ignition A user isn't even given the option to make a choice save for going scorched-earth by rooting the device.
That's a little unfair. You obviously know you can run a VPN in the secondary profile too.
I suspect this is not exactly a GrapheneOS design decision, but a result of how profiles work in AOSP, and making it work differently would likely be quite a large amount of work.
Probably9857 That's a little unfair. You obviously know you can run a VPN in the secondary profile too.
Don't see how when compared to the many things the Owner profile provides options to let through the boundary. If anything is unfair, it's the lack of similar options for a VPN which leads to, among other things, needing to run the same thing over and over. You wouldn't recommend running the same app with the same accounts in multiple profiles just to receive notifications.
I suspect this is not exactly a GrapheneOS design decision
I know. That's why I said it was unfortunate design decision in response to how it works in ordinary Android. An unfortunate, arbitrary restriction by Google on a base that would normally allow it.
ignition You wouldn't recommend running the same app with the same accounts in multiple profiles just to receive notifications.
I wouldn't. But I also wouldn't waste my time ranting about the choices of projects that are providing me with amazing free software. If what you want doesn't exist, you can build it yourself, or you can find a way to make do with the options that are available to you.
Probably9857 I also wouldn't waste my time ranting about the choices of projects that are providing me with amazing free software.
Ranting? You clearly didn't even comprehend the title but this is a thread of questions about how something works and I asked mine, got my answer and made a comment which someone was curious about. Maybe pay more attention next time before jumping in when you're triggered by an exchange you don't even understand?
ignition
I apologize. My last comment was uncalled for.
So private space is simply an additional work profile?
This is pretty great, and among the first feature I find useful that is implemented in AOSP XD Cant wait for the upgrade
(Btw people, switch to alpha or beta releases if you can and report bugs!)
ignition This is also how things work in the desktop equivalents of a private space.
I am not sure what you consider "the desktop equivalent" but suspect this may be a big part of he reason you are disappointed. You are attempting to replicate a somewhat complex setup in another OS, there are big differences as to how things work in these operating systems, and nobody has created something that provides what you want.
The way networking, profiles and VPNs work in Android may appear a bit strange when compared to what you are familiar with from desktop operating systems but there are reasons. Much network functionality is split per profile running through the VPN of that profile. Some things are handled solely by the kernel and effect the whole device. This contributes to the leaks we have been fixing. There is a lot of complexity to everything which has made fixing the leaks very difficult. It also makes making any changes difficult. Also potentially maintaining those changes. Which means any changes have to be very carefully considered and, particularly if complex, ideally avoided. We cant risk big changes landing in AOSP which could completely break networking or changes we have made which people rely upon.
ignition The current compromise often recommended is a not particularly intuitive hack offered by some firewall apps that have secondary VPN functionality but you forfeit expedient location changes and now have to place your trust in them to not introduce subtle bugs that break the VPN
I would not call it a hack or presume that an app designed just for running a VPN would be higher quality. Many VPN apps are not great. Notice the project has a very short list of recommended VPN apps.
"The only app we can recommend is the official WireGuard app."
ignition Isn't that just, if it even is possible, the Rethink and Blokada compromise discussed above but worse?
Its technically possible to have networking from any given profile run through nested VPNs. Any VPN company could make their VPN app support this kind of nesting.
An independent project could make an app that sits in the VPN slot and offers this nesting and likely also the location switching and other features you desire.
It appears your imagined ideal is a device wide VPN but also being able to run VPN apps in individual profiles with any VPN connections also nested/routed through the device wide VPN. I am not at all sure GrapheneOS will ever take on the work to implement and maintain this.
I think it may be wise to split this conversation off to a new thread as its veered significantly off topic. There are existing apps and methods that can achieve nesting of network connections. Also GrapheneOS aims to offer the possibility to run desktop operating systems, which would have their own networking stacks, in virtual machines.
but it's also slightly more convenient
I've only skimread some of the comments here and I don't fully understand private spaces, but from what I can tell, since you can only use private spaces in the owner profile this makes it less convenient. I don't use my owner profile for anything except changing settings and updating the system, I use secondary profiles for everything. I'm not entirely sure what purpose private spaces actually serve, I disagree with the notion that they are more convenient than profiles. And I feel like the ability to daisy-chain VPNs (ie. VPN-over-VPN) is a highly desired feature for many people, as well as various other features to do with VPNs.
This might be very useful for devices not using GrapheneOS, but it appears GrapheneOS already kinda serves the same purpose but is much more flexible. I'm open to being corrected since I'm only just learning about this.
Is the feature you're looking for the ability to do VPN-over-VPN?
Carlos-Anso I am not sure what you consider "the desktop equivalent"
VMs.
You are attempting to replicate a somewhat complex setup in another OS, there are big differences as to how things work in these operating systems, and nobody has created something that provides what you want.
The way networking, profiles and VPNs work in Android may appear a bit strange when compared to what you are familiar with from desktop operating systems
I use a different Android variant where this is already possible, so I'm not sure what 'complex setup' is in reference to, but nesting is pressing one toggle in the main profile and then connect in the sub profile's VPN. Just like on desktop. You can definitely get more elaborate in a desktop environment but it's not necessary.
I would not call it a hack or presume that an app designed just for running a VPN would be higher quality.
That's fine. I would. It's true that there are many poor VPN apps but the solution is higher quality apps, not third-party apps that are really 'and we support VPN functionality'. With the increasing captcha-blasting, outright blocking, and AI-powered analysis of more privacy-respecting VPN use, I cannot depend on a team that does not have the VPN and its continued improvement as their primary focus, critical to their bottom line. It's definitely off the table when their real focus has the capacity to introduce bugs that subtly break the VPN. This is no different from how I wouldn't depend on a VPN for ad blocking features that are secondary.
Its technically possible to have networking from any given profile run through nested VPNs. Any VPN company could make their VPN app support this kind of nesting.
An independent project could make an app that sits in the VPN slot and offers this nesting and likely also the location switching and other features you desire.
There are existing apps and methods that can achieve nesting of network connections.
This is mixing things up and contradictory. What is being talked about here is an option to share the Owner's profile connection with a sub profile, not yet another third-party app that handles assumed-to-be extractable configurations of yet two other VPNs.
VPN companies don't need to add any feature for this because they already do support nesting by design. There's no special sauce needed. It's not something the app makes an effort to 'support', it's something the OS itself makes an effort to restrict. The inability to nest profiled VPNs on Android is a uniquely Google introduction. Not even ChromeOS has this restriction as far as I can tell.
So unless you're covering up some secret god-mode app or setting that can pierce through the private space or profile boundary, or suggesting I root an installation Graphene, this is an OS problem thanks to Google, not a user-space app concern.
It appears your imagined ideal is a device wide VPN but also being able to run VPN apps in individual profiles with any VPN connections also nested/routed through the device wide VPN
An option for this in relation to the private space, or profiles more generally, yes. In a similar fashion to those that, for profiles, allow setting a private DNS, notifications, etc. or, locally, allow blocking connections without a VPN, having the VPN always on.
I am not at all sure GrapheneOS will ever take on the work to implement and maintain this.
Yes, which is why I was holding out hope that Google didn't bungle the private space like they did profiles in this matter, forcing downstream forks to have to work to fix it. Unfortunately, no such luck.
I think it may be wise to split this conversation off to a new thread as its veered significantly off topic.
I guess, though I'm not sure what would be the point because I've only really been answering questions about my earlier answer and, as you've said, that's unlikely to bear fruit in terms of being implemented. I did ask for it here in the hope that since it isn't fully baked, it may be easier to fix but that's a long shot. There's also this more general thread but same thing.
All of this sounds and looks exactly like a work profile. Is there any difference?
Also how do you add apps to the private space? I assume they need to be installed within the private space from an app like Play Store or F-Droid. Is it also possible to clone apps from the main profile to the private space and they get updated when you update them in the main profile?
Viewpoint0232 All of this sounds and looks exactly like a work profile. Is there any difference?
I've never used a work profile before, so I don't know.
rdns dev here
ignition This applies to RethinkDNS as much as it does to Blokada.
I take insult to be lumped with Blokada.
ignition Rethink is nice but asking me to trust them for critical VPN function is a bridge too far, and not even possible when you need anti-censorship/obfuscation features of a proper VPN app.
Rethink is focused on anti-censorship, and we continually add (and want to add) improvements to that end, even if you may not notice it.
Also, it is a bit of a stretch passing your opinion (about what's critical for our project) as a fact. Have you got a personal email from me where I decried that WireGuard is a bridge too far for Rethink (a bit rich as we've been working on just the WireGuard bits for close to a year now, btw)? If not, you should consider if deriding our little project is of any constructive use to anyone.
ignoramous I take insult to be lumped with Blokada.
Okay?
Rethink is focused on anti-censorship, and we continually add (and want to add) improvements to that end, even if you may not notice it.
Also, it is a bit of a stretch passing your opinion (about what's critical for our project) as a fact.
I've known of Rethink long before it added the ability to import WireGuard configs so I'm not sure what you think it is I don't notice. I'm also not sure what you think is not a fact about the fact that Rethink is not a VPN and that mere support for configs does not make that a priority to its overall offering. You don't host servers, provision IP addresses and monitor their reputation, experiment with designs not based on WireGuard, undertake (or even as yet support) pioneering tech on obfuscation/anti-censorship measures in the space, deal with the realities of facing the GFW and its variants, etc.
It's no more 'opinion' than saying the Mullvad app isn't an ad blocker and that its ad blocking isn't a priority. It isn't, and that's perfectly fine. It's a great VPN though, and in this case, is one.
Have you got a personal email from me where I decried that WireGuard is a bridge too far for Rethink (a bit rich as we've been working on just the WireGuard bits for close to a year now, btw)?
Email? What? What does this have to do with anything here?
If not, you should consider if deriding our little project is of any constructive use to anyone.
Simply explaining why your app is a bad fit for what's being discussed is not 'deriding' it any more than explaining why Mullvad, IVPN, and Proton are a bad fit for ad blocking in a browser is 'deriding' any of them. You can find it unconstructive, but it was suggested and I was asked. I only answered.
ignition I'm also not sure what you think is not a fact about the fact that Rethink is not a VPN and that mere support for configs does not make that a priority to its overall offering
You don't get to decide what is and isn't priority for a project you don't control.
ignition pioneering tech on obfuscation/anti-censorship measures in the space
Anti-censorship is more than just GFW. Also, I've developed two other FOSS projects in this space, Rethink isn't my first or last foray.
ignition Simply explaining
Your simple explanations are rather too verbose and opinionated.
ignoramous You don't get to decide what is and isn't priority for a project you don't control.
No, but I have eyes and can apply reason to observations. That allows me to determine what is and isn't a priority in comparison to things where it is a priority as a matter of fact.
Anti-censorship is more than just GFW
It is nice the goalposts are moving. The authority posturing is also a nice touch.
Your simple explanations are rather too verbose
Simple things get simple explanations, 'verbose' replies merit the same, and repeating 'opinionated' doesn't make it so just because you're offended about what you've confused yourself into thinking it says about your app.
ignition authority posturing
If anyone talks about my projects to me, that's just me, in my comfort zone. Not my intention to "posture".
ignition priority as a matter of fact
How is the developers spending the past 10 months (16 releases!) working mostly on WireGuard be not priority to them? (it is a rhetorical question)
ignition goalposts are moving
I said "anti censorship", and you went GFW. I built an app that can supports WireGuard, and you go "but where is your VPN network"?
ignition you're offended about what you've confused
tbh, I'm astounded, not offended. I'm amused, not confused.
(I hope we can drop our disagreements here as this thread is getting derailed. Hopefully, you find answers you're looking for, from contributors better than I).
I have no issues with people who represent a project here defending it if they feel it's being attacked or misrepresented by someone, but I hope that we can all collectively end it there, as it's getting a bit too far away from what this thread is supposed to be about.
ignoramous How is the developers spending the past 10 months (16 releases!) working mostly on WireGuard be not priority to them?
The part where supporting WireGuard and or OVPN is so table stakes for a centralized VPN, the absolute barest minimum, that being able to get by with 'later support' speaks for itself. The Mullvad, ProtonVPN, and IVPN teams spent even longer getting ad block support integrated. It still doesn't make it a priority, sorry.
I said "anti censorship", and you went GFW
Nice goalpost shift but, no. You jumped in here offended that I called your non-VPN that, claiming it was mere 'opinion', and when I listed numerous properties of real VPNs for which the VPN is the priority, you cherry-picked one and decided to posture about irrelevant apps you've built elsewhere like it grants some sort of authority.
as this thread is getting derailed
Would be nice if you thought of that before you decided to make it about your project.
ignition Refer to matchboxbananasynergy.
