add section on improved VPN leak blocking

2024-10-07 16:22:10 -04:00 · 2024-10-07 16:22:10 -04:00 · 10dda9d8f0
commit 10dda9d8f0
parent ae85537dcf
1 changed files with 34 additions and 0 deletions
--- a/static/features.html
+++ b/static/features.html
@ -135,6 +135,7 @@
                            indicator</a></li>
                            <li><a href="#user-installed-apps-can-be-disabled">User installed apps
                            can be disabled</a></li>
+                            <li><a href="#improved-vpn-leaking-blocking">Improved VPN leak blocking</a></li>
                            <li><a href="#other-features">Other features</a></li>
                        </ul>
                    </li>
@ -1141,6 +1142,39 @@
                    service it provides.</p>
                </section>

+                <section id="improved-vpn-leak-blocking">
+                    <h3><a href="#improved-vpn-leaking-blocking">Improved VPN leak blocking</a></h3>
+
+                    <p>GrapheneOS greatly improves Android's protection against VPN leaks for both
+                    the built-in VPN support and VPN apps with the standard "Block connections
+                    without VPN" toggle enabled.</p>
+
+                    <p>Android allows DNS queries from the system resolver to leak to the network
+                    provided DNS servers when a VPN app goes down due to a race condition. This is
+                    fully prevented by GrapheneOS through extending the leak blocking to this part
+                    of the system resolver.</p>
+
+                    <p>Android allows processes including apps to bypass the VPN entirely whether
+                    it's up or down by sending multicast packets either directly or by causing the
+                    kernel to send the packets on their behalf through the standard multicast group
+                    management system calls. GrapheneOS extends Android's standard eBPF filtering
+                    with full support for blocking all forms of multicast packet bypasses.</p>
+
+                    <p>Android VPN configuration is split up for each profile which means work
+                    profiles, Private Spaces and secondary users have their own VPN configuration
+                    which is a fantastic privacy feature. Android has a standard restriction
+                    preventing processes from using a network which the current profile isn't
+                    allowed to access. However, this doesn't take multicast packets into account and
+                    it's possible to send multicast packets via VPN tunnels belonging to a different
+                    profile. GrapheneOS addresses this by extending the standard netfilter
+                    configuration with a multicast firewall preventing sending packets through a VPN
+                    tunnel which a process isn't supposed to be able to access.</p>
+
+                    <p>Finding and resolving all forms of VPN leaks is one of our top priorities at
+                    the moment and we don't currently consider this to be a complete feature due to
+                    less severe additional issues we've discovered.</p>
+                </section>
+
                <section id="other-features">
                    <h3><a href="#other-features">Other features</a></h3>