How does ziti mobile edge for android integrate with privacy VPNs?

Let's assume that I turned on Mullvad VPN on Android. I also enabled Ziti Mobile Edge for Android.

Mullvad makes Android use its own DNS servers. Ziti Mobile Edge for Android wants to make Android use its DNS server as the first DNS server.

How can I make sure both DNS servers are used seamlessly? Ziti Mobile Edge's DNS server should be used first, before Mullvad's DNS servers are used.

If I use any other VPN providers, their DNS servers should also work well with Ziti Mobile Edge.

I didn't think you can do this? I haven't installed/tested/tried it myself, but I thought Android only allows one VPN to be active at a time?

The only answer, if it is even possible, is "very carefully".

If both apps can run at the same time, my initial inkling is to state that this is an unsupported configuration. It feels like there are just too many pitfalls and nuances in this deployment mechanism that make me think we just couldn't really support it.

I'll ask the rest of the team, and if anyone else disagrees with me, I'll have them follow up here.

Perhaps split tunneling on macOS, Windows, Android, and iOS will help?

Linux is flexible enough that a privacy VPN can co-exist with the tunneler or router tunnel.

OpenZiti, by its nature, already operates in a split-tunnel model even with Android as is. It does not operate in a full-tunnel model, like other VPNs may. You can implement a full tunnel with OpenZiti but you need to go out of your way to do it.

VpnService | Android Developers states:

  • There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created.

So while other OSes support having more than one, it seems like Android definitely won't.

  • On macOS and iOS, anything that's not IPSec or IKEv2 has to use NETunnelProviderManager, which is enterprise VPN. NETunnelProviderManager | Apple Developer Documentation says only one enterprise VPN configuration can be enabled on the system at a time. It seems Android doesn't support multiple simultaneously active VPN services without work profiles, which I can't expect to use without a corporation setting it up for me. However, one can expose privacy VPN servers as proxy servers on OpenZiti services. Some web browsers support an internal proxy setting.
  • On Windows, WireGuard and OpenVPN can set up system-wide DNS servers along with the gateway, and Ziti Desktop Edge can insert its own specific network routes for its TUN interface and add its intercept DNS domains to the Name Resolution Policy Table?
  • On Linux, the tunneler uses systemd-resolved or my own DNS configuration to make sure the tunneler's DNS server is consulted before other name servers are. It will insert its own specific network routes that take precedence over the privacy VPN's gateway.

I'm starting to hate Apple and Google for crippling macOS, iOS, and Android.

If a VPN provider doesn't work well with Ziti Desktop Edge on Windows, I may tinker a bit, and if it still doesn't work, I may set up proxy servers on the OpenZiti network.
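The Linux bullet above relies on two precedence rules that make a tunneler and a privacy VPN co-exist: the kernel picks the route with the longest matching prefix (so a tunneler's narrow intercept route beats the VPN's two /1 "catch-all" routes), and systemd-resolved sends a query to the link whose routing domain is the longest suffix match of the name (with `~.` as the fallback). The following script is an added model of those two rules, written for this thread and not part of OpenZiti or any tunneler; the interface names, addresses, intercept range and domains are constructed examples. It lets you check, before touching a real host, which interface and which resolver a given destination or name would end up on.

```python
"""Model of how a tunneler's routes and DNS settings take precedence over a
privacy VPN's on Linux: longest-prefix route selection and systemd-resolved
style per-link routing domains. Added illustration, not OpenZiti's own code.
All interface names, addresses and domains below are constructed."""
import ipaddress

# Constructed routing table: (destination prefix, interface, metric).
# A WireGuard-style privacy VPN grabs the whole address space with two /1
# routes; the tunneler adds one narrower route for its intercept range.
ROUTES = [
    ("0.0.0.0/0", "eth0", 100),         # physical uplink, default route
    ("0.0.0.0/1", "wg-mullvad", 0),     # privacy VPN: 0.0.0.0 - 127.255.255.255
    ("128.0.0.0/1", "wg-mullvad", 0),   # privacy VPN: 128.0.0.0 - 255.255.255.255
    ("100.64.0.0/10", "tun-ziti", 0),   # tunneler intercept range (assumed)
]


def select_route(dst, routes=ROUTES):
    """Return the interface the kernel would use for dst: the longest
    matching prefix wins; among equal prefix lengths the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


# Constructed per-link DNS configuration in the style of systemd-resolved:
# each link carries its DNS servers and routing domains; "~." is the catch-all
# that a privacy VPN typically installs so every unmatched query goes to it.
LINKS = {
    "wg-mullvad": {"dns": ["10.64.0.1"], "domains": ["~."]},
    "tun-ziti": {"dns": ["100.64.0.2"], "domains": ["~ziti", "~corp.internal"]},
}


def _suffix_len(labels, domain):
    """Number of labels of `domain` that match the tail of `labels`;
    0 for the catch-all "~.", -1 when the domain does not match."""
    d = domain.lstrip("~").strip(".").lower()
    if d == "":
        return 0
    dl = d.split(".")
    if len(labels) >= len(dl) and labels[-len(dl):] == dl:
        return len(dl)
    return -1


def select_resolver(name, links=LINKS):
    """Return (interface, dns_server) for a query name: the link whose routing
    domain is the longest suffix match wins, so "svc.ziti" goes to the
    tunneler's resolver while "example.com" falls through to the VPN's."""
    labels = name.rstrip(".").lower().split(".")
    best = None
    for iface, cfg in links.items():
        for domain in cfg["domains"]:
            n = _suffix_len(labels, domain)
            if n >= 0 and (best is None or n > best[0]):
                best = (n, iface, cfg["dns"][0])
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    for dst in ("100.64.0.5", "1.1.1.1", "200.1.1.1"):
        print(f"{dst:>12} -> {select_route(dst)}")
    for name in ("svc.ziti", "api.corp.internal", "mullvad.net", "notziti.example"):
        print(f"{name:>18} -> {select_resolver(name)}")
```

The model shows why the Linux setup works without any ordering of resolvers: the tunneler does not need to be "first", it only needs a more specific route and a more specific routing domain than the privacy VPN. On a real host the same two checks are `ip route get <address>` and `resolvectl status` (per-link DNS servers and routing domains); if the VPN client installs `~.` and the tunneler's domains are missing from its link, queries for service names fall through to the VPN's resolver exactly as the `notziti.example` case does here.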