Notifications (FCM) bypass misconfigured VPN on rooted phones with bad config

horde If the reports are from Google's stock OS it might be because the Play apps are privileged on the stock OS, in which case presumably the experiment would yield different results on GrapheneOS.

This happens when I use the kernel module backend for WireGuard.
[…]
This doesn’t happen when I use the userspace backend of WireGuard.

And how exactly are we supposed to reproduce this, then?

other8026 changed the title to "Notifications (FCM) bypass misconfigured VPN?".

First, it would be nice if someone can see if they can reproduce this on GrapheneOS. I will later if I have time.

It's important to note that the "proof" for VPN "leaks" is setting up a dummy VPN on WireGuard. This could be a problem with their app, not with Android (and therefore not GrapheneOS).

It's also important to remember that computers are stupid and programmers sometimes fail to plan ahead for odd things to happen. In this case, misconfiguration can very well lead to unexpected behavior. So far, there is no evidence that Google apps can bypass the VPN on the stock OS or GrapheneOS when a VPN is properly configured.


Edit: I just tried on my phone with multiple dummy configs. I even copied a config from screenshots I found in the forum linked in the OP. I am NOT able to reproduce this. Notifications only come through when I connect to a correctly configured WireGuard server via the WireGuard app.

    other8026 changed the title to "Notifications (FCM) bypass misconfigured VPN? (not reproducible on GrapheneOS)".

    other8026 did you try with the kernel module backend on WireGuard? You can enable it in the settings, but it requires root AFAIK.

      Fibonacci I'm not familiar with this, though if it requires root (or changing things in developer tools) then it's not supported.

      I did see the official project account mention some sort of WireGuard support in the kernel. Here's what they said:

      There is kernel WireGuard support in Android which doesn't do any good yet because it hasn't been integrated into the network management infrastructure. Having support for it in the kernel doesn't accomplish anything without having the infrastructure developed to make use of it.

      Also, my phone isn't rooted so I couldn't test it even if I wanted to.

        other8026 changed the title to "Notifications (FCM) bypass misconfigured VPN on rooted phones with bad config".
        5 days later