Is there any means by which to use a general-purpose Tor Proxy over VPN on Android, GrapheneOS, & other AOSP-based mobile OSs?
Background:
As per the PG Tor Network blog post, PG recommends using Tor over a VPN:
If you have the ability to access a trusted VPN provider… you almost certainly should connect to Tor through a VPN… Because we already generally recommend that the vast majority of people use a trusted VPN provider for a variety of reasons, the following recommendation about connecting to Tor via a VPN likely applies to you
For more information on why this may be desirable, see Jonah’s video on Tor over VPN
Web Browsing: Not a Problem
The Tor Browser app is built with its own Tor proxy. Simply connect to your trusted VPN through the Android VPN slot, and Tor Browser will establish a Tor over VPN connection for that singular app
Other Web Services: Impossible?
Tools like Orbot or TorVPN (currently in beta) can establish a more general Tor proxy connection, and let you use Tor for non-browser web connections. However, they use AOSP’s singular VPN slot & don’t support a direct proxy from Wireguard, OpenVPN, or other VPN configurations
My research has turned up nothing. Is there any way to accomplish this?
1 Like
Is there any way to accomplish this? Yes, probably. Is there any good way I know of that I can suggest to you? Not really?
I’ve read about people achieving similar feats through a complicated setup on GrapheneOS using work profiles to run more than one “VPN” at a time, but this isn’t really the kind of thing you want to be creative with and I’d seriously advise against it.
Another possibility I can think of is to set up the VPN at the router level, but this has obvious limitations (and I’m still going to advise against it on the basis of my general “do not get creative with Tor” rule).
For me, I’d just use Orbot. You can use Orbot without taking up a VPN slot, though I don’t remember exactly how you enable it (since it is not enabled by default, if I remember correctly). As long as the app you want to use supports a SOCKS5 proxy (and ideally an option to strictly require using said proxy) this option should be fine. I’m still not going to outright suggest you do so, though, because I’m not 100% absolutely positively sure that the ordering works as expected.
2 Likes
This isn’t risky, nor is it exclusive to GOS. User profiles (& private spaces) are inherited from AOSP. They share a network access point, but by default do not share the VPN slot. You can force all traffic through Tor in one profile, and a VPN in another. Though this doesn’t advance the goal of chaining a VPN and Tor proxy together, as each profile is independent & still supports a singular VPN slot at the OS level
You are correct, this is a viable solution, but only for apps that allow user-defined SOCKS5 or HTTP(S) proxy (such as Signal/Molly & OSMAnd):
- Configure your preferred VPN in the Android VPN slot
- Enable Orbot ‘Power User Mode’; connect to Tor
- Configure the app to proxy network traffic to Orbot over SOCKS5/HTTP(S)
Now traffic from this app will route App → Orbot → system VPN => LAN/ISP → VPN Server → Tor → webserver. Unfortunately, most apps & OS system processes do not support a user-defined proxy in this manner
1 Like
Ummm nope, haven’t considered that, probably won’t, the VPN provider is posing no issue, PG’s recommendations are pretty solid.
Replacing the VPN with an alternative proxy won’t make any impact here, we still need a networking mechanism to route Android traffic through Tor over VPN (or Tor over whatever random VPN-esque proxy you choose)
1 Like
Update: I have found a workable solution!
Though each Android profile supports an independent, singular VPN, they share common access to the local loopback interface, aka localhost/127.0.0.1. We can use this to share network data between profiles over localhost - the same mechanism used by the Inter Profile Sharing App we’ve discussed here before
Requirements
- A secondary user profile: will operate as a proxy server. Must be configured to run in the background. I use a Private Space, but a full user profile should also suffice
- RethinkDNS: This tool will (1) use the Android VPN slot to force all network traffic through it, and (2) proxy network traffic to localhost over SOCKS5. Other viable proxy apps may exist, but I can only recommend RethinkDNS
- Orbot: the only app I’ve found that can (1) establish a Tor tunnel, & (2) receive data through a user-defined proxy, not depending on the Android VPN slot. Unfortunately, the upcoming TorVPN app does not presently meet this second requirement
- VPN App of your choice: No special requirements, refer to PG recommendations
Setup
1. Install Orbot & your VPN app into the secondary profile. You can remove them from your other profile, they will not be needed
2. Configure your VPN app as the system VPN in your secondary profile. Ensure it’s set to always on, and to block connections without VPN
3. Within Orbot, navigate to ‘More (…)’ → ‘Orbot Settings’ → ‘General’. Enable ‘Power User Mode’, ‘Start Orbot on Boot’, ‘Allow Background Starts’, and ‘Open Proxy on All Interfaces’.
4. Start Orbot. Under ‘More (…)’, you’ll see a SOCKS5 port number, likely 9050 unless you’re already running a conflicting service. Take note of this port #
5. Configure RethinkDNS as the system VPN in your main profile(s). Ensure it’s set to always on, and to block connections without VPN
6. Configure RethinkDNS DNS & firewall settings to your satisfaction. There’s admittedly a lot here. This is a pretty good guide; maybe @ignoramous has a better one
7. Within RethinkDNS, navigate to ‘Settings’ → ‘Proxy’ & enable SOCKS5. Use 127.0.0.1 for host, and your port number from step 4. Leave username & password blank
8. Within RethinkDNS, under ‘Configure’ → ‘Settings’, enable ‘Auto Start on Power Up’. This setting does not always work, you may occasionally still need to manually ‘Start’ RethinkDNS on
And, done! Your network pathway is now configured:
MainProfile(App Data ↔ RethinkDNS) ↔ [SOCKS5 over localhost] ↔ ProxyProfile(Orbot ↔ Tor Tunnel[ VPN App) ↔ VPN Tunnel{LAN ↔ ISP ↔ VPN Server} ↔ Tor Nodes] ↔ Webserver
Risk
Data sent over localhost is NOT exposed to the network. However, it IS exposed to all on-device services. This introduces a hypothetical privacy leak, where any spyware installed on the phone may be able to snoop - this has been observed before
The Inter Profile Sharing app mitigates this by establishing an AES-GCM encrypted tunnel between its instances. I have not found a means to implement any such secure tunnel between RethinkDNS & Orbot. You can add some protection by enforcing encrypted DNS & blocking comms over port 80 (HTTP) in RethinkDNS, though I’d like to see a more robust solution - RethinkDNS’s support for wireguard proxies may be an interesting path forward
4 Likes
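Both the per-app SOCKS5 setup from the earlier reply (App → Orbot → system VPN) and the cross-profile setup above hinge on the same thing: the client must hand Orbot a hostname over the loopback SOCKS5 port rather than resolving it itself, otherwise a DNS query escapes the Tor path. The following check is an added example, not code from this thread, Orbot or RethinkDNS; it implements the SOCKS5 CONNECT with the domain-name address type and, so it runs offline, drives it against a constructed stand-in listener that records which address type the client sent. The target hostname and the default port 9050 mentioned in step 4 are assumptions; against a live Orbot you would call socks5_connect(9050, host, port) directly.

```python
import socket
import threading

def _readn(sock, n):
    buf = b""
    while len(buf) < n:                              # recv() may return short reads
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("peer closed the SOCKS5 connection early")
        buf += chunk
    return buf

def socks5_connect(proxy_port, target_host, target_port, proxy_host="127.0.0.1"):
    """No-auth SOCKS5 CONNECT with the domain-name address type (ATYP 0x03), so the
    proxy (Orbot/Tor) resolves the name and the app never emits its own DNS query."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=5)
    s.sendall(b"\x05\x01\x00")                       # VER=5, one method: NO AUTH
    if _readn(s, 2) != b"\x05\x00":
        s.close(); raise ConnectionError("proxy refused the no-auth method")
    name = target_host.encode("idna")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + target_port.to_bytes(2, "big"))
    _, rep, _, atyp = _readn(s, 4)                   # VER, REP, RSV, ATYP
    if rep != 0:
        s.close(); raise ConnectionError(f"CONNECT rejected, REP={rep}")
    bound = _readn(s, 1)[0] if atyp == 3 else (16 if atyp == 4 else 4)
    _readn(s, bound + 2)                             # discard BND.ADDR + BND.PORT
    return s

def _mock_orbot_listener(started, seen):
    """Constructed offline stand-in for Orbot's loopback SOCKS5 port, not Orbot itself."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0)); srv.listen(1)
        seen["listen_port"] = srv.getsockname()[1]; started.set()
        conn, _ = srv.accept()
    with conn:
        _readn(conn, 3); conn.sendall(b"\x05\x00")   # accept NO AUTH
        atyp = seen["atyp"] = _readn(conn, 4)[3]
        if atyp == 3:                                # domain name: to be resolved inside Tor
            seen["target"] = _readn(conn, _readn(conn, 1)[0]).decode()
        else:                                        # raw IP: the app resolved it itself
            seen["target"] = _readn(conn, 16 if atyp == 4 else 4)
        _readn(conn, 2)                              # DST.PORT
        conn.sendall(b"\x05\x00\x00\x01" + bytes(6)) # REP=0 success, BND 0.0.0.0:0

def run_check(target="check.torproject.org", port=443):
    """Drive socks5_connect() through the mock and return what the proxy observed."""
    started, seen = threading.Event(), {}
    t = threading.Thread(target=_mock_orbot_listener, args=(started, seen), daemon=True)
    t.start(); started.wait(5)
    socks5_connect(seen["listen_port"], target, port).close()
    t.join(5)
    return seen
```

A result with atyp 3 and the hostname intact means the proxy, not the app, will do the lookup; an app that sends atyp 1 or 4 resolved the name outside the tunnel, which is the leak RethinkDNS's encrypted-DNS and firewall settings in step 6 are meant to contain.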
Very interesting setup, although I expect Tor to be too slow for most services besides browsing.
One thing I did not get, once the data goes to the secondary profile, is it going first through the VPN or Tor?
1 Like
For sure, this is a four-relay proxy, not ideal for low-latency applications. Use case is more aligned with background processes: system updates, remote provisioning, network timing, PSDS/SUPL location services, etc
Data will enter Tor first, when Orbot retrieves the SOCKS5 from localhost. Encrypted Tor data then passes through the VPN tunnel when leaving the device: Tor over VPN
2 Likes