From 10dda9d8f05793737d6c7ca57a11d86fdd0090b6 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Mon, 7 Oct 2024 16:22:10 -0400 Subject: [PATCH] add section on improved VPN leak blocking --- static/features.html | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/static/features.html b/static/features.html index 50aa1ffe..36725244 100644 --- a/static/features.html +++ b/static/features.html @@ -135,6 +135,7 @@ indicator
  • User installed apps can be disabled
  • +
  • Improved VPN leak blocking
  • Other features
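Review bot: the index entry "Improved VPN leak blocking" is added between "User installed apps can be disabled" and "Other features", but the extracted hunk does not show the link target, so confirm that this entry's href matches the id of the new section added further down in features.html; a mismatched anchor is easy to miss in a text-only review and would leave the index entry pointing nowhere.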
  • @@ -1141,6 +1142,39 @@ service it provides.

    +
    +

    Improved VPN leak blocking

    + +

    GrapheneOS greatly improves Android's protection against VPN leaks for both + the built-in VPN support and VPN apps with the standard "Block connections + without VPN" toggle enabled.

    + +

    Android allows DNS queries from the system resolver to leak to the network + provided DNS servers when a VPN app goes down due to a race condition. This is + fully prevented by GrapheneOS through extending the leak blocking to this part + of the system resolver.

    + +

    Android allows processes including apps to bypass the VPN entirely whether + it's up or down by sending multicast packets either directly or by causing the + kernel to send the packets on their behalf through the standard multicast group + management system calls. GrapheneOS extends Android's standard eBPF filtering + with full support for blocking all forms of multicast packet bypasses.

    + +

    Android VPN configuration is split up for each profile which means work + profiles, Private Spaces and secondary users have their own VPN configuration + which is a fantastic privacy feature. Android has a standard restriction + preventing processes from using a network which the current profile isn't + allowed to access. However, this doesn't take multicast packets into account and + it's possible to send multicast packets via VPN tunnels belonging to a different + profile. GrapheneOS addresses this by extending the standard netfilter + configuration with a multicast firewall preventing sending packets through a VPN + tunnel which a process isn't supposed to be able to access.

    + +

    Finding and resolving all forms of VPN leaks is one of our top priorities at + the moment and we don't currently consider this to be a complete feature due to + less severe additional issues we've discovered.

    +
    +

    Other features
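Review bot: the absolute wording in the second and third paragraphs ("This is fully prevented by GrapheneOS", "full support for blocking all forms of multicast packet bypasses") sits uneasily beside the closing paragraph, which says the feature is not considered complete because of further, less severe issues; suggest scoping those two claims to what the section actually describes, e.g. "GrapheneOS prevents this leak by extending the leak blocking to this part of the system resolver" and "blocking the multicast packet bypasses described here", so readers do not take the section as a claim that no VPN leak remains. Two smaller points in the same hunk: the fourth paragraph mentions the standard eBPF filtering and the netfilter configuration without saying which layer handles which case, so a clause stating that the eBPF filter covers the single-profile multicast bypass while the netfilter multicast firewall covers cross-profile VPN tunnels (if that is the intended split) would make the design easier to follow; and "which is a fantastic privacy feature" reads as marketing in a features reference, so "which is a useful privacy property" or simply dropping the aside would match the tone of the surrounding sections.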