VPN + Firewall on Android

Is there some application beside RethinkDNS with a functionality of VPN + Firewall for non-rooted Android?

Reason I’m asking is I tried RethinkDNS, Mullvad’s wireguard config works fine, but a bunch of apps are now acting strange. One has to be refreshed twice in order to load content; it shows an error on the first try. Another one takes ages to load, and one chat app randomly doesn’t show a contact’s online presence, but sends messages normally.

I’m aware all of these issues are network related, yet Rethink’s firewall doesn’t have any rules active, and the logs show that network connections were established.

So before deep diving into debugging and trying to solve all of these issues, I would like to know whether there is any other solution which offers a VPN connection and a firewall in the same application?


To better understand your situation, what do you want to achieve by installing a firewall app on your Android phone?

Are you trying to prevent inbound or outbound traffic?

The normal consensus afaik is that Android and iPhone don’t need a firewall to protect against inbound threats, as the built-in firewall is already set to block all inbound connections.

For outbound connections GrapheneOS has a per-app network toggle preventing all network traffic for that app. It’s only available for Pixel phones though.

To better understand your situation, what do you want to achieve by installing a firewall app on your Android phone?

I need to install some proprietary apps that connect to the network, but I tested them without the internet, and they worked fine, so I want to block their access completely.

GrapheneOS and Pixel will be considered the next time I change the phone, but for now I’m looking for a solution for the current device, which is not a Pixel.

I’m using Mullvad 24/7, so I asked the authors if they ever plan to implement a firewall in their app, but got a negative answer.

rdns dev here

There isn’t an in-bound firewall in the “traditional firewall” sense. For the simple reason that NAT traversal (ref) works on Android, an in-bound firewall can be hole-punched (not a good thing or a bad thing, but it is a thing you have no control over). Using a VPN-based firewall like Rethink does block some hole-punching techniques (again, some consider this a feature, others a bug). And for when the hole-punching goes through, Rethink registers it in the Network Log.

Can’t block IPs and domains, or view outgoing connections. Sadly, this feature, which is actually a better way than using a VPN like Rethink to block outgoing Internet connections, isn’t a substitute for a network monitor / firewall. See this discussion on GrapheneOS forums: RethinkDNS needed on GrapheneOS? - GrapheneOS Discussion Forum

Does STOP / STARTing the app back up again make it work? We’ve fixed a tonne of issues (ex) wrt WireGuard in the upcoming version, v055b, which is almost ready for a release.

The things you want are all in Invizible Pro/Lite; see https://invizible.net. Hope this helps.


I’m not suggesting the GOS network toggle as an alternative for network monitoring. OP is asking for an efficient way to prevent network traffic for an app and the GOS network toggle is the most efficient way at that.

Traditional sense or not, Android has a built-in firewall: Frequently Asked Questions | GrapheneOS

@ignoramous You made a really nice and useful app, looking forward to the new update. Keep up the good work!

I noticed a significant improvement when I switched from “System DNS” to “Other DNS” and added Mullvad’s DoH DNS (suggestion to add it beside those currently offered).

I’m trying to understand what DNS the device uses when “System DNS” is selected? The device is connected to Wi-Fi, which has a local DNS in the form of AdGuard Home. Wireguard is connected, but I assume the device still uses the local DNS, considering it started working when the DNS was switched?

Also, as I’m trying to replace Mullvad’s app with this one by importing 20+ wireguard configs, is there any “central” place where I could exclude an app from going over a VPN connection, or would I have to go into every config, add all applications and then remove the desired ones?

As importing these configs will take some time, does the backup/restore functionality include them, so I don’t have to import them again if, for example, I delete the app temporarily?

@LoSee21 thanks! I’m going to check it out.


In Rethink, System DNS is Network (wifi/mobile) provided DNS.

Yes, Rethink continues to use user-selected DNS even when proxies are active. In the upcoming version, v055b, Rethink will proxy DNS over WireGuard and other active proxies where possible. There’s also provision in v055b to use WireGuard configured DNS itself.

In Rethink, you cannot add the same app to different WireGuard configurations. You’ll have to re-add them every time. I know this is annoying, and we hope to fix this entire UX around WireGuard someday.

Rethink encrypts all WireGuard configurations with a device-specific, unexportable encryption key. This unfortunately also means they cannot be meaningfully backed up.

I’ve tested the app for a couple of days, and it’s really nice. Main annoyances for me are around VPN/wireguard, so hopefully some of these will be fixed in the upcoming releases.

This is probably the biggest deal breaker currently. Switching VPN locations/profiles is not smooth like the other parts of the app.

I have no technical knowledge on the topic, so I will just write my personal opinion. It would be way better to have an option which a standard VPN app has: once connected, all the apps go through the Wireguard connection except those explicitly excluded. So as soon as the profile is changed, there’s no need to add applications again.

The same thing should be applied once a new app is installed while the VPN connection is active, because currently it needs to be added manually. In this scenario, I noticed a strange behavior. The proxy was active, I installed a new app, went to add it to the wireguard profile, but the app couldn’t be found even after clicking the refresh button. It appeared after it was opened for the first time.

Is there any possibility this might change in the future? I understand it might not be used as often, but it would come in quite handy when switching devices or if the app needs to be reinstalled.