In particular, I’m curious whether it would avoid the need to use “Exclude” on Syncthing. If yes, would it work for both local discovery and relaying, or just the first?
Though I’m also curious on how it interacts with other apps. It seems to be a way to allow proper functioning of certain apps while still stopping privacy risks and dangerous connections to the internet, but the description is too technical for me to decide when I’ll need it or not. So I would really appreciate if you could give some examples of apps that require this feature and the corresponding tradeoffs on using this feature.
P2P (peer-to-peer) apps that function over LAN (local network) like KDE Connect, Syncthing, Chromecast, Android Nearby Share, VLC Cast, screen mirroring, phone cloners, etc. benefit from Do not route Private IPs the most.
In reality, Rethink should better support this use-case (tough to test for all scenarios) AND the apps themselves should better handle being inside of a VPN tunnel (this is a losing battle).
As for privacy, the only downside is Rethink will not monitor ANY LAN (local) connections from installed apps… but then, if Rethink is indeed set up to monitor them, those connections don’t even work… (as explained above, this is a limitation in both Rethink and the said apps. As for Rethink, we’ll continue to fix things as we come across bugs. Maybe with v055a / v055b, we fully fix the local / LAN connections from Rethink’s PoV; then it is left up to the apps themselves to navigate Rethink’s VPN tunnel like they should).
Anyway, I tested Syncthing (changed it from Exclude to Allowed, then switched on Do Not Route Private IPs) and it worked.
Though about the risks, I still have no idea as I’m not that familiar with how Private IPs work. Or was it only because this feature is still experimental, u/celzero?
Oh, good points there. Thanks for the explanation!
When Do not route Private IPs is enabled, ALL apps can communicate to services on your LAN without supervision from Rethink, which isn’t a good thing or a bad thing or anything, really.
The other side of it is, you can turn ON both Do not route Private IPs and the VPN Lockdown mode (Block connections without VPN) and now ALL apps wouldn’t be able to communicate with anything on your LAN.
The thing is labeled experimental because we haven’t tested if it works for both v4 and v6 networks.
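To make the two switches discussed in this thread concrete (the LAN-bypass behaviour described for P2P apps above, and the bypass / lockdown combinations in the reply just before), here is a small added model of the decision. It is example code written for this thread, not Rethink’s own implementation: the setting names are the app’s, but the `RethinkSettings` class, the `classify` function and the exact list of ranges treated as “private” (RFC 1918, link-local, loopback, IPv6 ULA) are assumptions made for illustration. It also handles the v4-inside-v6 case (IPv4-mapped addresses such as `::ffff:192.168.1.1`), which is one of the ways a check that is only tested on v4 can go wrong on a v6 network.

```python
import ipaddress
from dataclasses import dataclass

# Assumed set of "private" destinations. Rethink's actual list may differ;
# these are the usual LAN-style ranges for v4 and v6.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local
    ipaddress.ip_network("127.0.0.0/8"),       # IPv4 loopback
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique local (ULA)
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
]


@dataclass
class RethinkSettings:
    """Hypothetical holder for the two switches named in the thread."""
    do_not_route_private_ips: bool = False
    lockdown: bool = False  # "Block connections without VPN"


def is_private_destination(addr: str) -> bool:
    """True when addr falls in one of PRIVATE_NETWORKS, on v4 or v6.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first, so a
    v6-only socket talking to a v4 LAN host is classified like the v4 host.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in PRIVATE_NETWORKS)


def classify(addr: str, settings: RethinkSettings) -> str:
    """Where a connection to addr ends up, per the thread's description.

    'tunnel'  : enters Rethink's VPN tunnel and is monitored
    'bypass'  : goes straight to the LAN, unmonitored by Rethink
    'blocked' : dropped (private IPs not routed + lockdown)
    """
    if not is_private_destination(addr):
        return "tunnel"
    if settings.do_not_route_private_ips:
        return "blocked" if settings.lockdown else "bypass"
    # Private destination routed into the tunnel; the thread notes these
    # LAN connections often do not work in practice.
    return "tunnel"


def route_table(addrs: list[str], settings: RethinkSettings) -> dict[str, str]:
    """Classify a batch of destinations under one settings combination."""
    return {a: classify(a, settings) for a in addrs}


if __name__ == "__main__":
    # Constructed sample destinations: two LAN peers, a v4-mapped peer, a public resolver.
    sample = ["192.168.1.10", "fd12:3456::1", "::ffff:10.0.0.5", "1.1.1.1"]
    for name, s in [
        ("default", RethinkSettings()),
        ("no-route-private", RethinkSettings(do_not_route_private_ips=True)),
        ("no-route-private + lockdown", RethinkSettings(do_not_route_private_ips=True, lockdown=True)),
    ]:
        print(name, route_table(sample, s))
```

Running it prints one line per settings combination; the useful part is the third line, where every LAN destination comes back as `blocked`, which is the “both switches on” outcome described above. Note that this model follows the thread, so with lockdown on but private routing left on, LAN traffic is shown as entering the tunnel; the thread says such connections then tend not to work.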
Is there any way to block connections without VPN while maintaining LAN access? Maybe work profile with a socks5 proxy?
Not really, no. LAN access is something we haven’t concentrated much at all on, and we aren’t aware of all the ways it can fail due to Rethink.
We must do so, but given other issues with the app, LAN access hasn’t been at a higher priority.
That said, LAN access can work with a couple of workarounds (turning ON Do not route Private IPs and/or Excluding an app from Rethink). Though, not with the Rethink VPN in Lockdown mode (that is, with Block connections without VPN turned ON).