VPN-6523: Fix Android LAN exclusions

[oskirby]

Description

In PR #9674 we tried to improve the LAN exclusion implementation for Windows and Linux. However, this introduced a bug in Android where the LAN exclusion calculation would cause routes to the internal Mulvad network to get lost. This causes the VPN's connectivity checks to fail, and results in the client entering the No Signal state shortly after connecting.

The cause of the bug is that IPAddress::excludeAddresses() doesn't handle routes nested inside an excluded route. For example, excludeAddresses({"0.0.0.0/0", "10.64.0.1/32"},{"10.0.0.0/8"}) will ignore the route to 10.64.0.1 because it is excluded by 10.0.0.0/8 despite having a longer prefix length.

Reference

JIRA issue: VPN-6523
Previous PR: #9674

Checklist

• My code follows the style guidelines for this project
• I have not added any packages that contain high risk or unknown licenses (GPL, LGPL, MPL, etc. consult with DevOps if in question)
• I have performed a self review of my own code
• I have commented my code PARTICULARLY in hard to understand areas
• I have added thorough tests where needed

[oskirby]

I actually went down the rabbit hole of implementing this with VpnService.Builder.excludeRoute() and it worked great, and only afterwards did I realize that it requires a higher API level than we ship with. So this implementation here is just crudely working around the issue, but in a way that doesn't require a change to our minimum Android version.

[mcleinman]

Questions answered via real time convo. Thanks!