From a352f69320e159561ac97b38cd91f23b9fde4280 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 11 Dec 2023 05:00:17 -0500
Subject: [PATCH] update VPN recommendations
---
static/faq.html | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/static/faq.html b/static/faq.html
index 14cfdd76..839bf3a9 100644
--- a/static/faq.html
+++ b/static/faq.html
@@ -1289,8 +1289,9 @@
VPNs can be configured under Settings ➔ Network & Internet ➔ VPN.
Support for the following protocols is included: IKEv2/IPSec MSCHAPv2,
IKEv2/IPSec PSK and IKEv2/IPSec RSA. Apps can also provide userspace VPN
- implementations and the following open source apps are recommended: Orbot
- (Tor), WireGuard and OpenVPN for Android.
+ implementations and the following open source apps are recommended: WireGuard,
+ RethinkDNS (WireGuard with local filtering options), Orbot (Tor) and OpenVPN
+ for Android.
VPN configurations created with the built-in support can be set as the
always-on VPN in the configuration panel. This will keep the VPN running,
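Review bot: the parenthetical for RethinkDNS in this hunk ("WireGuard with local filtering options") should say what kind of filtering, since the later addition to the content filtering section describes it as "local filtering via DNS" and narrows the recommendation to DNS-based filtering only. Suggest "RethinkDNS (WireGuard with local DNS filtering options)" so the two sections agree on what is being recommended.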
@@ -1299,6 +1300,13 @@
the Settings page. For app-based VPN implementations, there's also an
additional "Block connections without VPN" toggle which is needed to prevent
leaks when the app's VPN service isn't running.
+
+ If you're using a VPN, we recommended against having a Private DNS server
+ configured. If you want to filter traffic while using a VPN, use a VPN service
+ app able to do both such as RethinkDNS. Private DNS also interacts strangely
+ with multiple profiles since each profile has their own VPN configuration but
+ Private DNS is global. Either leave Private DNS on the default Automatic mode
+ or set it to disabled when using VPNs.
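Review bot: two grammar slips in the added paragraph. "we recommended against having a Private DNS server configured" should be "we recommend against", and "each profile has their own VPN configuration" should be "each profile has its own VPN configuration". The rest of the paragraph is consistent: the closing sentence (Automatic or disabled) matches the opening recommendation against configuring a server.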
@@ -1361,9 +1369,10 @@
- Content filtering apps are fully compatible with GrapheneOS, but they have serious
- drawbacks and are not recommended. These apps use the VPN service feature to route
- traffic through themselves to perform filtering.
+ Content filtering apps are fully compatible with GrapheneOS, but they have
+ serious drawbacks and using apps doing more than DNS-based filtering are not
+ recommended. These apps use the VPN service feature to route traffic through
+ themselves to perform filtering.
The approach of intercepting traffic is inherently incompatible with encryption
from the client to the server. The AdGuard app works around encryption by supporting
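Review bot: the reworded sentence does not parse: "using apps doing more than DNS-based filtering are not recommended" needs a singular verb and a relative clause, e.g. "using apps that do more than DNS-based filtering is not recommended". Since the recommendation is now narrowed rather than blanket, the unchanged follow-on "These apps use the VPN service feature to route traffic through themselves to perform filtering" and the next paragraph about intercepting encrypted traffic now read as applying to the DNS-only apps too; consider a clause making clear that the interception objection is about apps inspecting traffic beyond DNS.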
@@ -1383,6 +1392,12 @@
Using the VPN service to provide something other than a VPN also means that these
apps need to provide an actual VPN implementation or a way to forward to apps
providing one, and very few have bothered to implement this.
+
+ RethinkDNS combines local filtering via DNS with the ability to directly
+ use a WireGuard VPN without another app. It also has other features such as
+ connection monitoring. This is a much better approach than most of the apps in
+ this space which force choosing between them and a VPN, recommend problematic
+ TLS interception (AdGuard), etc.
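Review bot: the trailing "etc." in the last sentence of the added paragraph leaves the list of drawbacks open-ended; either drop it or name the remaining drawbacks, which the preceding text already provides (apps that bother to forward to a real VPN implementation are rare). A tighter form: "... which force choosing between them and a VPN or recommend problematic TLS interception (AdGuard)."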