• Off Topic
  • Disabling connectivity checks on GrapheneOS

In my opinion, the right way to do a connectivity check with a VPN is to check if the VPN is accessible. You're going to connect to that server anyway, so it won't actually leak anything besides the fact that you're connecting to that VPN, which leaks anyway.

matchboxbananasynergy

Possibly a concern might be at an open hotspot, and connecting to the laptop of the 15-yr-old guy next to you who is running an impersonation of the hotspot captive portal - with the intention of "testing" your box with malware-laden responses!? In the old laptop days, one could run a quick passive scan of the hotspot before connecting to assure that there were no mischievous Friday-night cowboys.

7 months later

What are the exact consequences of disabling internet connectivity checks? 

    Forget about the connectivity checks, WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network. There is currently no way to prevent this, though the issue has been brought up: https://github.com/GrapheneOS/os-issue-tracker/issues/887

    Also, the network assisted location (SUPL) bypasses the vpn, though there is now a toggle for that service.

      • [deleted]

      nodsocket Also, the network assisted location (SUPL) bypasses the vpn, though there is now a toggle for that service.

      Source? As far as I know that's not true.

        [deleted] If you are connected to WiFi but there is no upstream connection, you're supposed to get a notification. With connectivity checks disabled, you won't get any notification if the connection breaks.

        nodsocket WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network.

        If you have airplane mode on and don't have a SIM in your device, would WiFi calling network requests still happen?

          I leave mine disabled all of the time. I have noticed however where some public WiFi hotspots have a some kind of log-in screen/ terms and conditions to agree to this page won't open open so the WiFi stays connected but says no internet access.

            nodsocket Also, the network assisted location (SUPL) bypasses the vpn, though there is now a toggle for that service.

            That is not true for Tensor Pixels.

              nodsocket Thank you, that's good to know. So if a SIM was never inserted, DNS requests won't be sent?

                evalda I think so. The phone needs to know which domains to resolve first, which would require a sim.

                  • [deleted]

                  The only downside of disabling internet connectivity checks is that captive portals will not work? 

                    [deleted] How I am understanding it, if the connectivity checks are disabled, it won't bring up the sign in page automatically for a captive portal. You can still open your browser and go to a website and it should redirect you to the sign in page. After you sign in, the network should work like normal.
                    If you try to go to a https page it should give you a certificate warning as the portal is redirecting you to the sign in website. If you try going to an http page it should redirect properly.

                    The only other drawback I am aware of is say you are connected to WiFi and the internet connection goes down, you won't get prompted that the network went out. So you can be joined to WiFi and not be aware that it is not working.