[client] Fix Android internet blackhole caused by stale route re-injection on TUN rebuild #5865

Merged: pappz merged 1 commit into main from fix/android-route-blackhole-on-tun-rebuild on Apr 13, 2026
@pappz pappz commented Apr 12, 2026

Describe your changes

On Android, users lose all internet connectivity while the VPN is active.

  • Internal NetBird mesh traffic still works
  • External traffic results in 100% packet loss

Root Cause

extraInitialRoutes() (introduced in #5739) was intended to preserve only the fake IP block route (240.0.0.0/8) across TUN rebuilds. However, it re-injects any initial route whose prefix is missing from the current route set.

Since every network map update delivers the full route set (not a diff), the initial routes become stale after the first update.

When the route selector filters out an unselected exit node (0.0.0.0/0):

  • extraInitialRoutes() re-injects it during the TUN rebuild
  • The Android VPN captures all traffic
  • There is no peer to handle it

Fix

  • Store the fake IP route (240.0.0.0/8) explicitly on the notifier
  • Append only this route in notify()

This preserves the DNS fake IP fix from #5739 without re-injecting stale routes.

Summary by CodeRabbit

  • Bug Fixes
    • Improved fake IP route handling across Android, iOS, and other platforms for more reliable network routing management.

…TUN rebuild

extraInitialRoutes() was meant to preserve only the fake IP route
(240.0.0.0/8) across TUN rebuilds, but it re-injected any initial
route missing from the current set. When the management server
advertised exit node routes (0.0.0.0/0) that were later filtered
by the route selector, extraInitialRoutes() re-added them, causing
the Android VPN to capture all traffic with no peer to handle it.

Store the fake IP route explicitly and append only that in notify(),
removing the overly broad initial route diffing.
@pappz pappz requested a review from lixmal April 12, 2026 18:35
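
The root cause and fix described above, as an added example that is not NetBird's code: a simplified model comparing the pre-fix "re-add every missing initial route" behaviour with the explicit fake IP route. All function names and the sample routes are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

func contains(set []netip.Prefix, p netip.Prefix) bool {
	for _, q := range set {
		if q == p {
			return true
		}
	}
	return false
}

// staleDiff models the pre-fix behaviour: on TUN rebuild, every initial
// route missing from the current set is re-added.
func staleDiff(initial, current []netip.Prefix) []netip.Prefix {
	out := append([]netip.Prefix{}, current...)
	for _, p := range initial {
		if !contains(out, p) {
			out = append(out, p)
		}
	}
	return out
}

// explicitFakeIP models the fix: only the stored fake IP route is appended.
func explicitFakeIP(fakeIP netip.Prefix, current []netip.Prefix) []netip.Prefix {
	out := append([]netip.Prefix{}, current...)
	if fakeIP.IsValid() && !contains(out, fakeIP) {
		out = append(out, fakeIP)
	}
	return out
}

// capturesAll reports whether the set holds a default route (prefix length 0).
func capturesAll(routes []netip.Prefix) bool {
	for _, p := range routes {
		if p.Bits() == 0 {
			return true
		}
	}
	return false
}

// scenario returns constructed sample data: the initial route set advertised
// an exit node; the route selector later filtered it out of the current set.
func scenario() (initial, current []netip.Prefix, fakeIP netip.Prefix) {
	fakeIP = netip.MustParsePrefix("240.0.0.0/8")
	lan := netip.MustParsePrefix("10.10.0.0/16")
	initial = []netip.Prefix{fakeIP, netip.MustParsePrefix("0.0.0.0/0"), lan}
	return initial, []netip.Prefix{lan}, fakeIP
}

func main() {
	initial, current, fakeIP := scenario()
	pre, post := staleDiff(initial, current), explicitFakeIP(fakeIP, current)
	fmt.Println("pre-fix: ", pre, "default route present:", capturesAll(pre))
	fmt.Println("post-fix:", post, "default route present:", capturesAll(post))
}
```

A check like `capturesAll` on the route set handed to the TUN builder makes a useful regression assertion: a default route should appear only when an exit node is actually selected.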
coderabbitai bot commented Apr 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 5259e5d and f9a07ce.

📒 Files selected for processing (4)
  • client/internal/routemanager/manager.go
  • client/internal/routemanager/notifier/notifier_android.go
  • client/internal/routemanager/notifier/notifier_ios.go
  • client/internal/routemanager/notifier/notifier_other.go

Walkthrough

This PR refactors fake IP route handling in the route manager by introducing a new SetFakeIPRoute method across all notifier implementations. The Android notifier changes from computing fake IP routes via diffing logic to explicitly tracking a dedicated fakeIPRoute field, simplifying the route notification flow.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Fake IP Route Integration: client/internal/routemanager/manager.go | Route manager now explicitly registers the fake IP route with the notifier via SetFakeIPRoute before setting initial client routes. |
| Android Notifier Refactoring: client/internal/routemanager/notifier/notifier_android.go | Added fakeIPRoute field and SetFakeIPRoute method; refactored notify logic to use explicit field instead of computing routes via prefix diffing. |
| Platform Stubs: client/internal/routemanager/notifier/notifier_ios.go, client/internal/routemanager/notifier/notifier_other.go | Added no-op SetFakeIPRoute method stubs to maintain consistent interface across all platform implementations. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • lixmal

Poem

🐰 A route so fake, now tracked with care,
No diffing dance through network air,
Just store it straight, explicit and clear,
Across all platforms, far and near! 🛣️

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main fix: addressing an Android internet blackhole caused by stale route re-injection on TUN rebuilds. |
| Description check | ✅ Passed | The description is comprehensive, explaining the problem, root cause, and solution. However, the checklist items lack selections and the issue ticket field is empty. |

@pappz pappz merged commit 7483fec into main Apr 13, 2026
42 checks passed
@pappz pappz deleted the fix/android-route-blackhole-on-tun-rebuild branch April 13, 2026 07:38
lixmal added a commit that referenced this pull request Apr 13, 2026
Resolve conflict in setupAndroidRoutes: merge IPv6 fake IP route
with the explicit fake IP route storage from #5865.

Notifier now stores a slice of fake IP routes (v4 + v6) via
SetFakeIPRoutes to preserve the stale route re-injection fix.