ooni / probe

OONI Probe network measurement tool for detecting internet censorship
https://ooni.org/install
BSD 3-Clause "New" or "Revised" License

android: VPN check incompatible with Netguard firewall #2039

Open bassosimone opened 2 years ago

bassosimone commented 2 years ago

A user wrote to us to let us know that they were using Netguard firewall and OONI Probe refused to run even though the user had specifically put OONI Probe in the allow list. We should investigate and improve our understanding of how our checks for VPNs integrate and interplay with firewalls registering themselves as VPNs like Netguard. We can close this issue once we have figured out the correct way to interplay with Netguard or we have figured out a way to allow users to completely opt out of the firewall check. (IIRC, it's already possible and, if that's the case, then it seems we have a UX issue.)

aanorbel commented 2 years ago

@bassosimone, I have used Netguard firewall before. Also, after making some additional tests, my understanding of how Netguard firewall works is that the app creates a local VPN to which the rules are passed to determine which apps go through or not.

Here are a few screenshots to show how Netguard firewall is handled on Android.

My proposal is that we come up with some sort of exclusion list, if possible, that allows the app to function as if there is no VPN in use when the user has Netguard firewall enabled.

I will proceed to look into this.

bassosimone commented 2 years ago

> My proposal is that we come up with some sort of exclusion list, if possible, that allows the app to function as if there is no VPN in use when the user has Netguard firewall enabled.

Sounds reasonable. (Another option is to allow the user to bypass the VPN check if they're sure about this: I am wondering whether other apps work like Netguard and hence how effective an allow-list approach could be?)

aanorbel commented 2 years ago

Looking into it that way, the allow-list is not maintainable as we don't have all the possible apps working in that way.

We can add an option to bypass VPN checks which would be in a settings screen. The VPN prompt will provide the user with the option to navigate to this option and disable it if they are sure that's what they want to do.

bassosimone commented 2 years ago

> We can add an option to bypass VPN checks which would be in a settings screen.

If this is easier to do than figuring out Netguard and all alike cases in a unified way, then perhaps this is indeed the right solution to address the original user's concern quickly.

bassosimone commented 2 years ago

We just had a chat with @aanorbel and confirmed we want to pursue this solution:

> We can add an option to bypass VPN checks which would be in a settings screen. The VPN prompt will provide the user with the option to navigate to this option and disable it if they are sure that's what they want to do.

This should solve the problem for users in a Wireguard-like situation.

j-lakeman commented 2 months ago

Please also take https://github.com/celzero/rethink-app/ into account. What's the current status of this issue? Does turning off the "warn when VPN is in use" setting also enable automated tests?

Edit: never mind, it seems to work as expected!