I'm looking for more info, tips and any other useful tidbits regarding the app and its usage with GrapheneOS.

Usage is not for the DNS functions (WireGuard 3rd party VPN and its own DNS), rather the firewall/Little Snitch type functionality.

Anyone who uses it got any thoughts?

Thanks!

16 days later

ignoramous I really appreciate this. It's this type of thing I was after; 'best settings' and then a bit of instruction on the 'play it by ear' stuff.

The split tunnel WireGuard thing, does that mean I can set up a couple of WireGuard VPNs (say one based in the UK and one based in Italy) and then wire individual apps to either? How about specific IPs whilst using a browser? How does that work if so, can they both effectively work at the same time? Maybe I have my wires crossed, as it were.

    mmmm The split tunnel WireGuard thing, does that mean I can set up a couple of WireGuard VPNs (say one based in the UK and one based in Italy) and then wire individual apps to either

    Yes, this works like you describe, with the only caveat that the DNS resolver used for ALL apps is whatever is set up with Rethink, discounting WireGuard's DNS (which is running in Advanced mode). That's because it isn't trivial to implement split-tunneling for DNS, but we've been making progress to make it work; though, it will tend to misbehave as Android itself does not support it and what we've built is an elaborate... hack (ref).

    Rethink does use WireGuard's DNS resolver when running in Simple mode.

    Rethink will proxy user-set DNS resolver (when WireGuard is in Advanced mode) over any Always-on WireGuard, unless Never proxy DNS is turned ON in Configure -> DNS.

    mmmm How about specific IPs whilst using a browser?

    Rethink doesn't split-tunnel based on IPs and domains, yet. Only based on apps.

    mmmm How does that work if so, can they both effectively work at the same time?

    It does work, but of course there exist bugs with running multiple WireGuards that we've been ironing out over the past 8 months or so and continue to, as they get reported or as we find them ourselves.

      ignoramous thanks again for all the useful info.

      ignoramous WireGuard's DNS

      When you speak of this, do you just mean the DNS of the VPN I'm running via wireguard? In my case proton? My goal is to only ever run the same DNS as the VPN provider I'm using is using. This is for privacy concerns. So all that info you gave me regarding using multiple wireguard connections will indeed run through the DNS of the VPN app?
      I'm sorry to ask potentially obvious clarification but I'm always ever so confused when talking network setups.

      Another thing I was interested in, and I saw some discussion on your GitHub regarding it, is potential Tailscale integration. What is the current state of affairs/ideas regarding this? I have opted to just omit my home lab services from my GrapheneOS device in favour of Rethink + ProtonVPN, due to the functionality of your app, but that comes at the cost of not having the instances I want to use available.
      In an ideal world I would have both!

        mmmm do you just mean the DNS of the VPN I'm running via wireguard? In my case proton? My goal is to only ever run the same DNS as the VPN provider I'm using is using.

        Yes, by "WireGuard's DNS" I mean the DNS of the VPN as set up via its WireGuard configuration. Rethink doesn't use that DNS when running multiple WireGuards at the same time. In Simple WireGuard mode however, Rethink uses WireGuard's DNS.

        mmmm What is the current state of affairs/ideas regarding this?

        Tailscale integration wasn't straightforward, so I've paused working on it. It is doable but it is not a priority given the complexity, and other pending bugs / features.


          ignoramous Tailscale integration wasn't straightforward, so I've paused working on it. It is doable but it is not a priority given the complexity, and other pending bugs / features.

          That's a shame but I understand.

          ignoramous Rethink doesn't use that DNS when running multiple WireGuards at the same time. In Simple WireGuard mode however, Rethink uses WireGuard's DNS

          Ah OK. Thanks for clearing it up for me. So what DNS does Rethink use in this case?

          Another little question I had concerns "on device blocklists". I know I probably should know, but what is this exactly and how does it relate to the stuff provided by the DNS we have been discussing? Could you explain it like I'm 5 years old please? For example, is it simply and literally on device? So bears no privacy implications?

          Thanks for your great app and excellent support.

            ignoramous

            Ok I’m really sorry to seemingly ask the same question over and over but I am straight up microwaving my frontal cortex trying to comprehend this galaxy brain app

            I'm trying to set up an internet connection that uses Mullvad VPN and DNS to minimize fingerprint uniqueness, and use something to locally control what traffic is allowed in and out of my GOS phone.

            From what I can understand so far... I do not need the Mullvad app.

            I only need the RDNS app to actually manage everything, right?

            I am trying to enter an unused WireGuard key from Mullvad's website into RDNS, but I must be getting my key from the wrong place because RDNS is asking for a public key (or will generate one?) and a private key and addresses, and I don't even know if this key I'm looking at is public or private, and I only have the one, and it's erroring because I don't have anything in addresses. What do I put in addresses? Do I need to put the custom port provided by Mullvad into the listen port or let it be random? Do I need to worry about the MTU, too?

              GlytchMeister I am trying to enter an unused WireGuard key from Mullvad's website into RDNS,

              Those fields (public key, private key, endpoint etc) are almost never set up "manually". You need to download / scan the QR code of your Mullvad profile's WireGuard configuration (I believe, from here: https://mullvad.net/en/download/wireguard-config/).

              1. In Rethink, go to Configure -> Proxy -> Setup WireGuard
              2. Tap on the + floating button near the footer.
              3. Tap on QR CODE if you're scanning a QR code, or on Import if you've downloaded the WireGuard configuration.
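The confusion above (one key pasted by hand, no addresses, errors on import) comes from the fact that a provider-issued WireGuard profile is a small INI file carrying both the device's private key and the peer's public key, plus Address, DNS, AllowedIPs and Endpoint. The parser and checker below are an added example, not Rethink's or Mullvad's code: they read the standard wg-quick format and report the same missing fields an importer would reject a file for. The sample profile is constructed (zero-byte keys, documentation IP addresses); the field names are the standard ones, and the check list is my assumption of what a minimal importer needs, not Rethink's actual validation.

```python
import base64
import binascii
import re

# Constructed sample in the shape of a provider-issued WireGuard profile.
# Both keys are 32 zero bytes in base64 (structurally valid, NOT real keys)
# and the endpoint is a documentation address; nothing here is a live config.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.64.0.2/32, fc00:bbbb:bbbb:bb01::1/128
DNS = 10.64.0.1

[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 198.51.100.10:51820
"""

SECTION_RE = re.compile(r"\[(\w+)\]")
# host:port where host is a hostname, IPv4 literal, or bracketed IPv6 literal
ENDPOINT_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5})$")


def is_wg_key(value):
    """A WireGuard key is 32 raw bytes, base64-encoded (44 chars ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...]).

    Keys are lower-cased and every value is a list, because Address, DNS
    and AllowedIPs are comma-separated. Only the first '=' splits key from
    value, since base64 keys themselves end in '='.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = {"_section": m.group(1).lower()}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip().lower(), []).extend(values)
    interfaces = [s for s in sections if s["_section"] == "interface"]
    peers = [s for s in sections if s["_section"] == "peer"]
    if len(interfaces) != 1:
        raise ValueError("expected exactly one [Interface] section")
    return interfaces[0], peers


def check_wg_conf(text):
    """Return the problems an importer would reject the file for ([] when OK)."""
    try:
        iface, peers = parse_wg_conf(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    keys = iface.get("privatekey", [])
    if len(keys) != 1 or not is_wg_key(keys[0]):
        problems.append("[Interface] PrivateKey missing or not a 32-byte base64 key")
    if not iface.get("address"):
        problems.append("[Interface] Address missing: the tunnel's own IP(s) are required")
    for opt in ("listenport", "mtu"):           # optional, but numeric if present
        for v in iface.get(opt, []):
            if not v.isdigit():
                problems.append(f"[Interface] {opt} must be numeric, got {v!r}")
    if not peers:
        problems.append("no [Peer] section: nothing to connect to")
    for i, peer in enumerate(peers):
        pk = peer.get("publickey", [])
        if len(pk) != 1 or not is_wg_key(pk[0]):
            problems.append(f"[Peer {i}] PublicKey missing or malformed")
        if not peer.get("allowedips"):
            problems.append(f"[Peer {i}] AllowedIPs missing: no traffic would be routed")
        ep = peer.get("endpoint", [])
        m = ENDPOINT_RE.match(ep[0]) if len(ep) == 1 else None
        if not m or not 1 <= int(m.group(2)) <= 65535:
            problems.append(f"[Peer {i}] Endpoint must be host:port")
    return problems


if __name__ == "__main__":
    print("full profile:", check_wg_conf(SAMPLE_CONF))
    # The situation in the thread: one key typed in by hand and no Address line.
    print("key only:", check_wg_conf("[Interface]\nPrivateKey = " + "A" * 43 + "=\n"))
```

Running it on a downloaded profile before importing shows at a glance which of the two keys is which (PrivateKey lives under [Interface], the server's PublicKey under [Peer]) and that Address and Endpoint are part of the file, which is why scanning the QR code or importing the file, rather than typing a single key, is the route that works. ListenPort and MTU are optional and are left out of most provider profiles.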

                mmmm So what DNS does rethink use in this case?

                In case of Advanced WireGuard, Rethink uses the user-preferred DNS upstream as set in Configure -> DNS, but this upstream is tunneled over any one of the Always-on WireGuards (if set up) AND if Never proxy DNS is turned OFF (in Configure -> DNS).

                mmmm For example, is it simply and literally on device? So bears no privacy implications?

                Yes, these DNS blocklists must be downloaded from Rethink's servers. These help Rethink make decisions on what domains to block locally on-device.

                One privacy implication I can think of right now is one has to trust Rethink (to keep those blocklists untouched and updated).

                  ignoramous

                  But RDNS is open source, so people can check for themselves and raise the alarm if, hypothetically, RDNS started misbehaving or was compromised, right?

                  ignoramous

                  Maybe it's because I'm using my old iPhone to look at Mullvad's website. I'll try again on my laptop later.

                  ignoramous In case of Advanced WireGuard, Rethink uses the user-preferred DNS upstream as set in Configure -> DNS, but this upstream is tunneled over any one of the Always-on WireGuards (if set up) AND if Never proxy DNS is turned OFF (in Configure -> DNS).

                  So just to be clear, advanced mode will use the DNS of, say, Proton or Mullvad, setting the config as you directed?

                  Also a quick side question. On another thread a user claimed (and until I did a cursory check I also presumed) that in simple mode there is no such thing as a true always-on mode, like the Rethink app would 'take over' that function from Android and be always on, but if I disconnected the WireGuard VPN connection within the app it wouldn't hold true in the same sense. Can you please verify this? It seems it does sever connections but I'm worried as I have heard multiple claims to the contrary.

                  Thanks for all the help, the app is powerful but quite complicated for the uninitiated. To clarify, the app probably isn't but the actual concepts are.

                    a month later

                    mmmm So just to be clear, advanced mode will use the DNS of, say, Proton or Mullvad, setting the config as you directed?

                    No, the exact opposite: only Simple mode will.

                    A "preferred" DNS upstream is whatever upstream the user has set from Configure -> DNS in Rethink (or Android's Private DNS, if that is set).

                    mmmm Can you please verify this?

                    Sorry, will you please reword your query? I couldn't understand it fully.

                    mmmm To clarify, the app probably isn't but the actual concepts are.

                    Yep. We plan to use the open-source Gemma 2 2B model on-device to let users talk to the app's database and our documentation in natural language in a bid to help ease this. We've applied for a grant to work on this from Mozilla. Let's see how that goes.

                      ignoramous Sorry, will you please reword your query? I couldn't understand it fully.

                      Sorry. I suppose the question can be: asked of simple mode, how is the additional 'always on' VPN used? Is it the first VPN as such? If, say, Proton is it, is it that? Or merely the connection to Rethink?

                        mmmm sorry I don't know how to put that in workable English!

                        mmmm asked of simple mode, how is the additional 'always on' VPN used? Is it the first VPN as such? If, say, Proton is it, is it that? Or merely the connection to Rethink?

                        If you mean Android's Always-on VPN setting, then it is Android that enforces it, as in Android makes sure the "always on" VPN is always up and running. If not, the user is shown a notification.

                        If you mean Rethink's Always-on WireGuard, then that's a different concept.

                        1. An Always-on WireGuard cannot be turned OFF.
                        2. An Always-on WireGuard is used by any app that isn't proxied by any other WireGuard configuration.
                        3. If multiple WireGuards are set Always-on, then any one (that is connected / working) among them is selected.
                        4. If ALL Always-on WireGuards don't work (aren't connected / working) then Rethink does not bypass it. This manifests as connection timeouts / connectivity loss for apps.

                        Rethink's Simple mode WireGuard configurations are by default Always-on.

                          ignoramous sorry for being confusing. I'm referring to the fact that Android's always-on VPN ensures that Rethink is always on. Does Rethink mitigate that by ensuring it itself has an always-on VPN connection? I wouldn't want Rethink to accidentally trick Android (and me) into thinking I'm protected via a VPN service, when really I'm just connected to Rethink.

                          I think from your previous response that Rethink's always-on connection (in simple mode) does work as intended.

                            mmmm previous response that Rethink's always-on connection (in simple mode) does work as intended

                            Yes. You got it.