"Block Connections Without VPN" local discovery

OpenSource-Ghost

Apps like NordVPN and ProtonVPN allow for local network discovery even when "Block Connections Without VPN" is enabled.

Does that mean that "Block Connections Without VPN" does not prevent local network discovery by default?
Does GrapheneOS block local network discovery when "Block Connections Without VPN" is enabled?
- Does GrapheneOS block local multicast traffic when "Block Connections Without VPN" is enabled?

I want to follow GrapeheneOS recommendation to use official WireGuard app, but official WireGuard app does not have any options to block local network discovery or traffic. I am concerned enabling UPnP or local peer discovery in torrent apps may bypass WireGuard app tunnel.

alfred

Hi OpenSource-Ghost

"Block Connections Without VPN" Does block local traffic. i.e. You can't access your wifi router on local IP.
What do you mean by local network discovery? Accessing the local network?
Multicast only works in a local network and is not currently blocked. See below

OpenSource-Ghost but official WireGuard app does not have any options to block local network discovery or traffic

If your Allowed IPs is 0.0.0.0/0, it blocks the local network traffic. You can hit the check mark to Exclude Private IPs. but "Block connection without VPN" will need to be disabled.

Multicast
multicast is not blocked when the VPN is on. Not sure if this is by design or not. There is currently a report on Github about it and there has been some discussion here on the forum. Multicast traffic is limited to the local network and does not go beyond the router and does not route over a VPN.

It looks like torrent local peer discovery uses multicast for discovery, so it may bypass wireguard.

If you are on a VPN, is there a reason to have local peer discovery or UPnP turned on? Just curious, I am not very familiar with torrent apps, but if you don't want it available on the local network, can't you disable that option in the app?

OpenSource-Ghost

UPnP and similar technologies are blocked when using provider (NordVPN) software that comes with local discovery disablement options. I checked that via previous router packet logs, but current ISP-supplied router does not have access to such logs and I have no way to test whether official WireGuard app blocks UPnP, SSDP, and other local discovery packets used by torrents.

I refuse to use NordVPN software though. Their apps are officially closed-source for Windows, Android, and iOS. They add a ton of remote access sharing features, use MQTT over TLS + keepalive TLS feed outside of VPN tunnel, and act shady by not giving out their clients WireGuard keys. You have to use Ubuntu to generate special token via NordVPN account page, and convert it with a script to finally obtain your private WireGuard keys.

I think GrapheneOS should add multicast block and IP isolation feature of their own, not dependent on use of any VPN interfaces.

matchboxbananasynergy

This is now resolved via https://github.com/GrapheneOS/os-issue-tracker/issues/3443