nostr:npub1c9d95evcdeatgy6dacats5j5mfw96jcyu79579kg9qm3jtf42xzs07sqfm does this Android bug also affect GrapheneOS?
DNS traffic can leak outside the VPN tunnel on Android
https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android
#cybersecgirl #vpn
Discussion
I think there was something going about last year where disabling internet connectivity checks stopped an IP leak but i'm not sure if this is related or I misunderstood a previous concern
This is different and was also misleading on Mullvad's part, it's intentionally designed that way.
We make an explanation on that here: https://grapheneos.org/faq#default-connections
You can also turn that off in GrapheneOS.
They would have, but we have heavy disagreements with Mullvad on how they phrase this as they fixed it within their app. If it is possible to set up apps in a way that they don't leak without OS changes then it was an app issue, it's premature to blame the OS. They are being unclear about this. The Android OS VPN implementation is unaffected. The OS could also prevent these leaks but it is possible they may not had viewed this in scope of the feature. DNS is handled in a special way and the VPN gets to set DNS separately from the VPN and can send it through it or outside it, etc.
VPN app developers should also be testing these basic cases themselves already ("only affect certain apps") and it appears they had not. As for the second case ("For a short period of time while a VPN app is re-configuring the tunnel or is being force-stopped/crashes"), this is being investigated. It sounds like an OS bug but a leak is not inherently responsible by the OS. Fortunately that second example is very limited.
It is also worth noting they did not discover these issues first rather they were reported to us by a GrapheneOS user which we posted about days before them. We are also aware of a local network multicast leak which is an actual OS bug which they haven't mentioned.
Also see: https://news.ycombinator.com/item?id=40252719
Mullvad are also linking an older article regarding a connectivity check "leak" which is misleading. That connectivity check is needed for determining which networks work, and triggering captive portals the user can interact with to log into WiFi networks with login pages. This would help you deal with the captive portal *without* disabling the VPN which would make everything else leak. GrapheneOS has also had the option to disable or change it for a long time.
Makes total sense. I also have disagreements with the way Mullvad handles a few things, so this kinda checks out. Thank you :)
What VPN you recommend?
Is there a VPN provider that the GrapheneOS team likes? For example, iVPN or ProtonVPN?
I am not on the GrapheneOS team, but as a professional, I use and recommend them both. Each have their own strengths for different purposes. It's important to have at least one backup VPN. I also recommend Mullvad, though I do disagree with the way they've handled some things recently. AFAIK GOS does not have an official VPN recommendation, but team members may have their personal preferences. We'll see what final has to say about it :)
We don't make choices on that since it requires an extremely high degree of trust to use a VPN. I am aware IVPN, Proton VPN and Mullvad have exceptional reputation but that isn't a formal recommendation. Some members go beyond and use Tor. For someone around Nostr I heard IVPN accepts Lightning and Mullvad has lightning resellers so that would likely be better for them.
I just use what I like. There's a lot of things people would enjoy knowing I use, but I also use a lot of things people in a lot of spaces would lynch me for using as well. Use what is best for you and learn more about that choice to help establish trust beforehand.
Great response. Pragmatic. 🙏