The title of this topic is misleading. The connection doesn't actually drop, but some devices bypass VPN tunnels in Sleep Mode.
Issue Details
- AdGuard VPN version: 0.7.1
- VPN mode: AdGuard VPN in VPN Mode
- Operating system and version: Android 10/11 (not rooted)
- Other network-level software: AdGuard Home DNS server
Expected Behavior
The expectation is that Android devices use AdGuard VPN when in Sleep Mode for all situations if "Always-On" and "Block Connections Without VPN" are enabled in Android Network & Internet settings.
Actual Behavior
Local DNS resolver logs show that Android Sleep Mode WiFi activity includes Android devices attempting to resolve Google domains, such as google.com, connectivitycheck.gstatic.com, and play.googleapis.com, outside of AdGuard VPN tunnels, using the WiFi-assigned DNS resolver address instead of the VPN-set resolver address. The same devices do use VPN tunnels in Sleep Mode when receiving email and other internet data. That means that the VPN tunnel connection persists and isn't dropped in Sleep Mode.
Additional Information
It is almost as if there is a forced Android-set VPN Split Tunneling that can't be configured in any VPN apps. The same behavior happens with all VPN apps and protocols, but not on all devices. Disabling or enabling Battery Optimization for VPN apps makes no difference.
Some say that the Captive Portal check is the issue, but none of the following ADB Shell Captive Portal commands resolve this issue for me:
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
settings put global wifi_watchdog_on 0
settings put global wifi_watchdog_background_check_enabled 0
pm disable com.android.captiveportallogin
This behavior is similar to how Android devices use carrier/SIM-card WiFi calling that also bypasses installed VPN apps and exclusively uses IPSec 3GPP ePDG tunnels to make/receive calls and/or SMS/MMS. Only app-based WiFi calling (WhatsApp, Viber, Skype, Telegram, Signal, etc.) and other internet apps can use installed VPN app tunnels.
There is definitely no way to tunnel carrier/SIM-card WiFi calling through installed VPN apps, but is there a way to prevent Android devices in Sleep Mode from trying to connect to google.com, connectivitycheck.gstatic.com, and play.googleapis.com outside of VPN tunnels? Connecting to those Google domains outside of VPN defeats the point of using a VPN!
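An added example, not part of the original report: one way to confirm the bypass from the local resolver's side is to flag every query that arrives from a device whose DNS should be fully tunneled, and to mark whether it is one of the domains named above. The JSON-lines layout with fields `T`, `IP` and `QH`, the sample lines and the device address `192.168.1.23` are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Domains the report saw resolved outside the tunnel.
REPORTED = ("google.com", "connectivitycheck.gstatic.com", "play.googleapis.com")

# Constructed sample lines. Field names T (time), IP (client), QH (query host)
# are an assumption about the resolver's JSON-lines query log.
SAMPLE_LOG = """\
{"T":"2021-03-01T01:12:07Z","IP":"192.168.1.23","QH":"connectivitycheck.gstatic.com"}
{"T":"2021-03-01T01:12:09Z","IP":"192.168.1.40","QH":"example.org"}
{"T":"2021-03-01T01:42:31Z","IP":"192.168.1.23","QH":"play.googleapis.com"}
not-json garbage line
{"T":"2021-03-01T02:12:44Z","IP":"192.168.1.23","QH":"connectivitycheck.gstatic.com"}
{"T":"2021-03-01T02:13:02Z","IP":"192.168.1.23","QH":"www.google.com."}
"""

def matches_reported(host):
    """True if host is one of the reported domains or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in REPORTED)

def find_bypass(lines, tunneled_ips):
    """Return {(ip, host): {"count", "first", "last", "reported"}} for queries
    that reached the local resolver from devices expected to be tunneled."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "reported": False})
    for line in lines:
        try:
            rec = json.loads(line)
            ip, host, ts = rec["IP"], rec["QH"], rec["T"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete log lines
        if ip not in tunneled_ips:
            continue
        host = host.rstrip(".").lower()
        h = hits[(ip, host)]
        h["count"] += 1
        # Timestamps share one UTC format, so string comparison orders them.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["reported"] = matches_reported(host)
    return dict(hits)

if __name__ == "__main__":
    found = find_bypass(SAMPLE_LOG.splitlines(), {"192.168.1.23"})
    for (ip, host), h in sorted(found.items()):
        tag = "reported-domain" if h["reported"] else "other"
        print(ip, host, h["count"], h["first"], h["last"], tag)
```

Run against a real query log, the first/last timestamps per domain can be compared with the times the device was asleep.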