Are VPN leaks a ghost of the past from now on? GrapheneOS version 2024091700

I saw this:

"extend standard Android eBPF filter to prevent apps sending multicast packets outside of the VPN tunnel either directly or separately via kernel-generated multicast traffic (IGMP, MLD) when leak blocking is enabled"

In the release notes of the current update 2024091700.
I remember a video from Mental Outlaw, where he showed how many non-VPN connections his phone made, even when he turned on "block all connections without VPN". I directly wondered if it would be the same on GrapheneOS.
I don't remember whether I found it out back then.
Now I see the release notes, so I wonder again: have there been non-VPN connections the whole time? How many? How often?
And is it all over now?

    Qurstionquoter And is it all over now?

    Well, no, because that change is being rolled back temporarily because it caused a lot of compatibility issues. See https://discuss.grapheneos.org/d/15819-grapheneos-version-2024091700-released/37 and https://discuss.grapheneos.org/d/15853-grapheneos-version-2024091900-released

    Qurstionquoter have there been non-VPN connections the whole time?

    Only to the local network via multicast, if apps were making those broadcasts (which some were known to be doing) but not beyond the router, and not via mobile networks. However, this could still be quite bad, depending on how much you trust the local wifi network.

      Probably9857 So if I used the phone without a SIM and with Wi-Fi only, and the Wi-Fi router is a SIM-card mobile router, then I have no VPN leaks at all in this picture?

        Qurstionquoter

        I remember a video from Mental Outlaw, where he showed how many non-VPN connections his phone made, even when he turned on "block all connections without VPN". I directly wondered if it would be the same on GrapheneOS.

        Connectivity checks, NTP and the Wi-Fi calling/texting tunnel are not leaks. They're frequently misinterpreted as leaks but are not leaks. This multicast issue we're in the process of closing is not really known outside of the GrapheneOS project.

          GrapheneOS So if I make a phone call and I use Orbot as a VPN (I know it's not) on my device, then it does not go through the Tor network?
          Or how do I understand "wifi calling/texting tunnel"?
          Because I am always on Wi-Fi, but with Orbot on the phone or with a Tor router.
          As of now I thought that on both of the two connection options I use, everything goes through Tor, texting and calling. (Both over third-party apps only.)

            Quotesquestioner If you are using an eSIM/SIM card and Wi-Fi calling is enabled, it sets up its own IPsec tunnel (VPN) to the provider's network. It does not route calls over the phone user's VPN.

            If you are using a 3rd party phone app, with a VOIP number (NO eSIM/SIM card), then it will route over the user VPN.

            Quotesquestioner Or how do I understand "wifi calling/texting tunnel"?

            I do not understand what context this is in.

            If you have an external router that tunnels all traffic over Tor or a VPN, then all traffic is going to go over Tor/VPN. You wouldn't need a VPN on your phone as the router would be handling it.

            Carrier-based calls/texts don't go through the user's VPN whether it's using the cellular connection or Wi-Fi. VoLTE, VoNR and VoWi-Fi are based on using SIP via IMS over an IPSec tunnel. The IPSec tunnel to the carrier is the VPN and there's always one.

            VoWi-Fi could theoretically go through another VPN but it would need to support sending IPSec traffic through it which is not usually the case. You can't trivially send IPSec through another VPN. The Linux kernel doesn't support nesting IPSec itself and it causes MTU issues when doing it across multiple machines / virtual machines.

            Connectivity checks are optional and inherently need to check the underlying networks. NTP is UDP and correct time is required for certificate verification including for a VPN so Android has it bypass the VPN, but we don't use NTP and we don't have our HTTPS network time bypass the VPN. There are also the DNS requests to the DNS resolver provided by the network in order to do these things and to connect to the VPN server that's being used.

            None of this is a leak but rather just how things are designed to work. It's not possible to send VoLTE through a VPN and VoWi-Fi would normally break, although it is technically possible for the VPN and the IPSec tunnel to be set up in a way that cooperates and manages to work with some types of VPNs but not most. It definitely can't go via Tor which can't even handle UDP.
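As an added illustration (not code from this thread or from the GrapheneOS project) of the distinction the replies above draw: a small audit that sorts constructed per-flow records of traffic leaving a device into the same buckets (tunnelled, local multicast outside the tunnel, the carrier's IPsec tunnel, the NTP and DNS bypasses, and everything else for review). The interface name, the record format and the port-based matching of IPsec, NTP and DNS are assumptions.

```python
"""Sort constructed egress flow records into the categories this thread
discusses. Hypothetical helper: record format and interface names are
invented, not taken from GrapheneOS or Android."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    iface: str        # egress interface: "tun0" (assumed VPN) or "wlan0"
    proto: str        # "tcp", "udp", "igmp", "icmpv6", "esp"
    dst: str          # destination address
    dport: int = 0    # destination port (0 for protocols without ports)
    icmp_type: int = 0

VPN_IFACE = "tun0"                  # assumption: the app VPN's interface
MLD_TYPES = {130, 131, 132, 143}    # ICMPv6 MLD query/report/done/v2 report

def classify(f: Flow) -> str:
    if f.iface == VPN_IFACE:
        return "tunnelled"
    dst = ipaddress.ip_address(f.dst)
    # App or kernel-generated multicast (IGMP/MLD, mDNS, ...) outside the
    # tunnel: the LAN-only case the thread calls a leak. Never leaves the router.
    if f.proto == "igmp" or (f.proto == "icmpv6" and f.icmp_type in MLD_TYPES) \
            or dst.is_multicast:
        return "local_multicast_leak"
    # Carrier IMS tunnel for Wi-Fi calling: ESP, or IKE/NAT-T on UDP 500/4500.
    if f.proto == "esp" or (f.proto == "udp" and f.dport in (500, 4500)):
        return "expected_bypass:ims_ipsec"
    if f.proto == "udp" and f.dport == 123:      # Android NTP bypass
        return "expected_bypass:ntp"
    if f.proto == "udp" and f.dport == 53:       # network resolver, VPN server lookup
        return "expected_bypass:dns"
    # Connectivity checks would also land here unless the OS's check server
    # addresses are allowlisted; they are not modelled in this example.
    return "needs_review"

def audit(flows):
    """Count flows per category; anything in needs_review deserves a look."""
    counts = {}
    for f in flows:
        counts[classify(f)] = counts.get(classify(f), 0) + 1
    return counts

SAMPLE = [  # constructed records, RFC 5737/3849 documentation addresses
    Flow("tun0", "tcp", "198.51.100.20", 443),
    Flow("wlan0", "udp", "224.0.0.251", 5353),        # mDNS query from an app
    Flow("wlan0", "igmp", "224.0.0.22"),              # kernel IGMP report
    Flow("wlan0", "icmpv6", "ff02::16", 0, 143),      # kernel MLDv2 report
    Flow("wlan0", "udp", "203.0.113.5", 4500),        # IMS IKE/NAT-T
    Flow("wlan0", "udp", "192.0.2.10", 123),          # NTP
    Flow("wlan0", "udp", "192.168.1.1", 53),          # router's resolver
    Flow("wlan0", "tcp", "198.51.100.7", 443),        # unexplained, review
]
```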