Skyway A leaky implementation or one that's using the Owner profile VPN is never going to be accepted, which are two fatal flaws with the existing LineageOS implementation used elsewhere. A feature which adds major new VPN leaks is never going to be added. Both the leaks for the tethered clients and sending traffic through the Owner profile VPN are unacceptable. That approach will never be accepted and people might as well accept that. It is not how we do things.
Share VPN with hotspot ?
GrapheneOS Do we have any info on what these leaks are?
Whatnoww
DivestOS uses LineageOS as a base and inherits this feature. They document where they have observed leaks
https://divestos.org/pages/broken#papercuts
I found a pretty solid solution with the GL.iNet Mudi V2 mobile router. It will function as a hot spot and route all traffic through Mullvad (or other VPN providers). There are many more features and a hidden way to even change the IMEI of the device (but that's illegal in many countries).
It costs extra money and won't help much with the privacy drawbacks of using SIM cards in general (and you need very good OPSEC if you even want to make use of the IMEI feature). But as a mobile VPN router it's very sufficient for my use case, and it won't drain the phone battery or overheat the phone transceivers.
I'm not an expert in all of this, so before you rush out and buy such a device, I advise waiting for some experts to chime in and verify/falsify my statements.
Good thread. I was also caught by surprise in the following scenario.
I have a secondary Work profile where the WireGuard app is running with the Always-on VPN and Block connections without VPN toggles enabled in the system settings. I use this profile to access work related stuff on my phone when in need. I was abroad and away from WiFi, so the only internet connection came from the eSIM. I needed to submit some code and I did not want to do that on my phone, so I thought that for the first time I would just use my phone as a Hotspot while being logged in on the Work profile and connect my laptop to it. I was surprised to find that once connected my laptop was able to reach the internet but it was bypassing the VPN completely. I thought I misconfigured the Hotspot somehow, but there were no settings regarding this. I double checked the WireGuard app settings; there were no excluded apps or services there either.
I would argue that in the context described above such leaky VPN behavior is unexpected. Do I understand correctly from this discussion that this is something the WireGuard app developers have missed in their implementation?
banjon
Hotspot connections are not routed via any VPN.
If you want the other device's traffic to be routed through a VPN, you need to set up a VPN on that device.
matchboxbananasynergy I know it's been discussed a hundred times.
But I think it should be available because:
Humans make mistakes.
And it's just like mistakes WILL happen as time goes by.
The ONLY possibility, for a user to stay on VPN or Tor ALL THE TIME, without any leaks (unprotected internet connection), is to have the internet connection on a separate device, and the VPN/Tor installed on that separate device with a killswitch that works for the client device.
Otherwise here and there, connections will be unprotected.
Correct me if I'm wrong but if I am not wrong that is a pretty good reason to implement the feature of "allow connected devices to use the vpn of this device".
You said the way it's implemented on some devices right now does not make any sense.
Well then, who could implement it in a way that DOES make sense? I would say Grapheneos developers could do it.
N1b the IMEI change feature you are talking about, is that easy to use? I looked it up and I think it's hard for people to use it.
Or is this wrong and it's something you can do in a matter of a few clicks?
Did you try it?
RubenTortillaDip I did not, but it looks like it's just as simple as installing a plugin though.
Simple does not mean easy though. For this to make any sense, you have to regularly use new SIM cards whenever you change the IMEI and make sure your identity is not connected to the SIM or IMEI, meaning you buy your cards anonymously and don't use your router at home or very close to it. The effort is usually not worth it (except if you're on an Edward Snowden threat model and really need mobile data).
If you just change the IMEI, it won't do anything for your anonymity as it's just like changing your phone but keeping your provider.
While it would be nice if GOS let you set a specific VPN to route all hotspot traffic through, that apparently isn't going to happen.
The easiest solution, and one reasonably likely to occur, is the creation of an app that uses Bluetooth to connect to another device and acts as a bridge to the wider internet. Create what is basically a VPN app for the other device to force traffic into the Bluetooth link to the phone app, which in turn sends it out to the wider internet via the VPN.
N1b yeah I think it's not worth it anyway. I think it pulls unwanted attention. I think to use such a router device in general pulls attention.
When you check the first three digits of the IMEI of your specific router, what outcome does it have? Does it say it's a device by GL.iNet? Or what information do the first 3 digits give?
(In case you don't know, the first 3 digits of an IMEI refer to the manufacturer it comes from.)