• Off Topic
  • Disabling connectivity checks on GrapheneOS

  • [deleted]

Hey Everyone,
Soon I will be getting my new pixel to flash grapheneos! Just a quick question I saw that google is leaking vpn data and also saw that grapehenos is not doing that. Is there any setting I need to change for that or is everything on the default good?

thanks!

    [deleted] Hi there!

    So, a couple of things here. You are probably talking about the blog by Mullvad that's talking about connectivity checks not going through the VPN (source).

    While this blog isn't wrong, it's kind of misleading. This is not a leak because it's intended behavior. Connectivity checks have been designed to bypass the VPN.

    That said, GrapheneOS does and had provided a way to disable connectivity checks for a very long time now.

    That option is documented along with other default connections and what they're for in the project's FAQ, found here:

    https://grapheneos.org/faq#default-connections

    You can change the connectivity check URLs via the Settings ➔ Network & Internet ➔ Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.

    I hope that answers your question!

    • [deleted]

    Thank you for your quick response! Is this something that is recommended or do I need not worry?

      [deleted] Happy to help!

      I don't think that a binary recommended/not recommended way to do things applies here. It's much better to understand what it does and then decide if it's something you're okay with or not.

      That said, let me quote the documentation again to try and explain what happens when disabling these checks:

      GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don't have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.

      If this is not an issue for you, you can disable it. On a personal note, I don't really see the point. It's something that's inherently not a big deal (no user data is sent) and has been blown way out of proportion.

        In my opinion, the right way to do a connectivity check with a VPN is to check if the VPN is accessible. You're going to connect to that server anyway, so it won't actually leak anything besides the fact that you're connecting to that VPN, which leaks anyway.

        matchboxbananasynergy

        Possibly a concern might be at an open hotspot, and connecting to the laptop of the 15-yr-old guy next to you who is running an impersonation of the hotspot captive portal - with the intention of "testing" your box with malware-laden responses!? In the old laptop days, one could run a quick passive scan of the hotspot before connecting to assure that there were no mischievous Friday-night cowboys.

        7 months later

        What are the exact consequences of disabling internet connectivity checks? 

          Forget about the connectivity checks, WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network. There is currently no way to prevent this, though the issue has been brought up: https://github.com/GrapheneOS/os-issue-tracker/issues/887

          Also, the network assisted location (SUPL) bypasses the vpn, though there is now a toggle for that service.

            • [deleted]

            nodsocket Also, the network assisted location (SUPL) bypasses the vpn, though there is now a toggle for that service.

            Source? As far as I know that's not true.

              [deleted] If you are connected to WiFi but there is no upstream connection, you're supposed to get a notification. With connectivity checks disabled, you won't get any notification if the connection breaks.

              nodsocket WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network.

              If you have airplane mode on and don't have a SIM in your device, would WiFi calling network requests still happen?

                I leave mine disabled all of the time. I have noticed however where some public WiFi hotspots have a some kind of log-in screen/ terms and conditions to agree to this page won't open open so the WiFi stays connected but says no internet access.

                  nodsocket Also, the network assisted location (SUPL) bypasses the vpn, though there is now a toggle for that service.

                  That is not true for Tensor Pixels.

                    nodsocket Thank you, that's good to know. So if a SIM was never inserted, DNS requests won't be sent?