From 0ace9889e3e4e4e4ac1e70e653a98bc4e89dc7e7 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Sat, 9 Mar 2024 21:08:40 -0500
Subject: [PATCH] stop recommending OpenVPN, Orbot and RethinkDNS

OpenVPN is legacy technology. It's overly complex and has far too much
attack surface. It's a huge pile of sketchy legacy code. WireGuard is
what people should be using now. We were only recommending this due to
lack of WireGuard adoption in the past.

Orbot is a horribly maintained app full of memory corruption bugs and
poorly written code. It's not a trustworthy or safe implementation of
Tor for Android. Tor Project is working on a proper replacement which
does not appear to be available yet. We could make something ourselves
if others are failing to provide what's needed.

RethinkDNS was added as a recommendation in order to have an option for
people who want local filtering and other features while using a VPN. We
cannot recommend it anymore. We overlooked technical and other issues
because we wanted to give people an option to use. The bar was simply
that it was better than NetGuard. It's still temporarily mentioned as
an option supporting that combination of features but will be replaced
in the documentation as soon as possible.
---
 static/faq.html | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/static/faq.html b/static/faq.html
index cada76c8..a46609d0 100644
--- a/static/faq.html
+++ b/static/faq.html
@@ -1321,9 +1321,8 @@
                     then">></span> Network &amp; internet&#160;<span aria-label="and
                     then">></span> VPN</b>. Support for the following protocols is
                     included: IKEv2/IPSec MSCHAPv2, IKEv2/IPSec PSK and IKEv2/IPSec RSA. Apps can
-                    also provide userspace VPN implementations and the following open source apps
-                    are recommended: WireGuard, RethinkDNS (WireGuard with local filtering
-                    options), Orbot (Tor) and OpenVPN for Android.</p>
+                    also provide userspace VPN implementations. The only app we can recommend is
+                    the official WireGuard app.</p>
 
                     <p>VPN configurations created with the built-in support can be set as the
                     always-on VPN in the configuration panel. This will keep the VPN running,