Will we ever get WiFi calling over VPN or at least tunneled domains?

lah23

Once SIM card is inserted into phone, it starts making queries to WiFi calling domains, even if WiFi calling is disabled on device. These queries ignore DNS over TLS private DNS server settings and ignore VPN tunnels. When is this going to change? WiFi calling uses its own IPSec tunnel, but it does not hide your info from ISP and mobile provider. Why can't GOS introduce IPSec WiFi calling tunneling over VPN apps? It can be done with routers supporting VPN's. VPN routers simply tunnel client IPSec data through VPN tunnels (OpenVPN, WireGuard) configured in router.

alfred

lah23 it starts making queries to WiFi calling domains, even if WiFi calling is disabled on device

I did a quick test and have not seen any WiFi calling traffic while it is disabled. Maybe it varies by carrier?

lah23 Why can't GOS introduce IPSec WiFi calling tunneling over VPN apps?

I believe the main issue is it working reliably as there can be issues with IPSec running over another VPN. At least that is my understanding. So could you use a VPN router to route the WiFi calling data? Yes, but you would potentially run into issues.

lah23

There would not be any actual WiFi calling traffic, but there would absolutely be queries to WiFi calling domains. Why that is - I do not know, but such queries escape VPN tunnels the same way connectivity checks do. Connectivity checks can be disabled, but WiFi calling domain queries cannot.

The worst part is that even removal of SIM card does not stop such queries until device is wiped. Airplane mode enablement or disablement does not resolve these leaks either.

DeletedUser237

lah23 how did you log this? Can you tell which carrier or at least country ? There were some other complaints about this yet DNS logging did not confirm this when people tested for said DNS queries if wifi calling was disabled.

alfred

lah23 there would absolutely be queries to WiFi calling domains.

Maybe I should have clarified, when I enable WiFi calling, I see the request go outside of the VPN. If I turn WiFi calling off, those request are not made. I wonder if it is carrier dependent. I seem to remember reading something to that effect, but I can't find it now.

There have been a few different issues created, the second one looks to have only happened on a Pixel 4a though.
https://github.com/GrapheneOS/os-issue-tracker/issues/887
https://github.com/GrapheneOS/os-issue-tracker/issues/1550

I'm curious, does WiFi calling stop working when it is disabled, even though it is still resolving DNS? Don't some carriers have a way to enable/disable WiFi calling from their website? I wonder if that does anything different than the system setting toggle.

void0

I've done research into this topic specifically because I believe it would massively decrease the feasibility of carrier tracking however I only have one Pixel and because of the nature of a patch like this I will likely have to test on a live device so I likely won't attempt building the project with my proposed changes until my current device goes EOL.

I was wondering if anyone on the dev team could give some insight into why a small patch into IwlanDataService.java to allow ePDG and IKE data pass through a userspace vpn would not be possible? It seems EpdgTunnelManager.java (where tunnel building happens) relies on network selection from IwlanDataService.java (used for preparing network info) for determining the correct interface, dns, and the like and then builds the tunnel with whatever the former returns.

Now obviously this would have some holes, like emergency calling and potentially managing a double nat for instance, and I would have to dig through AOSP more to find all of the loose ends but could I get some clarity as to why the community/team often refer to wifi calling as something that was decided long ago that we cannot hack around?

please bump for visibility

Johnnyloans

void0

Wifi calling works for me. T-Mobile & Verizon . outgoing and incoming.

I have a 0.0.0.0/0 wireguard tunnel that goes to my remote server.

Block any non vpn connections on
Airplane mode on
Wifi on
Private dns off

void0

Johnnyloans
Wifi calling is not tunneled over vpn, it actively bypasses the vpn. The purpose of this thread is to ask the devs (who obviously know more about AOSP than me) if tunneling wifi calling into a userspace vpn would be technically feasible as described above.

Onlyfun

Concerning issue.

Data only sims are not impacted right? Is there a way to effectively monitor this locally on device without root access? If not locally, what's next best approach? Does it even make sense to check?

Johnnyloans

Onlyfun Data only sims are not impacted right?

On a data only sim, you don't have any voice to text to be affected by this.

VoIP is entirely different and should go over the vpn.

wizoatk

Johnnyloans On a data only sim, you don't have any voice to text to be affected by this.

FWIW, Cross Sim Calling does work with a data only SIM.

bajiaqsa

Honestly, this is one of those areas where the gap between “technically possible” and “practically doable in a sustainable, secure way” is a lot wider than it seems on the surface.

You’re absolutely right that the WiFi calling stack—especially the ePDG and IKE components—does some end-running around userspace VPNs and Private DNS. That’s by design on Google’s part, since WiFi calling is meant to be a carrier-grade service that needs to establish a tunnel before the OS has even fully decided which network is “primary.” From AOSP’s perspective, it’s treated almost like a separate radio interface.

The challenge with trying to force that traffic through a userspace VPN isn’t just about finding the right hooks in IwlanDataService or EpdgTunnelManager. It’s that the WiFi calling daemons and related components run with elevated privileges and expect to bind to specific physical interfaces. Once you start redirecting that traffic, you risk breaking things like:

Emergency calling — which is rightly treated as a critical path that the OS will fight to keep working, even if it means bypassing your VPN.

Race conditions at boot — the ePDG tunnel often tries to establish before VPN apps are even running, especially if the SIM is locked or the device is freshly booted.

Double NAT and MTU issues — IPSec over WireGuard over mobile data can get fragile fast, and when it fails, users blame GrapheneOS for “broken calling,” not the underlying complexity.

The other piece is maintenance. Even if someone patches this today, every Android release (especially QPRs) touches connectivity stacks in ways that aren’t always well-documented. A patch that works in one version can silently break in the next, and because this touches low-level networking, the failure modes can be subtle—like calls silently failing to ring, or the phone falling back to unencrypted signaling without the user knowing.

That’s not to say it shouldn’t be done. I think a lot of us in the privacy community would love to see WiFi calling traffic forced through the VPN. But from the GrapheneOS team’s perspective, they tend to avoid changes that add significant long-term maintenance burden unless there’s a clear path to keeping it stable across updates. They’ve also historically been cautious about anything that could impact call reliability, since for many users, that’s a non-negotiable part of daily phone use.

If you’re serious about experimenting with this, one approach might be to prototype it as a separate mod or even a userspace daemon that runs alongside the OS, rather than trying to merge it into GrapheneOS directly. That way you could prove out the stability and edge-case handling without asking the team to commit to maintaining it long-term.

It’s a frustrating limitation, no doubt, but I think the hesitation isn’t because it’s impossible—it’s because doing it right in a way that doesn’t cause regressions is genuinely hard.

void0

bajiaqsa The em dashes in this, as well as how it reads, leave me quite suspicious. However, on the off chance you are a human, a userspace daemon sounds really interesting and was not the direction I was intending on taking. Doing so would make the stack far more maintainable in the long run but would still not solve a double nat.

...users blame GrapheneOS for “broken calling,” not the underlying complexity.

I believe a feature like this, whether hardcoded into the stack through a patchset or with a userspace network picker, should be hidden in developer options and certainly not user-facing unless extensive testing has been done.

Thanks for answering my question regardless.

When I get around to experimenting with aosp I my first attempt will be writing a patch for wifi calling over ethernet, I just noticed today that surprisingly it also does not work. A more maintainable iteration would be a second modular file which simply probes which interface is currently active and a small function call inside iwlandataservice to grab that info to entirely rebasing a couple hundred line changes every couple months.

If anyone makes any progress on this before I get the chance, please let me know