Installing NetGuard was revelation regarding the amount of tracking in most Android apps.
You can configure it to block access by default and notify you every time an app attempts a new connection. And it rings all the time.
Some software call home at 4am every day, other every hour, some send data to a dozen "analytics" services - services that I never opted-in for, which shows how few apps respect the RGPD.
At least most apps still work when those are blocked, and NetGuard allows you to block connections to Google servers except for Google Apps, which network firewalls and DNS solutions can't.
I am using GrapheneOS. GrapheneOS has a compatibility layer providing the option to install and use the official releases of Google Play in the standard app sandbox.
I could see how they are blocked on your system, using GrapheneOS, but that doesn't tell us if Netguard blocks them on Android systems. One reason for GrapheneOS is to close that kind of hole.
Every once in a while I consider making the switch to KeePassXC. I trust KeePassXC but I don't really trust the mobile apps so last time around I looked into NetGuard. It's really nice but it wasn't a good fit for my use case:
> NetGuard will do its best, but it is limited by the fact it must use the Android VPN service. This is the trade-off required to make a firewall which does not require root access. The firewall can only start when Android "allows" it to start, so it will not offer protection during early boot-up (although you can disable your network before rebooting). Also, the Android VPN service needs to be restarted to apply new rules when connectivity has changed or when the screen is being turned on or off. It will, however, be much better than nothing.
I believe that also means you can't use it with Tailscale or similar.
> I believe that also means you can't use it with Tailscale or similar.
You sort of can. It can route over a socks5 proxy to the work profile where you can have a second VPN running. Wouldn't be an easy solution, but it can work
Would be curious to hear if anyone actually did (or attempted) this and have results to share.
I know I have experienced VPN leaks on Android (not the one they publically fixed as it was after). A second layer wouldn't fix that properly but it should make it less likely.
At the OS level LineageOS offers per-app network permissions, which I've used and functions as expected.
One quirk from what I understand of this ticket[1] is if there's a proxy set up via a separate internet allowed app it can bypass the restriction via that app. GrapheneOS' implementation is said to prevent this.
There's RethinkDNS [1](not affiliated to them, just like their software). Sometimes it gets killed on my phone, but otherwise it's a great replacement, adds some much-needed features like proxies and wireguard VPNs on top of a DNS and app level control.
I've been using Blockada for many years but that's a firewall against ads and trackers. No ads inside apps.
Ideally I would use NetGuard to block the apps and Blockada to block ads and trackers for the apps that I allowed to perform network traffic in NetGuard. But Android allows only one active VPN and they can't be chained, so it's a hard choice. Actually it's not so hard: I keep blocking ads and trackers.
Blockada is most likely a DNS level blocker, netguard supports that. Alternatively you can configure it to point the DNS servers at NextDNS if you just want a nice UI to configure block lists (though NextDNS might track you).
NextDNS as a manual DNS server on Android is the adblocking solution I've been using for years. Is there any reason to believe they would track you, any more than any other DNS provider?
I have used GlassWire (not affiliated) for a few years without issues.
It's also rootless so I assume it has the same restrictions, but it's been very helpful with apps like Uber, which I use seldomly, but prefer not to have their notifications shoved in my face every 30 minutes.
It's also helpful for disabling access to most of the bloatware that comes with e.g. Samsung phones and such.
Probably not blocking everything, but I feel like it's at least something.
Pcapdroid is a very good alternative that allows to see which connections are made from what app to what server and at what time.
You just leave it in background, check one day later and see what sneaky app you never thought of have been sending tons of data in the background.
For me it helped me remove and search alternative for 4 apps, including a pill reminder (mytherapy). I would never have thought the trade-off to be reminded to take vitamin would be to constantly spy on me and sell all my data. Had i known, I would have put a reminder in my calendar.
anyway, it's not the same as netguard. Pcapdroid helps to identify bad application that you can either remove, or if not possible, use netguard later on to block.
> it can block, i think it's a 'donation' feature.
Oh, interesting, I didn't know.
A pity that you have to purchase it on the Play Store
> anyway, it's not the same as netguard. Pcapdroid helps to identify bad application that you can either remove, or if not possible, use netguard later on to block.
Well, almost all closed-source apps, and especially many system applications, send data out all the time; blocklisting rather than whitelisting is not a great strategy.
NetGuard allows exporting to PCAP as well, anyhow, as a paid feature
I want to be able to open word and excel file on my phone, but i don't want to give microsoft access to everything on my phone including dick pics, sextape, bank sheet and other personal data.
Because android allows such bad practice, blocking internet access can be usefull.
Its' really telling that Google doesn't offer an API to access a firewall which provides a clear list of connections and the apps which create them and a way to prohibit such specific connections, possibly also according to blacklists.
They really don't want users to have control over this.
It's more telling that governments haven't made it a mandatory feature on all devices with networking capabilities.
Google hasn't made a successful product in over a decade (nor have their existing products improved in any meaningful sense) - these people are not capable of anything besides hoarding power (and passing leet code I guess :P).
The linux kernel has a built-in firewall, and provides iptables to configure it. Firewalld is also installed by default at least on Fedora, and UFW for debian-based.
Unless this is just a battle of semantics on the fact iptables/firewalld/ufw are user space apps.
I think the main gripe is Google's lack of API to access a firewall. It would make sense for the kernel to provide that API and leave the UI to user space apps.
Edit: and to clarify, you can have a user space app on Android to configure a firewall but they will either require root or a VPN-based solution like NetGuard.
It drains battery because of VPN service solution, which is only non-rooted solution. Also if you use VPN (like Wireguard), you cannot use both.
Every app has own settings for allowing WiFi, data, VPN, background data connections natively in Android. I use custom ROM that has turned off internet connection for all apps by default and you need manually allow them to connect. Which solve mine problem with constant unwanted connections.
If you want really control over traffic on Android and combine with VPN, try ReThing DNS.
> It drains battery because of VPN service solution, which is only non-rooted solution.
It's not the _only_ solution. If you're on a modern (read: last 6 years or so) version of android, you can specify a DNS over TLS server to use.
If that DNS server also happens to be a PiHole, you have a good filter mechanism that doesn't hit battery life / data quotas quite like an always-on VPN does.
I prefer to connect via Wireguard to home network that has DNS filters (ie Pi-hole or NextDNS), because I can benefit with connection to home network any time.
Not really on topic, but is there any plan on integrating tailscale with it? There's a userspace mode for tailscale that exposes a socks proxy, but you currently have to spawn that with Termux or another terminal, then forward your traffic on Rethink.
I occasionally set up notifications when apps make requests using NetGuard and let it run for a day. The result is always depressing, lots of apps phoning home that I haven't opened in days...
I let it run today, and the worst offenders I have installed are Spotify (various requests to Facebook endpoints, I have no Facebook integration turned on) and Speedtest (constant requests to their logging endpoint and ad partners). This is all happening without me actually using those apps.
AdGuard is also rootless, but in addition if you have root then it can install a system-wide certificate that enables it to decrypt HTTPS requests to do granular filtering (not just at the domain level). Basically just like uBlock does, except that it's system-wide and works in all apps[1].
[1] Except apps that pin their certificates. But you can exclude those or install another module[2] (not from AdGuard) which disables certificate pinning.
I'm using netguard. It's really good, but conflicts with wireguard (another VPN I am using). It's because the firewall is realised using VPN API, when running netguard it uses VPN API to control the traffic
From what I see running the test on my phone, there's an option to tunnel DNS through Rethink here, which you can change to the VPN's DNS. Everything else is tunneled by default through wireguard. Maybe there's a configuration issue on your end?
Was the above post propaganda? Or was it just a user recommendation?
Perhaps the reason it gets mentioned often is simply because it's a good piece of software. Then again, perhaps not!
In any case, I'd be careful about using 3rd party DNS (and other) services, but that's for the user to decide, depending on the situation one is in.
Using one's own resolver is always a good practice, even in countries where ISPs are not selling customer's private data to anyone that comes along and where governments don't monitor and repress their citizens on every step...
We live in strange times where even EU countries misuse resolvers to censor certain web pages, while, for example, independent Balkan countries do not. Go figure...
I didn't intend for this to be propaganda, I don't even use it anymore since I'm on grapheneOS now.
But I have tried all three. I need to use a VPN in split mode for certain apps, and since using Tor with apps wasn't part of my threat model, I ended up using RethinkDNS (the app only). I don't necessarily like their upstream DNS servers, but considering that I can use my own server (and do), I don't consider that to be an issue.
This doesn’t seem to show any site I browse in the DuckDuckGo app, which raises the question, if DDG can hide connections it makes from showing in privacy report, can any (more nefarious) app do the same?
Isn’t AdGuard just dns protection (and Safari extension).
Afaik something like this isn’t easily doable in iOS. Some options are:
* Shadowrocket - you can set complex rules on what hosts/connections should be routed by what, but afaik you are not able to isolate traffic on a per-app basis.
The APIs to implement traffic policies on a per-app basis just don’t exist on iOS. You can create a VPN connection and have an app manage all network traffic that way, but you can’t associate traffic with specific apps since this would run afoul of their sandbox. At least without jailbreaking.
I came here to ask a similar question, looking for alternatives to Lockdown Privacy on iOS/iPadOS. [1] I've been using Lockdown for some years as a local and system firewall to block trackers across all apps, but this company got sold a few years ago and has since been annoyingly and frequently pushing for its paid subscription. It also moved some free blocking lists to the paid subscription.
Any alternatives to Lockdown on iOS/iPadOS would be nice to know about.
Afaik, this requires an active VPN connection. With GrapheneOS, there is a network toggle which disables the INTERNET access to any individual app so it doesn't make sense to use NetGuard
LineageOS doesn't really cut off the INTERNET access properly. Graphene's approach is more robust. I still wonder why such an important feature is not in the AOSP itself
> still wonder why such an important feature is not in the AOSP itself
Really? Remind yourself who works on Android. Google have been removing functionalities that benefit privacy for ever, and then put half backed alternative buried under tons of settings.
It can do other things. It can monitor network traffic and block ads within apps through multiple host files . Also having a single app to toggle is more UX friendly than toggling multiple apps network access.
I am very happy with IodéOS (a privacy-focused OS based on Lineage) as it has a per-app firewall and adblocker built into the OS. A major drawback of "stock android" is that google itself has elevated privileges, which is a strong argument for degoogling android at the OS level. Until recently, it has been pretty difficult to find a degoogled OS for a given device, (less than 1%) but now with GSIs it's getting better: https://blog.iode.tech/what-are-gsis-and-how-to-install-them...
After seeing the post[0] yesterday about how much surveillance can be done using mobile app data that can be bought online by pretty much anyone... I am very happy to learn about NetGuard today.
Software worth paying for. I bought a license for a Google free lineage os phone that I’ve since moved on from, but still use as a media and general purpose computing device.
LineageOS is fine for me, just I wish I could restrict connections to some ip ranges somehow, like allowing only 10.x.x.x in/out connections from given app on os level
The [DNS] resolver is deployed to Fly.io at max.rethinkdns.com
and Deno Deploy at rdns.deno.dev too,
apart from the default deployment on Cloudflare Workers.
There isn't anything sinister going on here with the use of "cloud services" [0][1]. Rethink, which is geared more towards anti-censorship, has its default resolver "ip-fronted" on Cloudflare (whose IPs are seldom blocked) and it works great in countries where the app is popular.
Users can opt to switch to any DoH, DoT, ODoH, DNSCrypt v3 resolver of their choice. In fact, we encourage users on our reddit/telegram groups to use ODoH (we also run a public-facing ODoH proxy) and DNSCrypt upstreams because of their privacy guarantees.
Can you point me the link to one thread or question about Netguard on some major internet forums like HN, Reddit or similar, where you or other RethinkDNS devs did not jump in and hijacked the thread? Only one example, please?
Your spammy marketing tactics of spamming makes your product looks like a scum, and I don't even have a desire to test.
Also, why do you keep comparing one on device firewall like Netguard with a cloud first solution like RethinkDNS?
I had previously set Android's private DNS to dns.adguard-dns.com, which didn't block anything.
Rethink's battery usage is 15 - 20% on my pixel in logging mode.
It definitely works, but I can't seem to associate blocked requests with apps, which renders it far less useful.
Overall I think it's a very busy UI.
You definitely want to exclude Firefox with uBO as elsewise Firefox behaves as though the network is down, whereas with uBO you can interactively choose to proceed.
I see there is an option to download the block lists locally. Does that mean it no longer uses DNS blocking? I see it described as a DNS blocker but it requires a VPN.
> Rethink's battery usage is 15 - 20% on my pixel in logging mode.
This is unusually high. It doesn't cross 3% on my Android, but I'm using a version (v055o( that's yet to launch (but will in a week or so).
If you only need DNS based blocking, tap on the down-arrow next to the STOP/START button and choose DNS-only mode. That should bring down battery use to 1% or so.
> but I can't seem to associate blocked requests with apps, which renders it far less useful.
Rethink most definitely can. Make sure to turn OFF Private DNS (instead of setting it to Opportunistic or Automatic).
> ...download the block lists locally. Does that mean it no longer uses DNS blocking
If you download the blocklists locally, then you can set those on your device, and use any DNS upstream (DoH/DoT/DNS53/DNSCrypt/ODoH) and the rules should be applied, regardless.
NetGuard is amazing. Whats disgusting is that android has so many permissions controls EXCEPT network access! it's insane and its because its just a data vacuuming device.
While I'm normally not someone who pays for apps, and is annoyed at fdroid releases having paid features, I had such a fun time figuring out and bypassing the challenge/response part of the app (without just commenting it out and recompiling) that I decided to send €1.23 his way.
Yeah there's no stats or traffic info, but until Android has a real way of using multiple VPN interfaces or exposes adding routes to users/apps, these VPN-based local tools are a no-go.
But in case the VPN app supports running as a simple proxy, without using the VPN service, you can avoid work profiles and just have NetGuard connect to it.
Installing NetGuard was revelation regarding the amount of tracking in most Android apps.
You can configure it to block access by default and notify you every time an app attempts a new connection. And it rings all the time.
Some software call home at 4am every day, other every hour, some send data to a dozen "analytics" services - services that I never opted-in for, which shows how few apps respect the RGPD.
At least most apps still work when those are blocked, and NetGuard allows you to block connections to Google servers except for Google Apps, which network firewalls and DNS solutions can't.
> NetGuard allows you to block connections to Google servers except for Google Apps, which network firewalls and DNS solutions can't.
How do you know those connections are blocked and not merely bypassing Netguard?
I am using GrapheneOS. GrapheneOS has a compatibility layer providing the option to install and use the official releases of Google Play in the standard app sandbox.
See https://grapheneos.org/features#sandboxed-google-play
NetGuard also shows network requests from GrapheneOS itself, all proxied by the GrapheneOS project, as described here: https://grapheneos.org/faq#default-connections
I could see how they are blocked on your system, using GrapheneOS, but that doesn't tell us if Netguard blocks them on Android systems. One reason for GrapheneOS is to close that kind of hole.
> Some software call home at 4am every day
Which app?
Not sure anymore since I removed them, it may have been BlaBlaCar and/or Tricount.
[flagged]
I'm curious, how would looking at the Microsoft MFA app convince me that android apps aren't spying on me?
[flagged]
You did the same thing above but in the opposite direction.
From the developer of FairEmail.
Every once in a while I consider making the switch to KeePassXC. I trust KeePassXC but I don't really trust the mobile apps so last time around I looked into NetGuard. It's really nice but it wasn't a good fit for my use case:
> NetGuard will do its best, but it is limited by the fact it must use the Android VPN service. This is the trade-off required to make a firewall which does not require root access. The firewall can only start when Android "allows" it to start, so it will not offer protection during early boot-up (although you can disable your network before rebooting). Also, the Android VPN service needs to be restarted to apply new rules when connectivity has changed or when the screen is being turned on or off. It will, however, be much better than nothing.
I believe that also means you can't use it with Tailscale or similar.
> I trust KeePassXC but I don't really trust the mobile apps
I'm using Keepass2Android Offline. It doesn't have the network permission, which for me adds a ton of trust already.
Of course there are other ways to infiltrate data too, but you can be only so paranoid if you want to get things done.
https://play.google.com/store/apps/details?id=keepass2androi...
> I believe that also means you can't use it with Tailscale or similar.
You sort of can. It can route over a socks5 proxy to the work profile where you can have a second VPN running. Wouldn't be an easy solution, but it can work
Would be curious to hear if anyone actually did (or attempted) this and have results to share.
I know I have experienced VPN leaks on Android (not the one they publically fixed as it was after). A second layer wouldn't fix that properly but it should make it less likely.
Here you go, a fairly detailed blog post about it: https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-co...
Got this from a thread about Tracker Control, a NetGuard fork, and VPN chaining https://github.com/TrackerControl/tracker-control-android/is...
Amazing, thank you!
> I trust KeePassXC but I don't really trust the mobile apps
Even KeePassDX? That's what I use, and it's been rock solid for me.
> better than nothing
Is "nothing" the only Android per-app outbound firewall alternative to NetGuard?
At the OS level LineageOS offers per-app network permissions, which I've used and functions as expected.
One quirk from what I understand of this ticket[1] is if there's a proxy set up via a separate internet allowed app it can bypass the restriction via that app. GrapheneOS' implementation is said to prevent this.
[1] https://gitlab.com/LineageOS/issues/android/-/issues/3228
There's RethinkDNS [1](not affiliated to them, just like their software). Sometimes it gets killed on my phone, but otherwise it's a great replacement, adds some much-needed features like proxies and wireguard VPNs on top of a DNS and app level control.
[1] - https://f-droid.org/packages/com.celzero.bravedns/
No, if you have a rooted phone you can use AFWall+. And there are other non-root firewalls.
I've been using Blockada for many years but that's a firewall against ads and trackers. No ads inside apps.
Ideally I would use NetGuard to block the apps and Blockada to block ads and trackers for the apps that I allowed to perform network traffic in NetGuard. But Android allows only one active VPN and they can't be chained, so it's a hard choice. Actually it's not so hard: I keep blocking ads and trackers.
Blockada is most likely a DNS level blocker, netguard supports that. Alternatively you can configure it to point the DNS servers at NextDNS if you just want a nice UI to configure block lists (though NextDNS might track you).
NextDNS as a manual DNS server on Android is the adblocking solution I've been using for years. Is there any reason to believe they would track you, any more than any other DNS provider?
Unlike most other dns providers, they often have an account or even payment to identify you, not just your outbound IP....
Do they keep logs though?
That's the whole point, you don't know if they keep logs.
NetGuard does ad-blocking with a DNS blacklist, but it's a Pro feature (which I use and works great).
On NetGuard's F-Droid page it lists "Optionally block ads using a hosts file" under its "features" section and not under its "PRO Features" section
Seems like I can get ad blocking for free.
https://f-droid.org/en/packages/eu.faircode.netguard/
https://github.com/M66B/NetGuard/blob/master/ADBLOCKING.md
Oh you're probably right, it's been a while since I was on the free version :)
My favorite is another FOSS, but this one is special because it doesn't need network permissions. No root, ofc, so that sticks.
Karma Firewall https://f-droid.org/packages/net.stargw.fok/
I have used GlassWire (not affiliated) for a few years without issues.
It's also rootless so I assume it has the same restrictions, but it's been very helpful with apps like Uber, which I use seldomly, but prefer not to have their notifications shoved in my face every 30 minutes.
It's also helpful for disabling access to most of the bloatware that comes with e.g. Samsung phones and such.
Probably not blocking everything, but I feel like it's at least something.
Pcapdroid is a very good alternative that allows to see which connections are made from what app to what server and at what time.
You just leave it in background, check one day later and see what sneaky app you never thought of have been sending tons of data in the background.
For me it helped me remove and search alternative for 4 apps, including a pill reminder (mytherapy). I would never have thought the trade-off to be reminded to take vitamin would be to constantly spy on me and sell all my data. Had i known, I would have put a reminder in my calendar.
Thanks for chiming in; I will probably try this out in the near future and see what insights I can glean.
Kind of wish there was more discussion about solutions for rooted devices and how much unwanted traffic is already blocked by AdAway (in rooted mode).
> including a pill reminder (mytherapy)
This is an app you wanted to replace? Or this is one of the apps that you found to be a good replacement?
(I am also looking for a basic medication reminder/logging app)
no that's the rogue app.
i checked on the play store, all full of trackers. open source is great but always having issue, either it lacks functionalities or it's buggy.
at the end, i decided i could put a reminder on my phone and be done with that.
Netguard does the same. You can see a per-app list of connections. Furthermore, you can many hosts either globally, or on an app level.
Except that... that doesn't block anything??
it can block, i think it's a 'donation' feature.
anyway, it's not the same as netguard. Pcapdroid helps to identify bad application that you can either remove, or if not possible, use netguard later on to block.
> it can block, i think it's a 'donation' feature.
Oh, interesting, I didn't know. A pity that you have to purchase it on the Play Store
> anyway, it's not the same as netguard. Pcapdroid helps to identify bad application that you can either remove, or if not possible, use netguard later on to block.
Well, almost all closed-source apps, and especially many system applications, send data out all the time; blocklisting rather than whitelisting is not a great strategy.
NetGuard allows exporting to PCAP as well, anyhow, as a paid feature
Yeah, but you can just uninstall offenders
What about microsoft office ?
I want to be able to open word and excel file on my phone, but i don't want to give microsoft access to everything on my phone including dick pics, sextape, bank sheet and other personal data.
Because android allows such bad practice, blocking internet access can be usefull.
With a firewall you can keep using them, instead (and maybe only let through some of the traffic)
Its' really telling that Google doesn't offer an API to access a firewall which provides a clear list of connections and the apps which create them and a way to prohibit such specific connections, possibly also according to blacklists.
They really don't want users to have control over this.
It's more telling that governments haven't made it a mandatory feature on all devices with networking capabilities.
Google hasn't made a successful product in over a decade (nor have their existing products improved in any meaningful sense) - these people are not capable of anything besides hoarding power (and passing leet code I guess :P).
Is it? Do Fedora or Ubuntu provide an API like that?
You mean, like unrestricted access to the kernel with full firewalling capabilities? ;)
Yes, GNU/Linux distributions provide exactly that.
No, you have to install additional software for that.
The linux kernel has a built-in firewall, and provides iptables to configure it. Firewalld is also installed by default at least on Fedora, and UFW for debian-based.
Unless this is just a battle of semantics on the fact iptables/firewalld/ufw are user space apps.
There is no clean interface to configure app-based network rules.
I think the main gripe is Google's lack of API to access a firewall. It would make sense for the kernel to provide that API and leave the UI to user space apps.
Edit: and to clarify, you can have a user space app on Android to configure a firewall but they will either require root or a VPN-based solution like NetGuard.
Both SELinux and AppArmor support per app network rules, however they both leave something to be desired in terms of ease of use and features.
https://selinuxproject.org/page/NetworkStatements
https://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor...
Yes.
It drains battery because of VPN service solution, which is only non-rooted solution. Also if you use VPN (like Wireguard), you cannot use both.
Every app has own settings for allowing WiFi, data, VPN, background data connections natively in Android. I use custom ROM that has turned off internet connection for all apps by default and you need manually allow them to connect. Which solve mine problem with constant unwanted connections.
If you want really control over traffic on Android and combine with VPN, try ReThing DNS.
https://www.rethinkdns.com/
> It drains battery because of VPN service solution, which is only non-rooted solution.
It's not the _only_ solution. If you're on a modern (read: last 6 years or so) version of android, you can specify a DNS over TLS server to use.
If that DNS server also happens to be a PiHole, you have a good filter mechanism that doesn't hit battery life / data quotas quite like an always-on VPN does.
It's a bit old, but I put together a basic project for this here: https://github.com/kquinsland/skyhole/
I prefer to connect via Wireguard to home network that has DNS filters (ie Pi-hole or NextDNS), because I can benefit with connection to home network any time.
> It drains battery because of VPN service solution
It doesn't really, just try it (and take actual battery duration measurements, Android misreports VPN apps battery usages)
I did, battery drains 5-10% faster.
If it's so, it's not a lot for privacy and security
---
ReThink DNS uses the VPN service as well, by the way.
And it is possible to use two VPN apps, see https://news.ycombinator.com/item?id=41933464 (yes, the battery usage adds up).
Rethink DNS seems fine, anyhow.
(I work on rdns)
> ReThink DNS uses the VPN service as well, by the way.
Rethink (since a year ago) has had the ability forward connections per-app to multiple WireGuard upstreams at the same time.
https://old.reddit.com/r/rethinkdns/comments/15r1eq9/v055_mu... / https://archive.md/RqUPe (to us, it turned out to be a deceptively difficult thing to integrate with the rest of the firewall).
Not really on topic, but is there any plan on integrating tailscale with it? There's a userspace mode for tailscale that exposes a socks proxy, but you currently have to spawn that with Termux or another terminal, then forward your traffic on Rethink.
Yes (short of anyone sponsoring us to implement it immediately) we do plan to add tsnet support (https://github.com/celzero/rethink-app/issues/1047) once we iron out existing issues with WireGuard.
I'm unsure if we'd be able to support all of Tailscale's features as easily (taildrop, exit nodes etc), we'll see.
I occasionally set up notifications when apps make requests using NetGuard and let it run for a day. The result is always depressing, lots of apps phoning home that I haven't opened in days...
I let it run today, and the worst offenders I have installed are Spotify (various requests to Facebook endpoints, I have no Facebook integration turned on) and Speedtest (constant requests to their logging endpoint and ad partners). This is all happening without me actually using those apps.
If you use a rootless firewall doesn't it act like a VPN? And then you aren't able to use VPNs unless you disable it? Useless IMO for heavy VPN users.
You can split the usage by profiles (e.g. work profile with Shelter[1]) or separate users.
1. https://f-droid.org/en/packages/net.typeblog.shelter/
You can also have NetGuard actually go through the VPN (https://news.ycombinator.com/item?id=41933464)
This is really good. Using it on my Oculus to block connections to Facebook servers.
(On my phones, I use LineageOS which can manage network permissions per app right in app settings.)
AdGuard is also rootless, but in addition if you have root then it can install a system-wide certificate that enables it to decrypt HTTPS requests to do granular filtering (not just at the domain level). Basically just like uBlock does, except that it's system-wide and works in all apps[1].
[1] Except apps that pin their certificates. But you can exclude those or install another module[2] (not from AdGuard) which disables certificate pinning.
[2] For example: https://github.com/cryptoexpertssss/TrustMeAlready
I'm using netguard. It's really good, but conflicts with wireguard (another VPN I am using). It's because the firewall is realised using VPN API, when running netguard it uses VPN API to control the traffic
You could put a firewall at the other end of the wireguard connection.
This doesn't tell you which app is connecting to which IP.
You'd need a local client for the VPN server firewall, to configure it, view logs, etc. Just a web client would work.
I am dreaming of an open-source app that adds Wireguard capabilities to NetGuard or vice-versa.
Having to switch from one to the other is very annoying.
There's no need to dream about it, it already exists: https://f-droid.org/packages/com.celzero.bravedns/
I used to use it when I wasn't on grapheneOS and needed to block internet access.
That only uses wg for DNS queries. Everything else remains untunneled.
From what I see running the test on my phone, there's an option to tunnel DNS through Rethink here, which you can change to the VPN's DNS. Everything else is tunneled by default through wireguard. Maybe there's a configuration issue on your end?
The only place I see where wireguard can be set up is as a proxy for DNS. Perhaps that would still allow changing the default gateway?
It's annoying to see so much RethinkDNS propaganda on every Netguard or Invizible Pro thread on the internet.
That gives me a bad feeling, and it's the reason I started to consider RethinkDNS scummy.
Was the above post propaganda? Or was it just a user recommendation?
Perhaps the reason it gets mentioned often is simply because it's a good piece of software. Then again, perhaps not!
In any case, I'd be careful about using 3rd party DNS (and other) services, but that's for the user to decide, depending on the situation one is in.
Using one's own resolver is always a good practice, even in countries where ISPs are not selling customer's private data to anyone that comes along and where governments don't monitor and repress their citizens on every step...
We live in strange times where even EU countries misuse resolvers to censor certain web pages, while, for example, independent Balkan countries do not. Go figure...
I didn't intend for this to be propaganda, I don't even use it anymore since I'm on grapheneOS now. But I have tried all three. I need to use a VPN in split mode for certain apps, and since using Tor with apps wasn't part of my threat model, I ended up using RethinkDNS (the app only). I don't necessarily like their upstream DNS servers, but considering that I can use my own server (and do), I don't consider that to be an issue.
especially that Wireguard silently disables NetGuard, and then the communication undergoes (at least in my case) silent
Is there something like this for iOS? I know Adguard but it is not open source.
Lockdown claims to be open-source. Their appstore client has paid mode for per-app blocklists. I don't know if they support per-app allow lists.
https://github.com/confirmedcode/Lockdown-iOS
Something already included in iOS is App Privacy Report feature.
https://support.apple.com/en-us/102188
This doesn’t seem to show any site I browse in the DuckDuckGo app, which raises the question, if DDG can hide connections it makes from showing in privacy report, can any (more nefarious) app do the same?
Something similar would be Proxyman: https://apps.apple.com/de/app/proxyman-network-debug-tool/id...
But it’s more designed to be a debug tool than to block traffic from specific apps
https://github.com/AdguardTeam/AdguardForiOS
I am pretty sure it is open source. I’ve been using it for years both for upstream DNS and blocklist filtering.
Huh, didn’t know about the repo. Thanks for posting it here.
Isn’t AdGuard just dns protection (and Safari extension). Afaik something like this isn’t easily doable in iOS. Some options are:
* Shadowrocket - you can set complex rules on what hosts/connections should be routed by what, but afaik you are not able to isolate traffic on a per-app basis.
* I think you can set up per-app VPN on iOS, but you must use MDM, can’t do it on an unmanaged profile. Link: https://support.apple.com/guide/deployment/vpn-overview-depa...
> per-app VPN on iOS, but you must use MDM
Yet iOS allows Safari per-site VPN without enterprise MDM, via Apple Configurator profile.
The APIs to implement traffic policies on a per-app basis just don’t exist on iOS. You can create a VPN connection and have an app manage all network traffic that way, but you can’t associate traffic with specific apps since this would run afoul of their sandbox. At least without jailbreaking.
I came here to ask a similar question, looking for alternatives to Lockdown Privacy on iOS/iPadOS. [1] I've been using Lockdown for some years as a local and system firewall to block trackers across all apps, but this company got sold a few years ago and has since been annoyingly and frequently pushing for its paid subscription. It also moved some free blocking lists to the paid subscription.
Any alternatives to Lockdown on iOS/iPadOS would be nice to know about.
[1]: https://lockdownprivacy.com/
Only in China I believe.
Afaik, this requires an active VPN connection. With GrapheneOS, there is a network toggle which disables the INTERNET access to any individual app so it doesn't make sense to use NetGuard
> it doesn't make sense to use NetGuard
unless you use any other phone that is not a google pixel running GrapheneOS
Which is literally the meaning of "With GrapheneOS, [...] it doesn't make sense to use NetGuard", isn't it?
LineageOS has this too, and it’s available on a fair bit of non-Pixel phones.
LineageOS doesn't really cut off the INTERNET access properly. Graphene's approach is more robust. I still wonder why such an important feature is not in the AOSP itself
Hmm, I haven’t looked much into it, but I assumed they both expose the same mechanism from AOSP?
https://grapheneos.org/faq#firewall
> still wonder why such an important feature is not in the AOSP itself
Really? Remind yourself who works on Android. Google have been removing functionalities that benefit privacy for ever, and then put half backed alternative buried under tons of settings.
I am well aware of that. AOSP still has quite a lot of contributors outside of google
Which company decides which contributions get accepted?
It can do other things. It can monitor network traffic and block ads within apps through multiple host files . Also having a single app to toggle is more UX friendly than toggling multiple apps network access.
Running pihole as your home DNS is far more feasible for blocking ads and other intrusive requests. The UX perspective is a valid point
But that ties you down to connecting to a vpn every single time you leave home.
You can have a remote instance of pi hole, normally renting a cheap VPS
NetGuard allows you to block specific hosts. I use it on GrapheneOS for monitoring and selective host blocking.
I use NetGuard on GrapheneOS to block mobile data for certain apps.
I am very happy with IodéOS (a privacy-focused OS based on Lineage) as it has a per-app firewall and adblocker built into the OS. A major drawback of "stock android" is that google itself has elevated privileges, which is a strong argument for degoogling android at the OS level. Until recently, it has been pretty difficult to find a degoogled OS for a given device, (less than 1%) but now with GSIs it's getting better: https://blog.iode.tech/what-are-gsis-and-how-to-install-them...
After seeing the post[0] yesterday about how much surveillance can be done using mobile app data that can be bought online by pretty much anyone... I am very happy to learn about NetGuard today.
[0] https://news.ycombinator.com/item?id=41923931
Better off disabling advertising components, which of course needs root. There's tools like AppManager for that - https://github.com/MuntashirAkon/AppManager/
Don't forget to periodicly update the hosts file: Settings -> Backup -> Download hosts file.
The creator also made XPrivacyLua (hooks Android API system calls to block premissions)
Software worth paying for. I bought a license for a Google free lineage os phone that I’ve since moved on from, but still use as a media and general purpose computing device.
LineageOS is fine for me, just I wish I could restrict connections to some ip ranges somehow, like allowing only 10.x.x.x in/out connections from given app on os level
Similar but open source: https://github.com/celzero/rethink-app
> similar but open source
Netguard (per HN title) is open-source GPLv3: https://github.com/M66B/NetGuard
Rethink uses cloud services by default?
rdns dev here
> Rethink uses cloud services by default?
There isn't anything sinister going on here with the use of "cloud services" [0][1]. Rethink, which is geared more towards anti-censorship, has its default resolver "ip-fronted" on Cloudflare (whose IPs are seldom blocked) and it works great in countries where the app is popular.
Users can opt to switch to any DoH, DoT, ODoH, DNSCrypt v3 resolver of their choice. In fact, we encourage users on our reddit/telegram groups to use ODoH (we also run a public-facing ODoH proxy) and DNSCrypt upstreams because of their privacy guarantees.
[0] If anything, hosting it cost us a bomb: https://old.reddit.com/r/rethinkdns/comments/17h2y6r / https://archive.md/slpZ9
[1] Our stub resolvers are open-source & "open deploy" (ie deploy straight from github actions): https://github.com/serverless-dns/serverless-dns/actions/
FWIW, Netguard's UI feels like one of an average opensource mobile app, while Rethink is a very polished experience. Well done!
> rdns dev here
I have a question for you about RethinkDNS:
Can you point me the link to one thread or question about Netguard on some major internet forums like HN, Reddit or similar, where you or other RethinkDNS devs did not jump in and hijacked the thread? Only one example, please?
Your spammy marketing tactics of spamming makes your product looks like a scum, and I don't even have a desire to test.
Also, why do you keep comparing one on device firewall like Netguard with a cloud first solution like RethinkDNS?
> hijacked the thread
I (try and) mostly only respond to subthreads that mention Rethink.
> why do you keep comparing one on device firewall like Netguard with a cloud first solution like RethinkDNS
Rethink isn't cloud-first.
> where you or other RethinkDNS devs
There's 2 of us. The other one isn't on HN, or reddit, or any other forum.
> spammy marketing tactics of spamming makes your product looks like a scum
I'm sorry you think that.
Right, I saw their pro features listed and skipped over the oss mention.
Yes rethink uses public fly resolver by default but you can self host that as well. Apologies, that's something I should have mentioned.
https://github.com/serverless-dns/serverless-dns
I tried Rethink for the day.
I had previously set Android's private DNS to dns.adguard-dns.com, which didn't block anything.
Rethink's battery usage is 15 - 20% on my pixel in logging mode.
It definitely works, but I can't seem to associate blocked requests with apps, which renders it far less useful.
Overall I think it's a very busy UI.
You definitely want to exclude Firefox with uBO as elsewise Firefox behaves as though the network is down, whereas with uBO you can interactively choose to proceed.
I see there is an option to download the block lists locally. Does that mean it no longer uses DNS blocking? I see it described as a DNS blocker but it requires a VPN.
Anyway, off to try a Adaway next.
> Rethink's battery usage is 15 - 20% on my pixel in logging mode.
This is unusually high. It doesn't cross 3% on my Android, but I'm using a version (v055o( that's yet to launch (but will in a week or so).
If you only need DNS based blocking, tap on the down-arrow next to the STOP/START button and choose DNS-only mode. That should bring down battery use to 1% or so.
> but I can't seem to associate blocked requests with apps, which renders it far less useful.
Rethink most definitely can. Make sure to turn OFF Private DNS (instead of setting it to Opportunistic or Automatic).
Ex A: https://mastodon.social/@tuxicoman@social.jesuislibre.net/11...
Ex B: https://mastodon.social/@33dBm@lazysocial.de/112051004405969...
> ...download the block lists locally. Does that mean it no longer uses DNS blocking
If you download the blocklists locally, then you can set those on your device, and use any DNS upstream (DoH/DoT/DNS53/DNSCrypt/ODoH) and the rules should be applied, regardless.
NetGuard is amazing. Whats disgusting is that android has so many permissions controls EXCEPT network access! it's insane and its because its just a data vacuuming device.
Does this show anything at all without purchases? I installed it and turned on notify on access and I have gotten no notifications so far.
Looks like most of the information features require a purchase... And the price is only visible at checkout.
If you downloaded the Play Store version, it can't intercept all the apps
How does that compare to having filtering done by the VPN? Many VPN services tend to do that nowadays, right?
is this the best available option on Android? Is there any alternative I should give a try?
GrapheneOS has Network as an Android permission, that you can grant/revoke per app
While I'm normally not someone who pays for apps, and is annoyed at fdroid releases having paid features, I had such a fun time figuring out and bypassing the challenge/response part of the app (without just commenting it out and recompiling) that I decided to send €1.23 his way.
When you try to purchase pro features it should really display the price...
AOSP has a pretty well functioning firewall, good enough that GrapheneOS implements and builds on it.
https://grapheneos.org/faq#firewall
Yeah there's no stats or traffic info, but until Android has a real way of using multiple VPN interfaces or exposes adding routes to users/apps, these VPN-based local tools are a no-go.
How do you use this if you already have an always-on VPN enabled?
You cant. It complains that some other VPN is already running.
There's a somewhat complex way to use it together with another VPN app, with work profiles, see see https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-co...
But in case the VPN app supports running as a simple proxy, without using the VPN service, you can avoid work profiles and just have NetGuard connect to it.
Blokada (blokada.org) is another good alternative.