Private phone location?

9s21tpfl

treequell voice over WiFi doesn’t use the vpn but a separate VoIP app does? Am I understanding you right?

treequell

9s21tpfl voice over WiFi doesn’t use the vpn but a separate VoIP app does? Am I understanding you right?

Correct

23Sha-ger

treequell

I run the VPN client on the hotspot device itself (GL-iNet Mudi), forgot to mention it.
There is no way the phone can bypass the tunnel. This wouldn't work otherwise, since most carriers
have some sort of country based filtering at the IMS level, to prevent this little trick.

9s21tpfl

23Sha-ger this sounds like a great plan. Thanks! Yeah there’s no way to circumvent a hotspot vpn.

23Sha-ger

9s21tpfl

If you are in US/CA you can port your existing phone number to a VOIP service like jmp.chat:
https://jmp.chat/faq#existing

Then you can have your old phone number and access it using a VOIP app, with SMS/MMS support.

I'm pretty sure other countries have similar services, but with jmp.chat you can pay with crypto which
is a plus. I don't use my above setup for privacy, but more for the convenience of travel while keeping
my existing phone number without any roaming fees. Privacy is just a nice side-effect of this.
This adds the little complexity of having an extra device 24/7 (the hotspot) but I don't really see it
as a big issue, especially when you have to ability to connect multiple devices to it and never have to
configure VPN clients on all of them, for stuff like smart-watches and other gadgets.

9s21tpfl

Solved. Transferring my current number to a graphene phone. Buying a burner WiFi hotspot with a vpn to do calls and sms over WiFi when I don’t want my location tracked.

sonicbackdrop

23Sha-ger What anonymous data plan providers do you recommend?

9s21tpfl In your original plan, why have a new number at all? Seems like porting a number to VoIP and a data-only hotspot would cover everything without requiring a SIM for the phone itself.

23Sha-ger

sonicbackdrop 23Sha-ger What anonymous data plan providers do you recommend?

You do realize it's a very country specific thing? There is no "1 size fits all" solution.
If you don't care about the roaming prices, you could probably get one of those "Worldwide" sim cards,
which charge you per MB.
There are many providers who offer E-sims, but since we need a physical SIM for the hotspot, you are limited
to either companies like KnowRoaming, or your local options which will be way cheaper.
Most countries sell pre-activated SIM cards without documentation in mobile phone repair shops, you can then top-up the balance with cash or with a prepaid debit card.
Imagine you are a tourist arriving to your country, what would you get? Same logic applies.

sonicbackdrop

23Sha-ger I guess my question was more meant to be what strategy or approach you use for data plans, which you provided. Thank you

23Sha-ger

sonicbackdrop

I don't have any specific approach, I just get the cheapest data-plan option available.
Since I add a VPN on top of it anyway - at the hotspot side, I don't even care if the data-plan SIM would be associated with my identity, but if you plan using it without a VPN - consider an anonymous prepaid plan when possible.
Some countries only sell SIM cards at airports, and you need to provide a passport, which might be a deal breaker
for some, but again, with a VPN, and using the plan just as a "pipe to the internet" - I don't see how it could
compromise my threat model, which is pretty simple and not involving governments targeting me, nor doing
anything illegal or shady.

Kerfluffle

treequell

Useful information. As far as I know, the only things on Android that bypass the VPN tunnel are:

-VoWiFi traffic.
-hotspot tethered devices.

If you download an eSIM onto a GrapheneOS w/ a VPN installed, does the phone connect to Google's servers to download the eSIM through the VPN, or does it bypass the VPN, like VoWiFi?

In general, what features on Android bypass VPN's?

Thank you.

de0u

Kerfluffle I think connectivity checks also detour around the VPN?

233328

Kerfluffle As far as I know, the only things on Android that bypass the VPN tunnel are:

-VoWiFi traffic.
-hotspot tethered devices.

As de0u said, connectivity checks bypass the VPN. According to the following issue comment, NTP traffic also bypasses the VPN in some circumstances, but there's not much info on this. https://issuetracker.google.com/issues/249990229#comment4

GrapheneOS

Kerfluffle Please read https://grapheneos.org/faq#default-connections which covers all the default connections made by the OS. Out of those default connections, only connectivity checks bypass it since by design they need to do that to detect which networks are working and to detect and handle captive portals. When a captive portal is detected, the OS notifies about it and provides a WebView-based interface for handling it which bypasses the VPN. This allows handling a captive portal without disabling your VPN which is an important privacy feature.

The section below covers some of the non-default connections including the carrier-related connections including for Wi-Fi calls/texts. Those Wi-Fi carrier connections use their own carrier VPN rather than the Owner user VPN.

There's also of course the low-level network functionality including ARP, DHCP, etc. on the local network and DNS resolution for the VPN and connectivity checks.

GrapheneOS

Kerfluffle

If you download an eSIM onto a GrapheneOS w/ a VPN installed, does the phone connect to Google's servers to download the eSIM

eSIMs don't have any inherent reliance on Google servers. eSIM activation also doesn't bypass the VPN.

GrapheneOS

233328 That's not correct for GrapheneOS which doesn't use the standard network time implementation. Please read https://grapheneos.org/faq#default-connections. We don't enable VPN bypass for our own secure network time implementation. NTP is UDP, which often won't work through a VPN service such as with one based on Tor which doesn't support UDP. Relatively accurate time is also needed for certificate verification including to connect to a VPN. Those 2 reasons are likely why they implement the bypass, but the UDP issue isn't applicable to the GrapheneOS HTTPS-based implementation of network time and inaccurate network time causing certificate validation failure is a common issue which should produce an understandable error already.