述与通道。

Services extended this class need to be declared with appropriate permission and intent filter. Their access must be secured by BIND_VPN_SERVICE permission, and their intent filter must match SERVICE_INTERFACE action. Here is an example of declaring a VPN service in AndroidManifest.xml:

 <service android:name=".ExampleVpnService"
          android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
          <action android:name="android.net.VpnService"/>
      </intent-filter>
 </service>

继承自此类的Services需要声明权限和intent filter。它们必须通过BIND_VPN_SERVICE权限才能安全访问，并且它们的intent filter必须匹配SERVICE_INTERFACE的action。以下是在AndroidManifest.xml中声明一个VPN service的案例：

  <service android:name=".ExampleVpnService"
          android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
          <action android:name="android.net.VpnService"/>
      </intent-filter>
  </service>