zaneschepke / wgtunnel

An alternative Android client app for WireGuard VPN
https://zaneschepke.com/wgtunnel-docs
MIT License

Incompatible with Block Connections Without VPN Setting #52

Open bettyvschmartz opened 1 year ago

bettyvschmartz commented 1 year ago

Hi,

Firstly, thank you for a great app. The auto-tunneling features are great.

I have been looking for an alternative WireGuard app for Android to fix a few issues with the official WireGuard app. One of these was being able to have VPN disabled on trusted networks. The second, being able to bypass the VPN for select apps to communicate on a local LAN whilst also having the Android setting 'Block connections without a VPN' enabled. It's important to have this option enabled so one can be sure nothing is able to communicate outside of the VPN.

It seems as though it should work as per this GrapheneOS issue here but the issue seems to be that the exclude app from VPN options in many VPN apps work by allowing the app to bypass the VPN app altogether. It's apparent that how they should work is still to own the connection, so the OS believes traffic is going over VPN but then for the selected apps to direct it to the LAN.

As with the official WireGuard app, it seems this also doesn't work in WG Tunnel upon testing. If I exclude an app it can communicate on a local network, but as soon as 'Block connections without a VPN' is enabled the connection gets blocked. I was hopeful this was one of the features.

Is it possible to look at how this is implemented and apply a fix?

-- bvs

zaneschepke commented 1 year ago

Thank you for the feedback and for using the app! This issue goes along with a kill switch feature I have been thinking about implementing. I think that is what might be necessary in order to block internet traffic but still allow traffic on the local network. I have noticed other apps like Surfshark have this feature.

I am pretty sure, regardless of what is implemented at an app level, the Android native Block connections without VPN will always block anything and everything that isn't over the VPN. This is why I think an app kill switch is needed.

Question: Have you tried using the exclude private IP addresses feature of the official WireGuard app along with the native block connections without VPN?

bettyvschmartz commented 1 year ago

Thanks for the reply.

Yes, the exclude private IPs feature doesn't work with the Block connections without VPN enabled and it's less than ideal. As and when you are not on a trusted network, which is likely with a mobile device, you are allowing the device or apps to be able to communicate with that local network. It's both a security and privacy issue. In reality it's better only to allow specific traffic.

> I am pretty sure, regardless of what is implemented at an app level, the Android native Block connections without VPN will always block anything and everything that isn't over the VPN. This is why I think an app kill switch is needed.

This option is the kill switch in Android. The reason I think lots of VPN apps don't work with it is that their handling of excluding apps from the VPN is poorly implemented. The discussion I linked to explains the same. As I understand it, most of the VPN apps simply allow the traffic outside of the app, which is then caught by the block, because the block feature only allows traffic via the VPN app. This doesn't mean traffic has to actually traverse the VPN. What we need is for the app to continue to own the connection, but rather than route the traffic over VPN, route it back locally. It seems possible.

As a workaround, if you own your VPN server, one can simply direct traffic between peers over the VPN tunnels. But if you are communicating between two devices on the same LAN this is unnecessary latency. Directing traffic from one peer to a remote WG server and back to a LAN peer is inefficient to say the least. If you're trying to cast video, for example, this is a real performance hit. Moreover it's not generally possible with many commercial VPN providers because they tend not to route traffic between peers.

-- bvs
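The "exclude private IP addresses" option asked about above works by subtracting the private ranges from the tunnel's AllowedIPs, so those prefixes are never routed into the TUN interface and the OS sends them out the physical interface instead. The following is an added model of that mechanism, not code from WG Tunnel or the official WireGuard app: it computes the resulting AllowedIPs list and then applies the rule that "Block connections without VPN" (lockdown) drops anything leaving via the physical interface. The list of private ranges and the destination addresses are constructed for the illustration.

```python
import ipaddress

# Constructed list of ranges to leave out of AllowedIPs (RFC 1918 plus
# link-local). The official app's exact exclusion list may differ.
PRIVATE_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def allowed_ips_excluding(full, excluded):
    """Return the minimal CIDR list covering `full` minus every prefix in
    `excluded`. CIDR prefixes either nest or are disjoint, so each excluded
    prefix is carved out of whichever remaining prefix contains it."""
    remaining = [ipaddress.ip_network(full)]
    for ex in excluded:
        ex = ipaddress.ip_network(ex)
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                      # swallowed entirely
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))
            else:
                carved.append(net)            # disjoint, keep as is
        remaining = carved
    return sorted(remaining, key=lambda n: (int(n.network_address), n.prefixlen))


def to_allowed_ips_line(prefixes):
    """Format the prefixes as the AllowedIPs value of a [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(p) for p in prefixes)


def routed_via_tunnel(dst, allowed_ips):
    """True if the destination falls inside any prefix routed into the TUN."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_ips)


def reachable(dst, allowed_ips, lockdown):
    """Model the OS decision for a packet to `dst`:
    'tunnel'  - inside AllowedIPs, goes through the VPN interface
    'direct'  - outside AllowedIPs, leaves on the physical interface
    'blocked' - same as direct, but lockdown drops it (hypothetical
                simplification of Android's block-without-VPN rule)."""
    if routed_via_tunnel(dst, allowed_ips):
        return "tunnel"
    return "blocked" if lockdown else "direct"


if __name__ == "__main__":
    allowed = allowed_ips_excluding("0.0.0.0/0", PRIVATE_V4)
    print(to_allowed_ips_line(allowed))
    for dst in ("1.1.1.1", "192.168.1.20"):
        for lockdown in (False, True):
            print(dst, "lockdown" if lockdown else "no lockdown",
                  "->", reachable(dst, allowed, lockdown))
```

Run stand-alone, the script prints the 40-prefix AllowedIPs line and shows that a LAN destination such as 192.168.1.20 is "direct" without lockdown but "blocked" with it, while 1.1.1.1 is "tunnel" either way. That is the behaviour reported in the thread: the exclusion keeps LAN traffic out of the tunnel, and lockdown then has nothing to let it through.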

zaneschepke commented 1 year ago

Thank you for the detailed response. I agree with everything you said. I will have to investigate further what would be needed to implement these changes.

WG Tunnel uses the same core implementation of WG as the official app via their library. I suspect I might need to make these changes to the library itself. This makes things a bit more complicated, but it should be doable.

mvevitsis commented 2 months ago

+1, this is absolutely the most annoying thing about using a VPN on Android.

There should be a toggle to allow LAN connections (or not) in lockdown mode, but I guess Google doesn't care.