search

AdguardTeam / AdGuardVPNForAndroid

AdGuard VPN Android app open bug tracker
https://adguard-vpn.com/
125 stars 11 forks source link

Network Isolation #65

Open ameshkov opened 3 years ago

ameshkov commented 3 years ago

@EntropySmoke commented on Wed Jan 06 2021

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

Problem Description

A lot information is exposed on public WiFi networks without isolation. Many Android VPN apps can prevent at least some local nework discovery, but AdGuard doesn't. A Layer 3 isolation should be included. I think OpenVPN protocol provides even a better Layer 2 isolation, but I don't know what protocol AdGuard uses for its Local VPN. Currently private IP addresses are added to exclusion lists by default, but removing those addresses does not result in AdGuard blocking Chromecast packets. Android devices with AdGuard Local VPN (and all local IP's removed from exclusion list) continue to discover each other on my WiFi. AdGuard log does show 239.255.255.250 and that can be blocked, but it doesn't prevent other DLNA discovery.

Proposed Solution

An option to drop connections to and from all known private IP addresses, except for the one assigned to the device and the gateway. It should include blocking Multicast (mDNS, Bonjour, Avahi, etc.) IP's (224.0.0.0-255.255.255.255) or just drop all IGMP (Protocol 2) packets.

Alternatives Considered

Custom IP Tables, but that requires rooting and can't be easily adjusted for each public WiFi connection due to differences in assigned IP addresses.

Additional Information

AdGuard also doesn't prevent IPv6 Link Local discovery connections, even when IPv6 is disabled in AdGuard settings and local network does not IPv6. There is no easy way to disable IPv6 interface on Android devices without custom scripts and even then, IPv6 Link Local IP's are re-assigned on connection change. IPv6 Link Local isn't route-able, but it does leak information onto local network without proper VLAN isolation that very few public WiFi networks have.

@ameshkov commented on Wed Jan 06 2021

Hm, it sounds as if this should've been reported to Android VPN repo.

EntropySmoke commented 3 years ago

I actually would like this feature for AdGuard AdBlocker just as much as I'd like it for AdGuard VPN. AdGuard AdBlocker does use a Local VPN and it does enhance both security and privacy. Adding Local Network Isolation to AdGuard AdBlocker by dropping packets from private IP's would further enhance AdGuard AdBlocker's security and privacy.

infinitewaveparticle commented 2 years ago

I also second this for both apps. It seems like something that should absolutely be included.