How To Make LAN Apps Work With VPN Lockdown?

Hi all, I have RethinkDNS set up as “Always-On VPN” and “Block Connections without VPN”; however, LAN apps such as Syncthing and LocalSend do not work unless “Block Without VPN” is deactivated. I have tried messing with the Network Settings, but it’s greyed out.

How are you configuring your LAN apps to work while “Block Connections with VPN” is activated? It’s cumbersome to go to Settings > VPN > click the gear icon > disable block.

That’s expected. LAN apps can’t bind to any local interface (just the VPN interface) when the VPN is in lockdown mode (as Android will rightly, just as asked, block ALL connections from installed apps NOT going out of the VPN interface; the VPN interface is not the LAN, aka the underlying network).

From within the VPN tunnel, LAN (p2p) apps may or may not work depending on their ability to traverse through the tunnel VPN sets up (Rethink implements something very similar to symmetric NAT).

I see. I re-tested LocalSend, and it works when Block Connections without VPN is enabled, while Syncthing does not. I mean, the firewall is already doing its job blocking apps that don’t need an internet connection.

Do I really need to enable Block Connections without VPN? Wouldn’t I benefit more from this function if I’m using a VPN app such as Mullvad/Proton? What are the consequences if this function is disabled while Always-On VPN is active? Will this cause an IP leak if it is not on?

Do I really need to enable Block Connections without VPN?

If you do not use an on-device proxy (like Orbot), or block/allow apps based on metered/unmetered network, or have a use for the Enable network visibility setting (in ConfigureNetwork), or need to Exclude any app, then lock down the VPN.

Wouldn’t I benefit more from this function if I’m using a VPN app such as Mullvad/Proton?

Not really. It is also useful for Rethink.

What are the consequences if this function is disabled while Always-On VPN is active?

In lockdown mode, installed apps cannot see which underlying network (Wi-Fi / mobile) you’re connected to, and hence can’t make any assumptions whatsoever.

Will this cause an IP leak if it is not on?

On Android, if the VPN is in lockdown, then installed apps cannot bypass the tunnel (“leak IPs”). Otherwise, they could. System apps can bypass the tunnel regardless of whether the VPN is in lockdown or not.