unwat Only one connection should be made outside of the VPN,

The GrapheneOS endpoint to detect a captive portal?

    ve3jlg

    Yes, that's what I meant, but I was incorrect and forgot about the other stuff, like hotspot traffic, necessary pre-VPN connection traffic, and probably others I can't think of right now.

    Until OpenSource-Ghost shared what they know, I figured wifi calling would be tunneled through the user's VPN, but I was wrong. So, I did a search on Matrix and one of the devs said that wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.

      OpenSource-Ghost thanks for the helpful info. So if I now turn off WiFi calling, will my WiFi provider be able to see my mobile phone network?
      Or will my mobile network now be able to see my WiFi network?

        spiral

        Each carrier has its own and viewing Pi Hole log should make it obvious. Usually, domain either includes carrier name, like T-Mobile...Store...something-something, or it includes ePDG...MNC...MCC. It should be easy to find and it would show up every 15 or 30 or 60 seconds. Even if blocked in Pi-Hole, an attacker would know that your phone is trying to resolve a WiFi calling domain every 15 or 30 or 60 seconds and use that for WiFi password cracking or interception (if WiFi password is known). If attacker knows your IMSI + carrier WiFi calling domains + manages to crack WiFi password, then attacker can impersonate you.
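The periodic ePDG lookups described above can be picked out of a Pi-hole log directly. The following is an added example, not code from the post or from GrapheneOS or Pi-hole: it parses dnsmasq-style query lines (a constructed sample; the exact spacing of a real `pihole.log` may differ), matches the 3GPP TS 23.003 ePDG name layout `epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org` (the MCC/MNC digits in the sample are made up), and reports per client the carrier codes revealed plus the median gap between lookups. It counts the `query[...]` lines regardless of whether Pi-hole answered or blocked them, which is the point made above: blocking the name does not stop the leak on the LAN. Carrier-name-style domains (the "T-Mobile...something" form) are not matched by this regex.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the dnsmasq/Pi-hole "pihole.log" shape (assumed format).
# The ePDG FQDN follows 3GPP TS 23.003; the mcc/mnc values are invented.
SAMPLE_LOG = """\
Jan 14 10:00:01 dnsmasq[1234]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
Jan 14 10:00:01 dnsmasq[1234]: config epdg.epc.mnc260.mcc310.pub.3gppnetwork.org is 0.0.0.0
Jan 14 10:00:05 dnsmasq[1234]: query[A] example.org from 192.168.1.50
Jan 14 10:00:31 dnsmasq[1234]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
Jan 14 10:00:40 dnsmasq[1234]: query[A] www.example.net from 192.168.1.77
Jan 14 10:01:01 dnsmasq[1234]: query[AAAA] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
Jan 14 10:01:31 dnsmasq[1234]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
"""

# One dnsmasq query line: syslog timestamp, process, query type, name, client.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# ePDG discovery FQDN per 3GPP TS 23.003. The FQDN always carries a
# three-digit MNC (two-digit MNCs are zero-padded on the left).
EPDG_RE = re.compile(
    r"^epdg\.epc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.pub\.3gppnetwork\.org$",
    re.IGNORECASE,
)


def parse_queries(log_text):
    """Return [(timestamp, name, client)] for every query line; skip answers/config lines."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        # Syslog stamps have no year; strptime defaults to 1900, which is fine
        # for computing intervals within one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        out.append((ts, m["name"].lower(), m["client"]))
    return out


def find_epdg_lookups(log_text):
    """Per client: carrier MCC/MNC leaked by ePDG lookups, lookup count, median period in seconds."""
    hits = defaultdict(list)  # client -> [(ts, mcc, mnc)]
    for ts, name, client in parse_queries(log_text):
        m = EPDG_RE.match(name)
        if m:
            hits[client].append((ts, m["mcc"], m["mnc"]))

    report = {}
    for client, rows in hits.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        report[client] = {
            "mcc": rows[0][1],
            "mnc": rows[0][2],
            "count": len(rows),
            # None when there is only a single lookup and no period can be derived.
            "median_interval_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for client, info in find_epdg_lookups(SAMPLE_LOG).items():
        print(f"{client}: MCC {info['mcc']} MNC {info['mnc']}, "
              f"{info['count']} ePDG lookups, median interval {info['median_interval_s']}s")
```

Run against a real `/var/log/pihole.log` by replacing `SAMPLE_LOG` with the file contents; a client that shows up with a steady 15, 30 or 60 second median interval is the phone doing ePDG discovery, and the MCC/MNC pair identifies its carrier to anyone who can see the DNS traffic.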

        L8437

        If WiFi calling is disabled, WiFi network provider would know that someone with a phone that uses whichever carrier WiFi calling domains (+ your carrier's MNC and MCC numbers) is using the network, but your carrier wouldn't receive any information.

        roddyd

        I prefer to disable WiFi calling and use WiFi only when in Airplane mode IF router for that WiFi network does not use VPN. If router has VPN (OpenVPN or WireGuard) installed, then WiFi calling is more secure. Otherwise I reduce attack surface by using carrier cellular connection for unencrypted phone calls and SMS.

        unwat

        That's not entirely true... If router itself uses OpenVPN or WireGuard VPN to connect all clients, then WiFi calling does go through those OpenVPN or WireGuard tunnels. Because that is the case, the issue is that Android simply isn't designed to tunnel WiFi calling through installed VPN apps; it can very much be tunneled.

        I'd be happy if GrapheneOS developers at least stop WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled. Domain name itself reveals MNC and MCC numbers for your carrier.

          OpenSource-Ghost

          Right. I was talking about VPNs on Android. If a router is set up to tunnel all traffic through a VPN, then it would be impossible for any device on that network to skip the VPN and connect directly.

          Maybe saying "user" and "telecom" traffic was what made what I said confusing. App traffic within a user profile goes through a VPN set up on the profile. Clearly wifi calling is a system thing, not a user thing.

            OpenSource-Ghost I think it would be overly complicated and require major code re-write, but you would be better off asking developers themselves, even though they'd likely respond with something like "out-of-scope".

            Why would they call this out of scope? It seems like this would be important to the goals of the project since it's leaking sensitive info.

            @OpenSource-Ghost Not clear why you're making unsubstantiated claims about what we consider in the scope of the project or not especially when we have already filed planned features about adding more toggles and potentially disabling the feature by default which has been worked on already.

              roddyd It's not a bug but rather is how Wi-Fi calling works, which is one reason why we're working on adding more toggles and potentially disabling it by default. If people want it to progress faster they should contribute.

              GrapheneOS

              The "out-of-scope" reference was in regard to forcing WiFi calling through user-installed VPN app tunnels like WireGuard or OpenVPN and/or forcing all cellular calls to use data plan to also have them be tunneled through VPN. Maybe I was wrong, but I thought either of the 2 features mentioned above would require major Android code re-write and would be out-of-scope for GrapheneOS...

              unwat Clearly wifi calling is a system thing, not a user thing.

              As stated, this makes the surprising behaviour quite clear. Thanks.

              There's a ton of recommendations here about disabling network access to apps to gain privacy.

              GrapheneOS is already modifying system level components. It would be ideal if they optionally allowed routing to be configured so ALL traffic had to go via the user VPN component (or firewall/adblocker). This would ensure there are no unforeseen leaks for those who care.

                ve3jlg

                I found it helpful to think of it like traditional networking.

                There is no Layer 3/4 firewall. You cannot block/allow by IP or TCP/UDP port.
                But there is Layer 2 port security. Users can entirely disable/enable networking for individual apps. Like controlling physical ports on a 48 port switch, where every app gets a port.
                The user has control over the "user switch", but there is also a core switch upstream that users cannot control. Telecom services such as tethered devices and wifi calling use this backend network equipment.

                  Graphite This is an interesting analogy.

                  But if I were to extend, I'd say the current situation is sort of like a managed ethernet switch requiring access to someone elses computer to configure traffic management i.e. VLANs, or not even going that far, pinging home.

                  Hmm. Actually it is worse than that I think. If an ethernet switch on my LAN is snitchy I can easily block its outbound traffic at L2 or L3. Because my phone is on someone else's cellular network some of the time I cannot block that traffic except in the phone's network stack or at the other end of a VPN I control.

                  Gee, are you saying that tethered devices also do not get routed via an on-phone VPN?

                    ve3jlg are you saying that tethered devices also do not get routed via an on-phone VPN?

                    Yes. It's a feature I really want. But carriers fought that fight and won a long time ago. They wanted people to pay extra for every Mbyte of tethered data, as if tethering was a feature offered by the carrier.

                      Graphite I've always wondered why tethering didn't go through a VPN. So it was a feature purposely made separate due to the billing?
                      See I used to try to turn on hotspot and the network would see it as tethering. So I used to put the SIM card in a WiFi router and then it thought it was a phone.

                      It would be so good to have all traffic go through a VPN