tranquivox69

Android TV - VPN connection at startup. Why OpenVPN for Android can do it and Eddie not?


Basically all in the title. I know Android TV 10 removed the VPN options (eternal shame on Google for this) that would be relevant for this functionality.
I use AndroidTV 12.
But OpenVPN for Android still manages to connect when the machine starts. Is there a reason why Eddie cannot do it or something I could do to achieve the same result?

Thank you.

@tranquivox69

Hello!

Eddie 3.2.1 can not start and connect during the device bootstrap without "Always on VPN". This limitation is being removed and we expect that Eddie 3.3.0 will have this problem fully addressed. 

Kind regards
 

1 hour ago, Staff said:

Eddie can not start and connect during the device bootstrap without "Always on VPN". The fact that OpenVPN for Android can is unexpected, as the mentioned option was deemed as compulsory to connect to a VPN during the bootstrap. Can you please tell us your device brand and model?

Same thing with Wireguard: https://github.com/zaneschepke/wgtunnel

I am using a DuneHD Homatics 4K R Plus. I have tested both after a complete reboot (took the power connector out and reinserted, so as to avoid any doubt).

Thanks for looking into this. I'd be happy to use Eddie, if at all possible, to serve my needs.


One thing: maybe both apps (Open VPN for Android and WG Tunnel) do not actually start the connection at boot. But they do start it immediately when the machine is ready, without user intervention.

This has most definitely added value for the end user, IMHO, it 100% has value for me specifically.
WG Tunnel being open source can probably show what the dev does to achieve this.

12 hours ago, tranquivox69 said:

One thing: maybe both apps (Open VPN for Android and WG Tunnel) do not actually start the connection at boot. But they do start it immediately when the machine is ready, without user intervention.

This has most definitely added value for the end user, IMHO, it 100% has value for me specifically.
WG Tunnel being open source can probably show what the dev does to achieve this.


Hello!

Of course. We will study the matter carefully and we will update this thread.

Kind regards
 


Hello!

The trick (an idea to be verified) is using the current broadcast receiver, implemented in the app since its initial release, without verifying "Always on VPN" (Eddie should not refuse to be configured to start at boot if "Always on VPN" is not available).

However, this procedure does not work anymore in Android 14 and above, because it is now forbidden to start activities in background. Eddie was planned to pretend "Always on VPN" on various Android versions, otherwise it refuses to start at bootstrap. Since other programs do not verify the activation of that option, they can still start and connect at bootstrap on Android TV 10, 11, 12, 13 versions.

By removing "Always on VPN" and preventing background activities Google closed the loophole of automatic VPN connections during the bootstrap which, we suspect, is detrimental for marketing and profiling reasons. The same decision was taken by various Chinese companies even for Android (and not just TV). 
EDIT: the above sentence in italic is incorrect. While it's true that background activities are extremely limited or forbidden in Android TV 14 and 15, after a deeper investigation, we ascertained that "Always on VPN" and "Block traffic if VPN is inactive" were removed from the UI of Android TV, but they are fully implemented on Android TV just like they are in Android. The framework support is complete and can easily be activated; however, the activation could be hindered by device manufacturer, for purposes related to OEM protections and DRM. Please see here: https://airvpn.org/forums/topic/65815-android-tv-vpn-connection-at-startup-why-openvpn-for-android-can-do-it-and-eddie-not/?do=findComment&comment=255925

Kind regards

 

20 hours ago, Staff said:

Hello!

The trick (an idea to be verified) is using the current broadcast receiver, implemented in the app since its initial release, without verifying "Always on VPN" (Eddie should not refuse to be configured to start at boot if "Always on VPN" is not available).

However, this procedure does not work anymore in Android 14 and above, because it is now forbidden to start activities in background. Eddie was planned to pretend "Always on VPN" on various Android versions, otherwise it refuses to start at bootstrap. Since other programs do not verify the activation of that option, they can still start and connect at bootstrap on Android TV 10, 11, 12, 13 versions.

By removing "Always on VPN" and preventing background activities Google closed the loophole of automatic VPN connections during the bootstrap which, we suspect, is detrimental for marketing and profiling reasons. The same decision was taken by various Chinese companies even for Android (and not just TV).

In Android 14 and 15, the "Always on VPN" option becomes mandatory and it will allow start & connection during the bootstrap even though background activities are not allowed.

Therefore the solution cannot be considered as "universal" but yes, we think we can implement it to overcome the current Eddie limitation, at least it will work in Android TV from 10 to 13.

Kind regards
 

Thanks a lot for looking into it.

So, as I understand it... till Android 13 it could be possible to have it work as I see WG Tunnel working.

I don't understand the differences you describe for Android 14 and 15. You state "Google closed the loophole of automatic VPN connections during bootstrap". But then "In Android 13 and 14 the "Always On VPN" option becomes mandatory and it will allow start & connection during bootstrap even though background activities are not allowed".

Could you explain again what happens with 14 and 15? Sorry for being thick... And great news about implementing it in Eddie. Definitely looking forward to it.

Posted ... (edited)
On 12/3/2024 at 1:27 PM, tranquivox69 said:

Could you explain again


Hello!
  • Android 14 and 15 and Android TV 14 and 15 do not allow background activities;
  • Android 14 and 15 however do have "Always on VPN", unless deleted by the manufacturer;
  • Android TV 10, 11, 12, 13, 14 and 15 do not have "Always on VPN"; edit: incorrect, they do have such functionalities, but they are not exposed on the user interface
  • Android TV 10, 11, 12, 13 allow background activities.
Therefore:
  • on Android TV 14 and 15 the connection to a VPN during the device bootstrap remains impossible on an un-rooted device; incorrect - please follow the updates to this thread
  • on Android 14 and 15 connection to a VPN during the bootstrap is possible in spite of the forbidden background activities, thanks to "Always on VPN";
  • on Android TV 10, 11, 12, 13, connection to a VPN during the bootstrap is possible in spite of lack of "Always on VPN" feature because background activities are allowed. However Eddie, unlike the other apps you mentioned, will not take advantage of it, due to a coded limitation according to which it doesn't let you configure app start at bootstrap if you are on Android TV. This is Eddie's part that needs to be re-designed and re-implemented in order to allow connection at boot on Android TV 10, 11, 12, and 13.

Kind regards
  Edited ... by Staff

On 12/3/2024 at 2:32 PM, Staff said:
  • However Eddie, unlike the other apps you mentioned, will not take advantage of it, due to a coded limitation according to which it doesn't let you configure app start at bootstrap if "Always on VPN" is not available on any Android TV 10 and higher versions and other specific Android versions. This is Eddie's part that needs to be re-designed and re-implemented in order to allow connection at boot on Android TV 10, 11, 12, and 13.

Did you manage to update EDDIE? Just ran into this issue with Philips Google TV running Android 12. Managed to install app, set up everything, but app isn't starting with TV.

Is there maybe a solution to start EDDIE and automatically connect every time I start one other app on TV, as a second option?

On 1/11/2025 at 5:25 PM, Mikeyy said:

Did you manage to update EDDIE? Just ran into this issue with Philips Google TV running Android 12. Managed to install app, set up everything, but app isn't starting with TV.

Is there maybe a solution to start EDDIE and automatically connect every time I start one other app on TV, as a second option?


Hello!

Currently not, we're sorry. However, Eddie 3.3.0 is addressing this problem.

Kind regards
 


Hello!

We're glad to update this thread for due clarifications and additional options for advanced users. Please note that this post pertains only to Android TV, not to Android.

In Android TV, Google removed the "Always on VPN" and "Block connections without VPN" features from the user interface for customer experience related issues, but such features remain implemented, available and working. However, their activation requires "advanced" usage. Furthermore, the device manufacturer is free to hinder their usage.

For the above reasons, Eddie 3.3 will implement an additional, comfortable and not "Always on VPN" based procedure to start and connect to AirVPN during the device bootstrap on all Android TV versions currently available, so you won't need any complex procedure: you'll just have to turn on an option.

In spite of the above, we wish to inform you how to activate, when possible, both "Always on VPN" and "Block connections without VPN" for Eddie on Android TV, because those options together are a very convenient leak prevention method regardless of the procedure that can be used to start Eddie either during the device bootstrap or not.

Please be aware that you proceed at your own risk and do not modify any other field in any database table. Should you do so, you could brick your device and the only way out would be forcing a factory reset. Consider dumping the secure table before any modification.
 

Prepare the device to accept shell commands

  1. Activate developer's options on the device and enable debugging via USB and/or local network. Procedures to do so slightly vary from device to device, general instructions are here: https://developer.android.com/studio/debug/dev-options
  2. Install Android Debug Bridge (adb) on your computer: https://www.xda-developers.com/install-adb-windows-macos-linux/


Enable Always on VPN and Block connections without VPN options for Eddie

  1. To start, please make sure that Eddie is installed in your Android TV device and that it is configured NOT to start during the device bootstrap
  2. Connect your computer to the Android TV box, either via USB or local network (see the above linked instructions)
  3. Via adb shell, in the secure db table, set always_on_vpn_app to org.airvpn.eddie and always_on_vpn_lockdown to 1. Exact commands:

    adb shell settings put secure always_on_vpn_app org.airvpn.eddie
    adb shell settings put secure always_on_vpn_lockdown 1


Verify that the settings are not wiped out by the firmware or manufacturer's supervision programs 

  1. Reboot the device (do not run Eddie)
  2. Verify that the device does not have Internet connectivity
  3. Verify that the mentioned settings have not been modified or deleted:

    adb shell settings list secure | grep always_on_vpn

If you get Internet connection and/or the settings have not survived the reboot, then your manufacturer probably modified the system in order to reject such settings, or removed the required framework to have them working properly. In this case, you can not enjoy the features (unless you find some hack that's specific for your device).

Now, if everything works as expected, run Eddie and verify that Eddie can connect to any VPN server. Once connected, verify that you have regular Internet connectivity via VPN. Disconnect Eddie, and verify that you lose again Internet connectivity. If everything went fine, you have now a nice leaks prevention at system level! :)
 

How to disable both Always on VPN and lockdown

You need again the shell to do it:

    adb shell settings delete secure always_on_vpn_lockdown
    adb shell settings delete secure always_on_vpn_app

Then reboot the machine.

 

Why would manufacturers hinder Always on VPN and lockdown usage when Google offered them in the API?


This is a nice question and we do not have a precise answer, we're sorry. Some people speculate that it's easier to obtain specific DRM related certifications such as Widevine L1 when the mentioned features are reset or forbidden altogether. According to other speculations, it's easier to profile the device owner when VPN usage is intermittent, and nowadays profiling and personal data selling is probably a relevant source of revenue. Since Google allows the removal of the mentioned options without prejudice for its own certifications, manufacturers are indeed free to act as they deem appropriate.
 

Who or what can block my Always on VPN and lockdown features?


This table (created by ChatGPT) can be useful to summarize:
+--------------------------------------------------------------+
|                        VPN Applications                      |
+--------------------------------------------------------------+
| - The app must support Always-on VPN                         |
| - If not declared, the framework ignores the configuration   |
| - Auto-start only possible if the app has proper privileges  |
+--------------------------------------------------------------+
             ^
             |
             v
+--------------------------------------------------------------+
|                VpnService / ConnectivityService              |
+--------------------------------------------------------------+
| - Manages VPN connections at system level                    |
| - Reads ALWAYS_ON_VPN_APP and LOCKDOWN from secure settings  |
| - Cannot force-start an incompatible VPN app                 |
+--------------------------------------------------------------+
             ^
             |
             v
+--------------------------------------------------------------+
|                     Settings Provider                        |
+--------------------------------------------------------------+
| - Stores secure/global settings values                       |
| - Write access only for SYSTEM/SHELL/privileged apps         |
| - ADB changes may work but are not guaranteed                |
+--------------------------------------------------------------+
             ^
             |
             v
+--------------------------------------------------------------+
|                     Firmware / OEM Layer                     |
+--------------------------------------------------------------+
| - Can disable the UI toggle for Always-on VPN                |
| - Can kill VPN apps in background (Task Manager / Guard)     |
| - Can overwrite secure settings at boot                      |
| - May block auto-start for DRM / streaming compatibility     |
+--------------------------------------------------------------+
             ^
             |
             v
+--------------------------------------------------------------+
|                   Certifications & DRM                       |
+--------------------------------------------------------------+
| 1. CTS / CTS-Verifier                                        |
|    - Ensures API compatibility                               |
|    - Does not require exposing Always-on VPN in the UI       |
| 2. CDD (Compatibility Definition Document)                   |
|    - Defines minimum behavior for Android TV devices         |
|    - Regulates background/startup for media stability        |
| 3. Widevine / PlayReady / HDCP                               |
|    - Can block Always-on VPN if it interferes with DRM       |
|    - Prevents unauthorized geo-spoofing                      |
| 4. GMS Certification                                         |
|    - Requires Play Store / Google apps compliance            |
|    - Restricts background tasks, startup, and VPN lockdown   |
+--------------------------------------------------------------+


Do you have a list of devices where Always on VPN + VPN lockdown work or do not work?

Please feel free to report your experience with your own device! 

List of devices where both features work properly.
  • nVidia Shield TV running Android TV 11
  • stock emulated Android TV 9, 11, 13, 14 and 16
  • Strong SRT420 running Android TV 11

List of devices where Always on VPN works but VPN lockdown does not and/or causes relevant problems:
  • Amazon FireTV Cube with FireOS 7.1.x: lockdown works but if you disconnect the VPN the system enters a sort of network permanent freeze which requires a reboot

Kind regards
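
The post-reboot verification step from the post above, as an added example that is not part of the original thread or of Eddie's code: it classifies the output of `adb shell settings list secure` so that a wiped setting, a missing lockdown flag and a foreign package are told apart. The function name `check_always_on`, its return codes and the sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# check_always_on EXPECTED_PKG   (hypothetical helper)
# stdin: output of `adb shell settings list secure`
# Prints a verdict and returns:
#   0 locked     app matches and always_on_vpn_lockdown is 1
#   1 no-lock    app matches but lockdown is absent or not 1
#   2 wiped      always_on_vpn_app is absent (did not survive the reboot)
#   3 other-app  always_on_vpn_app names a different package
check_always_on() {
    # adb output can carry CRLF line endings; strip \r so values compare cleanly.
    tr -d '\r' | awk -F= -v want="$1" '
        $1 == "always_on_vpn_app"      { app = $2 }
        $1 == "always_on_vpn_lockdown" { lockdown = $2 }
        END {
            if (app == "")       { print "wiped";     exit 2 }
            if (app != want)     { print "other-app"; exit 3 }
            if (lockdown != "1") { print "no-lock";   exit 1 }
            print "locked"
        }'
}

# Constructed samples standing in for real device output.
sample_locked() {
    printf 'accessibility_enabled=0\r\nalways_on_vpn_app=org.airvpn.eddie\r\nalways_on_vpn_lockdown=1\r\n'
}
sample_wiped() {
    printf 'accessibility_enabled=0\r\n'
}

sample_locked | check_always_on org.airvpn.eddie || true   # prints: locked
sample_wiped  | check_always_on org.airvpn.eddie || true   # prints: wiped

# Against a real device (after the reboot in the verification step):
#   adb shell settings list secure | check_always_on org.airvpn.eddie
```

A `wiped` or `no-lock` verdict after the reboot corresponds to the case the post describes, where the firmware rejected or reset the settings and traffic is not blocked outside the VPN.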
 
