Skip to content

Block non-VPN incoming traffic in lockdown mode#235

Draft
t-m-w wants to merge 1 commit intoleapcode:masterfrom
t-m-w:block-incoming-traffic-in-lockdown
Draft

Block non-VPN incoming traffic in lockdown mode#235
t-m-w wants to merge 1 commit intoleapcode:masterfrom
t-m-w:block-incoming-traffic-in-lockdown

Conversation

@t-m-w
Copy link

@t-m-w t-m-w commented Oct 17, 2022

[This request needs further examination/work! See remaining issues/concerns at the bottom.]

Work around AOSP issue that allows incoming traffic from non-VPN interfaces such as Wi-Fi when VPN is configured to "Block connections without VPN" (lockdown mode).

Mullvad has pointed out that Android does not block incoming traffic on non-VPN interfaces, such as Wi-Fi, when running a VPN in lockdown mode ("Block connections without VPN"). However, it's only partially true: Android does block such traffic when the VPN is fully-routed.

Although it would be nice if Google fixed this issue upstream, they have yet to acknowledge it as a problem. Still, it can be worked around in particular VPN apps, such as this one.

You can find more detailed information about this problem here: https://gitlab.com/CalyxOS/calyxos/-/issues/1255

Remaining issues/concerns:

  • Does setting a default route for IPv4 and IPv6 cause problems for VPNs that do not actually provide this? If so, can we have the VpnService take over these routes but simply drop or block the traffic?
  • The lockdown state is only checked once, and it is never updated if the user changes it, unless the VPN is disconnected and reconnected. Can we respond to an event that lockdown mode has changed? I could be wrong, but this does not seem to be possible. It could potentially be checked periodically, though.

@t-m-w
Block non-VPN incoming traffic in lockdown mode
3693872 
Work around AOSP issue that allows incoming traffic from non-VPN
interfaces such as Wi-Fi when VPN is configured to "Block connections
without VPN" (lockdown mode).
t-m-w
t-m-w commented Oct 17, 2022
View reviewed changes
app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
return cfg;
}

public void determineLockdownState() {
Copy link
Author

@t-m-w t-m-w Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was added to work around the fact that isLockdownEnabled() always returns false unless the VPN is established.

@cyBerta
Copy link
Collaborator

cyBerta commented Oct 19, 2022
edited
Loading

Thanks @t-m-w for your research (https://gitlab.com/CalyxOS/calyxos/-/issues/1255), summary and your proposal!

Our main repo to report issues is normally this one https://www.0xacab.org/leap/bitmask_android/ while github acts as a mirror. It will take a bit until we come to the best solution in the current situation.
Right now I think having a separate setting to disallow local network addresses might be more straight forward than making default routes dependend on the systems lockdown state, which is - as you also pointed out - hard to track and results in work-arounds as this one.

In any case all your helpful work really helps to wrap our heads around this problem.

@t-m-w
Copy link
Author

t-m-w commented Oct 19, 2022

No worries, and that sounds reasonable to me! If there's any way I can help, let me know.

@cyBerta
Copy link
Collaborator

cyBerta commented Oct 20, 2022

for further consideration, Android's connectivity checks can be disabled: https://issuetracker.google.com/issues/250529027#comment6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@t-m-w @cyBerta