Update: I have found a workable solution!
Though each Android profile supports an independent, singular VPN, they share common access to the local loopback interface, aka localhost/127.0.0.1. We can use this to share network data between profiles over localhost - the same mechanism used by the Inter Profile Sharing App we’ve discussed here before.
Requirements
- A secondary user profile: will operate as a proxy server. Must be configured to run in the background. I use a Private Space, but a full user profile should also suffice
- RethinkDNS: This tool will (1) use the Android VPN slot to force all network traffic through it, and (2) proxy network traffic to localhost over SOCKS5. Other viable proxy apps may exist, but I can only recommend RethinkDNS
- Orbot: the only app I've found that can (1) establish a Tor tunnel, & (2) receive data through a user-defined proxy, not depending on the Android VPN slot. Unfortunately, the upcoming TorVPN app does not presently meet this second requirement
- VPN App of your choice: No special requirements, refer to PG recommendations
Setup
1. Install Orbot & your VPN app into the secondary profile. You can remove them from your other profile; they will not be needed
2. Configure your VPN app as the system VPN in your secondary profile. Ensure it’s set to always on, and to block connections without VPN
3. Within Orbot, navigate to ‘More (…)’ → ‘Orbot Settings’ → ‘General’. Enable ‘Power User Mode’, ‘Start Orbot on Boot’, ‘Allow Background Starts’, and ‘Open Proxy on All Interfaces’.
4. Start Orbot. Under ‘More (…)’, you’ll see a SOCKS5 port number, likely 9050 unless you’re already running a conflicting service. Take note of this port #
5. Configure RethinkDNS as the system VPN in your main profile(s). Ensure it’s set to always on, and to block connections without VPN
6. Configure RethinkDNS DNS & firewall settings to your satisfaction. There’s admittedly a lot here. This is a pretty good guide; maybe @ignoramous has a better one
7. Within RethinkDNS, navigate to ‘Settings’ → ‘Proxy’ & enable SOCKS5. Use 127.0.0.1 for host, and your port number from step 4. Leave username & password blank
8. Within RethinkDNS, under ‘Configure’ → ‘Settings’, enable ‘Auto Start on Power Up’. This setting does not always work; you may occasionally still need to manually ‘Start’ RethinkDNS on
And, done! Your network pathway is now configured:
MainProfile(App Data ↔ RethinkDNS) ↔ [SOCKS5 over localhost] ↔ ProxyProfile(Orbot ↔ Tor Tunnel[ VPN App) ↔ VPN Tunnel{LAN ↔ ISP ↔ VPN Server} ↔ Tor Nodes] ↔ Webserver
Risk
Data sent over localhost is NOT exposed to the network. However, it IS exposed to all on-device services. This introduces a hypothetical privacy leak, where any spyware installed on the phone may be able to snoop - this has been observed before
The Inter Profile Sharing app mitigates this by establishing an AES-GCM encrypted tunnel between its instances. I have not found a means to implement any such secure tunnel between RethinkDNS & Orbot. You can add some protection by enforcing encrypted DNS & blocking comms over port 80 (HTTP) in RethinkDNS, though I'd like to see a more robust solution - RethinkDNS’s support for WireGuard proxies may be an interesting path forward
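As an added example (not part of this post, and not code from RethinkDNS or Orbot), here is a small Python SOCKS5 client that performs the same RFC 1928 exchange RethinkDNS does against Orbot's listener in step 7: a no-authentication greeting, a CONNECT request addressed by domain name (so the name is resolved at the Tor end rather than by the local resolver), and parsing of the reply. It ships with a constructed mock listener so it runs offline; the mock records every CONNECT request it receives, which makes the Risk section concrete: the destination hostnames cross localhost in clear text, readable by any process on the device that can reach 127.0.0.1. The default port 9050, the mock's behaviour and the sample hostname are all assumptions.

```python
import socket
import struct
import threading

SOCKS_VERSION = 0x05

# Reply codes from RFC 1928 section 6
REPLY_CODES = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf


def build_greeting():
    # VER, NMETHODS, METHODS: offer only "no authentication" (0x00), which is
    # what the blank username/password in the RethinkDNS proxy settings means.
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect_request(host, port):
    # CMD 0x01 = CONNECT, ATYP 0x03 = domain name. Sending the name instead of
    # an IP keeps DNS resolution on the far side of the Tor circuit.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 (max 255 bytes)")
    return bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)


def parse_reply(sock):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT; returns (code, text, addr, port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise RuntimeError(f"unexpected SOCKS version in reply: {ver}")
    if atyp == 0x01:
        addr = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == 0x03:
        addr = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    elif atyp == 0x04:
        addr = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise RuntimeError(f"unknown address type in reply: {atyp}")
    port = struct.unpack("!H", recv_exact(sock, 2))[0]
    return rep, REPLY_CODES.get(rep, "unknown reply code"), addr, port


def socks5_connect(host, port, proxy_host="127.0.0.1", proxy_port=9050, timeout=10):
    """Open a TCP stream to host:port via a SOCKS5 proxy (assumed: Orbot on 9050)."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        s.sendall(build_greeting())
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise RuntimeError("proxy did not accept the no-authentication method")
        s.sendall(build_connect_request(host, port))
        rep, text, _bnd_addr, _bnd_port = parse_reply(s)
        if rep != 0:
            raise RuntimeError(f"CONNECT {host}:{port} failed: {text}")
        return s  # from here on, bytes are relayed to the destination
    except Exception:
        s.close()
        raise


class MockSocks5Server(threading.Thread):
    """Constructed stand-in for Orbot's listener: answers one no-auth CONNECT
    and records the clear-text request, as any local process listening on
    loopback could. Not a real proxy; it relays nothing."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port, read from .port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.seen = []  # (hostname, port) tuples observed on localhost

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            nmethods = recv_exact(conn, 2)[1]
            methods = recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, 0x00 if 0x00 in methods else 0xFF]))
            if 0x00 not in methods:
                return
            head = recv_exact(conn, 5)          # VER CMD RSV ATYP LEN (ATYP 0x03 only)
            name = recv_exact(conn, head[4]).decode("idna")
            port = struct.unpack("!H", recv_exact(conn, 2))[0]
            self.seen.append((name, port))
            # Success reply with an all-zero IPv4 bind address
            conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, 0x01]) + b"\x00" * 6)


if __name__ == "__main__":
    # Offline demo. Against a real Orbot listener on the device the same call
    # would be socks5_connect("check.torproject.org", 443) with the default port.
    demo = MockSocks5Server()
    demo.start()
    stream = socks5_connect("example.onion", 443, proxy_port=demo.port)
    stream.close()
    demo.join(2)
    print("CONNECT requests visible on localhost in clear text:", demo.seen)
```

The handshake bytes are identical to what RethinkDNS sends Orbot, which is why the recorded `seen` list is the interesting part: nothing in SOCKS5 itself hides the destination name or port from whoever else can bind or observe loopback on the device. The Risk section's advice to enforce encrypted DNS and block port 80 narrows what else is readable inside the relayed stream, but the CONNECT metadata stays in the clear.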