> The only regret with rdns is that it’s either using that, or a VPN—from how I understand it.
This is an unforunate limitation imposed by Android (for good reasons I must add). We're fixing up our network stack to shoulder in WireGuard; should land in a month or two. With that, one would be able to upstream connections to any WireGuard endpoint: https://github.com/celzero/rethink-app/issues/52
> rdns is an awesome app, I am unsure why it’s not more widespread
Thanks for your kind words. There may be other reasons, but the surprising one is (going from what we see on other forums and emails that we get), folks are reluctant to trust a security / privacy product that's made by Indians.
> There's nothing to stop any VPN from scary levels of metadata collection, but Apple did close the door to one way of promoting or selling these services.
What I do now -though on Android- is using WireGuard as VPN to my home router which runs basically a Pi-Hole (and WireGuard).
The benefits:
1) I get a system-wide adblocker on top of uBlock Origin.
2) My mobile provider cannot perform DPI (Though its owned by same company as my cable company. YMMV, plus it will work when you roam internationally. Heck, I can perform DPI on it via my router.)
3) When on a public WiFi (e.g. railway station) all my data is encrypted.
4) When I switch networks it automatically swaps connection.
5) Far less performance hit and battery usage than traditional VPNs such as OpenVPN. Home router also barely uses any Watt.
Brilliant software, I can highly recommend. My only beef with it is that a full blown SDN such as ZeroTier is a lot easier to set up.
> I'm always concerned with an app that routes all my traffic through a VPN.
Many of these use the VPN subsystem of Android, but are not actually VPNs -- that is, they aren't routing anything off of your device. Using the VPN subsystem is just a way to be able to filter network traffic without having to have rooted your device.
The only downside is that you can't use such an app and a real VPN at the same time.
While I am not a big fan of VPNs in general, I have to admit, that Wireguard performs exceptionally well. I tested it a week ago and the added latency is pretty much just the network latency and the bandwidth loss is minimal (so small I couldn't even measure it reliably). What I found most interesting, was that there were some use-cases when the network with Wireguard performed even better than without it (probably related to congestion control).
>Do you have a firewall running on your phone to block or redirect DNS requests? Since hardcoding and bypassing the one in network settings is extremely easy and done by default by even some Google apps. DNS leaking VPN is trivial.
I assume wireguard's DNS field sets/redirects all DNS traffic through the VPN. If it ignores that setting, then Android's VPN design itself is broken. Switching to blokada won't fix this problem either.
Either way, Android's Firewall/Network aspects don't give me enough control here. But I can see enough hits on my pihole to have some reasonable confidence.
>What logs are you talking about? Blokada can use the same upstream DNS as your pihole so the logs are exactly the same if any exists.
I don't have to trust the owners of blokada aren't keeping logs? Why would I need to trust them when I can use my pihole which I know doesn't keep logs?
You are offering no advantages here compared to using my setup.
>Without a firewall and a VPN (both on the phone) you are not secure.
Well there is no competent firewall on the phone without root. Yes there is a VPN on both and it seems to work.
>With a VPN and a custom DNS service with blocklists you have an identical setup as one who uses Blokada, but without an external service.
Yes, I have an identical setup that I run myself without trusting some random owner of blokada. It runs externally just fine using my home network.
> I had a seamless time using wireguard (via a streisand installation) ...
I've been using Wireguard via https://github.com/trailofbits/algo for a while now. Of all of the VPN experiences over the last couple of decades, Wireguard has been light-years ahead of the rest.
First: it's fast. If the server is up and you don't have packet loss, you can't tell when it is turned on. For fun, I wrote some trivial automation to automatically and randomly switch between a few wireguard back ends, and I generally can't detect it.
Second: it's easy. For me, an experienced technical user. I don't know enough about the ecosystem to recommend it to less technical people, though given how basically sound it is, I'll be surprised if there aren't really easy and robust front-ends coming up.
>AFAIK Jason does use wireguard for himself now, but is cautious to recommend that to everyone.
For me this means he's appropriately cautious for working in security-minded applications like this. A lot of VPN providers would probably release something like an alpha release.
Unfortunately this is a big part of trusting your VPN provider. It’s shocking how bad the situation is, especially it seems on those marketed via Android apps. [1]
> Interesting, didn't know that. Maybe I should file an issue with the official WireGuard app asking them to support this. It would be nice if "multiple VPNs" was provided as an OS feature.
Apps have to implement it unless you mean supporting multi-hop WireGuard VPNs within the OS. Apps can support multi-hop and apps can also support doing filtering, etc. in addition to supporting an actual VPN. It's not exclusive unless the apps make it exclusive. Apps can also decide they want to support forwarding traffic through another app but they should really do that in a way that's secure instead of how some apps are currently offering this...
> This only applies to rules intended for specific apps and not system-wide rules, no? I'd hope so, since as you said people are already applying system-wide (or at least user-wide) rules using the VPN interface.
Sure, but output filtering doesn't really work well in general. For example, if you allow resolving any DNS names then you allow 2 way communication with anyone through your DNS resolver. The requests only go to your DNS resolver, but they can be for <data>.<random>.example.com where the name servers for example.com are set up to receive that data and the random value avoids it being served from the resolver's cache. The value of the DNS result can return data in the other direction. It's easier with a TXT record but can simply be an A/AAAA record too. DNS is commonly used to mask traffic by malware. It's not an obscure approach but rather very normal. Similarly, many services can be used as some form of proxy at least to communicate with arbitrary people.
The main purpose of a firewall is when you're actually hosting services and need to filter inbound connections for DDoS mitigation, etc. by limiting the number of connections per IP or IP block, rate limiting, etc. It also acts as a way to prevent listening on ports you didn't intend to be listening on due to default-enabled services or services which listen on all interfaces by default, etc. On platforms where loopback is commonly used for communication, it's also a way to do access control based on uid, gid, SELinux context, etc. None of those 3 things applies much to Android. It's very rare for apps to use loopback for communication, although some do it. Hopefully they already do their own authentication... GrapheneOS does plan to use network namespaces to provide the option of per-profile or per-app loopback interfaces, although we could also just start with a toggle for access to it.
Worth noting Android uses eBPF for controlling per-app access to the network for our Network toggle, not netfilter (iptables/nftables). They've gradually moved more and more to eBPF and away from netfilter since they have the resources to develop things that way.
> The software pretends to be a VPN client in order to get the network traffic and filter it.
This is why I stick with root firewalls -- I also use a VPN, and I don't think you can have your Android device use more than one VPN at a time (without rooting it).
> GrapheneOS already has fine-grained firewall support exposed to the user via the standard VPN service feature which despite misconceptions can be used while also using an actual VPN and there are multiple apps supporting this.
Interesting, didn't know that. Maybe I should file an issue with the official WireGuard app asking them to support this. It would be nice if "multiple VPNs" was provided as an OS feature.
> It's not simply difficult to set up firewall rules where leaks aren't possible but rather it doesn't really work because not everything is done via direct socket access from the apps.
This only applies to rules intended for specific apps and not system-wide rules, no? I'd hope so, since as you said people are already applying system-wide (or at least user-wide) rules using the VPN interface.
> Blokada uses the Private DNS feature of the phone to block ads
Oh, good, I had interpreted "Cloud filtering" as some sort of content blocking API. DNS makes sense.
> It should also be noted that you can use the VPNService in android to only set a DNS server to use, without actually sending any traffic through a VPN. Using the VPNService in this way is not going to be allowed with the new Developer Policy update. When used this way, the privacy issues aren't there--though there is the potential misunderstanding of end users who might think they are using a full VPN when in reality they aren't.
That's good if VPN apps aren't always actually implementing a VPN, and it likely eliminates the battery life issue, but the confusion is a problem as users can't tell the difference between an actual VPN and one that is only doing DNS stuff.
In fact an app could say "don't worry we're only doing DNS" but actually be a VPN. That sounds dangerous to me?
> All of this can operate on device at the OS/IP stack layer.
I think, on Android, with root you could do a lot more and not have to use VPNs at all.
> That gives too much trust to the VPN operator.
Local VPN apps like NetGuard are open-source, btw. And server VPNs like ProtonVPN have no-logs policy. I'm curious, what other guarantees are you looking for?
> It would get more complicated to support accessing it while away from home, admittedly. I don't know if that's an important feature for this application.
This is a huge feature which I've solved using an IPSec VPN. This is not something that's easy for regular people to do though, so it's not a universal solution.
If someone made a router that could easily provision VPN access for a device (e.g., generate a sensible OpenVPN config or something) it would make this setup a LOT easier.
This is an unforunate limitation imposed by Android (for good reasons I must add). We're fixing up our network stack to shoulder in WireGuard; should land in a month or two. With that, one would be able to upstream connections to any WireGuard endpoint: https://github.com/celzero/rethink-app/issues/52
> rdns is an awesome app, I am unsure why it’s not more widespread
Thanks for your kind words. There may be other reasons, but the surprising one is (going from what we see on other forums and emails that we get), folks are reluctant to trust a security / privacy product that's made by Indians.
reply