GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

VPN Connectivity Broken in All User Profiles Except Owner #4201

Open GretaThunder opened 1 month ago

GretaThunder commented 1 month ago

Build: 02024102100

Device: Pixel 6

Everything was working fine prior to updating, but now I cannot connect to IPsec/IKEv2 using the official Strongswan app in any User Profile except the Owner. All VPN settings are the same between Owner (which works fine) and User Profiles (fails to connect).

thestinger commented 1 month ago

Likely an upstream issue.

GretaThunder commented 1 month ago

Is there no remedy?

Or GrapheneOS fixes it on their end, like they took initiative with the DNS/MULTICAST leak issues for OpenVPN/WireGuard. IPsec/IKEv2 was not affected by any leaks to my knowledge which is why we've been using it, but this effectively breaks everything and it doesn't seem Google will tend to this any time soon.

thestinger commented 1 month ago

We don't think our changes caused it. It's probably an Android 15 regression. We have to look into it. There isn't going to be a quick solution and we'll need to be very careful with any change to fix it in order to avoid introducing leaks.

u-fred commented 1 month ago

It's unlikely that this is an Android issue and more likely it is an app or configuration issue. If it was an issue with the OS, this would be occurring for many VPNs and not just this one app.

u-fred commented 1 month ago

I suggest you try reinstalling the app in all profiles and seeing if the issue persists. If it does, you can pull logs from the app in a secondary profile and report them to the app developer. If you also link the logs here I'll take a quick look.

u-fred commented 1 month ago

> IPsec/IKEv2 was not affected by any leaks to my knowledge which is why we've been using it

I think you've misunderstood something here. There are two types of VPNs, app-based and legacy. When using an app-based VPN, there is no advantage to using IPsec/IKEv2. Each app has a separate implementation of IPsec/IKEv2; they don't reuse Android's implementation. Any leaks that exist for OpenVPN/WireGuard also exist for IPsec/IKEv2 when using an app-based VPN. These leaks have now been resolved and you can go back to using OpenVPN/WireGuard with a more modern app.

GretaThunder commented 1 month ago

It's definitely an Android issue because I tested another Pixel 6 that's working perfectly in all user profiles simply because it hasn't been updated to Build: 02024102100.

Your information is not accurate as during my testing with Strongswan IPsec/IKEv2 this year, it did not produce any leaks unlike many OpenVPN/Wireguard apps. Try it yourself.

iVPN leaks: https://www.ivpn.net/blog/dns-traffic-leak-outside-vpn-tunnel-on-android/

Mullvad leaks https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android

ProtonVPN leaks: https://www.reddit.com/r/ProtonVPN/comments/1c9r782/android_dns_leak/

The GrapheneOS team has also stated that the VPN leaks with Wireguard/OpenVPN on Android are still not fully resolved, not sure where you got that information that they were. And they have confirmed that native IPSEC on Android was not affected from the beginning.

https://x.com/GrapheneOS/status/1846874665576280078

https://x.com/GrapheneOS/status/1786732497666982273

The "advantage" of sticking with IPSec/IKEV2 is no leaks. There may be another bug across OpenVPN/Wireguard implementations in apps that we haven't found yet, so the track record for now is using the built-in IPSEC and/or Strongswan IPSEC/IKEV2 to avoid leaks.

Strongswan is a long running, well-respected project used by many. The solution isn't to tell people to ditch it for OpenVPN/Wireguard implementations. And... if you want to have a VPN that doesn't leak on iOS for example, OpenVPN/Wireguard are not options, only IKEV2. The iPhone is the only other device GrapheneOS recommends behind Pixels.

GretaThunder commented 1 month ago

I did some more testing. Uninstalled and reinstalled. Everything works perfectly in Owner profile with Strongswan and this issue only affects User Profiles. I have made no changes, only updated GrapheneOS to Build: 02024102100.

When trying to connect to the hostname (which is my default, standard configuration), the error is a server address lookup failure, "no address associated with hostname", which is not true. It works perfectly in Owner and on the other device prior to the OS update.

When trying to connect directly to the IP instead, the error is "error writing to socket: Operation not permitted". It works perfectly in Owner and on the other device prior to the OS update.

Any other suggestions, please share.

GretaThunder commented 4 weeks ago

UPDATE:

Something is wrong on the OS level. I removed the VPN entirely in my User Profile, connected to regular WiFi and absolutely no internet connections with any app can be made. This could also explain why Strongswan wasn't working. I tried with a direct ethernet connection and still the User Profiles cannot connect to anything.

I also deleted and reinstalled Strongswan in the Owner profile, and now it refuses to connect with the same Strongswan IPSEC/IKEV2 settings. Owner profile Wireguard, regular WIFI, and Ethernet work fine though.

One thing to note is that after I updated to Build: 02024102100, I enabled Private Space but did not add any apps.

Other reports of Pixel 6 devices having issues after updating to Android 15:

https://www.reddit.com/r/GooglePixel/comments/1g9np6z/my_pixel_6_is_dead_after_android_15_update/

https://www.reddit.com/r/GooglePixel/comments/1g8cucs/pixel_6_bricked_after_enabling_private_space/

https://www.reddit.com/r/GooglePixel/comments/1g8nocn/pixel_6_bricked_after_android_15_update/

https://www.androidpolice.com/android-15-killing-pixel-6-devices/

Now I need a way to enable internet, never mind VPN, in the User Profiles so I can at least back up the data. Any help is appreciated.