DNS traffic can leak outside the VPN tunnel on Android

Stock Android.

You just have to grant the WireGuard app root access and enable the kernel module backend in the settings.

This is the problem. GrapheneOS doesn’t have that issue: "Notifications (FCM) bypass misconfigured VPN? (not reproducible on GrapheneOS)" - GrapheneOS Discussion Forum.

1 Like

Actually, the issue happens when using the WireGuard kernel module backend instead of the userspace implementation.

The WireGuard kernel module has been enabled in AOSP (Android Open Source Project) since 2020, with the potential to improve battery life and performance.

However, Google never included any APIs to directly work with the kernel module. So, as of today, the only way to make use of it is by having root access.

1 Like