Wifi "connected, but no internet" on Android N 7.1 #761

Closed
T-vK opened this issue Oct 31, 2017 · 13 comments
@T-vK

T-vK commented Oct 31, 2017

As a follow-up to #618 I did some digging and it looks like captive_portal_detection_enabled is deprecated: https://github.com/aosp-mirror/platform_frameworks_base/blob/master/core/java/android/provider/Settings.java

I would like to share some things that I changed in order to stay connected to WiFi networks, getting rid of the exclamation mark on the WiFi icon and the "no Internet" message, without allowing specific (system) apps to access the Internet. I also changed some settings to get rid of potential Google home-phoning.

For the following steps you need root access:
Install a terminal emulator such as Termux and enter su to get into a root shell.
Alternatively, you can do this using adb. (If you have adb set up, you can run adb shell and then su to get into a root shell. To get adb to work you'll need to enable USB debugging and potentially install drivers and other things on your computer. Search the Internet for a tutorial.)

  • Run settings put global captive_portal_mode 0
  • Run settings put global captive_portal_detection_enabled 0 (deprecated, but can't hurt)
  • Run settings put global wifi_watchdog_on 0
  • Run settings put global wifi_watchdog_background_check_enabled 0 (deprecated, but can't hurt)
  • I also uninstalled WiFi Privacy Police (it caused massive WiFi drop problems on my Android 7.1 device)

For me this is also a privacy concern and as a second layer of security I replaced the google servers with my own server.

  • Run settings put global captive_portal_server example.com
  • Run settings put global captive_portal_https_server "https://example.com"
  • Run settings put global captive_portal_http_server "http://example.com"

(Technically the server that you enter would have to respond with a 204 status code to HTTP requests. But since we have disabled captive portal detection it doesn't really matter.)

You can now confirm your changes by checking if the output of the following commands matches:

  • Run settings get global captive_portal_mode (should show 0)
  • Run settings get global captive_portal_detection_enabled (should show 0)
  • Run settings get global wifi_watchdog_on (should show 0)
  • Run settings get global wifi_watchdog_background_check_enabled (should show 0)
  • Run settings get global captive_portal_server (should show example.com)
  • Run settings get global captive_portal_https_server (should show https://example.com)
  • Run settings get global captive_portal_http_server (should show http://example.com)

More information:

wifi_watchdog_background_check_enabled

Whether the Wi-Fi watchdog is enabled for background checking even
after it thinks the user has connected to a good access point.
(deprecated)

wifi_watchdog_on

This is the replacement for the deprecated wifi_watchdog_background_check_enabled

captive_portal_detection_enabled

This setting can be used to turn off captive portal detection.
(deprecated)

captive_portal_mode

The replacement for the deprecated captive_portal_detection_enabled.
0 = CAPTIVE_PORTAL_MODE_IGNORE
(Don't attempt to detect captive portals.)
1 = CAPTIVE_PORTAL_MODE_PROMPT
(When detecting a captive portal, display a notification that prompts the user to sign in.)
2 = CAPTIVE_PORTAL_MODE_AVOID
(When detecting a captive portal, immediately disconnect from the network and do not reconnect to that network in the future.)

captive_portal_server

The server used for captive portal detection upon a new connection. A 204 response code from the server is used for validation.

captive_portal_https_server

The URL used for HTTPS captive portal detection upon a new connection. A 204 response code from the server is used for validation.

captive_portal_http_server

The URL used for HTTP captive portal detection upon a new connection. A 204 response code from the server is used for validation.

Some info about my device and software:

Device: Nvidia Shield Tablet (2014 LTE version)
ROM: Lineage 14.1 (Android 7.1.2)
AFWall+ 2.9.6.1 with license
Xposed v88.1-sdk25 with AFWall+ fix enabled
No system apps/components besides my browser are allowed to connect to the Internet in AFWall+.

I hope this information is useful to some people. It would be nice if someone would take the time to add this information to a wiki page, readme or so where people would actually be more likely to find it.
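
An added example (not part of the original post or of AFWall+): a shell function that checks the seven values from the verification list above in one pass, reading the `key=value` lines that `settings list global` prints. The sample dump and the `portal.invalid` host are constructed; a key that is missing from the device, as reported for MIUI later in this thread, shows up as UNSET.

```shell
#!/bin/sh
# Expected values from the post (example.com is the post's placeholder host).
EXPECTED='captive_portal_mode=0
captive_portal_detection_enabled=0
wifi_watchdog_on=0
wifi_watchdog_background_check_enabled=0
captive_portal_server=example.com
captive_portal_https_server=https://example.com
captive_portal_http_server=http://example.com'

# audit_settings: read "key=value" lines on stdin and print one line per
# expected key: "OK <key>", "MISMATCH <key> got=.. want=..", or "UNSET <key>".
# Returns 0 only if every expected key is present with the expected value.
audit_settings() {
    dump=$(cat)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Match the exact key name; keep the last occurrence if repeated.
        line=$(printf '%s\n' "$dump" | grep "^${key}=" | tail -n 1)
        if [ -z "$line" ]; then
            echo "UNSET $key"; rc=1
        elif [ "${line#*=}" = "$want" ]; then
            echo "OK $key"
        else
            echo "MISMATCH $key got=${line#*=} want=$want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample dump: captive_portal_mode is absent and the HTTP probe
# URL still points somewhere else.
sample_dump() {
    cat <<'EOF'
airplane_mode_on=0
captive_portal_detection_enabled=0
wifi_watchdog_on=0
wifi_watchdog_background_check_enabled=0
captive_portal_server=example.com
captive_portal_https_server=https://example.com
captive_portal_http_server=http://portal.invalid/generate_204
EOF
}

sample_dump | audit_settings || echo "settings differ from the post"
```

On a device, run `settings list global | audit_settings` from the root shell instead of using the sample.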

@ukanth
Owner

ukanth commented Oct 31, 2017

Thanks for the details. You can find it under FAQ (https://github.com/ukanth/afwall/wiki/FAQ#61-what-is-androids-captive-portal-check).

@ukanth ukanth added the General label Oct 31, 2017
@ukanth ukanth closed this as completed Oct 31, 2017
@paulrobben

Hey, could you please tell me which specific system app I have to whitelist to make the Captive Portal test work again? I'm planning to use it over httpstat.us/204

@T-vK
Author

T-vK commented Mar 21, 2019

I can't remember. I think I recall (kernel) - Linux kernel was the one, but I could be wrong. Maybe CaptivePortalLogin. And if you want it to talk to httpstat.us/204 instead of the google server, you obviously have to change the settings accordingly...

@paulrobben

Thanks a lot for your help. On my device (OnePlus 3 with Lineage OS 16 (= Android Pie)) it turned out to be an app with UID 1000, which has some names bundled: "OneplusPocketMode, Android System,[...] Call Management, Settings [...]". I turned on the log feature and tried connecting to a WiFi. Several services tried connecting; one called Android System in the log screen with UID 1000 turned out to be it. I had to whitelist neither the Linux Kernel nor the CaptivePortalLogin. My conclusion is that the CaptivePortalLogin is an app that lets you deal with a Captive Portal once detected and doesn't have anything to do with the test itself. It works perfectly now even with httpstat.us/204.

@zoj613

zoj613 commented Mar 28, 2019

Thanks a lot for your help. On my device (OnePlus 3 with Lineage OS 16 (= Android Pie)) it turned out to be an app with UID 1000, which has some names bundled: "OneplusPocketMode, Android System,[...] Call Management, Settings [...]". I turned on the log feature and tried connecting to a WiFi. Several services tried connecting; one called Android System in the log screen with UID 1000 turned out to be it. I had to whitelist neither the Linux Kernel nor the CaptivePortalLogin. My conclusion is that the CaptivePortalLogin is an app that lets you deal with a Captive Portal once detected and doesn't have anything to do with the test itself. It works perfectly now even with httpstat.us/204.

This helped solve the issue for me on Stock Android Pie. Thanks

@doodhout

doodhout commented Apr 16, 2019

None of the setting keys (e.g. captive_portal_mode, wifi_watchdog_on) mentioned by OP are present in MIUI 10 based on Android 9 (Pie).

What to do in such a case? I figure I can just add the keys, but as MIUI would be using other ways to get the same functionality, it would be useless.

@paulrobben

Maybe try turning the log feature of AFWall on. Then try to connect to a WiFi network and look at which apps tried to connect to the internet.

@doodhout

I already whitelisted the process with UID=1000 to give synchronising apps access to the internet, but I want to switch to this method instead where the synchronisation is dependent on there being access to the internet (or not if this functionality is disabled thus bypassed).

So synchronisation is working, but I want to have it working without the process with UID=1000 having access to the internet, using this settings trickery instead. I don't know how to though, since those settings keys aren't available on my phone.

@zoj613

zoj613 commented Apr 18, 2019

@doodhout you could use the SyncOnWifi app found in F-droid for that.

@doodhout

@zoj613 thanks, but I want synchronisation to always work without giving process(UID=1000) access to the internet. Currently it only works if I give that process access to the internet, but by disabling the mechanism that checks for internet connectivity, it shouldn't be necessary anyway. To disable, I need access to those settings keys but they aren't there on my phone, unfortunately.

@Bamfax

Bamfax commented Apr 3, 2020

To chime in with @doodhout and others above, as my android (oreo custom rom on galaxy s8) is also still doing the wlan internet quality check despite all the above settings being persisted. Allowing full access for uid 1000 allows successful completion of the check.
Looking into it, this issue seems to be with my specific android rom: Despite the above settings being active it continues to run the captive portal checks:

  • A http port 80 connection to 172.217.16.163 (1e100.net, google), "GET /generate_204"
  • and a similar https connection to a different 1e100.net server

So the above is correct as is, some roms just seem to ignore these settings.

Double-checking on a different device and a different ROM (OnePlus 7, /e/ e-0.7-p-2020030644075-dev), the settings work fine as described.

@doodhout

doodhout commented Jul 3, 2020

I worked around the need to enable access for UID=1000 by following this fix: #867

Essentially you just put this in a custom script (inside AFWall): $IPTABLES -A "afwall" -p udp --dport 53 -j ACCEPT

Now I have proper access to the internet and UID=1000 is still blacklisted. I am happy. Running LOS (Android 9/Pie) btw.

@TheGlitchedMan

Thanks, fixed my problem.
