Implement IAN activation flow

Author: rablador

ios/Assets/Localizable.xcstrings

@@ -359,6 +359,7 @@
       }
     },
     "%@ “Local network sharing” requires restarting the VPN connection, which will disconnect you and briefly expose your traffic.\nTo prevent this, manually enable Airplane Mode and turn off Wi-Fi before continuing.\nWould you like to continue to enable “Local network sharing”?" : {
+      "extractionState" : "stale",
       "localizations" : {
         "da" : {
           "stringUnit" : {
@@ -7574,6 +7575,14 @@
         }
       }
     },
+    "Be cautious when using automatic updates as this will trigger the network connectivity loss." : {
+      "comment" : "Text displayed in a settings page explaining the potential consequences of using automatic updates when the IAN is enabled.",
+      "isCommentAutoGenerated" : true
+    },
+    "Because of these iOS limitations, you will lose network connectivity if Mullvad VPN is updated when this is enabled and you are connected to the VPN. Network connectivity can only be restored by rebooting the device." : {
+      "comment" : "Text describing the potential network connectivity loss when the IAN feature is enabled and the device is connected to the VPN.",
+      "isCommentAutoGenerated" : true
+    },
     "Belgium" : {
       "localizations" : {
         "da" : {
@@ -14542,6 +14551,10 @@
         }
       }
     },
+    "Currently there is no way to work around this behaviour, but you can avoid losing network connectivity by disabling this feature or disconnecting before updating Mullvad VPN." : {
+      "comment" : "Text displayed on the last page of the IAN settings info view, explaining that there is no way to work around the current behaviour, but that they can avoid losing network connectivity by disabling the feature or disconnecting before",
+      "isCommentAutoGenerated" : true
+    },
     "Custom" : {
       "localizations" : {
         "da" : {
@@ -17729,6 +17742,7 @@
       }
     },
     "Disabling" : {
+      "extractionState" : "stale",
       "localizations" : {
         "da" : {
           "stringUnit" : {
@@ -19380,6 +19394,10 @@
         }
       }
     },
+    "Due to iOS limitations, this not enabled by default. Our other apps tunnel all traffic via the VPN by default." : {
+      "comment" : "Explanation of why the \"Use Include All Networks\" feature is not enabled by default in the IAN settings view.",
+      "isCommentAutoGenerated" : true
+    },
     "Dusseldorf" : {
       "localizations" : {
         "da" : {
@@ -20678,6 +20696,10 @@
         }
       }
     },
+    "Enable notifications" : {
+      "comment" : "Title of an action button in an alert presented by the IANSettingsCoordinator when the user is prompted to enable notifications.",
+      "isCommentAutoGenerated" : true
+    },
     "Enable recents" : {
       "localizations" : {
         "da" : {
@@ -20797,6 +20819,7 @@
       }
     },
     "Enabling" : {
+      "extractionState" : "stale",
       "localizations" : {
         "da" : {
           "stringUnit" : {
@@ -23628,6 +23651,14 @@
         }
       }
     },
+    "Force all apps" : {
+      "comment" : "Title of the settings screen for forcing all apps to use the IAN tunnel.",
+      "isCommentAutoGenerated" : true
+    },
+    "Forces all app traffic on the device into the VPN tunnel, ensuring that other apps can’t accidentally or maliciously leak data. Apple system apps and services necessary for device functionality are not affected." : {
+      "comment" : "Description of the IAN feature, including a note that Apple system apps and services are not affected.",
+      "isCommentAutoGenerated" : true
+    },
     "Fortaleza" : {
       "localizations" : {
         "da" : {
@@ -24218,6 +24249,10 @@
         }
       }
     },
+    "Given the pros and cons of using this feature, I wish to proceed" : {
+      "comment" : "Label for an action box in the IAN settings view, allowing the user to agree to use the feature.",
+      "isCommentAutoGenerated" : true
+    },
     "Glasgow" : {
       "localizations" : {
         "da" : {
@@ -25988,6 +26023,10 @@
         }
       }
     },
+    "If this is not enabled, malicious apps on your device can leak traffic outside the tunnel." : {
+      "comment" : "Text describing the potential risk of data leakage when the IAN feature is disabled.",
+      "isCommentAutoGenerated" : true
+    },
     "If you are having issues connecting to VPN servers, please contact support." : {
       "localizations" : {
         "da" : {
@@ -28113,6 +28152,7 @@
       }
     },
     "Include all networks" : {
+      "extractionState" : "stale",
       "localizations" : {
         "da" : {
           "stringUnit" : {
@@ -39328,6 +39368,10 @@
         }
       }
     },
+    "Open system settings" : {
+      "comment" : "Title of an action button in an alert that allows the user to open system settings.",
+      "isCommentAutoGenerated" : true
+    },
     "Optional" : {
       "localizations" : {
         "da" : {
@@ -41924,6 +41968,10 @@
         }
       }
     },
+    "Please read through all information above in order to activate this feature" : {
+      "comment" : "Footer text in the IANSettingsView that instructs the user to read through all information before activating a feature.",
+      "isCommentAutoGenerated" : true
+    },
     "Please retry by using the \"Restore purchases\" button." : {
       "localizations" : {
         "da" : {
@@ -64835,5 +64883,5 @@
       }
     }
   },
-  "version" : "1.0"
+  "version" : "1.1"
 }

ios/MullvadSettings/InclueAllNetworksSettings.swift

@@ -0,0 +1,55 @@
+//
+//  InclueAllNetworksSettings.swift
+//  MullvadVPN
+//
+//  Created by Jon Petersson on 2026-01-16.
+//  Copyright © 2026 Mullvad VPN AB. All rights reserved.
+//
+
+import Foundation
+
+/// Whether IAN is enabled.
+public enum InclueAllNetworksState: Codable, Sendable {
+    case on
+    case off
+
+    public var isEnabled: Bool {
+        get { self == .on }
+        set { self = newValue ? .on : .off }
+    }
+}
+
+/// Whether "Local network sharing" is enabled.
+public enum LocalNetworkSharingState: Codable, Sendable {
+    case on
+    case off
+
+    public var isEnabled: Bool {
+        get { self == .on }
+        set { self = newValue ? .on : .off }
+    }
+}
+
+public struct InclueAllNetworksSettings: Codable, Equatable, Sendable {
+    public var includeAllNetworksState: InclueAllNetworksState
+    public var localNetworkSharingState: LocalNetworkSharingState
+    public var consent: Bool
+
+    public var includeAllNetworksIsEnabled: Bool {
+        includeAllNetworksState.isEnabled && consent
+    }
+
+    public var localNetworkSharingIsEnabled: Bool {
+        includeAllNetworksState.isEnabled && localNetworkSharingState.isEnabled && consent
+    }
+
+    public init(
+        includeAllNetworksState: InclueAllNetworksState = .off,
+        localNetworkSharingState: LocalNetworkSharingState = .off,
+        consent: Bool = false
+    ) {
+        self.includeAllNetworksState = includeAllNetworksState
+        self.localNetworkSharingState = localNetworkSharingState
+        self.consent = consent
+    }
+}

ios/MullvadSettings/TunnelSettingsStrategy.swift

@@ -34,11 +34,17 @@ public struct TunnelSettingsStrategy: TunnelSettingsStrategyProtocol, Sendable {
         oldSettings: LatestTunnelSettings,
         newSettings: LatestTunnelSettings
     ) -> TunnelSettingsReconnectionStrategy {
+        // Don't reconnect the tunnel If IAN consent was the setting that triggered the settings update.
+        if oldSettings.includeAllNetworksConsent != newSettings.includeAllNetworksConsent {
+            return .noReconnect
+        }
+
         if oldSettings.localNetworkSharing != newSettings.localNetworkSharing
             || oldSettings.includeAllNetworks != newSettings.includeAllNetworks
         {
             return .hardReconnect
         }
+
         switch (oldSettings, newSettings) {
         case let (old, new) where old != new:
             return .newRelayReconnect
@@ -55,4 +61,5 @@ public enum TunnelSettingsReconnectionStrategy {
     case currentRelayReconnect
     case newRelayReconnect
     case hardReconnect
+    case noReconnect
 }

ios/MullvadSettings/TunnelSettingsUpdate.swift

@@ -10,23 +10,18 @@ import Foundation
 import MullvadTypes
 
 public enum TunnelSettingsUpdate: Sendable {
-    case localNetworkSharing(Bool)
-    case includeAllNetworks(Bool)
     case dnsSettings(DNSSettings)
     case obfuscation(WireGuardObfuscationSettings)
     case relayConstraints(RelayConstraints)
     case quantumResistance(TunnelQuantumResistance)
     case multihop(MultihopState)
     case daita(DAITASettings)
+    case includeAllNetworks(InclueAllNetworksSettings)
 }
 
 extension TunnelSettingsUpdate {
     public func apply(to settings: inout LatestTunnelSettings) {
         switch self {
-        case let .localNetworkSharing(enabled):
-            settings.localNetworkSharing = enabled
-        case let .includeAllNetworks(enabled):
-            settings.includeAllNetworks = enabled
         case let .dnsSettings(newDNSSettings):
             settings.dnsSettings = newDNSSettings
         case let .obfuscation(newObfuscationSettings):
@@ -39,19 +34,22 @@ extension TunnelSettingsUpdate {
             settings.tunnelMultihopState = newState
         case let .daita(newDAITASettings):
             settings.daita = newDAITASettings
+        case let .includeAllNetworks(newIncludeAllNetworksSettings):
+            settings.includeAllNetworks = newIncludeAllNetworksSettings.includeAllNetworksState.isEnabled
+            settings.localNetworkSharing = newIncludeAllNetworksSettings.localNetworkSharingState.isEnabled
+            settings.includeAllNetworksConsent = newIncludeAllNetworksSettings.consent
         }
     }
 
     public var subjectName: String {
         switch self {
-        case .localNetworkSharing: "Local network sharing"
-        case .includeAllNetworks: "Include all networks"
         case .dnsSettings: "DNS settings"
         case .obfuscation: "obfuscation settings"
         case .relayConstraints: "relay constraints"
         case .quantumResistance: "quantum resistance"
         case .multihop: "multihop"
         case .daita: "daita"
+        case .includeAllNetworks: "include all networks"
         }
     }
 }

ios/MullvadSettings/TunnelSettingsV6.swift

@@ -52,8 +52,7 @@ public struct TunnelSettingsV6: Codable, Equatable, TunnelSettings, Sendable {
             tunnelQuantumResistance: tunnelQuantumResistance,
             tunnelMultihopState: tunnelMultihopState,
             daita: daita,
-            localNetworkSharing: false,
-            includeAllNetworks: false
+            includeAllNetworks: InclueAllNetworksSettings()
         )
     }
 }

ios/MullvadSettings/TunnelSettingsV7.swift

@@ -28,30 +28,33 @@ public struct TunnelSettingsV7: Codable, Equatable, TunnelSettings, Sendable {
     /// DAITA settings.
     public var daita: DAITASettings
 
-    /// Local networks sharing.
-    public var localNetworkSharing: Bool
-
-    /// Forces the system to route most traffic through the tunnel
+    /// Forces the system to route most traffic through the tunnel.
     public var includeAllNetworks: Bool
 
+    /// Consent to enable `includeAllNetworks`, understanding the pros and cons.
+    public var includeAllNetworksConsent: Bool
+
+    /// Local network sharing.
+    public var localNetworkSharing: Bool
+
     public init(
         relayConstraints: RelayConstraints = RelayConstraints(),
         dnsSettings: DNSSettings = DNSSettings(),
         wireGuardObfuscation: WireGuardObfuscationSettings = WireGuardObfuscationSettings(),
         tunnelQuantumResistance: TunnelQuantumResistance = .automatic,
         tunnelMultihopState: MultihopState = .off,
         daita: DAITASettings = DAITASettings(),
-        localNetworkSharing: Bool = false,
-        includeAllNetworks: Bool = false
+        includeAllNetworks: InclueAllNetworksSettings = InclueAllNetworksSettings()
     ) {
         self.relayConstraints = relayConstraints
         self.dnsSettings = dnsSettings
         self.wireGuardObfuscation = wireGuardObfuscation
         self.tunnelQuantumResistance = tunnelQuantumResistance
         self.tunnelMultihopState = tunnelMultihopState
         self.daita = daita
-        self.localNetworkSharing = localNetworkSharing
-        self.includeAllNetworks = includeAllNetworks
+        self.includeAllNetworks = includeAllNetworks.localNetworkSharingState.isEnabled
+        self.localNetworkSharing = includeAllNetworks.includeAllNetworksState.isEnabled
+        self.includeAllNetworksConsent = includeAllNetworks.consent
     }
 
     public func upgradeToNextVersion() -> any TunnelSettings {