Allow disabling WireGuard configs *WITHOUT* disabling "Lockdown mode"
This issue presents a fix for a security bug where the rethink app leaves a user vulnerable (by exposing their IP address) because they cannot switch to a new WireGuard config without disabling Lockdown mode.
Problem
There was an attempt to enable "lockdown" mode in #976, but it was added under the WireGuard config. As a result:
- Lockdown mode cannot be enabled until the WireGuard config is first enabled (by clicking the "toggle" button next to the WireGuard config under the Proxy screen), and
- The user cannot switch to a new WireGuard config without first disabling Lockdown mode on another WireGuard config
This introduces a vulnerability where the user's IP address is leaked in the process of switching WireGuard configs.
For reference, I use AFwall+ to make sure that my apps cannot access the internet unless they go through the Android VPN. That means that if I don't have a VPN service running, then the apps have no Internet access. In other "VPN" apps (like Orbot and OpenVPN for Android), this also means that the apps still don't have internet access while the actual VPN connection is being established.
However, this bug means that as soon as I click the "toggle" to disable a given WireGuard config (so I can change to another WireGuard config) in the rethink app, my apps suddenly are given clearnet internet access, and they are leaking their IP address to the public Internet...until I'm able to enable the next WireGuard config.
Solution
The solution to this security bug is to permit users to enable "Lockdown mode" for a WireGuard config before they click the "toggle" button to enable the given WireGuard config -- so that traffic is already set up to go through the WireGuard tunnel before the WireGuard config is enabled.
One way to implement this is to enable "Lockdown mode" for the entire Wireguard screen (as opposed to just for the individual WireGuard configs). When this setting is enabled, then the user can disable all of the WireGuard configs in the UI (as they're shuffling between configs), and Rethink will just block all internet traffic until they've toggled one of the WireGuard configs to be on (and the connection is established successfully).
For a clearer UI, I would recommend moving this "Lockdown mode" setting from the "Proxy" screen to Configure -> Proxy -> Lockdown mode
For more context, see:
- https://github.com/celzero/rethink-app/issues/976#issuecomment-3568230705
Do you at least have "block connections without VPN" turned on in Android settings?
Ah, another question: why would one make changes like that while having Internet on?
Proxy is totally optional in RethinkDNS throughout the interface, there is no "DNS+firewall+proxy" mode that would imply killswitch if proxy is not present. Would I like such a mode? I guess "yes", but it's not a "lockdown"
don't spam ai generated shit/issues here
I'm not a robot. I am a human, made of flesh and blood. The security bug reported here was discovered using the brain between my ears. The words typed in OP were written by tapping keys on my keyboard.
You're welcome for taking the time to make a thorough report that clearly describes the problem and a suggested solution, to make it easier for the devs to squash this bug.
I don't use generative AI for my writing nor the bug reports that I contribute to open-source projects.
I'm sorry for mistaking your writing as made by AI
Hi, thanks for reporting this issue and for the detailed explanation.
In the upcoming version v055v, we have introduced a new global Lockdown Mode setting for WireGuard. This setting applies to all of WireGuard rather than to individual WireGuard configurations.