diff --git a/static/features.html b/static/features.html index 50aa1ffe..36725244 100644 --- a/static/features.html +++ b/static/features.html @@ -135,6 +135,7 @@ indicator
GrapheneOS greatly improves Android's protection against VPN leaks for both + the built-in VPN support and VPN apps with the standard "Block connections + without VPN" toggle enabled.
+ +Android allows DNS queries from the system resolver to leak to the network + provided DNS servers when a VPN app goes down due to a race condition. This is + fully prevented by GrapheneOS through extending the leak blocking to this part + of the system resolver.
+ +Android allows processes including apps to bypass the VPN entirely whether + it's up or down by sending multicast packets either directly or by causing the + kernel to send the packets on their behalf through the standard multicast group + management system calls. GrapheneOS extends Android's standard eBPF filtering + with full support for blocking all forms of multicast packet bypasses.
+ +Android VPN configuration is split up for each profile which means work + profiles, Private Spaces and secondary users have their own VPN configuration + which is a fantastic privacy feature. Android has a standard restriction + preventing processes from using a network which the current profile isn't + allowed to access. However, this doesn't take multicast packets into account and + it's possible to send multicast packets via VPN tunnels belonging to a different + profile. GrapheneOS addresses this by extending the standard netfilter + configuration with a multicast firewall preventing sending packets through a VPN + tunnel which a process isn't supposed to be able to access.
+ +Finding and resolving all forms of VPN leaks is one of our top priorities at + the moment and we don't currently consider this to be a complete feature due to + less severe additional issues we've discovered.
+
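Review bot: the closing paragraph ("we don't currently consider this to be a complete feature due to less severe additional issues we've discovered") reads as contradicting the absolute wording earlier in the same hunk, namely "This is fully prevented by GrapheneOS" for the system resolver race and "full support for blocking all forms of multicast packet bypasses"; consider scoping those two sentences to the specific leak class each one addresses (the resolver race condition and multicast packets respectively) so a reader does not take the page as claiming all VPN leaks are closed, and consider stating in the multicast and cross-profile paragraphs whether the eBPF and netfilter blocking depends on the "Block connections without VPN" toggle named in the first paragraph or applies unconditionally, since the text currently says "whether it's up or down" for the leak but not for the mitigation.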