Allow apps to bypass the VPN

[bemasc]

In practice, apps could easily bypass Intra anyway, e.g. by
sending queries to a hardcoded resolver. Explicitly allowing
bypass fixes #18 (interference with some WebRTC-based apps).

[cjhenck]

LGTM

[ignoramous]

Isn't allowBypass required only for apps that don't offer full routing (unlike Intra which does route all of the IPv4 space)?

I read the source and I see either RULE_PRIORITY_SECURE_VPN or RULE_PRIORITY_BYPASSABLE_VPN fwmarks set on netId and sockets depending on if the VPN is secure (which it is when allowBypass is not set or the VPN is in "lockdown mode" aka the "Block connections without VPN" mode settable by the user through Android's VPN settings), which (I am not sure) are used to make routing decisions later?

Regardless, it remains unclear to me whether webrtc ICE sessions benefit from allowBypass? Is there a way to validate this?

An unintended effect of setting allowBypass is the VPN is without Internet connectivity if the user also chooses to start it in "lockdown mode": Ref; and so, allowBypass must be unset when the VPN is locked-down, like so celzero/rethink-app@71e1a840b, to unblock connectivity to the Internet.

[ignoramous]

Isn't allowBypass required only for apps that don't offer full routing (unlike Intra which does route all of the IPv4 space)?

In addition to this, it might be worth taking a look at IntraVpnService#setUnderlyingNetworks which only adds one network, the current active-network, but could also add all other networks the OS is connected to (with active-network in the first position in the array).

Also: allowBypass, from the documentation, lets an app bind its sockets to any network, but if all networks are also bound to VPN, then they might not need to bypass the VPN in the first place?