VPN leaks

Bben_sherp · May 4, 2024

As you may have seen, Mullvad is reporting a VPN leak affecting, as far as I understand, all Android versions.

I know mullvad is planning to release an update, but it only updates 1 out of 2 leaks.

Can anyone please confirm this also affects GrapheneOS?
Is there anything else people should be doing?

https://www.mullvad.net/en/blog/2024/5/3/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android/

Ffirepotato · May 4, 2024

https://grapheneos.social/@GrapheneOS/112316307560525598

akc3n · May 4, 2024

ben_sherp see https://twitter.com/GrapheneOS/status/1786408484973564282

Also, more here:
https://news.ycombinator.com/item?id=40252719

Rryrona · May 4, 2024

This is the DNS leak I found in the context of GrapheneOS a few weeks ago.

https://github.com/GrapheneOS/os-issue-tracker/issues/3442

SStewart · May 4, 2024

Configuring private DNS in Android settings plus VPN can help solve the problem?

[deleted] · May 5, 2024

Stewart
is this correct?

GrapheneOS · May 20, 2024

Stewart [deleted] It might prevent leaks for the Owner user but Private DNS does not mix well with VPN usage on secondary users, and using Private DNS should not be needed to prevent leaks when using VPN apps. Using different DNS will make your traffic stand out from other VPN users.

DDeletedUser115 · May 22, 2024

Is using built-in IPSec / IKEv2 VPN client the best mitigation as of now?

Or what else we can practically do to prevent DNS leaks?

OOpenSource-Ghost · May 22, 2024

For WiFi you can try using IP-based VPN app (such as official WireGuard app) or built-in IPSec / IKEv2 with non-routable DNS address, such as 0.0.0.0, 127.0.0.1, or using public blackhole servers - 192.175.48.1, 192.175.48.6, and 192.175.48.42. For mobile network - no idea...

OOpenSource-Ghost · May 22, 2024

You can also use router rules and/or router rules + local DNS server.

OOpenSource-Ghost · May 22, 2024

RethinkDNS may also do the trick because it can use built-in encrypted DNS, but I don't know if does so outside VPN tunnels.

GrapheneOS · May 22, 2024

DeletedUser115 There aren't known issues with the built-in VPN support. There are only known issues with VPN apps and we haven't yet determined if the apps can be doing something to prevent all of it themselves.

DDeletedUser115 · May 23, 2024

OpenSource-Ghost Thanks! Is DNS configured in the Owner profile applies to all user profiles?

DDeletedUser115 · May 23, 2024

GrapheneOS Thank you, that's good to know the built-in VPN client is not affected.

PPenPusher · May 30, 2024

GrapheneOS So as I understand this issue only occurs when a disconnect happens from the VPN side exposing the DNS. But wouldn't graphene's own "always on VPN" service prevent the leak since it waits for the VPN to re-connect before releasing traffic? (assuming the user has "always on VPN" turned... on)

Rryrona · Jun 1, 2024

PenPusher No, unfortunately, that is the issue. Even when "always on VPN" and "block connections not going over VPN" are enabled, DNS will leak in rare circumstances. The issue is apparently very hard to fix due to how DNS is implemented in relation to app based VPNs, but the GrapheneOS developers are working on a solution.

If you use the built-in VPN support instead of a VPN app, no leak will ever happen. The official Wireguard VPN app seemed to be more robust than some VPN provider specific ones, if you need to use Wireguard.

AArnauld · Jun 2, 2024

ryrona If you use the built-in VPN support instead of a VPN app

Do you think it is possible with Protonvpn? Thank you.

Mmmmm · Jun 2, 2024

Arnauld yes, you can find the credentials to do so within your pvpn account pages

DDeletedUser115 · Jun 2, 2024

mmmm I tried to setup a native IPSec / IKEv2 client with Proton VPN but couldn't make it work. If you succeed, please post your settings, thank you 🌷