General (Solved)
VPN leaks without default-enabled toggle for blocking leaks enabled

I was not connected to my always-on VPN when Graphene started updating. If I didn't want my ISP to know what I was doing (such as being in a country in which custom ROMs are not legal) this would be very bad. This was not an error by me, the user.

    tyron I would disable the updater and also use Google's time servers instead of GOS default time servers if you live in a country where GOS can get you legally in trouble...or not have it connected to the internet at all.

    I'm sure there are other identifiers, but those two come to mind

    You can sideload updates using adb

    matchboxbananasynergy I'm not sure if block connections without VPN is enabled before the user unlocks the device, but I'm not able to test it, although I think the updater can run before the user is unlocked

      On GrapheneOS, "Always on VPN" and "Block connections without VPN" are enabled by default. If the VPN stops running, or isn't connected, or anything like that, no traffic goes through. Therefore, there isn't an IP leak before it's had a chance to connect to whatever VPN server you're connecting to.

      @sfdhsgjjdkdh The device being locked or unlocked doesn't matter, the VPN is running in both cases, and the same principle re: blocking connections without VPN applies.

      Likewise, if you had an issue with connecting to updates before installing the VPN - the options to disable the updater, time server, SUPL proxy and connectivity check servers have always existed.

      In the installation you can set up the device without connecting to the internet and disable this before you do anything. Information on GrapheneOS infrastructure and not using it has been documented in detail. If users consider themselves at such high risk then they should be reading the documentation extensively on this.

      GrapheneOS changed the title to "VPN leaks without default-enabled toggle for blocking leaks".

      tyron

      I was not connected to my always on VPN when Graphene started updating.

      Always-on VPN is a separate toggle from blocking leaks when the VPN is down. GrapheneOS enables both by default, unlike standard Android where neither is enabled by default.

      This was not an error by me the user.

      You had the toggle for blocking connections without. It's enabled by default on GrapheneOS.

      GrapheneOS changed the title to "VPN leaks without default-enabled toggle for blocking leaks enabled".

      @raccoondad Please don't recommend people disable OS or app updates, especially for a reason that's not correct. The VPN kill switch feature works perfectly. If you want to avoid showing that you're using GrapheneOS based on connections, all you need is to switch to standard connectivity checks (or disable them, not really recommended due to loss of ability to use captive portals without disabling VPN and less importantly loss of internet downtime detection) and use a correctly working VPN with the default settings since GrapheneOS enables both of those toggles by default.

      I'm sure there are other identifiers, but those two come to mind

      Both of the connections you mentioned go through the VPN, so it's inaccurate. Connectivity checks are the only exception on GrapheneOS. NTP also doesn't go through the VPN on the stock OS, partly because it uses UDP which doesn't always work via a VPN and partly because correct time is needed to authenticate certificates and it makes it easier for users if it doesn't go through the VPN. We made the GrapheneOS HTTPS time connections go through the VPN by not making an exception for them like Android does for NTP.

        sfdhsgjjdkdh Blocking leaks is enabled before the user unlocks, even if the VPN doesn't support Direct Boot. If you have a VPN without Direct Boot support, which is normally the case, then you simply don't have working internet access before first unlock. The initial post is wrong about this. It's a configuration issue, and the default has the leak blocking toggle enabled.

          prompter It's in the OS settings for the VPN right underneath the always-on VPN toggle, which are both enabled by default on GrapheneOS. It's not something you need to manually enable on GrapheneOS but rather avoid turning it off when you enable the VPN.

            Some Android system components bypass the VPN, like the captive portal check, connectivity check and SUPL request.

            If you live in such a country, switching all those back to Google may be best.

            Btw, it could be an idea to allow the download of the required OS components over another channel than the website. Tor Browser uses many, where email, Telegram and others are allowed I think. It is a smaller file, so mirroring things on a Google server for example may help? Or possibly over Tor?

              GrapheneOS thank you! So the "always-on" toggle also makes sure the VPN stays enabled when the device is locked, and the "block connections" toggle also makes sure there is no traffic before first unlock after rebooting, for example?

              GrapheneOS all you need is to switch to standard connectivity checks

              What's the difference between standard and Graphene?

                Resurr
                From https://grapheneos.org/faq
                See the difference below in bold.

                Connectivity checks are performed for each network connection and for VPN connections on top of those. This allows the OS to choose the right underlying network for a VPN and to handle many types of captive portals without the user turning off their VPN.

                You can change the connectivity check URLs via the Settings ➔ Network & Internet ➔ Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.

                missing-root

                Some Android system components bypass the VPN, like the captive portal check, connectivity check and SUPL request.

                Connectivity / captive portal checks are the same thing. SUPL doesn't bypass the VPN on Tensor Pixels, only Snapdragon where it's implemented by the radio. NTP on AOSP / stock OS does, but this isn't AOSP / stock OS and GrapheneOS doesn't use NTP.

                Connectivity checks are the only default connection on GrapheneOS which don't go through the VPN.

                SUPL is only used after adding a carrier. Carrier IMS uses a dedicated VPN for Wi-Fi calling/texting which is another non-default connection which doesn't go through the Owner VPN but rather another VPN.

                If you live in such a country, switching all those back to Google may be best.

                Only connectivity checks are relevant to this on current devices. SUPL is only relevant for Pixel 5a and earlier.

                Btw, it could be an idea to allow the download of the required OS components over another channel than the website. Tor Browser uses many, where email, Telegram and others are allowed I think. It is a smaller file, so mirroring things on a Google server for example may help? Or possibly over Tor?

                Updates aren't hosted on our website and we don't want or need any third party hosting for them. Updates are done via the VPN like all other default connections which aren't connectivity checks.

                Resurr The default servers used across Android vs. our equivalent servers. There's no VPN by default so using our servers makes the most sense as the default. If users want to blend in with Android users with the same VPN provider rather than being visibly a GrapheneOS user to the network, they can change connectivity checks to Standard. It's covered in our FAQ.
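The thread describes two separate settings (Always-on VPN plus "Block connections without VPN") and one default connection that bypasses the VPN (the connectivity check, switchable between GrapheneOS and Standard servers). The script below is an added example for auditing those over adb; it is not code from the thread or from the GrapheneOS project. It assumes the AOSP settings keys always_on_vpn_app, always_on_vpn_lockdown, captive_portal_mode and captive_portal_https_url, and that the GrapheneOS "Internet connectivity check" option maps onto those keys.

```shell
#!/bin/sh
# Added example (not from the thread or GrapheneOS): audit the VPN leak-blocking
# toggles and the connectivity-check target over adb. Keys are AOSP's
# always_on_vpn_app / always_on_vpn_lockdown (secure) and captive_portal_mode /
# captive_portal_https_url (global); how the GrapheneOS "Internet connectivity
# check" option maps onto these keys is an assumption.

# evaluate_vpn APP LOCKDOWN: returns 0 only when traffic cannot bypass the VPN.
evaluate_vpn() {
    app="$1" lockdown="$2"
    if [ -z "$app" ] || [ "$app" = "null" ]; then
        echo "no always-on VPN app configured"
        return 1
    fi
    if [ "$lockdown" = "1" ]; then
        echo "always-on VPN '$app' with 'Block connections without VPN' enabled"
        return 0
    fi
    echo "always-on VPN '$app' but leak blocking is OFF: traffic flows while the VPN is down"
    return 1
}

# classify_checks MODE URL: which servers see connectivity checks, the one
# default connection that bypasses the VPN according to the thread.
classify_checks() {
    mode="$1" url="$2"
    if [ "$mode" = "0" ]; then echo "disabled"; return 0; fi
    case "$url" in
        *grapheneos*)               echo "grapheneos" ;;  # GrapheneOS servers (default)
        *gstatic.com*|*google.com*) echo "standard" ;;    # stock Android servers
        ""|null)                    echo "standard" ;;    # unset: AOSP built-in URL applies
        *)                          echo "other" ;;
    esac
}

# Live audit of an attached device; only runs when invoked with --device.
audit_device() {
    get() { adb shell settings get "$1" "$2" | tr -d '\r'; }
    evaluate_vpn "$(get secure always_on_vpn_app)" "$(get secure always_on_vpn_lockdown)"
    echo "connectivity checks go to: $(classify_checks "$(get global captive_portal_mode)" \
        "$(get global captive_portal_https_url)")"
}

if [ "${1:-}" = "--device" ]; then audit_device; fi
```

Run it as `sh audit.sh --device` with a device attached and USB debugging enabled; a non-zero exit from evaluate_vpn means the configuration the thread calls the default (both toggles on) is not in place.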