VPN leaks when NOT using "block connections without VPN"

whiskeywalrus

I use VPN with split tunneling because I absolutely need to use some apps outside of the VPN connection as they'd otherwise not work (blocking all VPN servers). I have figured that this is better approach than to disconnect from the VPN every time to use those apps.

I'm concerned about the possible leaks that may happen when not using the "Block connections without VPN" killswitch. Can't use it because it prevents the use of split tunneling. My biggest concerns relate to web browsing and any leaks happening with that but other apps as well. Is there any information about what data can leak, how and also if my approach could be improved? Note that for some apps not using VPN connection it would be quite difficult to use them in separate profile (e.g. Bitwarden needs autofill features).

ryrona

whiskeywalrus Is there any information about what data can leak, how and also if my approach could be improved?

When "block connections without VPN" is not enabled, the leak protections are not enabled. Thus apps can leak data traffic both intentionally and unintentionally.

Rather than using split tunneling functionality, it is better to put the apps you want to go over the VPN in a different profile than the apps you do not want to go over the VPN. That way, you can have "block connections without VPN" enabled in the profile with the apps that should use the VPN.

Easiest is probably to use the private space functionality for this, as the private space is a separate user profile from the perspective of apps and VPN configuration, even if it looks integrated with the owner profile.

Byku

whiskeywalrus Rethink has the ability to split tunnel individual apps even when block connections without VPN is on. You must select bypass app from all proxies in per app configuration. This may be a solution for OP.

argante

ryrona Rather than using split tunneling functionality, it is better to put the apps you want to go over the VPN in a different profile than the apps you do not want to go over the VPN.

I think the problem is more complex. Let's say you have Molly on your daily profile and as VPN you have Orbot/Tor. On the second profile you have NewPipe and here is VPN based on WireGuard (it's faster). Molly will work very well with Tor, but calls go through as UDP, so will be blocked. And this applies to other messengers (Signal, SimpleX). Therefore, in my opinion, the right solution is to activate the option "block connections without VPN" to block leaks, but in GOS it is necessary to add exceptions for applications that require it. And here is a request to GOS developers, what do they think about such a solution.

This solution, but ugly, was used in Orbot.

joe22

It seems like some websites need to bypass the VPN, while other websites works with "block connections without VPN"
1)"Block connections without VPN" is set on on my DivestOS android phone. It has no simcard. I connect to the internet via a VPN router using openVPN on proton. Opening website eff.org is no problem. Browser: Brave
2) On my pixel with GrapheneOS, "Block connections without VPN" is on. No simcard. Proton VPN app is on. Weather forcast "yr.no" works, but "eff.org" does not- Browser: Vanadium, cromite, privacy Browser
3) Putting in the simcard in my GrapheneOS phone, and turning off wifi, Block connections without VPN is on: some websites like the weather forcast "yr.no" works, but "eff.org" or "ip.me" does not.
This string is about ip leaks. What is the best configuration on GrapheneOS to avoid ip leaks, even lets say my VPN provider "stops workin" Before I have relyed on the kill switch. What do i do in GrapheneOS?

userofgos

Byku I believe I recall another thread mentioning that the issue is with the implementation of the Split tunneling feature of VPN apps (I think ProtonVPN was mentioned in that thread) and not with Android's "Block connections without VPN" feature. Hence why it doesn't hinder RethinkDNS.

Note: I can't seem to find where I saw this mentioned. So I could be completely wrong.

Probably9857

userofgos

I remember that thread, but I can't seem to find it either.

The explanation from the GrapheneOS account was that VPN apps could route those local or spilt tunnel requests themselves, and the OS would not see that as bypassing the VPN. Instead, it seems that most VPN apps just fallback to letting the OS route those, and they end up blocked.

userofgos

Probably9857 yes that's what I remembered too. I knew I wasn't dreaming, now to find that thread.

ignoramous

rdns dev here

Probably9857 VPN apps could route those local or spilt tunnel requests themselves, and the OS would not see that as bypassing the VPN. Instead, it seems that most VPN apps just fallback to letting the OS route those

I'm not aware how apps can route (at L3) local LAN connections. Android VPN apps could "proxy" (at L4) those but can't route them, as the permissions to create raw sockets (L3 sockets) are not granted.

This is why local-first apps like KDE Connect and Syncthing have issues with all VPN apps, Rethink included.

That said, if there are pointers to how apps like Rethink can make true local routing work, I'd like to know, and possibly, implement it.

Probably9857

userofgos

Found it

https://discuss.grapheneos.org/d/12927-lan-access-with-vpn

userofgos

Probably9857 that didn't take long, must have helped that you were the one replied to in that thread. Though it seems that it was in reference to the LAN traffic routing, I would think the same would apply to split tunneling right?

@GrapheneOS It's possible for the VPN app to route traffic to the local network itself in order to permit it. These apps could implement their local network traffic toggle this way in order for it to not be considered a leak due to the VPN app routing the traffic itself.

Source: https://discuss.grapheneos.org/d/12927-lan-access-with-vpn/3

Probably9857

userofgos

I'm assuming so, but I'm no expert

Probably9857

userofgos

From https://discuss.grapheneos.org/d/12927-lan-access-with-vpn/6

This applies to the standard configuration for excluding apps from the VPN or allowing traffic to pass through to a local network

userofgos

Probably9857 thanks, I must have glazed over that part.

Probably9857

ignoramous

I can't help you there, I was only passing on what I was told by @GrapheneOS. Maybe they can explain.

n3t_admin

ignoramous apps like KDE Connect and Syncthing have issues with all VPN apps, Rethink included.

Damn, you guys still weren't able to solve the KDE Connect riddle? That really sucks :(
I'm still wondering what it does differently compared to e.g. WGTunnel.

ignoramous

niko-goso I'm inclined to look for a more sophisticated VPN client for Linux — can anyone recommend a good Open Source client?

There's a steep learning curve, but use a client that does less not more, like the official WireGuard implementation.

That way, you're in control of how you route traffic and where.

niko-goso It seems like VPN apps and operating systems need to improve interoperability.

Generally true for Android and iOS because the sandbox is restrictive and so VPN apps are left to work with whatever APIs are made available to it. Other OSes don't hinder "VPN apps" that much and most should work well. It is another thing that computer networking isn't all that simple to assume that VPN apps will work in any and all conditions / topologies; but that's a different non-OS problem.

n3t_admin Damn, you guys still weren't able to solve the KDE Connect riddle? That really sucks :(

I'd really like to work with KDE Connect folks to see how I can make Rethink support it or make KDE Connect work from behind a VPN, tbh.

dialecticdaemon

I tried all possible configurations in the IP allowance table on WG - Tunnel with a Wireguard VPN config from Mullvad, added IP addresses to the config file manually under Allowed IPs to bypass pasting errors. I also tried setting up Rethink with exceptions, but I did not get it working without disabling the "Block Connections without VPN" feature. Therefore, I believe the best option would be to have a VPN with an always-on VPN and block connection setting up running in the main profile, and then have a second profile for visiting the Local Area Network (LAN) and configuring a router you are connected to. If there are any solutions or other workarounds to get this going, I am eager to hear.

niko-goso

It seems like VPN apps and operating systems need to improve interoperability. If the OS was aware that some apps were configured to be inside the VPN, and other apps were configured outside, the OS could provide leak protection only on the inside apps.

I've had no end of connectivity problems after enabling Split Tunnelling in Proton VPN on GOS, on MacOS and iOS. I haven't installed Proton VPN on Linux yet.

I'm inclined to look for a more sophisticated VPN client for Linux — can anyone recommend a good Open Source client?