For WiFi you can try using an IP-based VPN app (such as the official WireGuard app) or the built-in IPSec / IKEv2 client with a non-routable DNS address, such as 0.0.0.0 or 127.0.0.1, or using the public blackhole servers - 192.175.48.1, 192.175.48.6, and 192.175.48.42. For mobile network - no idea...
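As an added illustration of the first suggestion above (it is not from the poster or the GrapheneOS project): a tunnel config for the official WireGuard app with its DNS pinned to one of the AS112 blackhole addresses named in the post, so that a query which escapes the tunnel is sent to a sink instead of a real resolver. The keys, addresses and endpoint are placeholders.

```ini
# Added example, not from the thread. WireGuard tunnel for the official app.
# All keys, the tunnel address and the endpoint below are placeholders.
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
# Sink resolver: one of the AS112 blackhole addresses from the post, so a
# leaked query goes nowhere useful instead of to a real upstream resolver.
DNS = 192.175.48.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# Send everything through the tunnel; pair with "Block connections without VPN".
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Caveat: with the tunnel's DNS blackholed, nothing inside the tunnel resolves either unless something else answers queries (a local resolver on 127.0.0.1, or an app such as RethinkDNS as mentioned later in the thread); whether that other path itself stays inside the tunnel is exactly the open question here.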
VPN leaks
You can also use router rules and/or router rules + local DNS server.
RethinkDNS may also do the trick because it can use built-in encrypted DNS, but I don't know if it does so outside VPN tunnels.
DeletedUser115 There aren't known issues with the built-in VPN support. There are only known issues with VPN apps and we haven't yet determined if the apps can be doing something to prevent all of it themselves.
OpenSource-Ghost Thanks! Does DNS configured in the Owner profile apply to all user profiles?
GrapheneOS Thank you, that's good to know the built-in VPN client is not affected.
GrapheneOS So as I understand it, this issue only occurs when a disconnect happens from the VPN side, exposing the DNS. But wouldn't GrapheneOS's own "always on VPN" service prevent the leak, since it waits for the VPN to reconnect before releasing traffic? (assuming the user has "always on VPN" turned... on)
PenPusher No, unfortunately, that is the issue. Even when "always on VPN" and "block connections not going over VPN" are enabled, DNS will leak in rare circumstances. The issue is apparently very hard to fix due to how DNS is implemented in relation to app based VPNs, but the GrapheneOS developers are working on a solution.
If you use the built-in VPN support instead of a VPN app, no leak will ever happen. The official WireGuard VPN app seemed to be more robust than some VPN provider specific ones, if you need to use WireGuard.
mmmm I tried to setup a native IPSec / IKEv2 client with Proton VPN but couldn't make it work. If you succeed, please post your settings, thank you 🌷
No luck with ProtonVPN free account and Netherlands servers.
Proton is the worst I've seen; it has bad routing. For example, on a MacBook, if you are connected to Proton and set up a VPN with your own server, the traffic bypasses Proton. I checked on my server and saw my private IP, which is not observed with PIA (Private Internet Access).
DeletedUser115 Hmmm. That's definitely my bad. It doesn't seem possible. I thought I had set it up like that on a little-used profile I have for a specific purpose, but in fact I used OpenVPN Connect. I was conflating that with setting up a free Proton account using the built-in VPN functionality of a Windows 10 machine, but even the instructions for that seem to have disappeared from Proton's website. Sorry for the bad info, all.
mmmm No worries and thank you for letting me know
What is the definition of "built-in VPN client"? IPSec? Isn't it the only one running in kernel mode? Maybe that is why it is not affected. It could be a race condition between the OS and user-space VPN apps.