VPN leaks when NOT using "block connections without VPN"

whiskeywalrus

I use VPN with split tunneling because I absolutely need to use some apps outside of the VPN connection as they'd otherwise not work (blocking all VPN servers). I have figured that this is better approach than to disconnect from the VPN every time to use those apps.

I'm concerned about the possible leaks that may happen when not using the "Block connections without VPN" killswitch. Can't use it because it prevents the use of split tunneling. My biggest concerns relate to web browsing and any leaks happening with that but other apps as well. Is there any information about what data can leak, how and also if my approach could be improved? Note that for some apps not using VPN connection it would be quite difficult to use them in separate profile (e.g. Bitwarden needs autofill features).

ryrona

whiskeywalrus Is there any information about what data can leak, how and also if my approach could be improved?

When "block connections without VPN" is not enabled, the leak protections are not enabled. Thus apps can leak data traffic both intentionally and unintentionally.

Rather than using split tunneling functionality, it is better to put the apps you want to go over the VPN in a different profile than the apps you do not want to go over the VPN. That way, you can have "block connections without VPN" enabled in the profile with the apps that should use the VPN.

Easiest is probably to use the private space functionality for this, as the private space is a separate user profile from the perspective of apps and VPN configuration, even if it looks integrated with the owner profile.

argante

ryrona Rather than using split tunneling functionality, it is better to put the apps you want to go over the VPN in a different profile than the apps you do not want to go over the VPN.

I think the problem is more complex. Let's say you have Molly on your daily profile and as VPN you have Orbot/Tor. On the second profile you have NewPipe and here is VPN based on WireGuard (it's faster). Molly will work very well with Tor, but calls go through as UDP, so will be blocked. And this applies to other messengers (Signal, SimpleX). Therefore, in my opinion, the right solution is to activate the option "block connections without VPN" to block leaks, but in GOS it is necessary to add exceptions for applications that require it. And here is a request to GOS developers, what do they think about such a solution.

This solution, but ugly, was used in Orbot.