I just found a combination of steps that causes Always-on VPN + Block Connections Without VPN to be disabled, even when the phone and data are at rest (not unlocked after restart).

Steps to recreate:

Turn on Always-on VPN + Block connections without VPN, or just Always-on

Lock the phone and restart

Put it into Safe Mode

Bingo, Safe Mode just disabled all settings and now your traffic is routed through without encryption

Worst part: after leaving Safe Mode, the settings aren't recovered, so unless you notice it, you're without VPN

Somehow it also disables the VPN's ability to autostart on boot, so no auto connection either, ofc unless you notice it

    Rookie Lock the phone and restart

    Put it into Safe Mode

    Bingo, Safe Mode just disabled all settings and now your traffic is routed through without encryption

    How much network traffic is there before the first unlock?

    Rookie Worst part: after leaving Safe Mode, the settings aren't recovered, so unless you notice it, you're without VPN

    I have used safe mode, and for sure not all of my settings were lost. If VPN settings in particular are lost that might be a bug, especially if it happens for all VPN clients. Which VPN clients have you observed this happening with?

      This is important!

      An attacker could just reboot into safe mode and reboot again. As auto-reboot is a thing, especially when frequent, the user would not be surprised the phone rebooted.

      Having some basic WireGuard app as a system app would be great. It is somewhat big/bloat, but may be essential. It is not Orbot though, so not for generalized anonymity.

      Arti is licensed under Apache V2 or MIT license, which means it is fitting for GrapheneOS, right? It is on 1.0.0 now. (Arti is an official rewrite of tor in Rust)

      tor is licensed under 3-clause BSD as is Orbot.

        missing-root auto-reboot performs a normal reboot, not a reboot into safe mode.
        Even if it did/could, it doesn't bypass BFU.

        missing-root Having some basic WireGuard app as a system app would be great. It is somewhat big/bloat, but may be essential. It is not Orbot though, so not for generalized anonymity.

        Arti is licensed under Apache V2 or MIT license, which means it is fitting for GrapheneOS, right? It is on 1.0.0 now. (Arti is an official rewrite of tor in Rust)

        This is out of scope for the GoS team, but you are welcome to fork and make a build including whatever you want. Just be sure to remove any GrapheneOS branding, as it would no longer officially be GoS.

          Rookie Yeah, that was my point, adversary can reboot me to safe mode and read traffic open

          But how much network traffic happens before the device is unlocked?

          4 days later

          N3rdTek yeah, I can imagine you would say that, and it is understandable.

          "Simply Forking GrapheneOS" is not sustainable at all. So I don't see this as a real request.

          Including, for example, the official WireGuard app would neutrally solve this problem, and users could still disable the app.

          It is Apache 2.0 licensed btw.

          So I don't see GrapheneOS implementing it. At the same time, it may be required for some threat models, or also for, for example, work phones.

          The threat model is not completely clear, as no identifiable data is probably sent over whatever router the attacker would be on that may log the traffic.

          The only solution would be allowing another small app into the empty system partition. The disadvantages, apart from maintenance, would be tiny, as people can just disable it.

          But the other way around is not possible.

          Another option would be allowing to disable safe mode.


            missing-root The threat model is not completely clear, as no identifiable data is probably sent over whatever router the attacker would be on that may log the traffic.

            Can somebody explicitly state one or more threatening scenarios? Here's what I can think of:

            1. While I'm not looking at it, somebody reboots my phone into safe mode. Because it's BFU, it mostly just sits there. But I don't notice it's in safe mode, so I unlock it and all of my apps start communicating with their favorite servers without my VPN client being active.
            2. Somebody confiscates my phone and reboots it into safe mode. Because it's BFU, it mostly just sits there. It might contact the GrapheneOS time servers or something like that, but because my user profiles are all locked, my VPN client isn't running and none of my other apps are running either, so they aren't making network connections.

            Are there other potentially problematic scenarios? Or did I make mistakes above?