It is known that Android leaks connectivity checks and DNS traffic outside a VPN tunnel under certain circumstances, even when the “Block connections without VPN” switch is turned on. These problems remain unfixed today, essentially because Google does not consider them problems. Part of Google's response is quoted below:
The connectivity checks are far from the only thing exempted from the VPN; privileged apps can also bypass the VPN and this is necessary for their operation in many cases. An example is IWLAN, or tethering traffic.
So Google has its reasons for exempting privileged apps from being bound to the VPN. Whatever those reasons are, “Block connections without VPN” is a broken promise, and users should be aware of that.
A little while ago, while testing a VPN app on an Android phone, we noticed a connection to a Google domain leaked outside the VPN tunnel. That’s when we decided that we should take another look at what else is leaking.
The setup is simple: we connect the Android phone to the WiFi network of a pcWRT router and use the router's Access Control and monitoring functions to watch the phone's traffic. The router sits on the WiFi side of the tunnel, so everything inside the tunnel reaches it only as opaque packets addressed to the VPN server. Any other packet from the phone is, by definition, outside the tunnel.
We’ve tested three Android devices: a Samsung S10 running Android 12, a Samsung S22 running Android 14, and a Pixel 8A running Android 15.
We used the WireGuard app from the Play store for the VPN connection.
We observed connectivity checks outside of the VPN long after the VPN had been connected. This was not because the phone switched to a new WiFi network: throughout the test the phone stayed connected to the same WiFi and the VPN connection was never interrupted.
There is no discernible pattern to when this leak occurs; sometimes you have to wait a long time to see it happen.
However, there are always two Google-bound connections outside of the VPN immediately after the VPN connection is established: one is a connectivity check, the other an HTTPS connection to www.google.com.
If the VPN on the Android phone is working properly, DNS queries travel inside the tunnel to the resolver configured by the VPN, and the router should not see any DNS lookup at all. In other words, any DNS lookup the router sees on the WiFi network is a DNS leak.
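The rule above is easy to apply mechanically: every packet the router sees from the phone is either WireGuard traffic to the VPN server, the expected carrier IPsec session, local LAN housekeeping, or a leak. The script below is an added example (not pcWRT's or WireGuard's code) that classifies flows this way. The phone address, the WireGuard endpoint, the carrier gateway and the log lines themselves are constructed for illustration; the line format is a simplified "proto src > dst" summary, not actual pcWRT or tcpdump output.

```python
"""Classify a router's view of a phone's traffic while a WireGuard VPN is up.

Added example, not code from the original post. All addresses and the log
lines are constructed; the line format is a simplified "PROTO src > dst ..."
summary rather than real tcpdump or pcWRT output.
"""
import ipaddress
import re
from collections import Counter

# Assumed test-bed values (hypothetical addresses).
PHONE_IP = "192.168.10.23"                       # the Android phone on WiFi
LAN_NET = ipaddress.ip_network("192.168.10.0/24")  # the router's LAN
WG_ENDPOINT = ("203.0.113.5", 51820)             # WireGuard server and port
CARRIER_IPSEC_GW = "198.51.100.9"                # Wi-Fi Calling gateway, IPsec/UDP 4500

# Constructed sample: what the router might log for the phone.
SAMPLE_LOG = """\
UDP 192.168.10.23:41234 > 203.0.113.5:51820 len 148
UDP 192.168.10.23:5353 > 192.168.10.1:53 Q www.google.com A
TCP 192.168.10.23:50112 > 142.250.72.196:443 SYN
UDP 192.168.10.23:4500 > 198.51.100.9:4500 len 96
UDP 192.168.10.23:68 > 192.168.10.1:67 DHCP
UDP 192.168.10.23:41234 > 203.0.113.5:51820 len 1380
UDP 192.168.10.23:40001 > 8.8.8.8:53 Q connectivitycheck.gstatic.com A
TCP 192.168.10.23:50120 > 142.250.72.196:80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)
QNAME_RE = re.compile(r"\sQ\s+(\S+)\s+A\b")


def classify(line):
    """Return the flow class for one log line, or None if not from the phone."""
    m = LINE_RE.match(line.strip())
    if not m or m["src"] != PHONE_IP:
        return None
    proto, dst, dport = m["proto"], m["dst"], int(m["dport"])
    if proto == "UDP" and (dst, dport) == WG_ENDPOINT:
        return "tunnel"          # encrypted WireGuard payload: fine
    if proto == "UDP" and dst == CARRIER_IPSEC_GW and dport == 4500:
        return "wifi-calling"    # outside the VPN by design (IWLAN)
    if dport == 53:
        return "dns-leak"        # plaintext DNS visible to the router: leak
    if ipaddress.ip_address(dst) in LAN_NET:
        return "lan"             # DHCP and similar local housekeeping
    return "leak"                # any other Internet-bound flow bypasses the VPN


def summarize(log):
    """Count flow classes and collect every line that is a leak."""
    counts, leaks = Counter(), []
    for line in log.splitlines():
        cls = classify(line)
        if cls is None:
            continue
        counts[cls] += 1
        if cls.endswith("leak"):
            leaks.append(line.strip())
    return counts, leaks


def leaked_dns_names(log):
    """Names queried in the clear outside the tunnel, in order of appearance."""
    names = []
    for line in log.splitlines():
        if classify(line) == "dns-leak":
            qm = QNAME_RE.search(line)
            if qm:
                names.append(qm.group(1))
    return names


if __name__ == "__main__":
    counts, leaks = summarize(SAMPLE_LOG)
    print(dict(counts))
    for line in leaks:
        print("LEAK:", line)
    print("DNS names leaked:", leaked_dns_names(SAMPLE_LOG))
```

The classification deliberately treats every non-tunnel flow to the Internet as a leak, including the HTTPS connections to Google, because the point is not whether the leaked connection is encrypted but that it reveals the phone's real address and activity to the local network. The Wi-Fi Calling session is reported separately so that the expected IPsec traffic is not mistaken for a bug.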
On the S10 and the S22 there is a periodic DNS lookup outside the VPN tunnel, once a minute, for the domain www.google.com, as long as the phone is in active use. During the test, we played a long YouTube video to keep the phone active.
On the Pixel 8A this leak does not follow a one-minute interval; instead it occurs every time the phone is woken from a dark screen.
Somewhat unexpectedly, but apparently by design, Wi-Fi Calling always runs outside the VPN tunnel. Once Wi-Fi Calling is turned on, there is a persistent IPsec connection to the carrier, in parallel with the VPN connection.
Android provides the options to make a VPN “always-on” and to “Block connections without VPN”. Contrary to the name, these options do not block all connections without a VPN; Wi-Fi Calling, for one, is never blocked.
Turning on these options stopped the one-minute periodic DNS leak on the S22, but not on the S10.
With these options turned on but the VPN connection closed, Android leaked even more DNS lookups.
All we can say is that Android VPNs leak. The leak patterns vary across Android versions, and some patterns are more repeatable than others. We tested the WireGuard app here; a different VPN client might show different behavior.