Fix WireGuard custom config LAN bypass and IPv6 traffic leak

Ginder-Singh · claude · Ginder-Singh · commit 46fcae25a867 · 2025-07-10T15:47:52.000-04:00
- Added LAN bypass functionality for WireGuard custom configs by implementing createModifiedPeersForLanBypass() - Fixed WireGuard ParseException by properly extracting endpoint values from Optional objects - Created separate IPv4-only LAN bypass function (modifyAllowedIpsIPv4Only) for custom configs to prevent IPv6 parsing errors - Preserved IPv6 handling in regular server configs to prevent IPv6 traffic leaks - Added comprehensive debug logging for troubleshooting peer building process - Custom configs now properly exclude private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) from routing - Regular server configs maintain full IPv4+IPv6 LAN bypass functionality Technical details: - Custom configs use IPv4-only public IP array to avoid "::0/0" ParseException - Regular server configs retain "::0/0" in publicIpV4Array for IPv6 traffic capture - Fixed API 21 compatibility by removing Optional.get() calls - Enhanced error handling for endpoint parsing and AllowedIPs modification 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -42,6 +42,55 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 ./gradlew bundleFdroidRelease    # Build F-Droid AAB
 ```
 
+### Building Specific Modules
+```bash
+# Mobile App
+./gradlew :mobile:assembleGoogleDebug    # Build mobile debug APK
+./gradlew :mobile:assembleGoogleRelease  # Build mobile release APK
+
+# TV App  
+./gradlew :tv:assembleGoogleDebug        # Build TV debug APK
+./gradlew :tv:assembleGoogleRelease      # Build TV release APK
+```
+
+### Install and Launch Apps
+
+#### Mobile App
+```bash
+# Build and install mobile app
+./gradlew :mobile:assembleGoogleDebug
+"$ANDROID_HOME/platform-tools/adb" install -r mobile/build/outputs/apk/google/debug/mobile-google-debug.apk
+
+# Launch mobile app
+"$ANDROID_HOME/platform-tools/adb" shell am start -n com.windscribe.vpn/com.windscribe.mobile.ui.AppStartActivity
+```
+
+#### TV App
+```bash
+# Build and install TV app
+./gradlew :tv:assembleGoogleDebug
+"$ANDROID_HOME/platform-tools/adb" install -r tv/build/outputs/apk/google/debug/tv-google-debug.apk
+
+# Launch TV app
+"$ANDROID_HOME/platform-tools/adb" shell am start -n com.windscribe.vpn/com.windscribe.tv.splash.SplashActivity
+```
+
+#### ADB Commands
+```bash
+# Check connected devices
+"$ANDROID_HOME/platform-tools/adb" devices
+
+# Target specific device (if multiple connected)
+"$ANDROID_HOME/platform-tools/adb" -s emulator-5554 install -r app.apk
+"$ANDROID_HOME/platform-tools/adb" -s emulator-5554 shell am start -n package/activity
+
+# Check if app is running
+"$ANDROID_HOME/platform-tools/adb" shell ps | grep windscribe
+
+# View logs
+"$ANDROID_HOME/platform-tools/adb" logcat -s "vpn" -v time
+```
+
 ### Testing
 ```bash
 ./gradlew test                   # Run unit tests
diff --git a/base/src/main/java/com/windscribe/vpn/backend/utils/VPNProfileCreator.kt b/base/src/main/java/com/windscribe/vpn/backend/utils/VPNProfileCreator.kt
@@ -83,7 +83,7 @@ class VPNProfileCreator @Inject constructor(
             "172.32.0.0/11", "172.64.0.0/10", "172.128.0.0/9", "173.0.0.0/8", "174.0.0.0/7",
             "176.0.0.0/4", "192.0.0.0/9", "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16",
             "192.170.0.0/15", "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10",
-            "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4", "10.255.255.0/24","::0/0"
+            "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4", "::0/0", "10.255.255.0/24"
     )
 
     fun createIkEV2Profile(
@@ -412,8 +412,15 @@ class VPNProfileCreator @Inject constructor(
 
         val reader: Reader = StringReader(configFile.content)
         val bufferedReader = BufferedReader(reader)
-        val config: Config = bufferedReader.use {
-            Config.parse(bufferedReader)
+        val config: Config = try {
+            bufferedReader.use {
+                Config.parse(bufferedReader)
+            }
+        } catch (e: Exception) {
+            logger.error("Full WireGuard config parse exception: ${e.javaClass.simpleName}: ${e.message}")
+            logger.error("Stack trace: ${e.stackTrace.joinToString("\n")}")
+            logger.error("Config content: ${configFile.content}")
+            throw e
         }
         interFaceBuilder.parsePrivateKey(config.getInterface().keyPair.privateKey.toBase64())
         interFaceBuilder.addAddresses(config.getInterface().addresses)
@@ -426,10 +433,16 @@ class VPNProfileCreator @Inject constructor(
         } else {
             interFaceBuilder.addDnsServers(config.getInterface().dnsServers)
         }
-        val configWithSettings = Config.Builder()
-                .addPeers(config.peers)
+        val configWithSettings = try {
+            val modifiedPeers = createModifiedPeersForLanBypass(config.peers)
+            Config.Builder()
+                .addPeers(modifiedPeers)
                 .setInterface(interFaceBuilder.build())
                 .build()
+        } catch (e: Exception) {
+            logger.error("Exception creating config with LAN bypass: ${e.javaClass.simpleName}: ${e.message}")
+            throw e
+        }
         val lastSelectedLocation =
                 LastSelectedLocation(configFile.getPrimaryKey(), nickName = configFile.name)
         saveSelectedLocation(lastSelectedLocation)
@@ -576,6 +589,96 @@ class VPNProfileCreator @Inject constructor(
         return builder.build()
     }
 
+    private fun createModifiedPeersForLanBypass(originalPeers: List<Peer>): List<Peer> {
+        return if (preferencesHelper.lanByPass) {
+            originalPeers.mapIndexed { index, peer ->
+                try {
+                    val builder = Peer.Builder()
+                    builder.parsePublicKey(peer.publicKey.toBase64())
+                    
+                    // Handle endpoint safely - extract value from Optional
+                    val endpointStr = try {
+                        if (peer.endpoint != null && peer.endpoint.isPresent) {
+                            val endpoint = peer.endpoint.orElse(null)
+                            if (endpoint != null) {
+                                "${endpoint.host}:${endpoint.port}"
+                            } else {
+                                ""
+                            }
+                        } else {
+                            ""
+                        }
+                    } catch (e: Exception) {
+                        ""
+                    }
+                    if (endpointStr.isNotEmpty()) {
+                        builder.parseEndpoint(endpointStr)
+                    }
+                    
+                    // Handle persistent keepalive - check if present first
+                    val keepalive = try {
+                        if (peer.persistentKeepalive != null && peer.persistentKeepalive.isPresent) {
+                            peer.persistentKeepalive.orElse(0)
+                        } else {
+                            0
+                        }
+                    } catch (e: Exception) {
+                        0
+                    }
+                    builder.setPersistentKeepalive(keepalive)
+                    
+                    // Format allowedIPs properly - separate IPv4 and IPv6
+                    val allowedIpsString = peer.allowedIps.joinToString(", ")
+                    val dnsRoutes = ""
+                    
+                    // Split IPv4 and IPv6, only modify IPv4 part
+                    val ipParts = allowedIpsString.split(",").map { it.trim() }
+                    val ipv4Parts = ipParts.filter { !it.contains(":") }
+                    val ipv6Parts = ipParts.filter { it.contains(":") }
+                    
+                    // Only modify IPv4 part for LAN bypass - use IPv4-only function
+                    val modifiedIpv4 = if (ipv4Parts.isNotEmpty()) {
+                        modifyAllowedIpsIPv4Only(ipv4Parts.joinToString(", "), dnsRoutes)
+                    } else {
+                        ""
+                    }
+                    
+                    // Combine modified IPv4 with original IPv6 - clean up trailing commas
+                    val finalAllowedIps = if (modifiedIpv4.isNotEmpty() && ipv6Parts.isNotEmpty()) {
+                        "${modifiedIpv4.trim(' ', ',')}, ${ipv6Parts.joinToString(", ")}"
+                    } else if (modifiedIpv4.isNotEmpty()) {
+                        modifiedIpv4.trim(' ', ',')
+                    } else if (ipv6Parts.isNotEmpty()) {
+                        ipv6Parts.joinToString(", ")
+                    } else {
+                        allowedIpsString
+                    }
+                    
+                    builder.parseAllowedIPs(finalAllowedIps)
+                    
+                    // Handle pre-shared key if present - safely check Optional
+                    try {
+                        if (peer.preSharedKey != null && peer.preSharedKey.isPresent) {
+                            val key = peer.preSharedKey.orElse(null)
+                            if (key != null) {
+                                builder.parsePreSharedKey(key.toBase64())
+                            }
+                        }
+                    } catch (e: Exception) {
+                        // No pre-shared key present, which is valid
+                    }
+                    
+                    builder.build()
+                } catch (e: Exception) {
+                    logger.error("Exception building peer $index: ${e.javaClass.simpleName}: ${e.message}")
+                    throw e
+                }
+            }
+        } else {
+            originalPeers
+        }
+    }
+
     private fun getIkev2Credentials(): Pair<String, String> {
         val serverCredentials = getServerCredentials(true)
         val mUsername: String
@@ -729,6 +832,34 @@ class VPNProfileCreator @Inject constructor(
         return Attribute.join(output)
     }
 
+    private fun modifyAllowedIpsIPv4Only(allowedIps: String, dnsRoutes: String): String {
+        // Create IPv4-only array by filtering out IPv6 addresses
+        val ipv4OnlyNetworks = publicIpV4Array.filter { !it.contains(":") }.toTypedArray()
+        val ipv4PublicNetworks = HashSet(listOf(*ipv4OnlyNetworks))
+        val ipv4Wildcard = "0.0.0.0/0"
+        val allNetworks = HashSet(listOf(ipv4Wildcard))
+        val input: Collection<String> = HashSet(listOf(*Attribute.split(allowedIps)))
+        val outputSize = input.size - allNetworks.size + ipv4PublicNetworks.size
+        val output: MutableCollection<String?> = LinkedHashSet(outputSize)
+        var replaced = false
+        for (network in input) {
+            if (allNetworks.contains(network)) {
+                if (!replaced) {
+                    for (replacement in ipv4PublicNetworks) {
+                        if (!output.contains(replacement)) {
+                            output.add(replacement)
+                        }
+                    }
+                    replaced = true
+                }
+            } else if (!output.contains(network)) {
+                output.add(network)
+            }
+        }
+        output.addAll(listOf(*Attribute.split(dnsRoutes)))
+        return Attribute.join(output)
+    }
+
     private fun setSplitMode(profile: VpnProfile) {
         if (preferencesHelper.splitTunnelToggle && (preferencesHelper.splitRoutingMode == PreferencesKeyConstants.EXCLUSIVE_MODE)) {
             preferencesHelper.lastConnectedUsingSplit = true
