So I bought a Lenovo Smart Clock, and I did the experiment as described here.
Everything is working as expected, except one little big detail.
I managed to install custom apps.
As described in the video, as this is a hack, I want to block the internet access on this device.
I have managed to do this by blocking it in my router.
But as it is well known, when android devices cannot reach internet (when they can’t reach http://connectivitycheck.gstatic.com ), they present some weird behaviour.
In this device’s case, it displays the “no internet connection” despite being connected to my wifi and it also creates an open, unencrypted hotspot.
Both annoying and undesirable behaviour.
You can see this well described in the same video, from 38:06.
Cameron also presents a solution: keep it blocked off the internet AND use HAProxy to redirect this ping/keepalive test.
I have a homelab PC that I can use for this.
Through my research, and as I already had Proxmox and Pi-Hole installed, I started by redirecting the DNS in my Pi-Hole (it is my local DNS Server) to a simple HTTP server, to try to answer the 204.
But I got some weird behavior, captive portal like, whenever every device tried to connect to wifi.
And it didn’t solve my problem.
I installed a CentOS VM in Proxmox, so I installed HAProxy and created the configuration file as you can see in the video, at 44:36.
You can clearly see the text file.
I copied and pasted and it still doesn’t work.
In /etc/haproxy/haproxy.cfg this is what I inserted:
global
daemon
maxconn 1024
defaults
log global
mode tcp
timeout connect 5s
timeout client 10s
timeout server 10s
I am sorry, it lost the indentation but I don’t know how to put it.
To sum it up:
-I have some intermediate network knowledge.
-I am completely comfortable with installing VMs, LXCs, docker containers, installing software, etc, you name it. From a resource point of view, I would prefer the solution in LXC or docker, and the VM being the latest.
-I am a complete newbie in HAProxy and the concept of proxies in general, but I am willing to read, learn and test things out. I acknowledge there are some basic concepts of HAProxy I don’t know, but I don’t know where to start.
-I want the device to have LAN access, NO internet access and to be fooled into thinking it has internet access.
What I would really need was some kind of guide or tutorial so I can follow, test and troubleshoot.
And in the way, learn by doing things.
TLDR: How can I pass the http://connectivitycheck.gstatic.com to a device in my LAN without internet access, so it is fooled into thinking it has internet access?
Thank you very much everyone for your help in advance.
Can please SOMEONE HELP ME?
Hello and thank you for your answer!
I will try this tomorrow as right now I don’t have access to the systems.
In the meantime, do you think it is feasible for HAProxy to pass the request and the response from connectivitycheck.gstatic.com?
Because I read it might not be possible in the SSL version because it is an encrypted communication.
Is it possible to just pass back and forth the information?
Well, my server is down at the moment (…)
One more problem to solve…
But what I recall from my setup is this:
192.168.10.200 CentOS instance running HAProxy - fixed IP
192.168.10.91 Pi-Hole, Local DNS server - fixed IP
192.168.10.235 Lenovo Smart Clock - fixed IP
192.168.10.249 Internet router and DHCP provider (when applicable)
The HAProxy service is running, I think the command I issued was systemctl status haproxy or something.
It was green and running.
When I change the config, I stop and start the service, or whenever I am frustrated, I reboot the CentOS to make sure the new config is applied.
In my pi-hole instance, in DNS server, I assigned the connectivitycheck.gstatic.com
to
192.168.10.200
So when I ping connectivitycheck.gstatic.com from a node in the network (for example another PC), I get ping to 192.168.10.200 so I guess it is OK.
I installed WebMin in my CentOS, and when I open the browser in the clock, and open https://connectivitycheck.gstatic.com:10000
I get the WebMin landing page, so the DNS resolution is working for the clock.
Question 1:
From what I understood from the video, this is the way I should do it: “fool” the clock with DNS to think the google server is in fact my CentOS HAProxy machine, right?
It should work this way?
Or have I misunderstood and it is meant to be done some other way I didn’t understand?
I edited the HAproxy config file (in /etc/haproxy/haproxy.cfg) as you told, right now is:
Right, however the centos haproxy needs to be able to look up the actual IP address of the Google server, otherwise it will point to itself and it will never work.
So make a ping from the haproxy centos machine to connectivitycheck.gstatic.com and make sure it goes to Google, not itself.
Yes.
No.
Use haproxy logs:
Use curl -vv both on haproxy centos box (not redirected) and other machines (redirected), check what happens in both situations and also check haproxy logs.
Can I ask if you could make this working? I got a very similar setup (lenovo smart clock, proxmox server, new to haproxy) and would like to block the clock partly.
With my current setup I let pass the pings to google’s servers, but this is not ideal.
Moreover, it does not work properly because from time to time (or maybe only after reboot) I need to grant unlimited access to the internet once to make the clock work.
If you have a solution for this I am very grateful if you could share it!
First of all, I am sorry for just returning to this now, unfortunately I have bigger problems related to the server itself to solve, before this.
But thanks to @dierochade post, I came back.
OMG I had to google to find out how to quote
I am getting old for this s…
This error of mine is stupid… how didn’t I remember this?
Before changing anything because of your suggestion
Now it is working, thank you for highlighting this obvious mistake…
After this step, when I have local access to the clock (right now I don’t) I will try to continue the process.
Thank you once again!
Can you please give an example? I am not understanding the idea/usage.
Hello and thank you for your post, it revived the thread and the action needed.
But as I just posted above, @lukastribus has just helped me pass this step where I was stuck, so ATM it is not working.
I will update the thread when I revive the subject locally.
[root@localhost haproxy]# ping connectivitycheck.gstatic.com
PING connectivitycheck.gstatic.com (216.58.209.67) 56(84) bytes of data.
64 bytes from waw02s06-in-f67.1e100.net (216.58.209.67): icmp_seq=1 ttl=59 time=29.1 ms
If I ping from a DHCP VM (in this case a windows machine)
C:\Users\windows>ping connectivitycheck.gstatic.com
Pinging connectivitycheck.gstatic.com [192.168.10.244] with 32 bytes of data:
Reply from 192.168.10.244: bytes=32 time<1ms TTL=64
As the clock will be served via DHCP, it will see the same.
So here, regarding DNS, everything is OK!
Right now I don’t have physical access to the clock, later I will.
Is it supposed now to work?
I also read on a youtube comment, that the user only got it to work by installing a ntp server.
Should I install ntp server on rocky linux or pihole or something?
Does it make sense?
Let’s get back to what you @lukastribus suggested:
a) rocky linux (haproxy)
[root@localhost haproxy]# curl -vv "http://connectivitycheck.gstatic.com/generate_204"
* Trying 142.250.200.67:80...
* Connected to connectivitycheck.gstatic.com (142.250.200.67) port 80 (#0)
> GET /generate_204 HTTP/1.1
> Host: connectivitycheck.gstatic.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Content-Length: 0
< Cross-Origin-Resource-Policy: cross-origin
< Date: Fri, 28 Mar 2025 16:30:42 GMT
<
* Connection #0 to host connectivitycheck.gstatic.com left intact
b) windows vm
C:\Users\windows>curl -vv connectivitycheck.gstatic.com
* Host connectivitycheck.gstatic.com:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.10.244
* Trying 192.168.10.244:80...
* connect to 192.168.10.244 port 80 from 0.0.0.0 port 56942 failed: Timed out
* Failed to connect to connectivitycheck.gstatic.com port 80 after 21084 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to connectivitycheck.gstatic.com port 80 after 21084 ms: Could not connect to server
Now we are getting to something.
Clearly something is wrong.
Maybe some firewall config?
I forgot to start the service… DUH
Well of course I need to enable and start this…
Restarted Rocky Linux, now the output from windows VM is different.
C:\Users\windows>curl -vv connectivitycheck.gstatic.com
* Host connectivitycheck.gstatic.com:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.10.244
* Trying 192.168.10.244:80...
* connect to 192.168.10.244 port 80 from 0.0.0.0 port 56972 failed: Timed out
* Failed to connect to connectivitycheck.gstatic.com port 80 after 21057 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to connectivitycheck.gstatic.com port 80 after 21057 ms: Could not connect to server
C:\Users\windows>curl -vv connectivitycheck.gstatic.com
* Host connectivitycheck.gstatic.com:80 was resolved.
* IPv6: (none)
* IPv4: 216.58.209.67
* Trying 216.58.209.67:80...
* Connected to connectivitycheck.gstatic.com (216.58.209.67) port 80
> GET / HTTP/1.1
> Host: connectivitycheck.gstatic.com
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 404 Not Found
< Cross-Origin-Resource-Policy: cross-origin
< Content-Type: text/html; charset=UTF-8
< X-Content-Type-Options: nosniff
< Date: Fri, 28 Mar 2025 16:42:04 GMT
< Server: sffe
< Content-Length: 1561
< X-XSS-Protection: 0
<
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 404 (Not Found)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>404.</b> <ins>That’s an error.</ins>
<p>The requested URL <code>/</code> was not found on this server. <ins>That’s all we know.</ins>
* Connection #0 to host connectivitycheck.gstatic.com left intact
C:\Users\windows>
Well I see a 404, weird.
Well now I see, the URL I used on windows VM is not the same you mentioned, to trigger the 204…
Let’s use the right one…
C:\Users\windows>curl -vv "http://connectivitycheck.gstatic.com/generate_204"
* Host connectivitycheck.gstatic.com:80 was resolved.
* IPv6: (none)
* IPv4: 216.58.209.67
* Trying 216.58.209.67:80...
* Connected to connectivitycheck.gstatic.com (216.58.209.67) port 80
> GET /generate_204 HTTP/1.1
> Host: connectivitycheck.gstatic.com
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 204 No Content
< Content-Length: 0
< Cross-Origin-Resource-Policy: cross-origin
< Date: Fri, 28 Mar 2025 16:48:02 GMT
<
* Connection #0 to host connectivitycheck.gstatic.com left intact
It answers a 204!!!
It seems now it will work!
Now I am with hope, let’s try later when I have the clock.
You can clearly see by the IP address that actually haproxy is bypassed and the curl call goes directly to google, so it’s not a surprise that it would generate the 204.
You need to configure DNS in a way that makes connectivitycheck.gstatic.com point to 192.168.10.244 always.
Perhaps you set 2 different servers one private one public. That will not work. All the DNS servers configured on your clients need to make connectivitycheck.gstatic.com local.
There is still a chance the router propagates the external DNS, but I will block internet access for the clock, so it will never manage to connect to an external IP external DNS server.
But for testing purposes, I continue the test.
After changing, it gives this error
C:\Users\windows>curl -vv "http://connectivitycheck.gstatic.com/generate_204"
* Host connectivitycheck.gstatic.com:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.10.244
* Trying 192.168.10.244:80...
* connect to 192.168.10.244 port 80 from 0.0.0.0 port 57187 failed: Timed out
* Failed to connect to connectivitycheck.gstatic.com port 80 after 21078 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to connectivitycheck.gstatic.com port 80 after 21078 ms: Could not connect to server
So it is in fact not working.
Ideas?
Firewall something?
Can you help please?
<BLA BLA BLA>
Enable port 80 through the firewall:
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --reload
<BLA BLA BLA>
Hmm, they are suggesting to open the 80 port, the one this solution also uses.
It is a good candidate for a copy and paste command.
I ran both on Rocky Linux.
Now on windows VM:
C:\Users\windows>curl -vv "http://connectivitycheck.gstatic.com/generate_204"
* Host connectivitycheck.gstatic.com:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.10.244
* Trying 192.168.10.244:80...
* Connected to connectivitycheck.gstatic.com (192.168.10.244) port 80
> GET /generate_204 HTTP/1.1
> Host: connectivitycheck.gstatic.com
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 204 No Content
< Content-Length: 0
< Cross-Origin-Resource-Policy: cross-origin
< Date: Fri, 28 Mar 2025 17:41:43 GMT
<
* Connection #0 to host connectivitycheck.gstatic.com left intact
Now it seems it is forwarding the request right?
Because before it said
* Connected to connectivitycheck.gstatic.com (**216.58.209.67**) port 80
and now it says
* Connected to connectivitycheck.gstatic.com (**192.168.10.244**) port 80
Well I tried in the clock now, and despite opening just one page, the connectivitycheck.gstatic.com on the browser, it still detects no internet.
As I said before, one user mentioned it needed “a local ntp server”.
If I go to the options of the clock, I can only choose either network time or not.
I assume using the network option, as it can’t find a NTP server, continues to detect no internet.
I already have running a NTP server on my NAS, any idea how to tell it to the clock?
Or any other idea to solve this?
Another step?
Well, now that you confirm it is working as it should (HAProxy related), I have to thank you very much for all your assistance through these almost 2 years.
I will try to debug the problem in other place, possibly the XDA thread.
Using Google search, the first domain seems a tracking user service.
The second, I assume is Google play related.
I don’t have a certain explanation for the plex domains. Maybe I tried to open them in the browser.
The statsig, I am not sure.
But it appears a NTP domain, this might be the way.
Do you think that just pointing this domain to my local NTP server might do the trick?
Or do you think I should do something through HA Proxy, similar to the other domain, of letting the traffic pass by? If so, can you help on the changes on the config file?
Thank you!
EDIT: Alternatively, it might be interesting to configure HAProxy as a full proxy, for all traffic for this node. And I would allow only the traffic to the allowed domains, what do you think? Can you assist me on that? Thank you once again.
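The diagnosis used earlier in the thread (reading the address curl actually connected to, not just the status code) can be automated. The following is an added example, not code from any poster or from the video: it classifies a `curl -vv` transcript as bypassing the proxy, blocked before reaching it, or proxied. The function name and result labels are hypothetical; the sample traces are abbreviated from the transcripts posted above.

```python
import ipaddress
import re

PROXY_IP = "192.168.10.244"  # HAProxy address as shown in the thread's later transcripts

# Sample inputs, abbreviated from the curl transcripts posted in the thread.
TRACE_DIRECT = """\
* IPv4: 216.58.209.67
* Trying 216.58.209.67:80...
* Connected to connectivitycheck.gstatic.com (216.58.209.67) port 80
> GET /generate_204 HTTP/1.1
< HTTP/1.1 204 No Content
"""
TRACE_TIMEOUT = """\
* IPv4: 192.168.10.244
* Trying 192.168.10.244:80...
* connect to 192.168.10.244 port 80 from 0.0.0.0 port 57187 failed: Timed out
"""
TRACE_PROXIED = """\
* IPv4: 192.168.10.244
* Trying 192.168.10.244:80...
* Connected to connectivitycheck.gstatic.com (192.168.10.244) port 80
> GET /generate_204 HTTP/1.1
< HTTP/1.1 204 No Content
"""

def classify_curl_trace(trace, proxy_ip=PROXY_IP):
    """Say where the request went; a 204 alone proves nothing about the proxy."""
    tried = re.findall(r"^\*\s+Trying ([\d.]+):\d+", trace, re.M)
    if not tried:
        return "no-connect-attempt"      # DNS failure or truncated trace
    target = tried[-1]                   # last address curl attempted
    if target != proxy_ip:
        if ipaddress.ip_address(target).is_private:
            return "wrong-local-target"  # DNS override points at another LAN host
        return "bypassed-proxy"          # client still resolves the public address
    connected = re.search(
        r"^\* Connected to \S+ \(" + re.escape(proxy_ip) + r"\)", trace, re.M)
    if connected is None:
        return "proxy-unreachable"       # e.g. service stopped or port 80 filtered
    status = re.search(r"^< HTTP/[\d.]+ (\d{3})", trace, re.M)
    if status is None:
        return "no-http-response"
    code = status.group(1)
    return "proxied-204" if code == "204" else "proxied-status-" + code

if __name__ == "__main__":
    for name in ("TRACE_DIRECT", "TRACE_TIMEOUT", "TRACE_PROXIED"):
        print(name, "->", classify_curl_trace(globals()[name]))
```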