I’m trying to learn more about the “Always on” and “Block connections without VPN” options for a VPN in Android. Currently I’m attempting to ensure all my traffic goes through Rethink. I have NextDNS configured, port 80 blocked, UDP except DNS and NTP blocked, and Prevent DNS Leaks enabled. I haven’t enabled any on-device blocklists yet. I blocked Gboard in the firewall, and I excluded my browser so I can use a secondary NextDNS profile there. (I want to use the browser as a testing environment occasionally, so I want to allow all ads and trackers at the DNS level, but control the content blocking in the browser by toggling Brave Shields for a specific site.)
I’ve found that toggling on Always-on VPN seems to be fine. But when I enable blocking connections without VPN, many apps seem to have no connection or can only load a few resources. I’d like to understand what this means; for instance, are the apps that are broken by this setting trying to circumvent Rethink? Is there a good way to prevent traffic from bypassing Rethink?
Block connections without VPN does something that actually prevents all the VPN based firewalls I’ve used from working correctly – IIRC RethinkDNS whines about it when it is turned on.
But when I enable blocking connections without VPN, many apps seem to have no connection or can only load a few resources.
What does the Network Log show? It should list a reason if any connection was blocked (if that was the reason why those apps didn’t work).
Can you give examples of a few apps that didn’t work with Block connections without VPN (aka VPN Lockdown) turned on?
Are you on OEM / Stock ROM? LineageOS was known to have bugs in its VPN impl in the past.
Rethink absolutely supports VPN Lockdown, and there shouldn’t be things that break when it is turned on (iow: it could be that buggy apps exist that don’t work well when a VPN is in Lockdown, but Rethink itself should continue to work just fine for other non-buggy apps, if that makes sense).
I’d like to understand what this means, for instance, are the apps that are broken by this setting trying to circumvent Rethink?
It could be that these apps are trying to bind to a particular network interface (like WiFi / LTE), and these apps will fail when the VPN is in Lockdown. They can only bind to the default network interface, which in this case would be the VPN tunnel created by Rethink.
Is there a good way to prevent traffic from bypassing Rethink?
Always-on VPN + Block connections without VPN is a pretty watertight way to close down the walls on Installed Apps, most definitely.
I’m also trying to understand the difference between having the lockdown mode, “Block connections without VPN,” turned on and turned off.
When I turn it on, Rethink says, “VPN is in lockdown mode. Firewall will not honour metered/unmetered rules.”
Does that mean that the per-app firewall rules, specific IP and domain trust/block rules are not being applied? If so, what’s the better option? Should I use VPN lockdown and sacrifice granular control over apps (making the firewall practically non-existent), or should I not use VPN lockdown and have granular control over each app, essentially having a functional firewall?
I’m running Android 13 on a Pixel 6. I have wifi disabled, and I am only connected to 5G. Enabling Always on doesn’t cause any issues, but I do encounter issues when I also enable Block connections without VPN. Not all apps are affected, but some that can’t load any data are Canary Mail, Snapchat, Cash App, Spotify, and more. Whatsapp is one of the few that does work. The strange thing here is that the network log does not reflect this. It looks like the Rethink log doesn’t even know blocked requests were attempted. It is logging some allowed requests from these apps. Another thing I’ve noticed is that when I enable VPN Lockdown, the issues usually start to occur after a network change or reboot. I’m not set on VPN Lockdown if it’s not practical, but I’d like to keep it on if I can find a way to do so.