Incompatible with Block Connections Without VPN Setting #52

Closed
bettyvschmartz opened this issue Oct 31, 2023 · 7 comments · Fixed by #476
Assignee: zaneschepke
Labels: enhancement (New feature or request), wg-lib (This issue requires changes to the official WireGuard Android library.)

Comments

@bettyvschmartz

Hi,

Firstly, thank you for a great app. The auto-tunneling features are great.

I have been looking for an alternative WireGuard app for Android to fix a few issues with the official WireGuard app. One of these was being able to have VPN disabled on trusted networks. The second, being able to bypass the VPN for select apps to communicate on a local LAN whilst also having the Android setting 'Block connections without a VPN' enabled. It's important to have this option enabled so one can be sure nothing is able to communicate outside of the VPN.

It seems as though it should work as per this GrapheneOS issue here but the issue seems to be that the exclude app from VPN options in many VPN apps work by allowing the app to bypass the VPN app altogether. It's apparent that how they should work is still to own the connection, so the OS believes traffic is going over VPN but then for the selected apps to direct it to the LAN.

As with the official WireGuard app, it seems this also doesn't work in WG Tunnel upon testing. If I exclude an app it can communicate on a local network, but as soon as 'Block connections without a VPN' is enabled the connection gets blocked. I was hopeful this was one of the features.

Is it possible to look at how this is implemented and apply a fix?

-- bvs

@zaneschepke
Owner

Thank you for the feedback and for using the app! This issue goes along with a kill switch feature I have been thinking about implementing. I think that is what might be necessary in order to block internet traffic but still allow traffic on the local network. I have noticed other apps like Surfshark have this feature.

I am pretty sure, regardless of what is implemented at an app level, the Android native Block connections without VPN will always block anything and everything that isn't over the VPN. This is why I think an app kill switch is needed.

Question: Have you tried using the exclude private IP addresses feature of the official wireguard app along with the native block connections without VPN?

@bettyvschmartz
Author

Thanks for the reply.

Yes, the exclude private IPs feature doesn't work with the Block connections without VPN enabled and it's less than ideal. As and when you are not on a trusted network, which is likely with a mobile device, you are allowing the device or apps to be able to communicate with that local network. It's both a security and privacy issue. In reality it's better only to allow specific traffic.

> I am pretty sure, regardless of what is implemented at an app level, the Android native Block connections without VPN will always block anything and everything that isn't over the VPN. This is why I think an app kill switch is needed.

This option is the kill switch in Android. The reason I think lots of VPN apps don't work with it is that their handling of excluding apps from the VPN is poorly implemented. The discussion I linked to explains the same. As I understand it, most of the VPN apps simply allow the traffic outside of the app, which is then caught by the block because the block feature only allows traffic via the VPN app. This doesn't mean traffic has to actually traverse the VPN. What we need is for the app to continue to own the connection, but rather than route the traffic over VPN, route it back locally. It seems possible.

As a workaround, if you own your VPN server, one can simply direct traffic between peers over the VPN tunnels. But if you are communicating between two devices on the same LAN this is unnecessary latency. Directing traffic from one peer to a remote WG server and back to a LAN peer is inefficient to say the least. If you're trying to cast video, for example, this is a real performance hit. Moreover it's not generally possible with many commercial VPN providers because they tend not to route traffic between peers.

-- bvs

@zaneschepke
Owner

Thank you for the detailed response. I agree with everything you said. I will have to investigate further what would be needed to implement these changes.

WG Tunnel uses the same core implementation of WG as the official app via their library. I suspect I might need to make these changes to the library itself. This makes things a bit more complicated, but it should be doable.

@zaneschepke zaneschepke self-assigned this Nov 6, 2023
@zaneschepke zaneschepke added the enhancement New feature or request label Nov 6, 2023
@zaneschepke zaneschepke added the wg-lib This issue requires changes to the official WireGuard Android library. label Feb 10, 2024
zaneschepke added a commit that referenced this issue Feb 19, 2024
Migrated app to a forked version of wireguard-android to enable development work on features that require changes to the core lib, like #107 #104 #87 #52 #6

Improved first launch flow by changing VPN permission to only launch on first tunnel start

Changed to proper database seeding strategy

Updated README to account for GitHub packages auth requirement

Migrated from deprecated UI components and libs

Bump versions
@mvevitsis

+1, this is absolutely the most annoying thing about using a VPN on Android.

There should be a toggle to allow LAN connections (or not) in lockdown mode, but I guess Google doesn't care.

@zaneschepke zaneschepke linked a pull request Dec 7, 2024 that will close this issue
@bettyvschmartz
Author

This addition seems like it will do the job as an app kill switch, and on testing it seems to work well. However, it doesn't appear to take account of the trusted WiFi settings. Now the VPN tunnel isn't dropped at all even when on a trusted network. When the native kill switch is off but app kill switch on, and you're on a trusted network, the VPN tunnel gets dropped but Android still sees a VPN active with the little key icon in the status bar.

As a result, on a trusted network you have no Internet access in this case.

-- bvs

@zaneschepke
Owner

> This addition seems like it will do the job as an app kill switch, and on testing it seems to work well. However, it doesn't appear to take account of the trusted WiFi settings. Now the VPN tunnel isn't dropped at all even when on a trusted network. When the native kill switch is off but app kill switch on, and you're on a trusted network, the VPN tunnel gets dropped but Android still sees a VPN active with the little key icon in the status bar.
>
> As a result, on a trusted network you have no Internet access in this case.
>
> -- bvs

Yeah, I did not really think about integrating trusted networks as the mentality of using a kill switch is usually that no network is trusted. If it took into account trusted networks, when would the kill switch be used/active? This feature was designed more as an alternative to Android's native kill switch that allows you to have LAN traffic (as this is one of the big complaints with the native kill switch).

@bettyvschmartz
Author

I assume most use of your software is for the additional features over the standard WireGuard app. For me:

> I have been looking for an alternative WireGuard app for Android to fix a few issues with the official WireGuard app. One of these was being able to have VPN disabled on trusted networks. The second, being able to bypass the VPN for select apps to communicate on a local LAN whilst also having the Android setting 'Block connections without a VPN' enabled. It's important to have this option enabled so one can be sure nothing is able to communicate outside of the VPN.

The option to disable VPN on a trusted network is the primary use case, but the lack of kill switch made it unusable for me. So really appreciate you implementing that.

> I did not really think about integrating trusted networks as the mentality of using a kill switch is usually that no network is trusted.

But then, by definition, if you mark the network as trusted you are treating it as not hostile so kill switch seems less relevant.

> If it took into account trusted networks, when would the kill switch be used/active?

On all other networks other than the trusted ones.

Ideally the two work together or it makes it a choice between one or the other. For example, now I can have the kill switch but can't have the automated option to disable the tunnel, or there is no Internet access. Often I connect to networks that already have a VPN on the gateway so want to avoid double VPN scenarios. Ideally with a trusted network you have no need for a local device kill switch. You are trusting the LAN. If you don't trust the LAN you have the VPN and kill switch for untrusted or hostile environments to avoid leaks. Kill switch is usually secondary protection for the VPN disabling itself on untrusted networks.

-- bvs
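The policy the thread converges on (the VPN app keeps ownership of every packet it reads from the TUN device, sends LAN-destined traffic directly instead of through the tunnel, and lets a trusted network switch the tunnel off without cutting Internet access) can be written down as one decision function. The Python below is an added example by the editor, not code from WG Tunnel or from the wireguard-android library; the `Policy` fields, the LAN ranges, the sample destinations and the `make_ipv4` header builder are assumptions chosen for illustration. On a real device, `DIRECT` would mean writing the packet to a socket the app has passed through `VpnService.protect()`, as opposed to excluding the app with `addDisallowedApplication()`, which is the bypass the thread observes the native "Block connections without VPN" setting then blocks.

```python
"""Decision model for an app-level kill switch that still permits LAN traffic.

Added illustrative example (editor's code, not WG Tunnel's or wireguard-android's).
Every packet read from the TUN device stays under the VPN app's control; dispose()
decides whether it goes through the WireGuard tunnel, is written directly to the
underlying network, or is dropped. Policy fields, LAN ranges and the header
builder are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress
import struct


class Disposition(Enum):
    TUNNEL = "tunnel"  # encrypt and send to the WireGuard peer
    DIRECT = "direct"  # write to the physical interface via a socket the VPN app protected
    DROP = "drop"      # never leaves the device (kill switch)


@dataclass(frozen=True)
class Policy:
    tunnel_up: bool                       # WireGuard session is established
    on_trusted_network: bool              # current Wi-Fi is on the user's trusted list
    kill_switch: bool                     # app-level kill switch enabled
    allow_lan: bool                       # let LAN-destined packets bypass the tunnel
    local_subnet: ipaddress.IPv4Network   # subnet of the current Wi-Fi interface


# Destinations treated as "local" regardless of the current subnet (assumed list).
LAN_RANGES = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # link-local
    "224.0.0.0/4",                                    # multicast (mDNS/SSDP discovery, casting)
    "255.255.255.255/32",                             # limited broadcast
))

# Example subnet used by the scenarios below (assumption).
SUBNET = ipaddress.ip_network("192.168.1.0/24")


def ipv4_destination(packet: bytes) -> ipaddress.IPv4Address:
    """Return the destination address of a raw IPv4 packet as read from the TUN fd."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[16:20])


def is_lan(dst: ipaddress.IPv4Address, local_subnet: ipaddress.IPv4Network) -> bool:
    return dst in local_subnet or any(dst in net for net in LAN_RANGES)


def dispose(packet: bytes, policy: Policy) -> Disposition:
    """Decide where one packet goes under the given policy."""
    dst = ipv4_destination(packet)
    if policy.on_trusted_network:
        # Trusted network: the tunnel is intentionally down and nothing is blocked,
        # so traffic must leave directly or the device has no Internet at all.
        return Disposition.DIRECT
    if policy.allow_lan and is_lan(dst, policy.local_subnet):
        # LAN bypass done by the app itself: the OS still sees every packet as
        # owned by the VPN, so the native lockdown has nothing to block.
        return Disposition.DIRECT
    if policy.tunnel_up:
        return Disposition.TUNNEL
    # Tunnel down on an untrusted network: the app kill switch decides.
    return Disposition.DROP if policy.kill_switch else Disposition.DIRECT


def make_ipv4(dst: str, src: str = "192.168.1.10", payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample input, checksum left zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def disposition_table(policy: Policy,
                      destinations=("192.168.1.20", "224.0.0.251", "1.1.1.1")) -> dict:
    """Map each sample destination to its disposition, for comparing policies side by side."""
    return {d: dispose(make_ipv4(d), policy).value for d in destinations}


if __name__ == "__main__":
    scenarios = {
        "untrusted, tunnel up, kill switch + LAN":      Policy(True,  False, True,  True,  SUBNET),
        "untrusted, tunnel down, kill switch + LAN":    Policy(False, False, True,  True,  SUBNET),
        "untrusted, tunnel down, kill switch, no LAN":  Policy(False, False, True,  False, SUBNET),
        "trusted network (tunnel off by design)":       Policy(False, True,  True,  True,  SUBNET),
    }
    for name, pol in scenarios.items():
        print(f"{name}: {disposition_table(pol)}")
```

The last two scenarios are the ones the thread's final comments describe: with the tunnel down and the kill switch on, an untrusted network gets no Internet path at all (only LAN if that toggle is set), while a trusted network sends everything directly so the device is not left with a dead VPN interface and the key icon but no connectivity.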

3 participants