Brave appears to install VPN Services without user consent
A fix for this has been merged as of January 18th, 2024! See comment at Windows should not install VPN services until VPN is purchased/enabled · Issue #33726 · brave/brave-browser · GitHub
Hi folks - as a developer who worked on VPN, I wanted to respond to this. Hopefully I can provide a good update and address concerns raised so far. Also, I’d love to help answer questions.
My response
I characterized the problem in a GitHub issue we have tracking this, which can be found here: https://github.com/brave/brave-browser/issues/33726
There are two services on Windows which are installed which are only used if you purchase VPN and connect inside Brave. I’d like to acknowledge the complaints for this being “bloatware” and/or being installed without user consent. These are fair assessments in my opinion and I created the GitHub issue above so that folks can subscribe and track as we remove this.
With acknowledgement made and commitment shared that we’ll fix this, I wanted to mention why they were installed at install time and then explain what these services do, for folks that had questions or uncertainties.
Why were these services installed?
The two services were registered at install time due to it being convenient that the elevation (to administrator) has already happened (ex: UAC prompt shown) when running the installer. The services are not installed if you deny this prompt or if you install Brave as a non-administrative user.
While this makes the VPN easier to use for folks that ARE customers (ex: product is ready to go), I acknowledge this is installing dependencies that are not used by most folks. With the above GitHub issue (https://github.com/brave/brave-browser/issues/33726), we will change this behavior to download/install the dependency and then install it at time of use, similar to what we do with Tor or IPFS.
What do these services do?
The VPN helper service is used when doing IKEv2 using the Windows built-in VPN support with Brave VPN - the intention of this service is to force routing through one adapter to avoid a hostname leak. By default, Smart Multi-Homed Name Resolution is enabled and can leak the hostnames being resolved. This happens because names sent to the system resolvers will then send the hostname in question to all the adapters on the machine - and then it’ll use the first response received. This means when you are a paid Brave VPN customer, it may be resolving DNS on your ISP and we find that unacceptable.
The WireGuard VPN service is used exclusively when you have VPN switched to WireGuard, which was set as the default in 1.59. Folks may see a binary in the Brave directory on Windows going back to product version 1.57. The WireGuard service (which uses an accompanying tray icon) will run in the background while you’re not in Brave. The system VPN doesn’t need a service for the basic functionality as it’s built-in to the OS; but WireGuard is not.
Both of these services are set to Manual which means they will never start. They will only turn on when a person using Brave purchases Brave VPN and connects to a server. Someone could pull up services.msc on Windows and manually start the service - but that won’t do anything. It’s important to capture that no identifying information is sent when a Brave VPN customer is using the VPN product (by the service or to the VPN provider).
Both of these services are written by Brave and their source code can be found in the brave-core GitHub repository:
- Brave Vpn Wireguard Service https://github.com/brave/brave-core/tree/master/browser/brave_vpn/win/brave_vpn_wireguard_service
- Brave Vpn Helper https://github.com/brave/brave-core/tree/master/components/brave_vpn/browser/connection/ikev2/win/brave_vpn_helper
Conclusion
I hope this shares some insight into why the change was made. We’re committed to fixing this behavior so that Brave is not installing dependencies until they’re needed. Thanks for your patience while we solve this.
Progress can be tracked on GitHub
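A way to check on your own machine what the post above says about start type and state, as an added example that is not part of the original post or of Brave's code. It assumes the installed binaries carry `brave_vpn` in their path, the string used in the repository directory names linked above; the function and property names are made up for this example.

```powershell
# Added example: list Brave VPN services and autostart entries on this machine.
# Assumption: the binaries are identifiable by "brave_vpn" in their path.
$pattern = 'brave_vpn'

function Get-BraveVpnService {
    # Win32_Service exposes the start type and the current state of each service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Name             = $_.Name
                StartMode        = $_.StartMode   # Auto, Manual or Disabled
                State            = $_.State       # Running, Stopped, ...
                Path             = $_.PathName
                # True when the service is in the state the post describes
                # for a machine without a VPN subscription.
                ManualAndStopped = ($_.StartMode -eq 'Manual' -and
                                    $_.State -eq 'Stopped')
            }
        }
}

function Get-BraveVpnStartupEntry {
    # Win32_StartupCommand covers the Run registry keys and the Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Command -match $pattern } |
        Select-Object Name, Command, Location, User
}

$services = @(Get-BraveVpnService)
$startup  = @(Get-BraveVpnStartupEntry)

if ($services.Count -eq 0) { 'No service with a brave_vpn binary is registered.' }
else { $services | Format-List }

if ($startup.Count -eq 0) { 'No brave_vpn autostart entry found.' }
else { $startup | Format-List }
```

Run it again after a browser update to see whether a start type or autostart entry has changed since the last check.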
What bugged me most is that there’s an icon in the taskbar tray, and that made me want to double check everything to make sure it wasn’t using it (I use my own VPN).
Recently noticed it in my autostart and disabled it
stupid way to put “brave” to “grave”. bravo devs!
Not very nice that a browser that prides itself on being a champion of privacy installs a potentially unwanted program on startup without the user’s consent and knowledge. Time to find another browser. Second mishap in a week after several users including myself reported brave crashing if a theme was previously installed from the chrome store. Pity as not a lot of browsers left with decent privacy and open source unless you move to the Firefox world.
Wanna uninstall brave? If you do it, I do it next!
Curious if that’s only on certain versions or has some prerequisite beyond the default settings.
I checked the VPN button, it isn’t using it, it requires paying for it to use it:
https://i.imgur.com/KB7fTLA.png
Maybe I’m thinking of something else.
Update-
Checked settings, found this:
https://i.imgur.com/8sWBf8B.png
It appears to be the same thing, enabled, but not actually on. It’s a bit confusing.
Uff, that was very sneaky. This ‘VPN’ is also not being shown in “Add / Remove programs” - I have just noticed it in autostart, then in services.
Please don’t do such things in the future - this is so lame and really damaging Brave’s reputation.
It’s part of the browser. You can either leave it turned off (IE don’t use it) or turn it on. Many browsers have this included also.
soooo… microshit edge is our only saviour?
So?? complete switch to librewolf now?
Using SysInternals’ AutoRuns, I searched for “brave_vpn” and disabled what was relevant.
Does uninstalling the browser remove the VPN? I have uninstalled Brave, but the VPN is still being detected through my Killer Wifi Intelligence center and it has disabled the Smart Access Point feature of Killer wifi. Do you have any guidance on how this can be fixed or what I can look for in the Windows Services Manager to delete? Thanks in advance!
If you don’t pay for the Brave VPN, does any of this installed VPN stuff do anything at all, maybe in some sort of limited capacity version? Or are they not used at all, in any way shape or form?
I can see in the github they are planning to have the startup & services remove themselves from non-active subscriptions, but as of TWO days ago I had the already disabled startup task & services along with the tray icon all re-enable themselves.
I’ve never had a brave VPN subscription & disabled the startup & services in 1.59, now after the recent 1.6.114 update (Nov 8), the services were ‘reset’ from disabled to manual & the startup task also re-enabled itself showing a HIGH startup impact meaning there is some process activity going on.
Disabled/unused startup processes show NO startup impact just FYI so what’s the explanation for this? https://postimg.cc/GHL3qFCp
This is the current behavior on v1.60.114 (Nov 8, 2023)
Just as a side note… I was unaware that Brave was installing the vpn bits into a service, even though it was disabled. At work we can install browsers (Chrome, ffox, etc), but we’re not allowed to install VPN. I could have gotten fired; just for the fact that VPN bits were installed. I uninstalled Brave as soon as I found out.
So how do I remove it? I know how to disable it, but I’d like to remove it from my system altogether please. Thanks
What commitment? You lied about it, you hid it by not telling users and 4 months later nothing has changed
“Both of these services are set to Manual which means they will never start. They will only turn on when a person using Brave purchases Brave VPN and connects to a server.”
I N C O R R E C T
I already have a VPN.
I installed the Brave browser over a week ago. Didn’t like it. Haven’t launched it since Day 1. (My system has been rebooted a number of times since installation.)
I never purchased Brave VPN service.
It’s a running process on my PC at this moment.
It’s an enabled program in my Startup menu.
I just launched Brave to double check settings. Brave VPN Wireguard is disabled.
Glad I stumbled into this discussion. Excellent reminder to uninstall Brave.