Share VPN with hotspot ?

Carlos-Anso

banjon
Hotspot connections are not routed via any VPN.
If you want the other devices traffic to be routed to a VPN you need to set up a VPN on that device

RubenTortillaDip

matchboxbananasynergy I know it's discussed a hundret times.

But I think it should be available because:
Humans make mistakes.
And it's just like mistakes WILL happen as time goes by.
The ONLY possibility, for a user to stay on VPN or tor ALL TIME, without any leaks (unprotected internet connection), is to have the internet connection on a seperate device, and the VPN/tor, on that separate device Installed with a killswitch that works for the client device.
Otherwise here and there, connections will be unprotected.

Correct me if I'm wrong but if I am not wrong that is a pretty good reason to implement the feature of "allow connected devices to use the vpn of this device".

You sayed the whay it's implemented on some devices right now does not make any sense.
Well then, who could implement it in a way that DOES make sense? I would say Grapheneos developers could do it.

RubenTortillaDip

N1b the imei change feature you are talking about, is that easy to use? I looked it up and I think it's hard for people to use it.
Or is this wrong and it's something you can do in a matter of a few clicks?
Did you try it?

N1b

RubenTortillaDip I did not, but it looks like it's just as simple as installing a plugin though.

Simple does not mean easy though. For this to make any sense, you have to regularly use new SIM cards whenever you change the IMEI and make sure your identity is not connected to the SIM or IMEI, meaning you buy your cards anonymously and don't use your router at home or very close to it. The effort is usually not worth it (except if you're on an Edward Snowden threat model and really need mobile data).

If you just change the IMEI, it won't do anything for your anonymity as it's just like changing your phone but keeping your provider.

RubenTortillaDip

N1b yeah I think it's not worth it anyway. I think it pulls unwanted attention. I think to use such a router device in general pulls attention.
When you check the first three letters of the emei of your specific router, what outcome does it have? Does it say it's a device by gli net? Or what information do the first 3 letters give?
(In case you don't know the first 3 letters of an imei refer to the manufacturer it comes from)

JollyRancher

While it would be nice if GOS let you set a specific VPN to route all hotspot traffic through, that apparently isn't going to happen.

The easiest, reasonable likely to occur, solution is the creation of an app that uses Bluetooth to connect to another device and acts as a bridge to the wider internet. Create what is basically a VPN app for the other device to force traffic into the Bluetooth link to the phone app which in turn sends it out to the wider internet via the VPN.

onehalf3544

(sorry for necroposting, but I hope I found the latest thread regarding this topic)

What's the current status of this?
Sadly, the https://github.com/GrapheneOS/os-issue-tracker/issues/30 got deleted, so it's completely unclear ;(
(btw, https://divestos.org/pages/broken#papercuts is also broken)

Is there a list of concerns that prevent the implementation? So that those could be discussed one by one..

Thanks.

r134a

onehalf3544 I would advice to read the thread again, then i would assume one could conclude the 'status', aswell as the reasoning behind it.

onehalf3544

GrapheneOS A leaky implementation or one that's using the Owner profile VPN is never going to be accepted, which are two fatal flaws with the existing LineageOS implementation used elsewhere. A feature which adds major new VPN leaks is never going to be added. Both the leaks for the tethered clients and sending traffic through the Owner profile VPN are unacceptable. That approach will never be accepted and people might as well accept that. It is not how we do things.

Ok, so there could be a separate profile for the tethered/hotpot clients, right? Is that something hard to implement? Or is it against some other security aspect?
What exactly is leaking in their implementation? What make that impossible to be fixed?

Thanks.

de0u

onehalf3544 So there could be a separate profile for the tethered/hotpot clients, right? Is that something hard to implement? Or is it against some other security aspect?

I don't speak for the GrapheneOS project, but my sense is:

This would not be impossible.
This would also not be easy.
The GrapheneOS developers are aware that some people want this a lot, but do not believe that it is more important to work on this than to work on other things.

Because GrapheneOS is an open-source project, one way to resolve this sort of disagreement would be for people who want this a lot to hire an Android developer to contribute code. If that code were of sufficiently high quality (including having been well tested), it might well be accepted (other community contributions have been).

What might make this non-easy?

I suspect a fair amount of code would need to be written, to change from the current situation, where activating the hotspot launches a system service so that activating the hotspot would activate a user profile, and also some filtering to "catch" the hotspot traffic and treat it as if it were coming the hotspot profile,
I suspect a some amount of UI code would need to be written along the way,
There would be a fair amount of testing work,
Finally, this feature (as with other features that change upstream code in a significant way) would need to be re-applied several times a month for each release. This is an issue that some Android distributions don't face, because some Android distributions do not stay up to date.

Clearly adding a hotspot profile would not be impossible! But there is a gap between "possible" and "easy", and at the moment the GrapheneOS developers have an estimate of the size of that gap. It may seem easy for people who haven't written that kind of code before (and haven't debugged Android VPN code) to have estimate that gap as small, but that doesn't mean it is small.

onehalf3544 What exactly is leaking in their implementation? What make that impossible to be fixed?

It is not clear to me that anybody wrote that it would be impossible to fix the leaks in the LineageOS implementation.

onehalf3544

Yeah, I'm ok with (trying to) doing it myself - I wasn't trying to re-prioritize this feature request somehow, but rather wanted to get a list of requirements for a possible implementation (along with any tips/pieces of advice).

de0u

onehalf3544 I wasn't trying to re-prioritize this feature request somehow, but rather wanted to get a list of requirements for a possible implementation (along with any tips/pieces of advice).

Here's what I think I know:

Running hotspot traffic through the owner profile's VPN setup seems likely to be rejected,
One source of leaks is when a VPN connection is being set up, being torn down, or fails (i.e., the VPN client loses its connection to the current VPN server),
Another source of leaks is when a VPN app is updated while it's running.

In addition, I can imagine there might be issues related to multiple hotspot devices, e.g., leakage of information about one hotspot device to another hotspot device.

« Previous Page