Messaging App and Orbot + VPN

Hi everyone,

I’m using Proton VPN along with Orbot to secure my connections. I’ve configured Orbot to work with Signal and WhatsApp (as recommended by the app), and I’ve excluded Orbot from the VPN to avoid potential interference. My question is: could there be a conflict if both Proton VPN and Orbot are working with Signal and WhatsApp at the same time? Would it be better to exclude Signal and WhatsApp from the VPN too, so that only Orbot routes their data?

Thanks for your advice!

Android only allows one VPN connection at a time. Now if you configured Signal and WhatsApp to use a proxy (if the option is available), then that’s different. I am not sure Signal has a Tor proxy option though.

It is possible to start Orbot without VPN mode while using a VPN, by excluding Orbot from Proton VPN. When I connect Orbot in Russia, Signal asks me whether I want to circumvent censorship, which is not required if I am in France.

I want to know if such a configuration is useful or serves a purpose.

Signal, Telegram, MySudo, Cheogram, and I’m sure more, routinely attempt to bypass the VPN/DNS configuration on Android per monitoring through RethinkDNS. You have to allow them to bypass the proxy for them to function. Using the app-level Orbot routing for Signal, Telegram, and presumably WhatsApp seems to be the best option I’ve found for getting them to function without leaking or bypassing their routing.


Yup, Signal proxies leak sometimes. Messaging apps in general leak your IP if you use them for calls or video calls (WebRTC leaks).

It’s better to use a VPN or Orbot with a killswitch on something like Graphene, which is actively closing Android VPN leaks at the OS level. iOS also leaks with messaging apps afaik.


@Rasta Okay, I didn’t know there were leaks and that some applications like Signal would try to bypass the VPN.
With this info, is it better to exclude Signal and WhatsApp from Proton VPN, like Orbot, to avoid possible conflicts or not?

@Anon47486929 Thanks for the info, but I can’t use Proton VPN with the killswitch: I use LocalSend regularly and I have to exclude it for it to work, same for Orbot.

How does this work?

You simply need to activate the “Power user mode” in Orbot and exclude Orbot from the VPN so that it works without the VPN mode.

I understood that, I just don’t see how it can bypass the Android restrictions. I never saw this before.

I don’t think there is any restriction. OP clarified that they don’t run VPN with killswitch, which means connections are allowed to bypass VPN, and thus they split tunnel. Then they just use Orbot as local proxy.

Understandable. Then you should ideally remove Signal and WhatsApp from either the VPN or the Orbot path, because afaik VPN routing takes precedence in Android, so your traffic would become Signal → VPN → Proxy, plus components like WebRTC will typically bypass the VPN, so it might lead to some traffic having this path: Signal → Proxy. Some other connections might leak from the proxy implementation, and would follow the Signal → VPN or Signal → Internet path (since there is no kill switch).

Some leaks might happen in the end anyway, since without a killswitch ports like 53, etc. are not dropped or even captured. This is all speculation though; until you run an external packet sniffer, I don’t think you can be certain.

You can use something like RDNS maybe?
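To make the "run an external packet sniffer" check concrete, here is an added example (not from this thread or any of the apps mentioned) that classifies tcpdump-style lines captured on the phone's Wi-Fi interface. It assumes the VPN tunnel and the excluded Orbot app are the only things that should legitimately reach that interface directly; the VPN peer address, the Tor guard address and the capture lines are all constructed placeholders.

```python
"""Classify packets seen on the phone's Wi-Fi interface while a VPN is up.

Assumption (hypothetical setup): the VPN tunnel and the excluded Orbot app
ride on wlan0; anything else reaching wlan0 directly has bypassed the tunnel.
"""
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` style lines from wlan0 (not a real capture).
SAMPLE_CAPTURE = """\
IP 192.168.1.20.51234 > 203.0.113.10.51820: UDP, length 148
IP 192.168.1.20.51234 > 203.0.113.10.51820: UDP, length 96
IP 192.168.1.20.40001 > 198.51.100.7.443: TCP flags [S]
IP 192.168.1.20.44321 > 192.168.1.1.53: UDP, length 41
IP 192.168.1.20.55555 > 192.0.2.33.3478: UDP, length 20
IP 192.168.1.20.50002 > 198.51.100.9.443: TCP flags [P.]
"""

VPN_ENDPOINT = ("203.0.113.10", 51820)  # assumed WireGuard peer (placeholder)
TOR_GUARDS = {"198.51.100.7"}           # assumed guard used by the excluded Orbot app
STUN_TURN_PORTS = {3478, 5349}          # STUN/TURN ports, used by WebRTC for calls

# tcpdump prints "IP src.port > dst.port: PROTO ..."; the port is the last dotted field.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\w+)")


def classify(line):
    """Return a label for one capture line, or None if it is not an IP packet line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dst, dport = m.group(3), int(m.group(4))
    if (dst, dport) == VPN_ENDPOINT:
        return "vpn-tunnel"      # expected: encrypted tunnel traffic to the VPN peer
    if dst in TOR_GUARDS:
        return "orbot-direct"    # expected: Orbot is excluded from the VPN on purpose
    if dport == 53:
        return "dns-leak"        # plaintext DNS outside the tunnel (the port 53 case above)
    if dport in STUN_TURN_PORTS:
        return "webrtc-leak"     # call/video signalling escaping the tunnel
    return "vpn-bypass"          # any other direct traffic is an app bypassing the VPN


def summarize(capture):
    """Count packets per label so leaks stand out from expected tunnel traffic."""
    counts = Counter(label for label in map(classify, capture.splitlines()) if label)
    return dict(counts)
```

Feed it real `tcpdump -nn` output from the Wi-Fi interface instead of the constructed sample; any "dns-leak", "webrtc-leak" or "vpn-bypass" count is traffic that left the device outside both the VPN and Orbot.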

OK, so if I understand correctly, whether I’m using Proton VPN or Orbot, I’m obliged to activate the kill switch to prevent Signal and WhatsApp leaks and bypasses?

I saw that Rethink had an option to prevent DNS leaks. Wouldn’t a Rethink configuration without a kill switch + WireGuard from Proton VPN be the best solution, if the option to prevent DNS leaks works correctly? And do I also need to activate the kill switch with Rethink?

I run multiple WireGuard configs through Rethink and have the kill switch enabled. Signal and other apps like it break if I don’t allow them to bypass the proxies, because they attempt to bypass the DNS and Rethink blocks them internally. I can’t speak to their behavior with other VPN apps, but if they’re attempting to bypass the config inside of Rethink even with the kill switch enabled on GOS, it doesn’t scream to me that they aren’t bypassing the DNS with a different setup.

Is this happening with simple mode WireGuard? Ideally they shouldn’t break, and they don’t break for me rn (but I am on Molly, not Signal). Although tbf I have only been on RDNS for about a week now.

Overall yes. A killswitch on Android is the best way to prevent leaks rn.

Yes otherwise internal routing may bypass the config entirely.

Maybe for your setup, you can activate a work profile or Private Space and then set up Signal in that along with a killswitch VPN config? That way you can route other apps through Orbot on the main profile while preserving LocalSend.

I’m using advanced mode, as I’m running three concurrent WireGuard configs for different apps/services.


I’ve been using Rethink with the kill switch and WireGuard with Proton VPN for 2 days and Signal and WhatsApp are working fine. How do you check for DNS leakage, proxy bypass, etc.?

In the logs section it will show you that Signal is being blocked for attempting to bypass the DNS config. I have the firewall enabled to prevent DNS bypass attempts. The way I figured out the issue was that I was intermittently missing calls and messages in Signal, or the messages would show up hours later with no notifications. I did some digging in the logs and spoke to a few people in the SR and Techlore Signal groups (while switched back to just Proton VPN) to narrow down the issue. I allowed the app to bypass the proxy and everything started working flawlessly again.

I see; it worked for me because I hadn’t activated the option to block apps that try to bypass DNS, so for the return, I’ll leave this option unchecked.