MARKU5 No, you can only have one private space and only on the owner profile.
flighty_sloth Thanks. Yeah I just found that question was answered in another thread as well.
I wonder if adding support for private spaces in secondary profiles is something the GrapheneOS team would consider doing?
flighty_sloth In the scenario you described the private space should see your real IP
If this is true then the VPNs are not nested
ignition True not nested, not sure why I wrote "correct" at the beginning, my apologies that was an error, the rest of what I wrote after the first word is what I meant.
ignition Does this mean VPNs can be nested?
I don't understand what this means.
ignition If the VPN in your Owner profile is turned on, and the VPN in the private space is turned off, does the private space see your real IP or the IP of the active VPN in your Owner profile?
What do you mean by a profile "seeing" the IP address of another profile? Unless the question is deeper than what I've already explained, I think my previous explanation that the Owner and PrS profiles have separate VPN slots should be sufficient to answer your question. I've already derailed this topic enough with my usability perspective of PrS. I won't answer any further questions.
fid02 I don't understand what this means.
That was in the question that followed. If the VPN in your Owner profile is active, but there is no active VPN in your private space, is the reported IP of the private space your real IP or the IP of the Owner's active VPN when you check an IP testing site in a browser (or even the disconnected private space's VPN)?
I think my previous explanation that the Owner and PrS profiles have separate VPN slots should be sufficient to answer your question
Being able to run more than one VPN simultaneously would require this regardless so I am not sure how this could possibly be relevant.
I've already derailed this topic enough with my usability perspective of PrS. I won't answer any further questions.
My question is very literally about the topic, VPNs and isolation, so I am not sure how this is spun as a derailment but I cannot force you to answer.
ignition "That is an unfortunate design choice."
Out of interest, why do you say it's an unfortunate design choice? Surely this way is preferred, as you can have a separate 'identity' in each profile.
If you want to have a VPN in each profile, you can. You can also have one profile with one VPN and one with another, or one as your actual IP. Then you can keep certain apps in each profile, depending on which IP you wish them to be routed through.
I know that having separate IP addresses aren't enough on their own to stop cross profile fingerprinting, but it is an element of it at least.
If I'm misunderstanding what you mean, let me know though
roamer4223 why do you say it's an unfortunate design choice? Surely this way is preferred, as you can have a separate 'identity' in each profile.
Because it means it's impossible to nest VPNs, which is necessary for certain higher privacy and anti-censorship postures, but also impossible to simultaneously run a full, privacy-preserving VPN app and something like Blokada because the VPN connection from your Owner profile isn't carried over to the private space.
If there was at least a toggle to allow sharing, I could run a VPN in the Owner profile and Blokada or something else in the private space, and stick to using the private space for everything I cared for while remaining confident I had full coverage across my device. The current design means my Owner profile VPN is meaningless to the apps in my private space, so I'm forced to choose either running the same VPN again in the private space, forfeiting Blokada, or Blokada, forfeiting the VPN.
I know that having separate IP addresses aren't enough on their own to stop cross profile fingerprinting, but it is an element of it at least.
This type of fingerprinting is a very insignificant concern compared to the inability to simultaneously run a full VPN app that allows you to switch locations as needed plus offers obfuscation/anti-censorship measures and a firewall app like Blokada.
The current compromise often recommended is a not particularly intuitive hack offered by some firewall apps that have secondary VPN functionality but you forfeit expedient location changes and now have to place your trust in them to not introduce subtle bugs that break the VPN, a big ask for something of secondary concern to them, while they're focused on building out their firewall/dns features. Even worse, this compromise is off the table if you rely on the anti-censorship/obfuscation measures the full VPN provides.
There is also the nesting VPN case which is increasingly relevant in today's political climate where more privacy-respecting VPNs and services are censored in favor of those that, while secure, are more useful to governments because of data they retain. If such a toggle existed, I could run my privacy-respecting VPN in the Owner profile and the less privacy-respecting one in the private space without exposing my real IP to the nested VPN. This is the principle underlying iCloud Private Relay but without being limited to Safari browser or their mail app.
ignition I think the main issue here is, this is not what the Private Spaces feature is for. Unless I'm mistaken, it's basically similar to using a work profile with an app like Shelter, but without the need to use a third party app, or without needing to switch between the built-in user profiles either. It allows you to keep certain apps separated from each other so they cannot use IPC, or see each other. I assume it's not as isolated as the built-in user profiles but it's also slightly more convenient. You are looking for a completely different feature, as far as I can tell.
I don't know much about Blokada at all. However, I know RethinkDNS allows you to essentially do these things. You can download a bunch of multi-hop Wireguard configs from your VPN of choice, such as Mullvad, then import them into RethinkDNS. You can then use your VPN's DNS server or a separate one if you want (though that would make you stand out more, generally speaking). It has a firewall built in, which tells you which app made which request, and allows you to block DNS or IPs. It also allows you to block an app's internet access entirely, though of course the built-in GOS network toggle is better to use in that case.
I'm not necessarily recommending RethinkDNS or anything. It just seems to be similar to what you're looking for? Maybe I'm way off.
I'm not really an expert so if I'm talking rubbish then please feel free to ignore me. Just wanted to help / understand what you were saying :)
roamer4223 You are looking for a completely different feature, as far as I can tell.
Can't see how because nothing in your description is incompatible with the nesting VPN use case. This is also how things work in the desktop equivalents of a private space.
roamer4223 It just seems to be similar to what you're looking for?
No, because as I said
The current compromise often recommended is a not particularly intuitive hack offered by some firewall apps that have secondary VPN functionality but you forfeit expedient location changes and now have to place your trust in them to not introduce subtle bugs that break the VPN, a big ask for something of secondary concern to them, while they're focused on building out their firewall/dns features. Even worse, this compromise is off the table if you rely on the anti-censorship/obfuscation measures the full VPN provides.
This applies to RethinkDNS as much as it does to Blokada. Rethink is nice but asking me to trust them for critical VPN function is a bridge too far, and not even possible when you need anti-censorship/obfuscation features of a proper VPN app.
ignition Fair enough then. As I said, I wasn't particularly recommending RethinkDNS, I just misunderstood what you were looking for. There are some VPN providers that have multi-hop on their Android clients as well, such as iVPN. iVPN also has a reasonably customisable DNS blocklist built in to their app. Anyway I guess you'll have to submit a feature request for what you're after. Good luck :)
roamer4223 There are some VPN providers that have multi-hop on their Android clients as well
You are misunderstanding something. While similar, multi-hop and nesting VPNs are two different things.
Multi-hop is a same provider feature, with servers of both hops owned by the same provider and known to not just them but also its adversaries. The exit hop here is the important one and, for very private VPN providers like IVPN, your internet use gets blasted with a mountain of captchas or outright blocked by websites and apps because all of IVPN's servers are publicly known.
Nesting is multi-provider. If you read through the iCloud relay article, you'd see how they explain this. One provider is used for the entry relay and a different, unrelated provider for the exit relay. From a privacy and anti-censorship angle, this means you can use IVPN, which is highly private, as your entry relay and they'll know your real IP but you could now, assuming it wasn't deprecated, much more safely use something like Google One VPN as your exit relay without exposing your real IP to Google.
Advantages of nesting in comparison to multi-hop are significant, including much fewer, if any, captchas and blocks since the algorithm is almost always Google's or trusts Google, and websites and apps (some of the biggest owned by Google themselves) will only see Google controlled IPs, deeming it safer because its VPN is not at all as private as IVPN. Another privacy and censorship advantage is your ISP, and government that may know about IVPN, gets blinded to the details of your use of the less private nested VPN. Yet another advantage is you can retain your privacy while gaining high availability in the sense that you can use IVPN, which has servers in only a few locations, as your entry relay but another, less private VPN with a wider selection of locations as your exit.
ignition
Unless I'm misunderstanding something it should be possible to create an app which sits in the VPN slot of an Android profile which provides the nested vpn functionality you are looking for. Private space is functionally a profile, just a different type. Similar to work profiles and clone profiles.
An app in the VPN slot has control of pretty much all network traffic from the profile in which it's installed and can route it as it wishes.
Carlos-Anso Unless I'm misunderstanding something it should be possible to create an app which sits in the VPN slot of an Android profile which provides the nested vpn functionality you are looking for.
Isn't that just, if it even is possible, the Rethink and Blokada compromise discussed above but worse?
An app in the VPN slot has control of pretty much all network traffic from the profile in which it's installed and can route it as it wishes.
But this is about the chosen design of profiles themselves, not some app. The always active Owner profile is privileged amongst its peers, giving users the option to route calls, messages, even notifications, and also DNS but when it comes to a VPN, an arbitrarily impenetrable wall is erected. A user isn't even given the option to make a choice save for going scorched-earth by rooting the device.
ignition A user isn't even given the option to make a choice save for going scorched-earth by rooting the device.
That's a little unfair. You obviously know you can run a VPN in the secondary profile too.
I suspect this is not exactly a GrapheneOS design decision, but a result of how profiles work in AOSP, and making it work differently would likely be quite a large amount of work.
Probably9857 That's a little unfair. You obviously know you can run a VPN in the secondary profile too.
Don't see how when compared to the many things the Owner profile provides options to let through the boundary. If anything is unfair, it's the lack of similar options for a VPN which leads to, among other things, needing to run the same thing over and over. You wouldn't recommend running the same app with the same accounts in multiple profiles just to receive notifications.
I suspect this is not exactly a GrapheneOS design decision
I know. That's why I said it was an unfortunate design decision in response to how it works in ordinary Android. An unfortunate, arbitrary restriction by Google on a base that would normally allow it.
ignition You wouldn't recommend running the same app with the same accounts in multiple profiles just to receive notifications.
I wouldn't. But I also wouldn't waste my time ranting about the choices of projects that are providing me with amazing free software. If what you want doesn't exist, you can build it yourself, or you can find a way to make do with the options that are available to you.