Windows should not install VPN services until VPN is purchased/enabled

[bsclifton]

Background

Starting with product version 1.59.117 on Windows, WireGuard is used as the default for Brave VPN.

With product version 1.57.47, Brave will install a service Brave Vpn Wireguard Service if a user has admin privileges. This service is marked as Manual start and is not started. The binary is also installed on disk in the directory the the browser binaries are installed.

This change was introduced here: https://github.com/brave/brave-core/pull/18565

The pull request links to the devops issue where we compile the binary and also to the privacy/security review where this was vetted. Originally, this work was all behind a feature flag exposed via brave://flags.

There is also a Brave Vpn Service that is installed (also set to Manual start, not started) which has been there for a longer time. This service was added here: https://github.com/brave/brave-core/pull/15915

That change went live with Brave product version 1.50.114 on Windows. This service was added to provide an OS level way to stop leaking of DNS due to a Windows feature called Smart Multi-Homed Name Resolution and is only used when a customer has purchased VPN and the VPN is connected. More information about Smart Multi-Homed Name Resolution and why this service was created can be found here: https://github.com/brave/brave-browser/issues/25489

Here is a picture from services.msc courtesy of ghacks.net

These services will only be used when the person buys Brave VPN (via account.brave.com) and engages with the UI in the product.

Description

On Windows only, there are two VPN related services (Brave Vpn Service and Brave Vpn Wireguard Service) registered with Windows when Brave is freshly installed. They can be viewed in services.msc. They are both set to Manual start and are not used until a person 1) uses Brave and 2) purchases Brave VPN and then 3) connects to Brave VPN.

At that point, a config (with the VPN details) is written to disk and the service is started.

These services are installed at install time - since the installer is already doing a UAC prompt (admin escalation). The ideal situation would be to move these services to be installed when VPN is first USED (post purchase) and not at install time.

What does the fix look like

As we solve this issue, here's what we plan to do

• Remove the service registrations during install (for Brave Vpn Service and Brave Vpn Wireguard Service). This will prevent new users from having the service installed.
• "Componentize" the binaries for these services, similar to Tor and IPFS. Those can be viewed in brave://components. There would be a new entry here like Brave Vpn Services (Windows).
• Update the VPN code to download/install the component at time of use
• Remove the service registrations during upgrade - so folks who have this service installed will have the service removed.

[bsclifton]

Still working through review feedback here! Thanks for your patience everybody. I have done a lot of testing at this point and it's working great. Just need to address the comments for code cleanup

[bsclifton]

Hi folks - wanted to give an update as it's been a while.

Work is nearing completion. I addressed a LOT of feedback from reviewers. There are a few new comments on https://github.com/brave/brave-core/pull/20754 and then I've also been asked to simplify the code a bit. The original code being reworked had some extra complexities and the size of this change is challenging to review.

Hoping I can get these items addressed and we can get this merged this week

[bsclifton]

Happy to share that this is FINALLY merged. Thanks for all of you that have been patient! This change touched a lot of places in the code. We had to find a good solution, refine it, and then go through testing with it.

The fix will be in the next Nightly we have publicly. From there, I'll be working with the QA team to uplift this into Beta first and then Release next. If you're on Nightly and you don't have Brave VPN purchased, you'll see the services disappear tomorrow morning after updating 🎉

Some of our next upcoming release dates - the fix should be in one of these. It may also be in a hotfix in between them.

• 1.62 - January 23rd, 2024
• 1.63 - February 20th, 2024

[bsclifton]

Going to do some clean up here as discussion here got a bit off topic. If there are some specific grievances, let's please create a new issue 😄 Thanks!

[bsclifton]

OK one last follow up - after the code fixing this issue has been merged to 1.64 (Nightly), there have been two more follow ups:

• Updated Wireguard enabled state timing
• Removed install_static deps from vpn component

Those are merged into 1.64 (Nightly) also. There is one outstanding change which is under review now.

• Switch vpn protocols during the runtime

This last change is necessary to prevent a regression. We have the 1.63 release coming up soon (next week) and I don't think we'll be able to uplift the changes there due to time limitation. But tomorrow, we're planning on moving 1.64 (where the change is) to Beta. If you're a Beta user, you should see the services get removed tomorrow when 1.64 ships and you receive the update.

This means we can expect the change on RELEASE channel (stable) on March 19th with the 1.64 release 🙂

[Marko-98]

Will we get ability to remove VPN part on Android as well?

I mean, it just sits there and has no use to users that aren't subscribed to VPN service. Many times mistakenly entered the VPN ad because it's location is on match where other web browsers have desktop site feature.

[hatemicroshit]

The problem is doing a Per-User install is not obvious, but it is easy.

what a disingenuous comment. the install process tries to adhere to the windows standard of Everything Gets Admin. don't turn the blame away from disrespectful behaviour

[stephendonner]

Verification PASSED using

Brave | 1.64.94 Chromium: 122.0.6261.94 (Official Build) beta (64-bit)
-- | --
Revision | 866e3a4bd76c9cc1762928df0cf9a53b8685ab71
OS | Windows 10 Version 22H2 (Build 19045.4123)

Clean install - PASSED

### Steps: 1. downloaded `https://github.com/brave/brave-browser/releases/download/v1.64.94/BraveBrowserStandaloneBetaSetup.exe` 2. double-clicked on `BraveBrowserStandaloneBetaSetup.exe` 3. confirmed UAC prompt 4. waited for install to finish 5. clicked `Close` on "install finished" dialog 6. opened `Add/Remove programs` 7. confirmed `Brave Beta` `122.1.64.94` was installed on `3/4/2024` 8. opened `service.msc` and confirmed only one `BraveBetaElevationService` 9. logged into `account.bravesoftware.com` using `issue33726@mailinator.com` 10. clicked on `Refresh Brave VPN` 11. opened `services.msc` and confirmed `BraveBetaVpnService` and `BraveBetaVpnWireguardService` (both set to `Manual`) 12. connected to `Brave VPN` 13. confirmed via external source `whatismyipaddress.com` that I'm connected to `Brave VPN`; also confirmed via `brave://settings/system` that I'm connected using `WireGuard` 14. loaded `http://browserleaks.com/dns` and confirmed the local DNS resolver wasn't leaked (shows `Cloudflare` instead) 15. confirmed `BraveVpnBetaWireguardTunnelService` was `Running` 16. disconnected from `Brave VPN` and toggled `Use WireGuard....` to disabled/off 17. connected to `Brave VPN` 18. confirmed only `BraveBetaVpnService` was running (no `WireGuard` processes) 19. loaded `http://browserleaks.com/dns` ### Confirmed no DNS leaks over either `WireGuard` or `IKEv2`, and I was able to switch between them dynamically step 7 | step 8 | step 11 | step 12 | step 13a | step 13b | step 14 | step 15 | step 16 | step 17 | step 18 | step 19 --------|-------|----------|---------|----------|------------|---------|---------|---------|-----------|----------|-----------  |  |  |  |  |  |  |  |  |  |  | 

Upgrade - removal of VPN service - PASSED

### Steps: 1. installed `1.64.3` (build WITHOUT fix) 2. launched Brave 3. opened `services.msc` 4. confirmed `BraveNightlyVpnService`, `BraveNightlyVpnWireguardService`, and `BraveNightlyElevationService` processes 5. right-clicked on `BraveNightlyElevationService` and chose `Start` 6. confirmed error message 7. installed `1.64.94` 8. launched Brave 9. opened `services.msc` 10. confirmed all `BraveNightly...` services are gone 11. right-clicked on `BraveBetaElevationService` and chose `Start` ### Confirmed `BraveBetaElevationService` was successfully `Running` steps 3-4 | step 6 | step 11/result ----------|----------|----------  |  | 

Upgrade - pre-existing Brave VPN user - PASSED

### Steps: 1. Have a profile which already has a Brave VPN subscription 2. Run steps from `Upgrade scenario - removal of VPN service` 3. The `VPN` button will still be visible in the browser. Click it to bring up the server connection screen 4. At this point and time, the services should be installed. 5. Verify `Brave VPN` works 6. Open `services.msc` and search for the VPN services. 7. Verify both VPN services are shown. Name will be like: `Brave Beta Vpn Service` (`BraveBetaVpnService`) `Brave Beta Vpn Wireguard Service (BraveBetaVpnWireguardService`) ### Confirmed `BraveBetaVPNService` and `BraveBetaVpnWireguardService` were running example | example | example ----------|-----------|----------  |  | 

Upgrade - user purchases Brave VPN after upgrade - PASSED

### Steps: 1. Have a profile which does NOT have `Brave VPN` 2. Run steps from `Upgrade scenario - removal of VPN service` 3. Logged in to `account.bravesoftware.com` with a new account 4. Clicked `Buy VPN` 5. Completed `Stripe` checkout 6. At this point and time, the services should be installed. 7. Verify `Brave VPN` works 8. Open `services.msc` and search for the VPN services. 9. Verify both VPN services are shown. Name will be like: `Brave Beta Vpn Service` (`BraveBetaVpnService`) `Brave Beta Vpn Wireguard Service` (`BraveBetaVpnWireguardService`) ### Confirmed `BraveBetaVPNService` and `BraveBetaVpnWireguardService` were running example | example | example | example ----------|-----------|-----------|----------  |  |  | 

[bsclifton]

@Marko-98 you should already be able to remove VPN using group policy, which I admit is not very straight-forward at the moment (I've never tried to do it before on Android). There might be something special we need to do for Android

We have the group policy (as it related to Desktop) documented at https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy - when BraveVPNDisabled is set to 1, it should hide the UI elements. Same with BraveRewardsDisabled, BraveWalletDisabled, etc

[Marko-98]

@bsclifton I just disabled the VPN through the brave:flags on Windows and it's not present anywhere in the UI. That solved it for me. I prefer flags anyway because when I manage it through Group Policy, I get that annoying message everywhere that the browser was managed by my organization (as expected). It also doesn't let me open the small menu on internal Downloads page (#35793) then, so that's why I prefer flags instead.

In my comment, I was asking specifically about the Android version of Brave. Because there isn't a flag that would allow me to do the same.

Thanks for your work guys! I really appreciate it. 😉

[MadhaviSeelam]

Verification PASSED using

Brave | 1.64.96 Chromium: 122.0.6261.111 (Official Build) beta (64-bit)
-- | --
Revision | fb9feca2d1f25ea20265752e8ecdf548a6925bd4
OS | Windows 11 Version 23H2 (Build 22631.3155)

Clean install - PASSED

1. downloaded & Installed `BraveBrowserStandaloneBetaSetup.exe` for `1.64.96 via https://github.com/brave/brave-browser/releases/download/v1.64.96/BraveBrowserStandaloneBetaSetup.exeUAC prompt 2. clicked Yes on UAC prompt 3. opened Add/Remove programs 4. confirmed `Brave Beta 122.1.64.96` was installed on 3/6/2024 5. opened `service.msc` and confirmed only one `BraveBetaElevationService` 6. logged into account.bravesoftware.com, purchased & subscribed to VPN for vpn5mar46@mailinator.com 7. verified VPN credentials loaded 8. opened services.msc and confirmed no services - BraveBetaVpnService and BraveBetaVpnWireguardService (both set to Manual) shown yet 9. clicked VPN button 10. opened services.msc and confirmed no services - BraveBetaVpnService and BraveBetaVpnWireguardService (both set to Manual) 11. connected to Brave VPN 12. confirmed via external source whatismyipaddress.com that I'm connected to Brave VPN; 13. confirmed via brave://settings/system that I'm connected using WireGuard loaded 14. http://browserleaks.com/dns and confirmed the local DNS resolver wasn't leaked (shows Cloudflare instead) 15. confirmed BraveVpnBetaWireguardTunnelService was Running in services.msc 16. disconnected from Brave VPN and toggled Use WireGuard.... to disabled/off 17. connected to Brave VPN 18. confirmed only BraveBetaVpnService was running (no WireGuard processes) 19. loaded http://browserleaks.com/dns 20. confirmed no DNS leaks over either WireGuard or IKEv2, and I was able to switch between them dynamically step 3-4 | step 5 | step 6-7 | step 8 | step 9 | step 10 | step 11 ----- | ----- | ------ | ------ | ------ | ------ | ------ |||||| step 12 | step 13 | step 14 | step 15 | step 16 | step 17 | step 18 |step 19 ----- | ----- | ------ | ------ | ------ | ------ | ------ | ---- |||||||

Upgrade - removal of VPN service - PASSED

### Steps: 1. installed `1.63.141` (build WITHOUT fix) 2. launched Brave 3. opened `services.msc` 4. confirmed `BraveBetaVpnService`, `BraveBetaVpnWireguardService`, and `BraveBetaElevationService` processes 5. right-clicked on `BraveNightlyElevationService` and chose `Start` 6. confirmed error message 7. installed `1.64.94` 8. launched Brave 9. opened `services.msc` 10. right-clicked on `BraveBetaElevationService` and chose `Start` ### Confirmed `BraveBetaElevationService` was successfully `Running` step 1|steps 3- 6 | step 7 | step 10/result ----------|----------|----------|-------- |||

Upgrade - pre-existing Brave VPN user - PASSED

### Steps: 1. Have a profile which already has a Brave VPN subscription 2. Run steps from `Upgrade scenario - removal of VPN service` 3. The `VPN` button will still be visible in the browser. Click it to bring up the server connection screen 4. At this point and time, the services should be installed. 5. Verify `Brave VPN` works 6. Open `services.msc` and search for the VPN services. 7. Verify both VPN services are shown. Name will be like: `Brave Beta Vpn Service` (`BraveBetaVpnService`) `Brave Beta Vpn Wireguard Service (BraveBetaVpnWireguardService`) ### Confirmed `BraveBetaVPNService` and `BraveBetaVpnWireguardService` were running example | example | example | example | example | example| example | example ----- | ----- | ----- | ------ | ------ | ------ | ------ | ------ |||||||

Upgrade - user purchases Brave VPN after upgrade - PASSED

### Steps: 1. Have a profile which does NOT have `Brave VPN` 2. Run steps from `Upgrade scenario - removal of VPN service` 3. Logged in to `account.bravesoftware.com` with a new account 4. Clicked `Buy VPN` 5. Completed `Stripe` checkout 6. At this point and time, the services should be installed. 7. Verify `Brave VPN` works 8. Open `services.msc` and search for the VPN services. 9. Verify both VPN services are shown. Name will be like: `Brave Beta Vpn Service` (`BraveBetaVpnService`) `Brave Beta Vpn Wireguard Service` (`BraveBetaVpnWireguardService`) 10. Disconnected VPN and Wireguard toggle off in brave://settings/system - Confirmed `BraveBetaVPNService` and `BraveBetaVpnWireguardService` shown - Confirmed `BraveBetaVPNService` status shown running in IKEv2 mode - Confirmed `BraveVPNBetaWireguardTunnelService` status shown running in Wireguard mode example | example | example | example | example | example | example ----- | -------- | ------- | -------| -------| --------| -------- ||||||