I have discovered a new “unexpected feature” of the Advanced Privacy VPN function: even when you are connected to Wi-Fi, this system does not make a distinction between internet destinations and destination IPs on the same subnet (layer 2 domain) as the phone’s IP. This means any private IP destination (even on the same VLAN/subnet as the phone) is inaccessible, unless you disable the VPN completely or remove the app generating this traffic from the VPN function.
It would be good if the VPN function could auto-detect non-routable (private) IP destinations (or at least destinations in the same layer 2 domain as the phone’s IP) and send this traffic straight through, rather than sending it through the Orbot network.
After additional research and testing, I have found the answer to my question: /e/OS itself correctly detects when the destination is on the local network (same broadcast domain as the phone’s IP) and tries to route the traffic directly, bypassing the Advanced Privacy VPN.
So as long as you have, in the “Network and internet” menu, “VPN” submenu, “Advanced Privacy Options” submenu, the “Block connections without VPN” option DISABLED, local traffic will flow correctly, even when you have “Hide my IP” enabled for all apps on the phone (including the app that is doing the local traffic).
My only worry is that now I have no guarantee there will be no “leaks”. I’m assuming this option was inserted there for a good reason (which I am not privy to), and now I’m wondering how my risk profile has changed by allowing VPN-bypass connections (i.e. is there any possibility a “naughty” app will be able to bypass the VPN and access the internet directly?).
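To make the distinction the two posts above are drawing concrete (a destination in the phone's own broadcast domain, versus a private address on some other subnet, versus a public internet address), here is an added example that emulates the routing decision. This is illustration code written for this thread, not /e/OS or Orbot code, and the phone address, netmask and the three "modes" are assumptions chosen to mirror the settings described above: "strict" stands for "Block connections without VPN" enabled, "lenient" for it disabled (local traffic direct, everything else through the VPN), and "wish" for the behaviour the first post asked for (private addresses also direct).

```python
import ipaddress

# Constructed example: the phone's own address and netmask on the Wi-Fi network.
# These values are assumptions for the demonstration, not taken from /e/OS.
PHONE_IFACE = ipaddress.ip_interface("192.168.1.42/24")


def classify(dst, phone_iface=PHONE_IFACE):
    """Return 'local', 'private' or 'internet' for a destination address.

    'local'    : same broadcast (layer 2) domain as the phone, reachable via ARP
    'private'  : non-routable on the internet (RFC 1918, loopback, link-local),
                 but on another subnet, so it still needs a router
    'internet' : a publicly routable address
    """
    addr = ipaddress.ip_address(dst)
    if addr in phone_iface.network:
        return "local"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "internet"


def route(dst, mode, phone_iface=PHONE_IFACE):
    """Decide 'direct', 'vpn' or 'drop' for a destination under an assumed policy mode.

    mode 'strict'  : emulates 'Block connections without VPN' enabled; nothing
                     leaves the phone except through the VPN, so local traffic
                     (which the VPN cannot deliver) is dropped.
    mode 'lenient' : emulates that option disabled; local traffic goes direct,
                     every other destination goes through the VPN.
    mode 'wish'    : the behaviour requested in the first post; local and
                     private destinations go direct, only internet via VPN.
    """
    kind = classify(dst, phone_iface)
    if mode == "strict":
        return "vpn" if kind != "local" else "drop"
    if mode == "lenient":
        return "direct" if kind == "local" else "vpn"
    if mode == "wish":
        return "direct" if kind in ("local", "private") else "vpn"
    raise ValueError(f"unknown mode {mode!r}")


def direct_reach(destinations, mode, phone_iface=PHONE_IFACE):
    """Return the subset of destinations an app could reach without the VPN.

    This is the check behind the 'naughty app' worry: under 'lenient' the set
    never contains an internet address, only hosts in the phone's own subnet.
    """
    return sorted(d for d in destinations if route(d, mode, phone_iface) == "direct")


if __name__ == "__main__":
    # Constructed sample destinations: a LAN printer, a host on another private
    # subnet, loopback, and a public resolver.
    samples = ["192.168.1.7", "10.0.0.5", "127.0.0.1", "1.1.1.1"]
    for mode in ("strict", "lenient", "wish"):
        print(mode, {d: route(d, mode) for d in samples})
    print("reachable without VPN under 'lenient':", direct_reach(samples, "lenient"))
```

The useful takeaway is the difference between "lenient" and "wish": with the local-network exception only, an app that bypasses the VPN can at most reach hosts that already share its layer 2 segment, whereas routing all private ranges direct would also let it reach anything a gateway forwards to, which is why the two cases deserve separate treatment.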
Assuming it’s been correctly coded, every flow to a non-local address may go through the VPN.
As this will be done at the network stack level, I’d say you’re 99% safe (zero risk doesn’t exist).
You may check your DNS settings, avoiding leaks through your ISP-provided ones unless necessary.
Or is Advanced Privacy smart enough to send DNS requests to the VPN, then fall back to the local network’s?