Can any app with Network permission trivially bypass VPN "Lockdown"?
Device: Pixel 6a
Version: 13 (TQ3A.230805.001)
Steps to reproduce:
"Control group tests"
- Wifi and 4G carrier up
- Mullvad app up.
- In GrapheneOS VPN Settings, regarding Mullvad VPN:
  - Always-on: ON
  - Block connections without VPN: OFF
Open Termux and type:
curl --interface wlan0 https://ipinfo.io/
⇒ I get the real IP of my Wifi router; the connection did not go through the VPN.
curl --interface rmnet1 https://ipinfo.io/
⇒ I get the real IP given by my "4G" provider; the connection did not go through the VPN.
So far, so good, I guess (because "Block connections without VPN" is OFF).
Now the real tests:
- Wifi and 4G carrier up
- Mullvad app up
- In GrapheneOS VPN Settings, regarding Mullvad VPN:
  - Always-on: ON
  - Block connections without VPN: ON (a.k.a. the "VPN Lockdown")
Open Termux and type:
curl --interface wlan0 https://ipinfo.io/
⇒ As expected, I get "failed to connect, no route to host".
curl --interface rmnet1 https://ipinfo.io/
⇒ I still get the real IP given by my "4G" carrier: the connection was not blocked as expected and did not go through the VPN.
Note: I reproduce this result with a WireGuard VPN config.
Questions
Did I miss something? If Termux / curl can bypass the VPN Lockdown like this, I understand that any app with Network permission can also do it? Is there a workaround to prevent that, apart from completely shutting down mobile data?
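The manual per-interface curl checks above can be turned into a repeatable lockdown self-test. The script below is an added example written for this thread, not code from the reporter or from GrapheneOS. It assumes curl is available (as in Termux), that https://ipinfo.io/ip returns the caller's public IP as plain text, and that you know your VPN's exit IP and pass it as the first argument. Interface enumeration from /sys/class/net is an assumption about what the shell can read on the device; if it is restricted, list the interfaces explicitly, as the reporter did with wlan0 and rmnet1. Each interface is classified as blocked (curl could not connect), via_vpn (the returned IP is the VPN exit), or LEAK (a different public IP came back, which is exactly the failure described above).

```shell
#!/bin/sh
# vpn_leak_check.sh (added example; not from the thread or the project)
# Usage: sh vpn_leak_check.sh <vpn-exit-ip> [iface ...]
# With no interfaces given, every non-loopback interface in /sys/class/net is tested
# (assumption: that directory is listable by the app; otherwise name the interfaces).

# Assumption: this endpoint returns the public IP as bare text.
IP_ENDPOINT="https://ipinfo.io/ip"

# classify_result EXIT_CODE BODY VPN_IP
# Maps one curl attempt to a verdict: blocked | via_vpn | LEAK | unknown
# curl exit 6 = could not resolve, 7 = failed to connect, 28 = timed out:
# all mean the interface had no usable path out, i.e. lockdown held.
classify_result() {
    code=$1; body=$2; vpn_ip=$3
    case "$code" in
        6|7|28) echo blocked; return 0 ;;
        0) ;;
        *) echo unknown; return 0 ;;
    esac
    # curl succeeded: compare the address that came back with the VPN exit
    if [ "$body" = "$vpn_ip" ]; then
        echo via_vpn
    elif echo "$body" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        echo LEAK          # a real public IP that is not the VPN exit
    else
        echo unknown       # captive portal page, error text, etc.
    fi
}

# list_interfaces: every non-loopback interface name on the device
list_interfaces() {
    for d in /sys/class/net/*; do
        n=${d##*/}
        [ "$n" = lo ] || echo "$n"
    done
}

# check_interface IFACE VPN_IP: run the same curl the thread uses, bound to IFACE
check_interface() {
    iface=$1; vpn_ip=$2
    body=$(curl -s --max-time 10 --interface "$iface" "$IP_ENDPOINT" 2>/dev/null)
    code=$?
    verdict=$(classify_result "$code" "$body" "$vpn_ip")
    printf '%-12s %-8s %s\n' "$iface" "$verdict" "${body:-exit=$code}"
}

# main VPN_IP [IFACE ...]: test each interface, exit non-zero if any leaks
main() {
    vpn_ip=$1; shift
    if [ $# -eq 0 ]; then set -- $(list_interfaces); fi
    leaks=0
    for iface in "$@"; do
        line=$(check_interface "$iface" "$vpn_ip")
        echo "$line"
        case "$line" in *" LEAK "*) leaks=$((leaks + 1)) ;; esac
    done
    echo "interfaces leaking outside the VPN: $leaks"
    [ "$leaks" -eq 0 ]
}

# Only run the network checks when an exit IP is supplied, so the
# classification function can be exercised without network access.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

With lockdown working, every physical interface should report blocked and only the VPN's tun interface should report via_vpn; any LEAK line is the condition the reporter saw on rmnet1 and is worth capturing (interface name, IP returned, and the lockdown settings in effect) before filing a report.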
Cannot replicate.
@Saroumane If you've modified the OS in some way and are no longer using official GrapheneOS, we need to know that.
@flawedworld Wow, that was a quick close! Could you please explain what part you don't reproduce? Did you use a VPN? Do you see the interface 'rmnet1'? Do you reproduce the first 3 'curl' results?
@thestinger I did not modify GrapheneOS in any way. I'm not skilled enough for that (and I don't want to; I don't trust myself to keep it secure!)... Termux has standard permissions (Sensors/Notifications/Network) and I only used it to type these curl commands. By the way, I'm glad to see that you are still involved in this project; I thought you had retired from it.
Just an idea: a week ago I used this device as a Wifi hotspot, and I know that hotspot connections evade the VPN by design. Could it be linked to this behaviour?
What else could I do to help? (Please don't ask me to hard reset my device; I spent days migrating data, app by app, from my old, unsupported Pixel 3a.)
@Saroumane I cannot reproduce this either.
I use GrapheneOS on my Pixel 4A. Version: TQ3A.230805.001.2023080800
I tried the following with PIA VPN:
- Turned on VPN.
- Turned on the "Always On" VPN option. (This enabled the "Block connections without VPN" option.)
- Turned on "Block connections without VPN".
- Tried curl-ing from non-VPN interfaces (wlan0, rmnet_data1, rmnet_data3) and my connections were blocked as expected.
- Tried curl-ing from the tun0 interface and it works as expected.
Very interesting: https://x.com/GrapheneOS/status/1841236289263116381 Maybe I was not crazy after all, even if I could not describe all the triggering conditions of the leak I found!
For the record, I still reproduce the problem as of today:
From Termux: curl --interface rmnet1 https://ipinfo.io/ ⇒ I still get the real IP given by my "4G" carrier: the connection was not blocked as expected and did not go through the VPN (despite "Block connections without VPN": On).
What you're describing is unrelated to our thread and cannot be reproduced. Appears to be because of how you've configured your device via ADB.
@Saroumane I will investigate this further.
Can you please confirm if your device is rooted or not?
@thestinger: I don't remember doing anything via ADB, apart from trying to back up some apps. Do you have a specific action in mind?
@u-fred: Thanks for the investigation. I never rooted any device. I'm fully convinced (by the GoS team) that it is a bad idea, security-wise. In the meantime, I will also set up a brand new profile on my Pixel with only the VPN app and Termux installed, to see if I can reproduce what I see on my owner profile.
In the meantime, I will also set up a brand new profile on my Pixel with only the VPN app and termux installed, to see if I can reproduce what I see on my owner profile.
This won't be possible. Termux can only run in the owner profile unless they changed that recently.
@Saroumane would you be able to contact me on Matrix/Discord/Telegram to resolve this? https://grapheneos.org/contact#community-chat
We can't reproduce it internally and that makes it difficult to fix.
@Saroumane
Thanks @u-fred for believing in my report and managing to reproduce the problem!
Does the latest GoS update already include the fix?
No, we're scared to ship it due to compatibility risk so it needs a dedicated release when we don't have other urgent changes.
@thestinger:
No, we're scared to ship it due to compatibility risk so it needs a dedicated release when we don't have other urgent changes.
While outrageous (what could possibly be more urgent/higher priority than network traffic leaving a device in an impermissible way?), I respect the candidness of this comment.
The main reason it hasn't been shipped yet is that the person working on it needed to deal with other things and hasn't been able to work on GrapheneOS for a while. We can get it done soon when they're back.
See https://github.com/GrapheneOS/platform_packages_modules_Connectivity/pull/33.