Disabling connectivity checks on GrapheneOS

  • [deleted]

Hey Everyone,
Soon I will be getting my new Pixel to flash GrapheneOS! Just a quick question: I saw that Google is leaking VPN data and also saw that GrapheneOS is not doing that. Is there any setting I need to change for that, or is everything on the default good?

thanks!

    [deleted] Hi there!

    So, a couple of things here. You are probably talking about the blog by Mullvad that's talking about connectivity checks not going through the VPN (source).

    While this blog isn't wrong, it's kind of misleading. This is not a leak because it's intended behavior. Connectivity checks have been designed to bypass the VPN.

    That said, GrapheneOS has provided a way to disable connectivity checks for a very long time now.

    That option is documented along with other default connections and what they're for in the project's FAQ, found here:

    https://grapheneos.org/faq#default-connections

    You can change the connectivity check URLs via the Settings ➔ Network & Internet ➔ Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled.

    I hope that answers your question!

    • [deleted]

    Thank you for your quick response! Is this something that is recommended or do I need not worry?

      [deleted] Happy to help!

      I don't think that a binary recommended/not recommended way to do things applies here. It's much better to understand what it does and then decide if it's something you're okay with or not.

      That said, let me quote the documentation again to try and explain what happens when disabling these checks:

      GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don't have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.

      If this is not an issue for you, you can disable it. On a personal note, I don't really see the point. It's something that's inherently not a big deal (no user data is sent) and has been blown way out of proportion.

        In my opinion, the right way to do a connectivity check with a VPN is to check if the VPN is accessible. You're going to connect to that server anyway, so it won't actually leak anything besides the fact that you're connecting to that VPN, which leaks anyway.

        matchboxbananasynergy

        Possibly a concern might be at an open hotspot, and connecting to the laptop of the 15-yr-old guy next to you who is running an impersonation of the hotspot captive portal - with the intention of "testing" your box with malware-laden responses!? In the old laptop days, one could run a quick passive scan of the hotspot before connecting to assure that there were no mischievous Friday-night cowboys.

        7 months later

        What are the exact consequences of disabling internet connectivity checks? 

          Forget about the connectivity checks, WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network. There is currently no way to prevent this, though the issue has been brought up: https://github.com/GrapheneOS/os-issue-tracker/issues/887

          Also, the network-assisted location (SUPL) bypasses the VPN, though there is now a toggle for that service.

            • [deleted]

            nodsocket Also, the network-assisted location (SUPL) bypasses the VPN, though there is now a toggle for that service.

            Source? As far as I know that's not true.

              [deleted] If you are connected to WiFi but there is no upstream connection, you're supposed to get a notification. With connectivity checks disabled, you won't get any notification if the connection breaks.

              nodsocket WiFi Calling also completely bypasses the VPN. Even if you turn it off, it still resolves the domains which could be used to fingerprint devices on a WiFi network.

              If you have airplane mode on and don't have a SIM in your device, would WiFi calling network requests still happen?

                I leave mine disabled all of the time. I have noticed, however, that on some public WiFi hotspots that have some kind of log-in screen or terms and conditions to agree to, this page won't open, so the WiFi stays connected but says no internet access.

                  nodsocket Also, the network-assisted location (SUPL) bypasses the VPN, though there is now a toggle for that service.

                  That is not true for Tensor Pixels.

                    nodsocket Thank you, that's good to know. So if a SIM was never inserted, DNS requests won't be sent?

                      evalda I think so. The phone needs to know which domains to resolve first, which would require a SIM.

                        • [deleted]

                        The only downside of disabling internet connectivity checks is that captive portals will not work? 

                          [deleted] As I understand it, if the connectivity checks are disabled, it won't bring up the sign-in page automatically for a captive portal. You can still open your browser and go to a website, and it should redirect you to the sign-in page. After you sign in, the network should work like normal.
                          If you try to go to an https page, it should give you a certificate warning, as the portal is redirecting you to the sign-in website. If you try going to an http page, it should redirect properly.

                          The only other drawback I am aware of is say you are connected to WiFi and the internet connection goes down, you won't get prompted that the network went out. So you can be joined to WiFi and not be aware that it is not working.

                          • [deleted]

                          matchboxbananasynergy It's something that's inherently not a big deal (no user data is sent) and has been blown way out of proportion.

                          I think that it's quite a big deal, because every time you will identify yourself as a GrapheneOS user to every public Wi-Fi and your ISP.

                          So if you're the only one using GrapheneOS in your city or place, then you can be traced and identified.

                            • [deleted]

                            matchboxbananasynergy GrapheneOS also adds the ability to fully disable the connectivity checks. This results in the OS no longer handling captive portals itself, not falling back to other networks when some don't have internet access and not being able to delay scheduled jobs depending on internet access until it becomes available.

                            1. The OS will no longer handle captive portals itself

                            2. It will not fall back for example to cellular when your Wi-Fi has lost connection and vice versa.

                            The part that I don't understand is "not being able to delay scheduled jobs depending on internet access until it becomes available".

                              [deleted] To blend in with other users while using a VPN, use the Standard mode. Disabled stands out from other users nearly as much as GrapheneOS.

                                [deleted] [deleted] If the OS isn't performing connectivity checks, it doesn't know which networks are working and doesn't know when internet access is available. This breaks falling back to a working network, such as if you have both Wi-Fi and cellular where Wi-Fi loses an internet connection. You'll need to manually toggle off Wi-Fi. Apps schedule jobs which are marked as requiring internet access. If the OS doesn't know when it's available, the jobs will run when any network is available even if there's no internet access through it at the moment. You will get errors from multiple app background jobs instead of a single notice that no network access is available.
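As an added example (not from this thread and not GrapheneOS project code), the Python script below models what the two posts above describe: an Android-style connectivity check is an HTTP GET to a probe path that the genuine check server answers with 204 No Content; a captive portal is detected when something else answers the probe (a redirect to a login page, or an HTML page); and the OS uses that signal to pick a link that actually reaches the internet. Everything network-side is constructed and runs on localhost: the `/generate_204` path, the fake check server, the fake portal and the closed port are stand-ins, and no real check server is contacted. The `pick_network` function is a simplified model of the fallback logic, not the OS's actual implementation.

```python
"""Offline model of the Android/GrapheneOS connectivity check (generate_204 probe).

Constructed example: local HTTP servers stand in for the check server and for a
captive portal; nothing here talks to GrapheneOS or Google infrastructure.
"""
import http.client
import http.server
import socket
import threading
from urllib.parse import urlsplit

ONLINE = "online"            # HTTP 204 came back: the internet is reachable
CAPTIVE = "captive_portal"   # something in the path answered instead (302/200)
NO_INTERNET = "no_internet"  # no HTTP answer at all (refused, timeout, DNS)


def probe(url, timeout=3.0):
    """One connectivity check: GET the probe URL and classify the answer.

    http.client does not follow redirects, so a portal's 302 is seen as-is.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        status = resp.status
        resp.read()
    except OSError:          # ConnectionRefusedError, timeout, gaierror, ...
        return NO_INTERNET
    finally:
        conn.close()
    if status == 204:
        return ONLINE
    # A 302 to a login page or a 200 with HTML means a portal or transparent
    # proxy answered for the check server: the link is up but not "online".
    return CAPTIVE


def pick_network(candidates, checks_enabled=True):
    """Simplified model (an assumption, not the OS code) of the fallback logic.

    candidates: (name, probe_url) pairs in preference order, Wi-Fi first.
    With checks enabled the first link that reaches the internet wins; with
    checks disabled there is no signal, so the preferred link is kept blindly.
    """
    if not checks_enabled:
        return candidates[0][0]
    for name, url in candidates:
        if probe(url) == ONLINE:
            return name
    return None


# --- constructed stand-ins for the check server and a captive portal --------
class _FakeNet(http.server.BaseHTTPRequestHandler):
    mode = "internet"  # overridden per server: "internet" or "captive"

    def do_GET(self):
        if self.path != "/generate_204":
            self.send_error(404)
            return
        if self.mode == "internet":
            self.send_response(204)        # genuine check-server reply
        else:
            self.send_response(302)        # portal hijacks the probe
            self.send_header("Location", "http://127.0.0.1/login")
        self.end_headers()

    def log_message(self, *args):          # keep the demo quiet
        pass


def serve(mode):
    handler = type("Handler", (_FakeNet,), {"mode": mode})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _unused_port():
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]        # closed again on exit: connection refused


def demo():
    """Run the three probe outcomes plus the fallback decision; return results."""
    wifi = serve("captive")      # hotspot with a login page, no upstream
    cell = serve("internet")     # cellular link that does reach the internet
    try:
        wifi_url = f"http://127.0.0.1:{wifi.server_port}/generate_204"
        cell_url = f"http://127.0.0.1:{cell.server_port}/generate_204"
        down_url = f"http://127.0.0.1:{_unused_port()}/generate_204"
        links = [("wifi", wifi_url), ("cellular", cell_url)]
        return {
            "wifi": probe(wifi_url),
            "cellular": probe(cell_url),
            "down": probe(down_url),
            "with_checks": pick_network(links, checks_enabled=True),
            "without_checks": pick_network(links, checks_enabled=False),
        }
    finally:
        for srv in (wifi, cell):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>15}: {value}")
```

Running it shows the captive Wi-Fi classified as `captive_portal`, the cellular stand-in as `online`, the dead port as `no_internet`, and the two fallback decisions side by side: with checks enabled the model moves to cellular, with checks disabled it stays on the portal Wi-Fi, which is the "you'll need to manually toggle off Wi-Fi" situation the post above describes. The check URL itself carries no user data; what it does reveal is which check server a device talks to, which is why the thread also discusses choosing the Google servers to blend in.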

                                • [deleted]

                                @GrapheneOS thanks, that was informative. I decided to keep it enabled.

                                12 days later

                                If there is no VPN, in a secondary user, do the default connections, including the connectivity check go through the VPN profile in the admin user?
                                Or
                                Do default connections now go through the user with no VPN?

                                The main purpose of understanding this is: if you wanted to have a secondary user just for Tor Browser use and wanted to look like a regular AOSP user to the ISP, would you then need to change the default connections to use the standard Google servers?

                                However, in the admin user it wouldn't matter to change the default connections to google servers besides the internet connectivity checks because the other default connections go through the VPN tunnel.

                                Does this make sense?

                                GrapheneOS

                                a year later

                                With all the different GrapheneOS servers that are periodically connected to by default, and that avoid VPN connections, in theory, couldn't these connections be used to track a GrapheneOS user across different networks, considering that there are not many of us compared to Android and iOS users? If so, what is the best course of action to avoid this? I was reading, for example, that some of the servers connected to can be changed from GrapheneOS to Google to blend in. Is there a specific guide that would help with this? Also, for those that need NOT be tracked across networks and are willing to accept the consequences of that, if any, would the project consider an incognito mode toggle switch that automatically switches from GrapheneOS servers to Google servers on the ones where that is possible, and just does not connect to GOS servers at all on the ones that cannot be replaced?

                                  locked The only one going outside of the VPN is the connectivity check, which makes sense because otherwise it wouldn't work for its intended purpose. If you want to fit in, do the following:

                                  1. Use a VPN
                                  2. Switch the connectivity check connecting to Google, rather than GrapheneOS.