sfdhsgjjdkdh Blocking leaks is enabled before the user unlocks, even if the VPN doesn't support Direct Boot. If you have a VPN without Direct Boot support, which is normally the case, then you simply don't have working internet access before first unlock. The initial post is wrong about this. It's a configuration issue, and the default has the leak blocking toggle enabled.
VPN leaks without default-enabled toggle for blocking leaks enabled
GrapheneOS Where can I find this "block leaking" toggle in the settings? Thanks!
prompter It's in the OS settings for the VPN right underneath the always-on VPN toggle, which are both enabled by default on GrapheneOS. It's not something you need to manually enable on GrapheneOS but rather avoid turning it off when you enable the VPN.
Some Android system components bypass the VPN, like Captive Portal check, connectivity check and SUPL request.
If you live in such a country, switching all those back to Google may be best.
Btw, it could be an idea to allow the download of the required OS components over another channel than the website. Tor Browser uses many, where email, Telegram and others are allowed, I think. It is a smaller file, so mirroring things on a Google server, for example, may help? Or possibly over Tor?
GrapheneOS Thank you! So the "always-on" toggle also makes sure the VPN stays enabled when the device is locked, and the "block connections" toggle also makes sure there is no traffic before first unlock after rebooting, for example?
GrapheneOS all you need is to switch to standard connectivity checks
What's the difference between standard and graphene?
Resurr
From https://grapheneos.org/faq
See the difference below in bold.
Connectivity checks are performed for each network connection and for VPN connections on top of those. This allows the OS to choose the right underlying network for a VPN and to handle many types of captive portals without the user turning off their VPN.
You can change the connectivity check URLs via the Settings ➔ Network & Internet ➔ Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.
Some Android system components bypass the VPN, like Captive Portal check, connectivity check and SUPL request.
Connectivity / captive portal checks are the same thing. SUPL doesn't bypass the VPN on Tensor Pixels, only Snapdragon where it's implemented by the radio. NTP on AOSP / stock OS does, but this isn't AOSP / stock OS and GrapheneOS doesn't use NTP.
Connectivity checks are the only default connection on GrapheneOS which don't go through the VPN.
SUPL is only used after adding a carrier. Carrier IMS uses a dedicated VPN for Wi-Fi calling/texting which is another non-default connection which doesn't go through the Owner VPN but rather another VPN.
If you live in such a country, switching all those back to Google may be best.
Only connectivity checks are relevant to this on current devices. SUPL is only relevant for Pixel 5a and earlier.
Btw, it could be an idea to allow the download of the required OS components over another channel than the website. Tor Browser uses many, where email, Telegram and others are allowed, I think. It is a smaller file, so mirroring things on a Google server, for example, may help? Or possibly over Tor?
Updates aren't hosted on our website and we don't want or need any third party hosting for them. Updates are done via the VPN like all other default connections which aren't connectivity checks.
Resurr The default servers used across Android vs. our equivalent servers. There's no VPN by default so using our servers makes the most sense as the default. If users want to blend in with Android users with the same VPN provider rather than being visibly a GrapheneOS user to the network, they can change connectivity checks to Standard. It's covered in our FAQ.
GrapheneOS If users want to blend in with Android users with the same VPN provider rather than being visibly a GrapheneOS user to the network
Is this the only reason, or is there any security advantage or disadvantage using Google or graphene?