VPN leaks

ben_sherp

As you may have seen, Mullvad is reporting a VPN leak affecting, as far as I understand, all Android versions.

I know mullvad is planning to release an update, but it only updates 1 out of 2 leaks.

Can anyone please confirm this also affects GrapheneOS?
Is there anything else people should be doing?

https://www.mullvad.net/en/blog/2024/5/3/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android/

akc3n

ben_sherp see https://twitter.com/GrapheneOS/status/1786408484973564282

Also, more here:
https://news.ycombinator.com/item?id=40252719

firepotato

https://grapheneos.social/@GrapheneOS/112316307560525598

ryrona

This is the DNS leak I found in the context of GrapheneOS a few weeks ago.

https://github.com/GrapheneOS/os-issue-tracker/issues/3442

Stewart

Configuring private DNS in Android settings plus VPN can help solve the problem?

[deleted]

Stewart
is this correct?

GrapheneOS

Stewart [deleted] It might prevent leaks for the Owner user but Private DNS does not mix well with VPN usage on secondary users, and using Private DNS should not be needed to prevent leaks when using VPN apps. Using different DNS will make your traffic stand out from other VPN users.

DeletedUser115

Is using built-in IPSec / IKEv2 VPN client the best mitigation as of now?

Or what else we can practically do to prevent DNS leaks?

GrapheneOS

DeletedUser115 There aren't known issues with the built-in VPN support. There are only known issues with VPN apps and we haven't yet determined if the apps can be doing something to prevent all of it themselves.

OpenSource-Ghost

For WiFi you can try using IP-based VPN app (such as official WireGuard app) or built-in IPSec / IKEv2 with non-routable DNS address, such as 0.0.0.0, 127.0.0.1, or using public blackhole servers - 192.175.48.1, 192.175.48.6, and 192.175.48.42. For mobile network - no idea...

DeletedUser115

OpenSource-Ghost Thanks! Is DNS configured in the Owner profile applies to all user profiles?

OpenSource-Ghost

You can also use router rules and/or router rules + local DNS server.

OpenSource-Ghost

RethinkDNS may also do the trick because it can use built-in encrypted DNS, but I don't know if does so outside VPN tunnels.

DeletedUser115

GrapheneOS Thank you, that's good to know the built-in VPN client is not affected.

PenPusher

GrapheneOS So as I understand this issue only occurs when a disconnect happens from the VPN side exposing the DNS. But wouldn't graphene's own "always on VPN" service prevent the leak since it waits for the VPN to re-connect before releasing traffic? (assuming the user has "always on VPN" turned... on)

ryrona

PenPusher No, unfortunately, that is the issue. Even when "always on VPN" and "block connections not going over VPN" are enabled, DNS will leak in rare circumstances. The issue is apparently very hard to fix due to how DNS is implemented in relation to app based VPNs, but the GrapheneOS developers are working on a solution.

If you use the built-in VPN support instead of a VPN app, no leak will ever happen. The official Wireguard VPN app seemed to be more robust than some VPN provider specific ones, if you need to use Wireguard.

Arnauld

ryrona If you use the built-in VPN support instead of a VPN app

Do you think it is possible with Protonvpn? Thank you.

mmmm

Arnauld yes, you can find the credentials to do so within your pvpn account pages

DeletedUser115

mmmm I tried to setup a native IPSec / IKEv2 client with Proton VPN but couldn't make it work. If you succeed, please post your settings, thank you 🌷

mmmm

DeletedUser115 hmmm. Thats definitely my bad. It doesnt seem possible. I thought I had set it up like that on a little used profile I have for a specific purpose but in fact I used OpenVPN Connect. I was conflating that with setting up a free proton account using the in built VPN functionality of a windows 10 machine but even the instructions for that seem to have disappeared from Protons website. Sorry for the bad info all.