diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index c8ac965f1b54bdc1eb77aff54b2f0747c7dc1617..29162908d329d977cd16b5d466a38bc28af1ca99 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -90,6 +90,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
     private VpnNotificationManager notificationManager;
     private ObfsvpnClient obfsVpnClient;
     private FirewallManager firewallManager;
+    private boolean mIsLockdownEnabled = false;
 
     private final IBinder mBinder = new IOpenVPNServiceInternal.Stub() {
 
@@ -561,10 +562,38 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
         return cfg;
     }
 
+    public void determineLockdownState() {
+        Builder builder = new Builder();
+
+        try {
+            builder.addAddress(mLocalIP.mIp, mLocalIP.len);
+        } catch (IllegalArgumentException iae) {
+            return;
+        }
+
+        ParcelFileDescriptor tun = null;
+        try {
+            tun = builder.establish();
+            mIsLockdownEnabled = isLockdownEnabledCompat();
+        } catch (Exception e) {
+            VpnStatus.logError(getString(R.string.error) + e.getLocalizedMessage());
+        } finally {
+            if (tun != null) {
+                try {
+                    tun.close();
+                } catch (Exception e) {
+                    VpnStatus.logError(getString(R.string.error) + e.getLocalizedMessage());
+                }
+            }
+        }
+    }
+
     public ParcelFileDescriptor openTun() {
 
         //Debug.startMethodTracing(getExternalFilesDir(null).toString() + "/opentun.trace", 40* 1024 * 1024);
 
+        determineLockdownState();
+
         if (mProfile == null) {
             VpnStatus.logError("Refusing to open tun device without profile.");
             return null;
@@ -618,6 +647,16 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 
         builder.setMtu(mMtu);
 
+        // Don't exclude local addresses at all in lockdown mode.
+        // Otherwise, incoming traffic can still bypass lockdown (AOSP quirk/bug).
+        if (mIsLockdownEnabled) {
+            mRoutes.clear();
+            mRoutesv6.clear();
+            addRoute(new CIDRIP("0.0.0.0", 0), true);
+            addRoutev6("::/0", true);
+        }
+
+
         Collection<IpAddress> positiveIPv4Routes = mRoutes.getPositiveIPList();
         Collection<IpAddress> positiveIPv6Routes = mRoutesv6.getPositiveIPList();
 
@@ -692,7 +731,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
             ipv6info = mLocalIPv6;
         }
 
-        if ((!mRoutes.getNetworks(false).isEmpty() || !mRoutesv6.getNetworks(false).isEmpty()) && isLockdownEnabledCompat())
+        if ((!mRoutes.getNetworks(false).isEmpty() || !mRoutesv6.getNetworks(false).isEmpty()) && mIsLockdownEnabled)
         {
             VpnStatus.logInfo("VPN lockdown enabled (do not allow apps to bypass VPN) enabled. Route exclusion will not allow apps to bypass VPN (e.g. bypass VPN for local networks)");
         }