Permissive_terminus Posted ... (edited)

I was wondering if you could explain why Eddie for Android (or VPN apps for Android in general) cannot securely (leak-free) rebuild their tunnel after it was lost.

This is under the assumption that the device in question is running the latest Android version and has both "Always on" and VPN lock activated in the Android settings. With these system settings, Android will make sure that all the traffic is routed through the selected VPN app under any circumstance. It's then the responsibility of this VPN app to make sure it does not leak. If, for example, the VPN app randomly gets shut down or gets kicked out of memory, Android will show the VPN lock icon in the status bar and block any traffic until the app is running again.

Now, Eddie for Android often does not automatically reconnect after a temporary connection loss, because apparently these reconnects sometimes cannot be done leak-free. I'm not questioning this statement, but I'm genuinely curious what could be causing leaks in this setup. In what scenario is a VPN app incapable of rebuilding a tunnel without leaking connections, if the system makes sure that all traffic must go through said VPN app?
Staff Posted ...

Hello!

If you are 100% sure that the Android 9 options you mention will prevent any traffic leak, you can disable "VPN lock" from "Settings" > "VPN" > "VPN Lock". When VPN lock is disabled, Eddie will simply try to re-connect as soon as possible when a VPN connection is lost (of course other functions like VPN pause during device lock will remain available for your comfort: they are handled by different settings).

The main problem in Android to prevent leaks is that the Linux packet filtering table is unreachable from the upper layer on un-rooted devices, so effective firewall rules cannot be enforced. When the tunnel is destroyed, traffic is totally free to flow until the tunnel is rebuilt. In the time between disconnection and reconnection traffic will flow outside the tunnel. Even worse, if a VPN server becomes unreachable, OpenVPN will try indefinitely to connect to it with no success, and you will then suffer permanent traffic leaks up to Android 8 6.

We will leave to developers a comment about whether the mentioned new Android 7, 8 and 9 settings will protect you effectively when the tunnel is destroyed, because the matter deserves a deeper investigation. They might even help you prevent those traffic leaks which were previously impossible to block even for Eddie (and any other app running with no root privileges), i.e. leaks of those Google or manufacturer apps (if any) running with high privileges, binding to the physical network interface (it happens in iOS with some Apple services as it was clarified in Apple policy) and bypassing therefore any VPN tunnel.

Kind regards
Permissive_terminus Posted ... (edited)

On 8/15/2019 at 9:26 AM, Staff said:

> OpenVPN will try indefinitely to connect to it with no success, and you will then suffer permanent traffic leaks up to Android 8. We will leave to developers a comment about whether mentioned, new Android 9 settings will protect you effectively when the tunnel is destroyed because the matter deserves a deeper investigation. They might even help you prevent those traffic leaks which were previously impossible to block even for Eddie (and any other app running with no root privileges), i.e. leaks of those Google or manufacturer apps (if any) running with high privileges, binding to the physical network interface (it happens in iOS with some Apple services as it was clarified in Apple policy) and bypassing therefore any VPN tunnel. Kind regards

Thanks for the answer. Yes, I'm only talking about the latest Android version. I don't consider past versions secure for usage anymore, not just in terms of VPN leaks.

I do think that Android 9 reliably pushes its entire traffic through the designated VPN app under any circumstance when Android's VPN lock is enabled on Android 9. Leaks can obviously occur when the VPN app then does not handle things properly and allows connections before the tunnel has been fully built, but that would not be the fault of Android.

Will gladly await a comment from the developers on this.