Show Android components that can bypass VPN even in lockdown mode #224

Open
ignoramous opened this issue Jan 14, 2021 · 11 comments
Labels
P2 Priority: 2 (important)
Comments

@ignoramous
Collaborator

ignoramous commented Jan 14, 2021

That list can be retrieved from android.provider.Settings.Secure keyed to ALWAYS_ON_VPN_LOCKDOWN_WHITELIST.

https://cs.android.com/android/platform/superproject/+/android-11.0.0_r3:frameworks/base/core/java/android/provider/Settings.java;l=6283-6291
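One way to read that setting from an app, as an added example rather than code from this project: the literal key strings correspond to the @hide Settings.Secure constants (ALWAYS_ON_VPN_APP, ALWAYS_ON_VPN_LOCKDOWN, ALWAYS_ON_VPN_LOCKDOWN_WHITELIST), and the comma-joined format of the whitelist is taken from how AOSP's Vpn.java saves it, which is an assumption not stated in this issue.

```kotlin
import android.content.Context
import android.provider.Settings

/**
 * Snapshot of the always-on VPN / lockdown state stored in Settings.Secure.
 * The constants are @hide, so an app cannot reference them at compile time
 * and has to use the literal key strings instead. Reading secure settings
 * needs no permission; only the system can write them.
 */
data class LockdownState(
    val alwaysOnPackage: String?,            // package set as always-on VPN, null if none
    val lockdownEnabled: Boolean,            // "Block connections without VPN" toggle
    val lockdownExemptPackages: List<String> // packages allowed to bypass lockdown
)

// Literal names of the @hide Settings.Secure keys (assumed from AOSP Settings.java).
private const val KEY_ALWAYS_ON_VPN_APP = "always_on_vpn_app"
private const val KEY_ALWAYS_ON_VPN_LOCKDOWN = "always_on_vpn_lockdown"
private const val KEY_ALWAYS_ON_VPN_LOCKDOWN_WHITELIST = "always_on_vpn_lockdown_whitelist"

fun readLockdownState(context: Context): LockdownState {
    val resolver = context.contentResolver
    val app = Settings.Secure.getString(resolver, KEY_ALWAYS_ON_VPN_APP)
    // The system stores the lockdown flag as 1/0; an unset key defaults to 0 (off).
    val lockdown = Settings.Secure.getInt(resolver, KEY_ALWAYS_ON_VPN_LOCKDOWN, 0) == 1
    // Assumption: the whitelist is saved as a comma-joined list of package names.
    val exempt = parseLockdownWhitelist(
        Settings.Secure.getString(resolver, KEY_ALWAYS_ON_VPN_LOCKDOWN_WHITELIST)
    )
    return LockdownState(app?.takeIf { it.isNotEmpty() }, lockdown, exempt)
}

// Tolerates a null/empty setting, stray whitespace and duplicate entries.
fun parseLockdownWhitelist(raw: String?): List<String> =
    raw.orEmpty()
        .split(',')
        .map { it.trim() }
        .filter { it.isNotEmpty() }
        .distinct()
```

This only reports packages that were explicitly exempted through the VPN settings or device policy; it says nothing about traffic that bypasses the tunnel for other reasons, such as the leaks discussed later in this thread.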

@ignoramous ignoramous added the P2 Priority: 2 (important) label Jan 14, 2021
@ignoramous ignoramous added this to the v054 milestone Jan 14, 2021
@ignoramous
Collaborator Author

ignoramous commented Oct 24, 2022

See also: Mullvad found "a leak" but Google wouldn't fix it: https://issuetracker.google.com/issues/250529027

@MasterKia

NetGuard developer:

> In general it has appeared that Android routes all traffic into the VPN, even traffic of system applications and components, but a manufacturer could decide to exclude certain traffic types, reducing the security that can be achieved by a VPN based firewall.

https://android.stackexchange.com/questions/152087/any-security-difference-between-root-based-firewall-afwall-and-non-root-based

@ignoramous
Collaborator Author

ignoramous commented May 3, 2024

Mullvad found another leak (when the VPN app does not set a DNS server): https://issuetracker.google.com/issues/337961996

> No, [Mullvad] didn't discover these DNS leaks. They posted about the DNS leaks found by the GrapheneOS community which impact their app and filed issues about some of them. Our community discovered both DNS leaks and multicast packet leaks implementing these apps which [GrapheneOS is] well on the way to having fully solved despite VPN apps making it difficult for us with compatibility problems from how they do things.

Also: GrapheneOS/os-issue-tracker#3442

@ignoramous
Collaborator Author

"protectable apps" (ex: Chrome) that can bypass the VPN on certain networks: https://android-review.googlesource.com/c/platform/system/netd/+/3056382

@ignoramous
Collaborator Author

Inbound (but not outbound) LAN connections bypass Block connections without VPN (VPN Lockdown) if the tunnel does not have the default route (:: or 0.0.0.0), i.e., the VPN is not "isolated"; code: https://issuetracker.google.com/issues/280462382

via: #1618 (comment)

@thestinger

> "protectable apps" (ex: Chrome) that can bypass the VPN on certain networks: https://android-review.googlesource.com/c/platform/system/netd/+/3056382

No, you're misinterpreting this.

@thestinger

> Mullvad found another leak (when the VPN app does not set a DNS server): https://issuetracker.google.com/issues/337961996

> Also: GrapheneOS/os-issue-tracker#3442

No, they didn't discover these DNS leaks. They posted about the DNS leaks found by the GrapheneOS community which impact their app and filed issues about some of them. Our community discovered both DNS leaks and multicast packet leaks implementing these apps which we're well on the way to having fully solved despite VPN apps making it difficult for us with compatibility problems from how they do things.

@thestinger

> Inbound (but not outbound) LAN connections bypass Block connections without VPN (VPN Lockdown) if the tunnel does not have the default route (:: or 0.0.0.0), i.e., the VPN is not "isolated"; code: https://issuetracker.google.com/issues/280462382

> via: #1618 (comment)

Even attempting to block inbound connections was missing before Android 14.

@ignoramous
Collaborator Author

> "protectable apps" (ex: Chrome) that can bypass the VPN on certain networks: https://android-review.googlesource.com/c/platform/system/netd/+/3056382

> No, you're misinterpreting this.

Thanks. I could very well be as my knowledge of the network stack is very limited.

Given that, I read the commit msgs & code comments again, and I can't make out what the intention is other than to let apps that can "protect sockets" bypass certain networks, including VPN in "secure" mode (which I take it to mean either VPN Lockdown mode is enabled or VpnService.allowBypass isn't set by the VPN app)?

> Even attempting to block inbound connections was missing before Android 14

Wow. Only multicast and broadcast or ALL traffic?

@thestinger

> Wow. Only multicast and broadcast or ALL traffic?

Essentially all inbound traffic, before Android 14. It only mattered if apps listened for connections which is rare and why it was an issue for so long. We have major improvements to make and we've been doing a lot of testing uncovering assorted issues to make sure our fixes are complete. Our work on both fixing all the DNS and multicast issues is nearly complete. Fixing remaining holes in the inbound leak blocking after we address all the outbound issues is next.
