"Virtual IP Address of Tunnel Device Leaks to Network Adjacent Participant"

asd

"The Linux kernel (and consequently Android) by default replies to ARP requests for any local target IP address, configured on any interface. This allows an attacker on the same local network to learn the IP address of the VPN tunnel interface by sending an ARP request for every private IPv4 address to the device.

This can be used by an adversary on the same local network to make a qualified guess if the device is using Mullvad VPN. Furthermore, since the in-tunnel IP only changes monthly, the adversary can also possibly identify a device over time.
...
Android apps, including Mullvad VPN, do not have the permission to change this OS behavior. All Android devices that we know of are affected. We have reported this issue upstream to Google, and recommended that they change the relevant settings to prevent this issue.
..."

https://mullvad.net/en/blog/the-report-for-the-2024-security-audit-of-the-app-is-now-available
https://issuetracker.google.com/issues/378814597

Does this also apply to GrapheneOS, respectively what is the kernel arp_ignore setting?

ignoramous

asd This allows an attacker on the same local network to learn the IP address of the VPN ... This can be used ... to make a qualified guess if the device is using Mullvad VPN.

Doesn't sound more of a vulnerability than what else an adversary can achieve if they're allowed to be on the same network? For example (and I'm not wrong), this hypothetical adversary can just as easily observe destination IPs on egress packets and make a conclusive guess if the origin is using Mullvad?

asd

I have no idea what the exact thoughts of the audit firm and Mullvad are on this.

What is the setting in GrapheneOS for this? If this coincides with the change request, the matter is settled for me.