diff --git a/android/src/main/java/com/tailscale/ipn/IPNService.java b/android/src/main/java/com/tailscale/ipn/IPNService.java
index 875adf5..7e00814 100644
--- a/android/src/main/java/com/tailscale/ipn/IPNService.java
+++ b/android/src/main/java/com/tailscale/ipn/IPNService.java
@@ -62,12 +62,6 @@ public class IPNService extends VpnService {
 .setConfigureIntent(configIntent())
 .allowFamily(OsConstants.AF_INET)
 .allowFamily(OsConstants.AF_INET6);
- try {
- b.addDisallowedApplication(BuildConfig.APPLICATION_ID);
- } catch (PackageManager.NameNotFoundException e) {
- // This error means com.tailscale.ipn isn't
- // installed. That shouldn't happen, so pretend it didn't.
- }
 if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q)
 b.setMetered(false); // Inherit the metered status from the underlying networks.
 if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M)
diff --git a/cmd/tailscale/main.go b/cmd/tailscale/main.go
index 62a0358..efc8fd1 100644
--- a/cmd/tailscale/main.go
+++ b/cmd/tailscale/main.go
@@ -22,6 +22,7 @@ import (
 "github.com/tailscale/tailscale-android/jni"
 "tailscale.com/ipn"
 "tailscale.com/net/dns"
+ "tailscale.com/net/netns"
 "tailscale.com/tailcfg"
 "tailscale.com/types/netmap"
 "tailscale.com/wgengine/router"
@@ -221,7 +222,7 @@ func (a *App) runBackend() error {
 var (
 cfg configPair
 state BackendState
- service jni.Object
+ service jni.Object // of IPNService
 signingIn bool
 )
 for {
@@ -328,6 +329,17 @@ func (a *App) runBackend() error {
 if service != 0 {
 jni.DeleteGlobalRef(env, service)
 }
+ netns.SetAndroidProtectFunc(func(fd int) error {
+ return jni.Do(a.jvm, func(env *jni.Env) error {
+ cls := jni.GetObjectClass(env, s)
+ m := jni.GetMethodID(env, cls, "protect", "(I)Z")
+ ret, err := jni.CallBooleanMethod(env, s, m, jni.Value(fd))
+ if err != nil || ret == false {
+ log.Printf("[unexpected] VpnService.protect(%d) = %v, %v", fd, ret, err)
+ }
+ return nil
+ })
+ })
 service = s
 return nil
 })
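Review bot: The protect callback added in the -328 hunk returns `nil` even when `VpnService.protect` fails (`err != nil` or `ret == false`), so netns cannot tell a protected socket from an unprotected one and the only trace is a log line. With `addDisallowedApplication` removed from IPNService.java in this same commit, protect() appears to be the only thing keeping the app's own sockets off the tunnel, so a silent failure would route them into the VPN. If best effort is intended for now, say so above the final return, e.g. `// Best effort: log but do not fail the dial if protect fails; revisit once failures are understood.`; otherwise propagate with `if err != nil { return err }` plus a non-nil error for the false case. `ret == false` also reads better as `!ret`. The closure sits inside runBackend, whose body starts and ends outside the hunk.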
@@ -352,6 +364,7 @@ func (a *App) runBackend() error {
 jni.Do(a.jvm, func(env *jni.Env) error {
 defer jni.DeleteGlobalRef(env, s)
 if jni.IsSameObject(env, service, s) {
+ netns.SetAndroidProtectFunc(nil)
 jni.DeleteGlobalRef(env, service)
 service = 0
 }
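Review bot: The closure installed through `netns.SetAndroidProtectFunc` captures the same global ref that `jni.DeleteGlobalRef(env, service)` frees on the next line, so a protect call already in flight on another goroutine could touch the ref after it is deleted; whether that can happen depends on how netns synchronises the func, which is not visible here. The reconnect path in the -328 hunk has the wider window: it deletes the old `service` ref before installing the new func, so moving the `netns.SetAndroidProtectFunc(...)` call above that `if service != 0 { ... }` block would close it. Here the order is already right and a comment would keep it that way, e.g. `// Clear the protect func first: its closure holds the global ref deleted below.`. The enclosing runBackend body starts and ends outside the hunk.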