How to use a Firewall and a VPN at the same time on Android without root, without external self-hosted servers (2025)

✅ You're reading the latest version of this guide.
It's often considered impossible to use both a firewall and a VPN at the same time on Android without root, mainly because you can normally only connect to a single VPN at a time, and firewall apps require this “VPN slot” in order to capture all device traffic.
But by taking advantage of the Android Work Profile, it's actually possible to connect to two VPNs at the same time, allowing use of a firewall app and an actual VPN app simultaneously.
Android Work Profiles
An Android work profile is an environment independent from the main Android profile, where much of the personal data has completely separate storage from the main one. Android work-profiles give apps their own storage for:
- SMS History
- Call History
- File Storage
In theory, this would allow you to run two instances of the same app simultaneously, each with its own independent storage, facilitating the separation of work-related accounts and accounts for personal use.
The greatest benefit of Android Work Profiles is that they enable the use of two VPNs simultaneously.
Technical overview: To route all network traffic correctly, we're going to install InviziblePRO-BETA in the main profile, set up a work-profile using Insular, connect InviziblePRO-BETA to a SOCKS5 proxy managed by Sing-Box from the work-profile, and then set up ProtonVPN to manage all work-profile connections.
Below is a simplified flowchart that visualizes the entire setup.

This guide has been tested on Lineage OS v19 (based on Android 12). The following security tests were run through this setup: testing for IP address leaks, DNS leaks and UDP leaks. No issues were detected in this configuration. Additionally, this setup only uses free and open source software.
Index
- Alternative solutions
- Requirements
- Setup
- Start everything
- Verifying everything works
- Hardening
- F.A.Q.
Alternative solutions
Before arriving at this configuration, many alternative solutions were considered.
Proposal #1: Instead of using a VPN app, just install any firewall app and connect to an external SOCKS5 proxy server. This would have the benefit of masking the source IP when interacting with the internet, and also not having to use so many apps simultaneously. Encrypted DNS resolutions could be achieved by using the android built-in "Private DNS" feature, which uses DoH.
Problem 1-A: The SOCKS5 protocol is not encrypted. All content is sent as-is from the SOCKS5 client to the SOCKS5 server. This would mean that network content such as insecure HTTP and DoH resolver addresses can still be intercepted by network intruders and ISPs.
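To make Problem 1-A concrete, here is an added example (not part of the original guide) that builds the client side of a SOCKS5 exchange as defined in RFC 1928 and then reads it back the way any on-path observer could. The capture is constructed, and `example.org`, `build_connect` and `observe` are illustrative names.

```python
import ipaddress
import struct

def build_connect(host, port):
    """Client side: SOCKS5 CONNECT request (RFC 1928) addressed by domain name."""
    name = host.encode("ascii")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain), length-prefixed name, port
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)

def observe(stream):
    """What anyone on the path can read from the client-to-proxy bytes.

    Returns (destination host, destination port, application payload).
    """
    if len(stream) < 2 or stream[0] != 5:
        raise ValueError("not a SOCKS5 client stream")
    pos = 2 + stream[1]                      # skip greeting: VER, NMETHODS, METHODS
    ver, cmd, _rsv, atyp = stream[pos:pos + 4]
    if ver != 5 or cmd != 1:
        raise ValueError("expected a SOCKS5 CONNECT request")
    pos += 4
    if atyp == 3:                            # domain name, one length byte first
        end = pos + 1 + stream[pos]
        host = stream[pos + 1:end].decode("ascii")
    elif atyp in (1, 4):                     # raw IPv4 (4 bytes) or IPv6 (16 bytes)
        end = pos + (4 if atyp == 1 else 16)
        host = str(ipaddress.ip_address(stream[pos:end]))
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", stream[end:end + 2])
    return host, port, stream[end + 2:]

# Constructed capture: greeting offering "no authentication", the CONNECT
# request, then the first bytes the app sends through the tunnel.
GREETING = bytes([5, 1, 0])
HTTP_REQUEST = b"GET /login?user=alice HTTP/1.1\r\nHost: example.org\r\n\r\n"
CAPTURE = GREETING + build_connect("example.org", 80) + HTTP_REQUEST

if __name__ == "__main__":
    host, port, payload = observe(CAPTURE)
    print(f"destination: {host}:{port}")
    print(f"payload:     {payload!r}")
```

The same destination field is where a DoH resolver's address would appear, even though the DoH traffic inside the tunnel is itself encrypted.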
Problem 1-B: VPN providers offer just that, VPNs. To get a SOCKS5 proxy server that you can trust you'd need to set it up yourself, which would cause you to have recurring monthly costs, but only a portion of the benefits of a full-fledged VPN.
Proposal #2: Don't use a dedicated firewall app. Instead just use a regular VPN app, enable Settings → Network and Internet → VPN → Your-VPN-Here → Block connections without VPN, and then enable split-tunneling on your VPN app. This would allow selective blocking of internet access to any Android app, while also maintaining all of the benefits of a full VPN.
Problem 2-A: No network-specific filtering. When using the split-tunneling configuration, either you allow full network access, or you block it completely. There is no fine-grained control. With a dedicated firewall app you could control LAN access, mobile data access, and WiFi access separately. This fine-grained control allows you to restrict LAN access while still allowing WiFi access, preventing attackers (like eBay or BeEF) from scanning your local WiFi.
Problem 2-B: DNS filtering. When using a VPN app you can not import DNS block-lists locally. Instead you must rely on DNS filtering done at the server-level, like how a PiHole operates. This has the disadvantage of forcing you to self-host an internet-facing server in order to have DNS filtering on your device, possibly incurring recurring monthly costs.
The setup described in this blogpost does not have any of the problems described above. Previous versions of this guide had UDP leaks, DNS leaks, proprietary software, and didn't allow LAN access with secure settings. In this version of the guide we have thwarted all of those problems, allowing for the best possible privacy-protecting rootless network setup.
Requirements
- Android 5.0+
- Anywhere between 446.03 MB and 2500 MB of available storage.
- (Optional, hopefully) A computer and a cable to connect your phone to the computer.
The reason so much storage space is required is because this setup needs 4 different applications and the Android work-profile. The Android work-profile occupies varying amounts of storage depending on the Android OS version.
Setup
Getting an F-Droid Client
If you don't already have one, you should install an f-droid client. This guide uses the Droid-ify client (download here).
Insular or Shelter?
The first step is setting up an Android Work Profile. Currently the only open-source options available are Insular (a fork of "Island") and Shelter. Insular is preferred on Android 12 (or newer) devices.
Note that the name of the open-source fork is "Insular", but in many places of the app the name still shows up as "Island". Do not be confused by this; the app you're using is Insular.
If you were a user of "Island", you can switch to Insular by following these steps.
1. If you've setup the "Managed Mainland" feature, you must first rescind control of the mainland (Settings → Scoped settings → Mainland → Rescind). If you did not setup the "Managed Mainland" feature, skip to step 2.
2. Destroy the work-profile (Settings → Scoped settings → Island → Rescind)
3. Uninstall the Island app.
If you've already uninstalled Island but forgot to destroy the work-profile, you'll have to delete Island's leftover work-profile manually using ADB. Insular will not delete it for you.
In order to setup Insular you must first download the app and then follow the steps shown in-app.
Note from the Insular documentation:
On most middle to high end Android devices released after 2016, Insular can be setup straightforward without hassle. But still on some devices, you may be notified during the setup with the error message “Sorry, your device (or ROM) is incompatible with Insular”, or other failures. In these cases, Insular could probably still work on your device if setup manually.
If you are prompted to encrypt your device during the setup, it means your device was not pre-encrypted out of box. If you don’t want device decryption (which may significantly degrade overall I/O performance on some low-end devices), it can be avoided with manual setup.
You will need a PC and a cable to connect your phone to your PC if you follow the manual setup guide.
Optional Features
These are some optional features you might be interested in. Although they're not necessary for this guide, they are very useful for boosting personal privacy.
Insular allows you to freeze any app in the work profile. Freezing an app blocks all its background behaviors. You can even create a launch shortcut for quick de-freezing and launching.
If you enable the "Managed mainland" feature, you can also freeze apps that are in the main profile. Link to setup guide.
Rikka's AppOps allows you to set some app's permissions to "ignored", which causes apps to believe they've been granted a permission, when in reality, if they try to use said permission they won't get any data. AppOps has work-profile support.
Setup InviziblePRO BETA
First make sure you have enabled the Izzy-on-Droid f-droid repo in Droid-ify. To do that simply open the app, tap the three dots icon on the top-right corner, then tap on "Repositories". There you can enable the Izzy-on-Droid repository. You can then download the InviziblePRO BETA app from this link: https://apt.izzysoft.de/fdroid/index/apk/pan.alexander.tordnscrypt, or by looking up "InviZible Pro BETA" in Droid-ify.
Once you've installed Invizible you must open the app, accept the EULA, and then disable "Hide IP with TOR". Using device-wide TOR is likely to cause many problems with services blocking TOR traffic.

Next we'll prevent DNS leaks from happening by enabling the setting at Sidebar → Fast Settings → Prevent DNS leaks. We'll also disable the "Route All traffic through Tor" setting.
Now come the DNSCrypt settings. We must verify that DNSCrypt queries are being sent through the SOCKS5 Proxy by going to Sidebar → DNSCrypt Settings and verifying that "Outbound proxy" is enabled, with a Proxy port of "5353". Also make sure to disable Sidebar → DNSCrypt Settings → Force TCP. This will increase the performance of DNSCrypt.

Setup Sing-Box
Sing-box is a fast, customizable and universal proxy platform that can be used to create network proxy servers, clients and transparent proxies. This app allows users to manage and use local and remote Sing-box profiles and provides platform specific feature implementations such as the TUN transparent proxy implementation through the Android VPN Service.
Sing-box needs to be installed in the work-profile. The best way of doing this is to install an f-droid client in the work-profile, and then install Sing-box from said f-droid client. This ensures that you're always using an up-to-date version of Sing-box.
We'll install the same F-Droid client app in both profiles. Here's how you can clone an app from your main-profile into your work-profile:
- Open Insular.
- Search for the app you want to clone.
- Tap on the three dots, and then on "Clone".

If you have Shizuku installed, you will be presented with an additional menu. There, you must select "Island":

Then, in the main menu of Insular go to the Island tab, select your f-droid client from the list of apps, and then open it:

Then open the f-droid client, install "Sing-box" and open it.
In Sing-box you'll need to create a new "profile":

In this menu, select "Create Manually":

Give it the name "SOCKS5 Proxy for InviziblePRO". Leave "type" as "Local" and "Source" as "Create New", then press Create.

Now tap on the profile you've just created, and then on "Edit Content". In there, you must add this text:
{
  "outbounds":
  [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ],
  "inbounds":
  [
    {
      "type": "socks",
      "tag": "socks-in",
      "listen": "127.0.0.1",
      "listen_port": 5353
    }
  ]
}
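A small offline check for the profile above, added here as an example and not part of the original guide or of Sing-box. It confirms that the SOCKS inbound, which has no authentication configured, is bound to a loopback address rather than one reachable from the local network, and that its port matches the 5353 entered in InviziblePRO; `lint_profile` and `GUIDE_PROFILE` are hypothetical names.

```python
import ipaddress
import json

# The profile text from this guide, embedded so the check runs offline.
GUIDE_PROFILE = """
{
  "outbounds": [{"type": "direct", "tag": "direct-out"}],
  "inbounds": [{"type": "socks", "tag": "socks-in",
                "listen": "127.0.0.1", "listen_port": 5353}]
}
"""

def lint_profile(text, expected_port=5353):
    """Return a list of problems found in a Sing-box profile (empty list = OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"profile is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["profile must be a JSON object"]
    problems = []
    socks = [i for i in cfg.get("inbounds", []) if i.get("type") == "socks"]
    if not socks:
        problems.append("no inbound of type 'socks'")
    for inbound in socks:
        tag = inbound.get("tag", "<untagged>")
        listen = inbound.get("listen", "")
        try:
            loopback = ipaddress.ip_address(listen).is_loopback
        except ValueError:
            loopback = False  # missing, empty or not an IP literal
        if not loopback:
            problems.append(f"{tag}: listen={listen!r} is not a loopback address")
        port = inbound.get("listen_port")
        if port != expected_port:
            problems.append(
                f"{tag}: listen_port={port!r} does not match InviziblePRO's {expected_port}")
    if not any(o.get("type") == "direct" for o in cfg.get("outbounds", [])):
        problems.append("no 'direct' outbound")
    return problems

if __name__ == "__main__":
    for line in lint_profile(GUIDE_PROFILE) or ["profile OK"]:
        print(line)
```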
InviziblePRO BETA SOCKS5 Proxy Setup
Now we'll setup the connection between InviziblePRO BETA and Sing-Box. First you must make sure that the Sing-Box socks5 proxy is activated. To do this simply go to the dashboard section of Sing-Box, and press the play button.

Now open Invizible and go to Sidebar → Common Settings → Use socks5 proxy. There, leave “Proxy server” as “127.0.0.1” and set “Proxy port” to 5353. Also make sure to enable all of these settings in that screen:
- Use proxy for apps that bypass Tor.
- Use proxy for DNSCrypt.
- Use proxy for Tor.
- Use proxy for Purple I2P.
It should look like this.

One last thing we must do in this screen is exclude both Sing-Box and the VPN app we installed. Press the “Exclude applications” button, and enable exclusion for Sing-box and for your VPN app. If they're not on the list, then clone Sing-box and your VPN app into the main profile, the same way we cloned the f-droid client into the work profile.

Setup the real VPN
Once that's all been setup, all that is left is to install a VPN app in the work profile. You can use the same f-droid client you used for Sing-box to look for a good VPN. Both ProtonVPN and Mullvad VPN are available on f-droid.
Start everything
The final step of this guide is to start the apps you've configured in the following order:
- Start the VPN
- Start Sing-box and hit play on the profile you've created ("SOCKS5 Proxy for InviziblePRO").
- Start InviziblePRO.
After starting the VPN, if you did everything right, you should see some traffic starting to pop up on your VPN app:

You should also see some traffic flowing through the SOCKS5 Proxy. If no traffic is going through the SOCKS5 Proxy, you may have setup something wrong, or you may need to restart your device.

Verifying everything works
You can verify that the VPN is working by going to any of the following sites with the VPN activated:
If you wish to disconnect from the VPN without dropping any packets, do this, in this specific order:
- Disable "Setup SOCKS5 Proxy" in RethinkDNS.
- Stop your VPN app and the SOCKS5 proxy on "Sing-box".
- "Deactivate" the work profile:
  - If you have a notification from Insular, deactivate the work profile using the notification.
  - If you don't have the notification (see: Insular#69) use the quick-settings toggle:

Hardening
The very last step in this guide is to harden the setup to prevent network leaks outside the firewall and VPN.
In the Android settings, go to VPN configuration and enable these settings for InviziblePRO and for the VPN you installed.
- Block network connections without VPN.
- Always on VPN.



It's also recommended to go through the list of system apps in the work profile and disable any unwanted apps.
F.A.Q.
Where do I install apps?
All new apps must be installed in the main-profile (like you've always done). Apps installed in the work-profile will completely bypass InviziblePRO and their requests won't be filtered, allowing them to load ads and upload analytics data.
If you want to isolate a privacy invasive app, do not use the work profile; instead, try Twoyi (download here) or VirtualXPosed. For testing potentially dangerous apps (apps that may contain malware) you may use VirusTotal, or the Android-Studio Android-Emulator.
How do I block an app's internet access?
Open Invizible and go to Sidebar → Firewall.

How do I setup DNS filtering?
Open Invizible and go to Sidebar → DNSCrypt Settings → Blacklist.

How do I update Sing-Box and the VPN app?
Open Insular, and then open Droid-ify. Simply press the update button at the top to update all repositories, and then go to the “Updates” section.

How do I exclude an app from the VPN?
To exclude an app from the VPN (but keep the Firewall rules and DNS filters active) go to Sidebar → Common Settings → Use socks5 proxy → Exclude Applications and exclude the app you want from there.
Having trouble?
For a one-time USD$10 donation you can get one-on-one troubleshooting support for any of my guides/projects. I'll help you fix any issue you may have encountered regarding usage/deployment of one of my guides. More info in my Github Sponsors profile.