Do Shizuku based firewalls make sense for stock Android

Recently I’ve discovered ShizuWall, and it’s essentially an app firewall that doesn’t use a VPN slot or root but Shizuku. On Android it still might get leaky, but this could mean using it alongside a standard VPN. Is this a viable option for those stuck on stock Android?

2 Likes

I read somewhere that some apps can still send data back over shared services, even if you use a firewall on Android. Someone who is actually knowledgeable should confirm whether I’m right or wrong though.

Why not use Rethink if you want a firewall alongside a VPN?

2 Likes

I find RethinkDNS more reliable. On my phone, sometimes Android kills Shizuku, so you know what would happen in this scenario.

With a system VPN solution like RDNS, you can enable “Always-on VPN” (something like that), so it works as some sort of “kill switch”, but I don’t know how reliable it is.

And on the other side, if the app gets compromised it may result in some serious consequences, since Shizuku can give access to very sensitive stuff, compared to RDNS, where you only have to grant VPN permissions and that’s it.

1 Like

AFAIK GrapheneOS is the only ROM that has fixed every DNS and IPv6 leak discovered by the GOS user ryrona, and it doesn’t support Shizuku, so the answer is no, as this firewall solution is flawed.

1 Like

I was thinking more of a use case where someone may want to use censorship-resistant tech for their VPN, like DAITA or Stealth Mode, which I believe is not possible through a simple WireGuard config.

1 Like

DAITA isn’t censorship-resistant. WireGuard is easily detectable, and DAITA works in-tunnel. It doesn’t contribute to censorship evasion. If anything, it makes it easier to detect VPN usage, as I discussed in other threads :smiley:

True. Despite what GrapheneOS devs like to claim, Android’s VPN configuration is flawed and just isn’t as flexible as desktop firewalls.

In censored countries, sing-box/xray-cored, Mullvad and IVPN clients are the only option, and they don’t provide the advanced yet graphically configurable filtering and monitoring of RethinkDNS. While it’s possible to achieve the same results with sing-box, it isn’t user-friendly. On desktop, with the flexibility of nftables I can do all sorts of stuff without sacrificing anything just because I need to use a “zero trust” VPN solution from time to time or route a specific app through hy2, and the list goes on and on… As you already know, on Android you’d have to give up a VPN slot and give up any LAN routing due to how flawed the kill switch is.

With that rambling in mind, I still think people should stick to GrapheneOS, as it’s the only mobile option that has strong guarantees against traffic leakage.

2 Likes

What do you want to achieve with the firewall?

Tbh I’m just trying to make the best out of a stock device. As much as I know GrapheneOS is best, being able to daily drive it in the way that is expected here is kinda hella privileged. I’m frustrated with the lack of a proper user-facing app firewall on phones in general. This isn’t just about security but usability too. Apps should not be consuming bandwidth if they don’t need to in the first place. And from a digital minimalism perspective, opening yourself to the entire internet prones you to compulsive internet use rather than intentional use.