Orbot in proxy mode vs. Orbot in VPN mode

I can either use Orbot in proxy mode and enable “Use SOCKS proxy (port 9050)" and "Use .onion hosts” in SimpleX settings or use Orbot in VPN mode and enable the same settings in SimpleX.

Both ways do work, but which one is better?

1 Like

vpn connection should be more stable imo , but you will lose out a vpn slot due to it. Proxy mode should also work fine , you might have to just test it, if you are facing any issues with it. I don’t think there is much differences in the 2 methods than just the connection stability.

1 Like

VPN mode is more reliable if you want to prevent leak.

The downside is IPv6 is currently broken, but you can still route apps over the proxy to workaround while in this mode although it isn’t necessary.

But note some apps will make adjustments when set to Tor:

  • Conversations works fine over Orbot VPN, but choosing the Tor mode in C will disable A/V (wrongly imo) and also disable timezone sharing.
  • F-Droid will choose onion mirrors instead of clearnet ones only if the Tor mode is set

you can run orbot in whitelist mode. and only select those apps which you want to route through tor.
Proxy mode shouldn’t make leaks either as if you select proxy mode in simplex it should connect to internet only through the proxy and would throw connection error if for some reason proxy is unavailable.

1 Like

would throw connection error

that requires the app correctly handling it

1 Like

You need to disable “Block connections without VPN” for Orbot to work in whitelist mode. But InviZible Pro works with “Block connections without VPN” enabled, so I will probably use InviZible Pro.

in whitelist mode. But InviZible Pro works with “Block connections without VPN” enabled

As I’ve already stated in the other thread, this is a MASSIVE foot gun.

Why though?

If you enable “block connections without vpn” you won’t be able to use whitelist mode in any vpn app. Its an android os level restriction and won’t matter which app you try it from.

InviZible Pro is a commendable project, and it has a lot of features, but such projects may make very different choices to focused projects like Orbot. For example, take NetGuard which validates a given network by connecting to a third-party service (I won’t comment on InviZible as I am not super familiar with the codebase, but I do spot such “default choices” made for users already). Rethink DNS + Firewall, which I co-develop, also needs to do similar checks, btw; but it never does so without explicit user consent.

So, really, if the user has use for just Tor-as-proxy, they’re better off using just the specialized app for it in Orbot (in VPN mode, if possible).

If you want to use a phone that running via Tor, I would recommend to run Orbot as proxy + Rethink DNS as VPN. Configure Rethink DNS to use Orbot DNS and Orbot proxy. The bloatware apps, unecessary IP’s and domains can be blocked via Rethink DNS Firewall so you don’t need to worry about it.

I’m not affiliated with those projects, but its been tested and works without issue on my xiao and samy.

But if you are going todo silly things within the Tor networks, don’t use phones, its a bad opsec.

This combination are too good to be true.
@ignoramous you are doing a great work, keep it up !!!

1 Like

So I enabled “Advanced user mode” in Orbot’s settings, which basically switches from VPN mode to proxy mode.

I then enabled the “Use Tor” option in F-Droid’s settings and set the “Use .onion hosts” option to “required” in SimpleX’s settings.

Now F-Droid doesn’t work without Orbot, but when Orbot is present, it automatically starts Orbot and works as expected, which is great.

Meanwhile, with SimpleX, it doesn’t work without Orbot too, but it even doesn’t work when Orbot is present because it doesn’t automatically start Orbot like F-Droid, which is fine because I can make Orbot start on boot.
Note: Only message and file relays are connected via SOCKS proxy on SimpleX. Calls and sending link previews use direct connection.

Now correct me if I’m wrong, but that means that proxy mode is better for me because it doesn’t leak anyway, doesn’t take up my VPN slot, and IPv6 isn’t broken like with VPN mode (though I don’t know how important IPv6 is).

1 Like

Answering because I’ve heard this time and time again:


Mobile security is generally much better than desktop security. With certain setups, you can quite easily achieve a level of security/privacy/anonymity that are only rivaled by Tails, Whonix and Qubes, if that. That doesn’t mean everyone needs to always use phones, but acting as if they should for some reason be dismissed outright is unfounded. In the end it depends on what you need and whether that can be better delivered by mobile or desktop options, or both. Thinking about this with an open but critical mindset is the only path to good opsec that can be relied upon.

If you still disagree, I’d unironically really be interested in hearing your reasons. Why shouldn’t people use Tor, for example, on a new user profile on their Pixel with GrapheneOS? Wouldn’t that in some cases be better than any option available for desktop?

good for you if you didn’t understand what’s that mean, and I don’t want to explain.

Idk how many people would agree with this statement, but I totally disagree, you should understand how phone works before compare it with desktop, specially with one that runs QubesOS.

it depends on your threat model.

no one here said you shouldn’t, it’s fine to use Tor browser on phone or routes everything to Tor via Orbot, and again: