Android has a built-in VPN client; has anyone tried it? I’m really curious why almost nobody is using it or talking about it.
The protocols supported are too old. WireGuard and OpenVPN are what most providers give, and stuff like PPTP is used only in very old enterprise VPNs. I don’t think anyone uses the built-in VPN nowadays, or ever did post introduction of external APIs.
Dunno about IPSec though, so maybe someone uses it, probably on some legacy enterprise login?
Any downsides to using it? Proton VPN supports it, and having one less app on my phone would be beneficial.
IIRC VoWiFi uses IPsec.
IKEv2 still seems to be used in corporate environments, but I do agree it is so old and should not be used unless necessary.
I wonder why Google does not bake ovpn and WireGuard into AOSP.
WireGuard is less insecure (smaller codebase, modern encryption), less dependent on implementation, and much more efficient compared to IPSec.
Unless you are using some corporate VPN for work, IPSec is mostly inferior compared to WireGuard.
Plus the Proton app offers some nice benefits like easy double hop and stealth protocol, along with easier switching between countries.
Tailscale wrote a nice piece I read on their site before: IPsec vs. WireGuard · Tailscale
I think it’s because their focus is often more on making modular, exposable APIs rather than hardcoding stuff, especially since they want to push movement towards GKIs.
On built-in IPSec support:
https://xcancel.com/GrapheneOS/status/1636041905451462656#m
https://xcancel.com/GrapheneOS/status/1655953875755585542#m
On future, built-in WireGuard support:
https://xcancel.com/GrapheneOS/status/1786531088652705911#m
https://xcancel.com/GrapheneOS/status/1730428907793362960#m
On built-in IPSec/WireGuard resistance to existing Android VPN leaks:
https://xcancel.com/GrapheneOS/status/1798751369626624035#m
TL;DR:
- Using the built-in IPSec support is recommended by the GrapheneOS developers and is more secure (if using modern ciphers) than OpenVPN, but WireGuard is more secure than IPSec. The other recommendation by the team is the official WireGuard app.
- Built-in WireGuard has an implementation in the kernel but cannot be used by users yet. Likely to be implemented at some point in the future by Google themselves or the GrapheneOS developers if Google takes a long time.
- Built-in VPN support (IPSec and WireGuard in the future) is resistant to all the VPN leaks that currently exist on Android.
Makes sense, and lines up with what I knew.
I guess they are referring to the kernel implementation of WireGuard already shipped in Linux. Doesn’t seem too robust at this moment, can see leaks in desktop, even with IPSec. Maybe Android does something custom while using the kernel?
I also do remember Linux apps being told to switch to kernel WireGuard, but some custom WireGuard VPNs used for remote enterprise access faced some issues. So overall it doesn’t seem too polished either.
Couldn’t find this exact quote in the links you shared, must have missed it. Could you please link to it directly? Thanks!
The link should be correct.
Here is the quote:
“We developed a fix for the main issue with those apps, it didn’t work out due to causing app compatibility issues and we don’t know how to proceed. We’ve determined those leaks don’t impact the built-in IPSec VPN support and wouldn’t impact future built-in WireGuard VPN support.”
Thanks, must have missed it like I said. I blame my tiredness.
The comic timing of this news update after this thread is not lost on me.