  • Disabling connectivity checks on GrapheneOS

  • [deleted]

Thank you for your quick response! Is this something that is recommended or do I need not worry?

    [deleted] Happy to help!

    I don't think that a binary recommended/not recommended way to do things applies here. It's much better to understand what it does and then decide if it's something you're okay with or not.

    That said, let me quote the documentation again to try and explain what happens when disabling these checks:

    GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don't have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.

    If this is not an issue for you, you can disable it. On a personal note, I don't really see the point. It's something that's inherently not a big deal (no user data is sent) and has been blown way out of proportion.

      In my opinion, the right way to do a connectivity check with a VPN is to check if the VPN is accessible. You're going to connect to that server anyway, so it won't actually leak anything besides the fact that you're connecting to that VPN, which leaks anyway.

      matchboxbananasynergy

      Possibly a concern might be at an open hotspot, and connecting to the laptop of the 15-yr-old guy next to you who is running an impersonation of the hotspot captive portal - with the intention of "testing" your box with malware-laden responses!? In the old laptop days, one could run a quick passive scan of the hotspot before connecting to assure that there were no mischievous Friday-night cowboys.

      7 months later

      What are the exact consequences of disabling internet connectivity checks? 

        Forget about the connectivity checks, WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network. There is currently no way to prevent this, though the issue has been brought up: https://github.com/GrapheneOS/os-issue-tracker/issues/887

        Also, the network-assisted location (SUPL) bypasses the VPN, though there is now a toggle for that service.

          • [deleted]

          nodsocket Also, the network-assisted location (SUPL) bypasses the VPN, though there is now a toggle for that service.

          Source? As far as I know that's not true.

            [deleted] If you are connected to WiFi but there is no upstream connection, you're supposed to get a notification. With connectivity checks disabled, you won't get any notification if the connection breaks.

            nodsocket WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network.

            If you have airplane mode on and don't have a SIM in your device, would WiFi calling network requests still happen?

              I leave mine disabled all of the time. I have noticed, however, that where some public WiFi hotspots have some kind of log-in screen / terms and conditions to agree to, this page won't open, so the WiFi stays connected but says no internet access.

                nodsocket Also, the network-assisted location (SUPL) bypasses the VPN, though there is now a toggle for that service.

                That is not true for Tensor Pixels.

                  nodsocket Thank you, that's good to know. So if a SIM was never inserted, DNS requests won't be sent?

                    evalda I think so. The phone needs to know which domains to resolve first, which would require a SIM.