23Sha-ger this sounds like a great plan. Thanks! Yeah there’s no way to circumvent a hotspot vpn.

    9s21tpfl voice over WiFi doesn’t use the vpn but a separate VoIP app does? Am I understanding you right?

    Correct

    Solved. Transferring my current number to a graphene phone. Buying a burner WiFi hotspot with a vpn to do calls and sms over WiFi when I don’t want my location tracked.

    9s21tpfl

    If you are in US/CA you can port your existing phone number to a VOIP service like jmp.chat:
    https://jmp.chat/faq#existing

    Then you can have your old phone number and access it using a VOIP app, with SMS/MMS support.

    I'm pretty sure other countries have similar services, but with jmp.chat you can pay with crypto which
    is a plus. I don't use my above setup for privacy, but more for the convenience of travel while keeping
    my existing phone number without any roaming fees. Privacy is just a nice side-effect of this.
    This adds the little complexity of having an extra device 24/7 (the hotspot) but I don't really see it
    as a big issue, especially when you have the ability to connect multiple devices to it and never have to
    configure VPN clients on all of them, for stuff like smart-watches and other gadgets.

    23Sha-ger What anonymous data plan providers do you recommend?

    9s21tpfl In your original plan, why have a new number at all? Seems like porting a number to VoIP and a data-only hotspot would cover everything without requiring a SIM for the phone itself.

      sonicbackdrop 23Sha-ger What anonymous data plan providers do you recommend?

      You do realize it's a very country specific thing? There is no "1 size fits all" solution.
      If you don't care about the roaming prices, you could probably get one of those "Worldwide" sim cards,
      which charge you per MB.
      There are many providers who offer E-sims, but since we need a physical SIM for the hotspot, you are limited
      to either companies like KnowRoaming, or your local options which will be way cheaper.
      Most countries sell pre-activated SIM cards without documentation in mobile phone repair shops, you can then top-up the balance with cash or with a prepaid debit card.
      Imagine you are a tourist arriving in your country, what would you get? Same logic applies.

        23Sha-ger I guess my question was more meant to be what strategy or approach you use for data plans, which you provided. Thank you

          sonicbackdrop

          I don't have any specific approach, I just get the cheapest data-plan option available.
          Since I add a VPN on top of it anyway - at the hotspot side, I don't even care if the data-plan SIM would be associated with my identity, but if you plan on using it without a VPN - consider an anonymous prepaid plan when possible.
          Some countries only sell SIM cards at airports, and you need to provide a passport, which might be a deal breaker
          for some, but again, with a VPN, and using the plan just as a "pipe to the internet" - I don't see how it could
          compromise my threat model, which is pretty simple and not involving governments targeting me, nor doing
          anything illegal or shady.

          treequell

          Useful information. As far as I know, the only things on Android that bypass the VPN tunnel are:

          - VoWiFi traffic.
          - hotspot tethered devices.

          If you download an eSIM onto a GrapheneOS w/ a VPN installed, does the phone connect to Google's servers to download the eSIM through the VPN, or does it bypass the VPN, like VoWiFi?

          In general, what features on Android bypass VPNs?

          Thank you.

            233328 That's not correct for GrapheneOS which doesn't use the standard network time implementation. Please read https://grapheneos.org/faq#default-connections. We don't enable VPN bypass for our own secure network time implementation. NTP is UDP, which often won't work through a VPN service such as with one based on Tor which doesn't support UDP. Relatively accurate time is also needed for certificate verification including to connect to a VPN. Those 2 reasons are likely why they implement the bypass, but the UDP issue isn't applicable to the GrapheneOS HTTPS-based implementation of network time and inaccurate network time causing certificate validation failure is a common issue which should produce an understandable error already.

            Kerfluffle Please read https://grapheneos.org/faq#default-connections which covers all the default connections made by the OS. Out of those default connections, only connectivity checks bypass it since by design they need to do that to detect which networks are working and to detect and handle captive portals. When a captive portal is detected, the OS notifies about it and provides a WebView-based interface for handling it which bypasses the VPN. This allows handling a captive portal without disabling your VPN which is an important privacy feature.

            The section below covers some of the non-default connections including the carrier-related connections including for Wi-Fi calls/texts. Those Wi-Fi carrier connections use their own carrier VPN rather than the Owner user VPN.

            There's also of course the low-level network functionality including ARP, DHCP, etc. on the local network and DNS resolution for the VPN and connectivity checks.

            Kerfluffle

            If you download an eSIM onto a GrapheneOS w/ a VPN installed, does the phone connect to Google's servers to download the eSIM

            eSIMs don't have any inherent reliance on Google servers. eSIM activation also doesn't bypass the VPN.