"Always-on VPN" is supposed to tunnel all WiFi and mobile data through the VPN tunnel without having to enable the "Block connections without VPN" feature, also known as VPN Lockdown/Killswitch. The "Block connections without VPN" feature is there for cutting off non-VPN traffic to prevent leaks in case the VPN connection is lost. When the VPN connection is established and is stable, there shouldn't be leaks even when the "Block connections without VPN" feature is not enabled. Such isn't the case, and leaks with a stable VPN connection do happen when the "Block connections without VPN" feature is not enabled.

I tested this on my WiFi and it shows the phone trying to resolve domains for various apps outside the VPN tunnel if the "Block connections without VPN" feature is not enabled. Again, that should not be happening if the VPN connection is stable.

Isn't that flawed implementation? Perhaps GrapheneOS can harden the "Always-on VPN" feature?

Always-on VPN allows for split tunneling, a useful feature.

Data leaks outside of the tunnel with "Always-on VPN" enabled even when split tunneling is not enabled for any apps.

One reply from developer was this - https://github.com/GrapheneOS/os-issue-tracker/issues/1477#issuecomment-1273655848 . I just wish "how it works" was explained...

I've monitored traffic on Windows PCs for a long time to know that the Killswitch feature is only there to stop data leaks outside of the VPN tunnel in case the VPN disconnects. The exact definition is "Disable Internet in case VPN disconnects". How is that different on Android?

This is a choice being made by your VPN app, not part of the OS design for this feature. It sounds like your VPN app is quite buggy.

Nope. BleepingComputer (in today's article) reports a confrontation about VPN leakage between Google and Mullvad VPN about Google deliberately selecting a design that leaks data - https://www.bleepingcomputer.com/news/google/android-leaks-some-traffic-even-when-always-on-vpn-is-enabled/ . Some of it is related to the connectivity check mechanism, and the article specifically mentions GrapheneOS as an OS that allows disabling such checks, but there are NTP leaks and some others upon device reboot.

MullvadVPN, NordVPN, ProtonVPN are affected, but it's an Android design issue, not a VPN app issue. That is why I suggest hardening the VPN killswitch.

https://issuetracker.google.com/issues/249990229

I think allowing inbound traffic not established by the client is of greater concern than outbound leaks, but VPN protocols like WireGuard leverage P2P and, as such, inbound VPN traffic not established by the client is expected.

    5 months later

    I second this. Google has confirmed that the problem exists but they won't fix it or add an option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled because, and I quote:
    "We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."
    https://issuetracker.google.com/issues/250529027
    I am officially requesting that this function be either added to lockdown or for there to be a togglable setting for this added below it.

    There already exists a toggle to disable connectivity checks under Network & internet

      tmp What does a connectivity check do exactly? What are the benefits of turning it off or to standard?

        tmp There already exists a toggle to disable connectivity checks under Network & internet

        OpenSource-Ghost Does this solve the issue, or do you still detect leaks even after disabling connectivity checks?

        WiFi calling traffic is allowed outside the VPN also.
        If your goal is to tunnel all traffic through a VPN, it is better to configure a VPN on your firewall (router).

        Resurr Connectivity check means it pings a server on the Internet, bypassing the VPN. It is used to tell whether you have a working connection so you can get an alert if there's no Internet.
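The original post describes seeing DNS lookups for apps leave the phone outside the tunnel, and the replies above explain two flows that Android sends outside the VPN on purpose (the connectivity check and WiFi calling). The script below is an added example, not code from the thread or from GrapheneOS: it parses a small constructed capture summary (one flow per line, in a simplified tcpdump-like layout invented for this example) and separates the expected exceptions from flows that a defender would count as leaks. The VPN interface name `tun0`, the VPN server endpoint `203.0.113.10:51820`, and the connectivity-check hostname allowlist are all assumptions you would replace with the values from your own device and VPN provider.

```python
"""Classify flows that left a phone via WiFi while the VPN was up.

Expected exceptions (tunnelled traffic, the VPN's own outer transport,
Android's connectivity check, WiFi calling IKE/IPsec) are separated from
application DNS, NTP and other traffic that a VPN user would call a leak.
All capture lines below are constructed for this example.
"""
import re
from collections import Counter
from typing import NamedTuple

# Assumptions: replace with your device's VPN interface and provider endpoint.
VPN_IFACE = "tun0"
VPN_SERVER = ("203.0.113.10", 51820)
# Assumption: hostname(s) the OS contacts for its connectivity/captive-portal check.
CONNECTIVITY_CHECK_HOSTS = {"connectivitycheck.gstatic.com"}
# IKE (500) and IPsec NAT-T (4500) as used by WiFi calling.
WIFI_CALLING_PORTS = {500, 4500}

# Constructed sample: "<epoch> <iface> <proto> <src>:<sport> > <dst>:<dport> [qname=|host=<name>]"
SAMPLE_CAPTURE = """\
1700000000 tun0 UDP 10.8.0.2:41000 > 10.8.0.1:53 qname=example.org
1700000001 wlan0 UDP 192.168.1.20:50123 > 192.168.1.1:53 qname=connectivitycheck.gstatic.com
1700000002 wlan0 TCP 192.168.1.20:50124 > 198.51.100.9:80 host=connectivitycheck.gstatic.com
1700000003 wlan0 UDP 192.168.1.20:50125 > 192.168.1.1:53 qname=api.somechatapp.example
1700000004 wlan0 UDP 192.168.1.20:123 > 203.0.113.5:123
1700000005 tun0 TCP 10.8.0.2:41001 > 93.184.216.34:443
1700000006 wlan0 UDP 192.168.1.20:51820 > 203.0.113.10:51820
1700000007 wlan0 UDP 192.168.1.20:4500 > 198.51.100.7:4500
"""


class Flow(NamedTuple):
    ts: int
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    name: str  # DNS qname or HTTP host if present, else ""


LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<iface>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?:qname|host)=(?P<name>\S+))?$"
)


def parse_capture(text: str) -> list[Flow]:
    """Parse the constructed capture format; lines that don't match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append(Flow(int(m["ts"]), m["iface"], m["proto"], m["src"],
                          int(m["sport"]), m["dst"], int(m["dport"]),
                          m["name"] or ""))
    return flows


def classify(flow: Flow) -> str:
    """Label a flow as tunnelled, an expected exception, or a leak category."""
    if flow.iface == VPN_IFACE:
        return "tunneled"
    if (flow.dst, flow.dport) == VPN_SERVER:
        return "vpn-transport"          # the tunnel's own encrypted outer packets
    if flow.name in CONNECTIVITY_CHECK_HOSTS:
        return "connectivity-check"     # sent outside the VPN by design (see thread)
    if flow.proto == "UDP" and flow.dport in WIFI_CALLING_PORTS:
        return "wifi-calling"           # also allowed outside the VPN
    if flow.dport == 53:
        return "leak:dns"
    if flow.proto == "UDP" and flow.dport == 123:
        return "leak:ntp"
    return "leak:other"


def find_leaks(text: str) -> list[tuple[int, str, str]]:
    """Return (timestamp, category, name-or-destination) for every leak flow."""
    leaks = []
    for f in parse_capture(text):
        label = classify(f)
        if label.startswith("leak:"):
            leaks.append((f.ts, label, f.name or f"{f.dst}:{f.dport}"))
    return leaks


def summarize(text: str) -> Counter:
    """Count flows per category, so exceptions and leaks can be compared."""
    return Counter(classify(f) for f in parse_capture(text))


if __name__ == "__main__":
    for ts, label, what in find_leaks(SAMPLE_CAPTURE):
        print(f"{ts} {label:10s} {what}")
    print(dict(summarize(SAMPLE_CAPTURE)))
```

On the constructed sample, the two connectivity-check flows, the VPN's own UDP transport and the WiFi-calling flow are filtered out as expected exceptions, and only the app DNS query and the NTP request are reported as leaks; on a real capture, the `leak:*` rows are what to compare with and without "Block connections without VPN" enabled.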