How does Private Spaces isolation compare to secondary user profile?

roamer4223

but it's also slightly more convenient

I've only skimread some of the comments here and I don't fully understand private spaces, but from what I can tell, since you can only use private spaces in the owner profile this makes it less convenient. I don't use my owner profile for anything except changing settings and updating the system, I use secondary profiles for everything. I'm not entirely sure what purpose private spaces actually serve, I disagree with the notion that they are more convenient than profiles. And I feel like the ability to daisy-chain VPNs (ie. VPN-over-VPN) is a highly desired feature for many people, as well as various other features to do with VPNs.

This might be very useful for devices not using GrapheneOS, but it appears GrapheneOS already kinda serves the same purpose but is much more flexible. I'm open to being corrected since I'm only just learning about this.

ignition

Is the feature you're looking for the ability to do VPN-over-VPN?

Carlos-Anso I am not sure what you consider "the desktop equivalent"

VMs.

You are attempting to replicate a somewhat complex setup in another OS, there are big differences as to how things work in these operating systems, and nobody has created something that provides what you want.

The way networking, profiles and VPNs work in Android may appear a bit strange when compared to what you are familiar with from desktop operating systems

I use a different Android variant where this is already possible, so I'm not sure what 'complex setup' is in reference to, but nesting is pressing one toggle in the main profile and then connect in the sub profile's VPN. Just like on desktop. You can definitely get more elaborate in a desktop environment but it's not necessary.

I would not call it a hack or presume that an app designed just for running a VPN would be higher quality.

That's fine. I would. It's true that there are many poor VPN apps but the solution is higher quality apps, not third-party apps that are really 'and we support VPN functionality'. With the increasing captcha-blasting, outright blocking, and AI-powered analysis of more privacy-respecting VPN use, I cannot depend on a team that does not have the VPN and its continued improvement as their primary focus, critical to their bottom line. It's definitely off the table when their real focus has the capacity to introduce bugs that subtly break the VPN. This is no different from how I wouldn't depend on a VPN for ad blocking features that are secondary.

Its technically possible to have networking from any given profile run through nested VPNs. Any VPN company could make their VPN app support this kind of nesting.

An independent project could make an app that sits in the VPN slot and offers this nesting and likely also the location switching and other features you desire.

There are existing apps and methods that can achieve nesting of network connections.

This is mixing things up and contradictory. What is being talked about here is an option to share the Owner's profile connection with a sub profile, not yet another third-party app that handles assumed-to-be extractable configurations of yet two other VPNs.

VPN companies don't need to add any feature for this because they already do support nesting by design. There's no special sauce needed. It's not something the app makes an effort to 'support', it's something the OS itself makes an effort to restrict. The inability to nest profiled VPNs on Android is a uniquely Google introduction. Not even ChromeOS has this restriction as far as I can tell.

So unless you're covering up some secret god-mode app or setting that can pierce through the private space or profile boundary, or suggesting I root an installation Graphene, this is an OS problem thanks to Google, not a user-space app concern.

It appears your imagined ideal is a device wide VPN but also being able to run VPN apps in individual profiles with any VPN connections also nested/routed through the device wide VPN

An option for this in relation to the private space, or profiles more generally, yes. In a similar fashion to those that, for profiles, allow setting a private DNS, notifications, etc. or, locally, allow blocking connections without a VPN, having the VPN always on.

I am not at all sure GrapheneOS will ever take on the work to implement and maintain this.

Yes, which is why I was holding out hope that Google didn't bungle the private space like they did profiles in this matter, forcing downstream forks to have to work to fix it. Unfortunately, no such luck.

I think it may be wise to split this conversation off to a new thread as its veered significantly off topic.

I guess, though I'm not sure what would be the point because I've only really been answering questions about my earlier answer and, as you've said, that's unlikely to bear fruit in terms of being implemented. I did ask for it here in the hope that since it isn't fully baked, it may be easier to fix but that's a long shot. There's also this more general thread but same thing.

fid02

All of this sounds and looks exactly like a work profile. Is there any difference?

Also how do you add apps to the private space? I assume they need to be installed within the private space from an app like Play Store or F-Droid. Is it also possible to clone apps from the main profile to the private space and they get updated when you update them in the main profile?

Viewpoint0232 All of this sounds and looks exactly like a work profile. Is there any difference?

I've never used a work profile before, so I don't know.

ignoramous I take insult to be lumped with Blokada.

Okay?

Rethink is focused on anti-censorship, and we continually add (and want to add) improvements to that end, even if you may not notice it.

Also, it is a bit of a stretch passing your opinion (about what's critical for our project) as a fact.

I've known of Rethink long before it added the ability to import WireGuard configs so I'm not sure what you think it is I don't notice. I'm also not sure what you think is not a fact about the fact that Rethink is not a VPN and that mere support for configs does not make that a priority to its overall offering. You don't host servers, provision IP addresses and monitor their reputation, experiment with designs not based on WireGuard, undertake (or even as yet support) pioneering tech on obfuscation/anti-censorship measures in the space, deal with the realities of facing the GFW and its variants, etc.

It's no more 'opinion' than saying the Mullvad app isn't an ad blocker and that its ad blocking isn't a priority. It isn't, and that's perfectly fine. It's a great VPN though, and in this case, is one.

Have you got a personal email from me where I decried that WireGuard is a bridge too far for Rethink (a bit rich as we've been working on just the WireGuard bits for close to a year now, btw)?

Email? What? What does this have to do with anything here?

If not, you should consider if deriding our little project is of any constructive use to anyone.

Simply explaining why your app is a bad fit for what's being discussed is not 'deriding' it any more than explaining why Mullvad, IVPN, and Proton are a bad fit for ad blocking in a browser is 'deriding' any of them. You can find it unconstructive, but it was suggested and I was asked. I only answered.

ignition I'm also not sure what you think is not a fact about the fact that Rethink is not a VPN and that mere support for configs does not make that a priority to its overall offering

You don't get to decide what is and isn't priority for a project you don't control.

ignition pioneering tech on obfuscation/anti-censorship measures in the space

Anti-censorship is more than just GFW. Also, I've developed two other FOSS projects in this space, Rethink isn't my first or last foray.

ignition Simply explaining

Your simple explanations are rather too verbose and opinionated.

ignoramous You don't get to decide what is and isn't priority for a project you don't control.

No, but I have eyes and can apply reason to observations. That allows me to determine what is and isn't a priority in comparison to things where it is a priority as a matter of fact.

Anti-censorship is more than just GFW

It is nice the goalposts are moving. The authority posturing is also a nice touch.

Your simple explanations are rather too verbose

Simple things get simple explanations, 'verbose' replies merit the same, and repeating 'opinionated' doesn't make it so just because you're offended about what you've confused yourself into thinking it says about your app.

I have no issues with people who represent a project here defending it if they feel it's being attacked or misrepresented by someone, but I hope that we can all collectively end it there, as it's getting a bit too far away from what this thread is supposed to be about.

ignoramous How is the developers spending the past 10 months (16 releases!) working mostly on WireGuard be not priority to them?

The part where supporting WireGuard and or OVPN is so table stakes for a centralized VPN, the absolute barest minimum, that being able to get by with 'later support' speaks for itself. The Mullvad, ProtonVPN, and IVPN teams spent even longer getting ad block support integrated. It still doesn't make it a priority, sorry.

I said "anti censorship", and you went GFW

Nice goalpost shift but, no. You jumped in here offended that I called your non-VPN that, claiming it was mere 'opinion', and when I listed numerous properties of real VPNs for which the VPN is the priority, you cherry-picked one and decided to posture about irrelevant apps you've built elsewhere like it grants some sort of authority.

as this thread is getting derailed

Would be nice if you thought of that before you decided to make it about your project.

matchboxbananasynergy That's fair. My question was answered days ago actually. I definitely didn't expect a one-liner comment I made then to cause this much engagement.

fid02

The Owner and PrS have separate VPN slot

So lame :(

ignition Chaining VPN connections is supported. Using local filtering at the same time as a VPN is supported. You're simply wrong about these things. Your issue is that you're using apps not supporting it. It has nothing to do with profiles and it wouldn't make any sense for secondary profiles to go through the Owner user VPN as an additional layer. It goes against the whole purpose of profiles of acting as separate devices as well as they can on the same device. Nesting VPNs is entirely possible and something VPN apps can support already. They can provide configuration for this inside the app or simply support chaining through multiple providers as the default approach. Some apps do support this in some form such as bridge support for Tor which is essentially exactly that provided in a specific way.

The current compromise often recommended is a not particularly intuitive hack offered by some firewall apps that have secondary VPN functionality but you forfeit expedient location changes and now have to place your trust in them to not introduce subtle bugs that break the VPN, a big ask for something of secondary concern to them, while they're focused on building out their firewall/dns features. Even worse, this compromise is off the table if you rely on the anti-censorship/obfuscation measures the full VPN provides.

No, there are apps with first class VPN support in addition to first class filtering support. Apps can support chaining VPN connections too. None of this is relevant to profiles and is something VPN apps need to provide. Most of these apps focusing on 1 specific thing instead of providing everything users want from a VPN app is because almost none of them are trying to make a high quality Android VPN app. Most are simply adding Android support to an existing project and use the VPN service feature for it without considering what makes a good Android VPN service app. There are a few apps trying to provide a good Android VPN service app and fulfilling multiple use cases at once.

Rizzler Separate VPN is a major part of why profiles exist.

Probably9857 No need to apologize. The user you're responding to has derailed multiple threads with their grievances about unrelated things, attacking GrapheneOS and other projects for illogical reasons. They were permanently suspended for doing this same thing in another thread in a much more severe way.