Block non-VPN incoming traffic in lockdown mode #235
Conversation
Work around AOSP issue that allows incoming traffic from non-VPN interfaces such as Wi-Fi when VPN is configured to "Block connections without VPN" (lockdown mode).
| @@ -576,10 +577,38 @@ private String getTunConfigString() { | |||
| return cfg; | |||
| } | |||
|
|
|||
| public void determineLockdownState() { | |||
There was a problem hiding this comment.
This was added to work around the fact that isLockdownEnabled() always returns false unless the VPN is established.
|
Thanks @t-m-w for your research (https://gitlab.com/CalyxOS/calyxos/-/issues/1255), summary and your proposal! Our main repo to report issues is normally this one https://www.0xacab.org/leap/bitmask_android/ while github acts as a mirror. It will take a bit until we come to the best solution in the current situation. In any case all your helpful work really helps to wrap our heads around this problem. |
|
No worries, and that sounds reasonable to me! If there's any way I can help, let me know. |
|
for further consideration, Android's connectivity checks can be disabled: https://issuetracker.google.com/issues/250529027#comment6 |
[This request needs further examination/work! See remaining issues/concerns at the bottom.]
Work around AOSP issue that allows incoming traffic from non-VPN interfaces such as Wi-Fi when VPN is configured to "Block connections without VPN" (lockdown mode).
Mullvad has pointed out that Android does not block incoming traffic on non-VPN interfaces, such as Wi-Fi, when running a VPN in lockdown mode ("Block connections without VPN"). However, it's only partially true: Android does block such traffic when the VPN is fully-routed.
Although it would be nice if Google fixed this issue upstream, they have yet to acknowledge it as a problem. Still, it can be worked around in particular VPN apps, such as this one.
You can find more detailed information about this problem here: https://gitlab.com/CalyxOS/calyxos/-/issues/1255
Remaining issues/concerns: