VPN DNS leak prevention compatibility with iVPN app

indigomadelin

2025021100
I've skipped the updates for the last 4 months. Previously, I've got no issue, so I'd like to find out whether the current experience is a bug or an intended behavior.
I use iVPN. Always-on VPN and Block connections without VPN turned on. The Bypass VPN for local network option in the iVPN app turned on. When I set a LAN IP address (like 192.168.3.1) in the Custom DNS settings in the app, it doesn't work. The solution is to either set Private DNS in the system settings (e.g. Quad9 or NextDNS) or to disable Block connections without VPN. I have to choose the first one.

ryrona

indigomadelin If you don't want DNS queries to go over the VPN, and want to intentionally leak the DNS queries outside VPN, why do you want to use Block connections without VPN? What is it you are trying to achieve with using Block connections without VPN in that scenario? Why cannot you just disable Block connections without VPN in your use-case?

Upstate1618

indigomadelin This setup worked well previously.

This bug is patched now. It was a bug not a feature.

indigomadelin The solution is to either set Private DNS in the system settings (e.g. Quad9 or NextDNS) or to disable Block connections without VPN. I have to choose the first one.

It's not recommended to use VPN along with system-wide private DNS

indigomadelin it doesn't work.

This is intended. Every connection that bypass your IVPN tunnel would be blocked, including your local DNS. Maybe turning off Bypass VPN for local network?

indigomadelin

ryrona I want the only one app to be allowed to send only DNS traffic only to the GW.
This setup worked well previously.
My workaround is better than yours.

ryrona

indigomadelin I want the only one app to be allowed to send only DNS traffic only to the GW.

So you don't want want to "block connections without VPN", but specifically allow that?

Also, I don't think you can make only one app leak DNS traffic outside VPN. If you configure a system DNS that overrides the VPN DNS, you will leak DNS traffic for all apps.

indigomadelin This setup worked well previously.

Possibly because LAN VPN leaks I reported weren't fixed yet previously? And your setup specifically relied on leaking DNS queries to LAN?

indigomadelin My workaround is better than yours.

What?

n3t_admin

indigomadelin that is not how DNS works. What you are asking for cannot be achieved on GrapheneOS currently. My best advice would be to use a separate profile for that specific app without the VPN/different VPN that utilizes your "leaky" DNS.

indigomadelin

n3t_admin that specific app without the VPN

I was talking about a VPN app itself.

n3t_admin

indigomadelin okay, in that case I am not entirely sure how your idea can be implemented. Essentially, (I don't know how iVPN works, probably layer 3) the VPN client is splitting traffic and local addresses aren't routed through the VPN tunnel anymore. Now you block all connections without VPN through system settings and this bypassed traffic is blocked. The only logical solution in my opinion, would be to set up your own WireGuard server at home, set your local DNS server in that WireGuard config and route the traffic from your GOS device home and from home to iVPN through your router/firewall or upstream (I think this should be possible, I don't know if the default WireGuard server supports this out of the box).
Otherwise, as already explained, split tunneling will just be blocked by the system.