Hello everyone!
English is not my native language, so I used AI to help me translate.
I’ve spent some time trying to figure out the built-in IPSec client. Specifically, the built-in one - not StrongSwan or anything else, but the one that comes "out of the box."
I conducted tests with two providers: IVPN and SurfShark.
The configuration for these clients varies slightly for each provider.
For SurfShark, you need to import a certificate. You can follow the instructions on their website [1].
In my case, I had to set the "IPSec identifier" to match the "Username." This was previously mentioned on our forum [2]. Additionally, it’s worth noting that Android might show a warning notification when importing the User CA Certificate.
With IVPN, things are simpler. The connection is established without a certificate, only with a username. There is an official guide for StrongSwan (you need to understand a bit to adapt it for the built-in client) [3], or you can use the most straightforward version from our forum [4].
There are no more hidden traps here.
Until recently, it was impossible to connect to some of the IVPN servers using the built-in client (I was interested in the Canadian servers). It showed an "Unsuccessful" status. I contacted their support team, and we resolved this issue (many thanks to Jordan S.).
What are the advantages of the built-in VPN client over VPN applications?
- The first and most important advantage is the level of operation. It works at the SystemSpace level, unlike VPN applications, which operate in UserSpace. A good illustration of this can be found here [5].
- The second point is the absence of additional virtual adapters.
- No additional applications are needed, no matter how "secure and optimized" they might be.
- Stable performance. Over a week, I never faced unplanned VPN stops or failures to launch when connecting to the network, even though my network type changes 10-20 times a day, and my phone is in airplane mode overnight.
- Finally, the built-in client was resistant to the latest data leak issues affecting VPNs [8].
However, there are a number of issues with the built-in client.
The first issue appears if you enable the “Always-on-VPN” checkbox.
The problem here is that in this configuration, the networkType is set to "VPN," and many applications (even Google Messages) that usually handle network connectivity correctly (adjusting behavior based on networkType) don't process this value. Such applications assume they are offline. This issue partially disappears if the checkbox is left unchecked. Based on the logs, the networkType is then set to a carrier value, like WIFI or MOBILE. [7]
Even with the "Always-on-VPN" checkbox disabled, the network doesn't function fully. From the logs, networkType is correctly set, but applications still behave as though they are on a mobile network. I discovered this by configuring Telegram (setting rules to avoid loading images automatically on mobile and to load them on WIFI). I noticed this while configuring NewPipe (different video quality settings for Mobile and WIFI), in the Play Market, Google Photos, and other applications. Everywhere, the rules for mobile connections are applied, even though I am on WIFI with the built-in VPN client enabled and in airplane mode.
You won't be able to set rules for each application to make them bypass or use the VPN selectively.
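The misclassification described above comes from apps keying their behavior off the legacy network "type" instead of the network's capabilities. The following is an added example (not code from the original post, and not from any app named in it) that puts the fragile check beside a more robust one, using only the public Android SDK classes ConnectivityManager and NetworkCapabilities; the LinkClass enum and the two function names are hypothetical, and the comment about which transports the platform attaches to a VPN network is an assumption that should be verified on the device in question.

```kotlin
// Added example, not part of the original post.
import android.net.ConnectivityManager
import android.net.NetworkCapabilities

// Hypothetical result type: what the app would use to pick "mobile" vs "WIFI" rules.
enum class LinkClass { OFFLINE, WIFI, MOBILE, UNKNOWN }

// Fragile: decides by the deprecated network type. With Always-on VPN the active
// network reports TYPE_VPN, which this code never handles, so it falls through to
// OFFLINE, which matches the "app thinks it is offline" symptom in the post.
@Suppress("DEPRECATION")
fun classifyLegacy(cm: ConnectivityManager): LinkClass {
    val info = cm.activeNetworkInfo ?: return LinkClass.OFFLINE
    return when (info.type) {
        ConnectivityManager.TYPE_WIFI -> LinkClass.WIFI
        ConnectivityManager.TYPE_MOBILE -> LinkClass.MOBILE
        else -> LinkClass.OFFLINE // TYPE_VPN lands here
    }
}

// More robust: ask about capabilities, not type. A VPN network carries TRANSPORT_VPN;
// assumption: when the platform knows the underlying link it also exposes that link's
// transport (WIFI or CELLULAR). When it does not, the metered flag is a better basis
// for "do not download on mobile" decisions than guessing.
fun classifyByCapabilities(cm: ConnectivityManager): LinkClass {
    val network = cm.activeNetwork ?: return LinkClass.OFFLINE
    val caps = cm.getNetworkCapabilities(network) ?: return LinkClass.OFFLINE
    if (!caps.hasCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET)) {
        return LinkClass.OFFLINE
    }
    return when {
        caps.hasTransport(NetworkCapabilities.TRANSPORT_WIFI) -> LinkClass.WIFI
        caps.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR) -> LinkClass.MOBILE
        // VPN with no underlying transport exposed: fall back to the metered flag.
        caps.hasTransport(NetworkCapabilities.TRANSPORT_VPN) ->
            if (caps.hasCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED)) {
                LinkClass.WIFI
            } else {
                LinkClass.MOBILE
            }
        else -> LinkClass.UNKNOWN
    }
}
```

The point of the second function is that an app never needs to know the string "VPN" at all: it asks whether the active network has internet, which transports it rides on, and whether it is metered. That is also how to read the post's second observation, since an app that treats every unknown or metered network as "mobile" will apply its mobile rules under the built-in client whenever the platform does not mark the VPN network as unmetered.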
Conclusion:
Despite these noticeable issues with connection types, I consider the built-in client a good option. Most applications can be adjusted to ignore network type distinctions, which helps to avoid most inconveniences. I hope this guide helps answer all the basic questions in one place.
Keywords:
IPSec, IKEv2, Built-in VPN, SurfShark, IVPN, VPN quirks, VPN configuration
References for further details:
1) https://surfshark.com/blog/how-to-setup-a-vpn (Section "How to set up a VPN on Android")
2) https://discuss.grapheneos.org/d/11162-grapheneos-vpn-problem-with-ipsec-identifier/2
3) https://www.ivpn.net/setup/android-ipsec-with-ikev2/
4) https://discuss.grapheneos.org/d/12550-built-in-ipsec-tunnel-networking-quirks/3
5) https://developer.android.com/develop/connectivity/vpn
6) https://en.wikipedia.org/wiki/IPsec
7) https://discuss.grapheneos.org/d/12550-built-in-ipsec-tunnel-networking-quirks/8
8) https://grapheneos.social/@GrapheneOS/112316307560525598