https://github.com/Acionyx/tunguska/compare/v0.11.2...v0.11.3/

Tunguska is a security-focused Android VPN client for managed encrypted tunnels. Rather than being tied to one specific protocol family, it is built around a saved profile library, explicit routing policies, runtime compatibility guidance, and fail-closed Android VPN behavior. Product Focus Tunguska prioritizes user control, runtime capability clarity, and privacy-safe daily operation: - Encrypted local profile library with explicit active-profile selection. - Staged local profile import review prior to making manual profile storage changes. - Provider subscription feeds featuring automatic add/import, automatic refresh, read-only subscribed profiles, and a top-level Subscriptions screen. - Multi-protocol profile editing with lane-specific runtime guidance. - Comprehensive routing options, including full-tunnel, app allowlist, app denylist, routing presets, adblock, named custom routing rules, and offline route simulation. - Default-on sing-box routing hardening that rejects traffic when Android cannot identify the source app's owner. - Reusable app-tunneling configurations, an optional global routing policy, and a curated Russian-apps direct-exclusion template. - Clear status visibility across Home, notifications, Quick Settings, and diagnostics, showing: ready, connecting, protected, degraded, attention, retrying, and idle states. - Persistent Android notification featuring runtime control, privacy-aware status text, and traffic speed details (displayed only when Enhanced Security is turned off). - Android Quick Settings tile with generic start/stop/status behavior that hides profiles, endpoints, IPs, or connection speeds. - Opt-in Enhanced Security mode that hides notification details, protects sensitive screens from screenshots, marks copied secrets as sensitive, and disables the automation relay while automation is off. - Compact Home traffic-speed chart, one-minute latency probes, runtime resilience telemetry, and redacted advanced diagnostics. - Runtime recovery after standard Android service recreation, task removal, Doze exit, screen wake, user unlock, and default-network handoffs. - Font-scale-aware layouts validated against compact, default, Poco-like, and expanded screens with English and Russian UI verification. - Owner-encrypted bug report exports assembled from the current state and recent in-memory events; silent app-data migration for same-signer updates; versioned portable migration backups for reinstallation/device migration; and canonical JSON/share-link exports where supported by the profile family. - Metadata-only in-app update checks with user-controlled "skip this version" and auto-check settings; Tunguska never auto-downloads or auto-installs APKs. - Optional token-gated automation for controlled external orchestration. App Structure The app is organized into five main sections: - Home: Displays protection state, active profile picker, traffic chart, ping/speed summary, connect/disconnect controls, and current or exit IP. - Profiles: Houses the saved profile library, staged imports, Tunguska profile/bundle links, QR/image payloads, duplicate warnings, detail cards, JSON/share/export actions, and created/modified timestamps. - Subscriptions: Manages saved provider feeds, add/edit/delete source actions, automatic add/import, manual refresh, update-on-open/background refresh, and read-only grouped subscription profiles. - Routing: Configures app tunneling with searchable installed-app selection, reusable/global routing policies, Russia direct/local bypass/adblock presets, named direct/proxy/block rules, and offline route tests. - Settings: Controls security posture, Enhanced Security, encrypted bug report exports, migration backups, automation, update checks, statistics preferences, the About section, and advanced diagnostics. Supported Profile Model Tunguska stores profiles as a canonical typed model and projects each profile into the selected runtime lane at connect time. Supported profile shapes include: - VLESS + REALITY with TCP, HTTP, WebSocket, gRPC, HTTP Upgrade, QUIC, XHTTP, SplitHTTP, packet encoding, and ML-DSA-65 fields where supported by the selected lane. - VMess - Trojan - Shadowsocks, including prefix links through the sing-box embedded sidecar path. - SOCKS - HTTP proxy - Hysteria1 and Hysteria2 - TUIC - WireGuard - SSH - AnyTLS - ShadowTLS - NaiveProxy - OpenVPN .ovpn profiles, imported into a dedicated OpenVPN runtime lane. Imports and Exports Supported imports include protocol share links, Tunguska profile and bundle links, WireGuard config text, OpenVPN .ovpn text/file imports with selected sidecar files, image/camera QR input (where supported by Android), and canonical JSON ProfileIr. AnyTLS, ShadowTLS, NaiveProxy, WireGuard, SSH, and OpenVPN currently use canonical JSON or their native config text for full-fidelity export instead of using public share-link round trips. VLESS URL query snapshots are preserved so lane-specific details—such as XHTTP, SplitHTTP, and ML-DSA-65 settings—are not lost even when another runtime cannot consume them. VLESS packetEncoding imports are normalized, editable, shared, and projected to the sing-box lane when configured. Protocol Coverage Summary - VLESS + REALITY Import: Yes Edit: Yes Share / Export: Yes Runtime Lane: sing-box and Xray, depending on the transport. - VMess / Trojan Import: Yes Edit: Yes Share / Export: Yes Runtime Lane: sing-box and Xray, subject to tun2socks limitations. - Shadowsocks Import: Yes Edit: Yes Share / Export: Yes Runtime Lane: sing-box and plain Xray; prefix handling requires a sing-box sidecar. - SOCKS / HTTP proxy Import: Yes Edit: Yes Share / Export: Yes Runtime Lane: sing-box and Xray, subject to tun2socks limitations. - Hysteria1 / Hysteria2 / TUIC Import: Yes Edit: Yes Share / Export: Yes Runtime Lane: sing-box embedded. - WireGuard / SSH Import: Yes Edit: Yes Share / Export: Canonical JSON Runtime Lane: sing-box embedded. - AnyTLS / ShadowTLS / NaiveProxy Import: Canonical JSON Edit: Yes Share / Export: Canonical JSON Runtime Lane: sing-box embedded. - OpenVPN .ovpn Import: Yes Edit: Raw .ovpn editor Share / Export: Canonical JSON Runtime Management Runtime support is strictly lane-specific: - SINGBOX_EMBEDDED: The primary embedded lane for the broad protocol set, DNS, routing, and native TUN behavior. - XRAY_TUN2SOCKS: The compatibility lane for VLESS + REALITY shapes. This includes transports currently exposed only by the pinned Xray path (such as XHTTP and SplitHTTP), as well as pinned Xray projections for VMess, Trojan, plain Shadowsocks, SOCKS, and HTTP proxy profiles. - OPENVPN3_EMBEDDED: The dedicated lane for imported OpenVPN .ovpn profiles. Tunguska bundles OpenVPN 3 Core native artifacts for the shipped ABIs and maps pushed addresses, routes, DNS, MTU, and per-app policies into the Android VpnService. The selected runtime never silently downgrades an unsupported profile. Instead, Tunguska displays capability guidance and blocks unsupported starts with a specific error message. While connected, Tunguska monitors default-network handoffs and executes low-frequency routed recovery probes. Repeated probe failures restart the active lane rather than leaving a stale dataplane state marked as healthy. Removing Tunguska from Android Recents is not treated as a hidden disconnect: the foreground VPN service maintains the encrypted resume request and either keeps the active tunnel alive or restarts it via the same recovery path. However, an explicit Disconnect, VPN permission revocation, startup failure, or a fail-closed state will clear all transient runtime states. Traffic statistics are stored exclusively in memory. The current history window keeps up to five minutes of one-second samples and drops older samples automatically. This feature can be disabled from the Statistics screen; disabling it clears current samples and replaces the Home chart with a neutral disabled state. Security Posture Tunguska treats the following vectors as security-critical: - No unauthenticated localhost proxy surface. - No enabled Xray or sing-box management APIs. - No release-path debug listeners. - Fail-closed behavior on runtime health or exposure violations. - Encrypted local profile and automation storage. - Explicit import validation for unsafe flags, debug endpoints, and insecure TLS settings. - Owner-encrypted bug reports built from redacted state and transient in-memory events. - Token-gated automation through an explicit exported activity, rather than a public start/stop API. - Owner-restricted transient runtime files stored under the app-private cache, with sing-box runtime configs deleted immediately after native startup. - Release artifacts published exclusively through GitHub Releases accompanied by checksums. On Android builds that restrict low-level socket inventory, Tunguska reports a limited exposure check instead of claiming full listener-audit confidence. Enhanced Security is disabled by default. When enabled, it reduces notification, clipboard, screenshot, and disabled-automation relay exposure. However, it does not hide the Android system VPN indicator, package identity, or platform-level VPN transport observations. Privacy Tunguska does not include analytics, advertising identifiers, or telemetry by default. Profile material, routing policies, runtime status, and automation metadata remain strictly local unless the user explicitly connects, exports an artifact, shares a profile, or enables an optional integration. Public-IP probes are a user-facing feature for current/exit IP display; they are not used for analytics. Routing Tunguska supports multiple routing modes: - Full Tunnel: Routes all traffic through the VPN. - Default Full Tunnel: Routes all traffic through the VPN with no destination direct rules unless a preset or custom rule is explicitly enabled. - App Allowlist: Only selected apps use the VPN. - App Denylist: Selected apps bypass the VPN (stay direct) while all other traffic uses the tunnel. - Reusable per-profile app-tunneling configurations. - An optional global app-tunneling policy that overrides profile-linked policies when enabled. - An action-only Russian apps template that checks matching installed apps for direct exclusion. - Russia direct, local/private bypass, and adblock presets that materialize as visible routing rules. - Explicit direct, proxy, and block rules. - DNS Policy Modes: Default System DNS, stricter Android network DNS, explicit VPN DNS, and custom encrypted DNS. - Offline route simulation. The Russian apps template is a source-backed package manifest for actual installed apps. It is not a saved policy object and is not capped by an arbitrary package count; applying it simply updates the visible app switches for user review, adjustment, undo, and saving. The route test is a policy simulation. It does not generate actual network traffic and remains operational even when the VPN is disconnected. Automation Automation is strictly opt-in and designed for controlled orchestrators like Anubis. It is disabled by default, token-gated, rotatable, and backed by the same runtime control path used by the UI and notification controls. Updates and Migration Standard updates install a newer APK over the existing app, preserving Android's app-private data. Starting with the stable release-signing line, public release APKs are signed with a single pinned release certificate, allowing Android to verify that a newer APK is authorized to replace the installed one. Tunguska then runs a silent, automatic migration on the first startup for that installed versionCode. Any migration failures are displayed in Settings -> Security and included in owner-encrypted bug reports. For uninstallation/reinstallation or device transfers, use Settings -> Security -> Migration backup before removing Tunguska. The migration backup is a versioned, encrypted JSON envelope protected by a user-defined passphrase. During restoration, the app reads the backup schema version and applies fixed migrations before importing profiles, subscription sources, selected language, update settings, statistics configurations, Enhanced Security states, and per-profile runtime metadata. Automation tokens are intentionally excluded from restoration. Some early internal APKs were signed with different test certificates. Android cannot update those builds in place; to upgrade, install the new release after removing the old app and re-import your profiles, or use a migration backup created by a newer build that supports this feature. License The open-source license covers the Android client code exclusively. It does not grant paid server access, production credentials, private backend APIs, or any rights to use the Tunguska brand for modified builds. GNU General Public License v3.0