Do not replace default routes on Android

Keep default routes as-is on Android, just as they are kept as-is for
Linux. This allows Android 11+ to recognize Mullvad as an isolated VPN,
properly preventing remote-initiated traffic from other interfaces.

2 files changed, 4 insertions, 2 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc2a8a4f7d..2ca928ab5f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,8 @@ Line wrap the file at 100 chars.                                              Th
 #### Android
 - Add DNS content blockers.
 - Add UDP-over-TCP
+- Prevent incoming connections from outside the VPN in Android 11+ when Local Network Sharing
+  is turned off.
 
 ### Changed
 - In the CLI, update the `tunnel` subcommand to resemble `relay` more. For example, by adding a
diff --git a/talpid-wireguard/src/lib.rs b/talpid-wireguard/src/lib.rs
index cdaaf4cfc0..da70b63bfc 100644
--- a/talpid-wireguard/src/lib.rs
+++ b/talpid-wireguard/src/lib.rs
@@ -914,7 +914,7 @@ impl WireguardMonitor {
 
     /// Replace default (0-prefix) routes with more specific routes.
     fn replace_default_prefixes(network: ipnetwork::IpNetwork) -> Vec<ipnetwork::IpNetwork> {
-        #[cfg(not(target_os = "linux"))]
+        #[cfg(not(any(target_os = "linux", target_os = "android")))]
         if network.prefix() == 0 {
             if network.is_ipv4() {
                 vec!["0.0.0.0/1".parse().unwrap(), "128.0.0.0/1".parse().unwrap()]
@@ -925,7 +925,7 @@ impl WireguardMonitor {
             vec![network]
         }
 
-        #[cfg(target_os = "linux")]
+        #[cfg(any(target_os = "linux", target_os = "android"))]
         vec![network]
     }