How to use a Firewall and a VPN at the same time on Android without root, without external self-hosted servers.

For this guide we'll be using Insular, RethinkDNS and Sing-box.

This is an updated version of the “How to use NetGuard + personalDNSFilter+ Any VPN, without root, without external self-hosted servers.” guide.

Unlike the previous version of this guide, this setup has:

  • No DNS leaks.
  • No UDP leaks.
  • Less battery usage.
  • Only open-source software.

Requirements

  • Android 5.0+
  • Anywhere between 446.03 MB, up to 2500MB of available storage.
  • (Optional, hopefully) A computer and a cable to connect your phone to the computer.

Why so much storage? Well, we'll be using 4 different applications and the Android work-profile to make this entire setup work. The Android work-profile occupies varying amounts of storage depending on the Android OS version.

This is what we're going to do:

  1. Install RethinkDNS in the Main Android Profile.
  2. Create an Android work-profile using Insular.
  3. Install Sing-box in the work-profile and configure it so that it can host a SOCKS5 proxy server.
  4. Configure RethinkDNS so it forwards all requests through the Sing-box SOCKS5 proxy server.
  5. Install a VPN app in the work-profile.
  6. Start the Sing-box SOCKS5 Proxy.
  7. Start RethinkDNS.
  8. Start the VPN.

This setup has been manually tested against DNS Leaks and UDP Leaks, and it's demonstrated safe-to-use.

Setup

Insular or Shelter?

The first step is setting up an Android Work Profile. Currently the only open-source options available are Insular (a fork of Islan) and Shelter. For this tutorial I'll be using Insular because in my experience Shelter doesn't work very well in Android 12 devices, but feel free to use Shelter anyway if you prefer so.

Android Work Profiles

Island, Insular and Shelter are apps which take advantage of Android's work-profile in order to create a "sandbox"; Using this sandbox, we can give privacy invasive apps their own "private data pools", aka, their own storage for:

  • SMS History
  • Call History
  • File Storage

Having a separate profile on android also allows you to have multiple versions of a single app running simultaneously without modifying the app's APK. In contrast to other "parallel apps" apps, this approach allows us to easily get security updates from the playstore, as the app doesn't have to be re-signed in the first place.

There's also the benefit of being able to hide an app from another app (For example, hiding Lucky Patcher from a game).

And lastly, but most importantly, a work profile allows us to have two VPNs at the same time.

Note that name of the open-source fork is "Insular", but in many places of the app the name still shows up as "Island". Do not be confused by this, the app you're using is Insular.

💡
TIP: Switching from Island to Insular
1. If you've setup the "Managed Mainland" feature, you must first rescind control of the mainland (Settings > Scoped settings > Mainland > Rescind).

2. Destroy the work-profile (Settings > Scoped settings > Island > Rescind)

3. Uninstall the Island app.

If you've already uninstalled Island and forgot to destroy the work-profile, you'll have to delete Island's leftover work-profile manually using ADB. Insular will not delete it for you.

Steps to setup Insular:

1) Download the app: https://f-droid.org/packages/com.oasisfeng.island.fdroid/

2) Launch the app and follow the setup instructions on-screen.

On most middle to high end Android devices released after 2016, Insular can be setup straightforward without hassle. But still on some devices, you may be notified during the setup with the error message “Sorry, your device (or ROM) is incompatible with Insular”, or other failures. In these cases, Insular could probably still work on your device if setup manually.
If you are prompted to encrypt your device during the setup, it means your device was not pre-encrypted out of box. If you don’t want device decryption (which may significantly degrade overall I/O performance on some low-end devices), it can be avoided with manual setup.

You will need a PC and a cable to connect your phone to your PC if you follow the manual setup guide.

While you're at it, you might also want to setup these cool (but not necessary for this guide) features:

💡
TIP: Freeze frequently woken apps.
Insular allows you to freeze any app in the work profile. Freezing an app blocks all its background behaviors. You can even create a launch shortcut for quick de-freezing and launching.

If you enable the "Managed mainland" feature, you can also freeze apps that are in the main profile. Link to setup guide.
💡
TIP: Give apps fake permissions.
Rikka's AppOps allows you to set some app's permissions to "ignored", which causes apps to believe they've been granted a permission, when in reality, if they try to use said permission they won't get any data. AppOps has work-profile support.

F-Droid Client

If you don't already have one, you should install an f-droid client. For this guide I'll be using Droid-ify (download here).

RethinkDNS

Steps to setup RethinkDNS:

  1. Install and open RethinkDNS.
  2. Setup the firewall (See: the "Apps" and "Firewall" sections in the app).
  3. Setup the DNS (See: the "DNS" section in the app). It's recommended that you use either DoT or ODoH.
  4. Setup the DNS blocklists (See: the "DNS" section in the app). To enable the "On-device blocklists" feature, tap on the text that says "Disabled" in the menu that pops up, and then tap on "Download Blocklists". If the download appears to be stuck, in the DNS menu enable the "Use in-app downloader" feature.
Screenshot of RethinkDNS, in the DNS settings menu with the option "Use in-app downloader" highlighted.
Screenshot of a RethinkDNS notification that says that the blocklists download was successful.

Sing-box

Sing-box is a fast, customizable and universal proxy platform that can be used to create network proxy servers, clients and transparent proxies. This app allows users to manage and use local and remote Sing-box profiles and provides platform specific feature implementations such as the TUN transparent proxy implementation through the Android VpnService.

We need to install Sing-box in the work-profile. The best way of doing this is to install an f-droid client in the work-profile, and then install Sing-box from said f-droid client. This ensures that we're always using an up-to-date version of Sing-box.

Here's how you can clone an app from your main-profile into your work-profile:

  1. Open Insular.
  2. Search for the app you want to clone.
  3. Tap on the three dots, and then on "Clone".
Screenshot of Insular with an app selected, highlighting the option "Clone" which is used to clone the selected app into the work-profile.

If you have Shizuku installed, you will be presented with an additional menu. There, you must select "Island":

Screenshot of a pop-up menu in Insular. The options are "via Shizuku", "via Play Store" and "Clone app to Island".

Then, in the main menu of Insular go to the Island tab, select your f-droid client from the list of apps, and then open it:

Screenshot of insular showing how to open the F-Droid client that's installed in the work-profile.

Then open the f-droid client, install "Sing-box" and open it.

In Sing-box we'll need to create a new "profile":

In this menu, select "Create Manually":

Screenshot of Sing-box, with the "Create Manually" option highlighted.

Give it the name "SOCKS5 Proxy for RethinkDNS". Leave "type" as "Local" and "Source" as "Create New".

Tap on the profile you've just created, and then on "Edit Content". In there, you must add this code:

{
    "outbounds":
    [
        {
            "type": "direct",
            "tag": "direct-out"
        }
    ],
    "inbounds":
    [
        {
            "type": "socks",
            "tag": "socks-in",
            "listen": "127.0.0.1",
            "listen_port": 5353,
            "users":
            [
                {
                    "username": "admin",
                    "password": "SECURE_PASSWORD_HERE"
                }
            ]
        }
    ]
}
‼️
WARNING: Insecure default password
Make sure you change the password in that text with one that's actually secure. Replace the text SECURE_PASSWORD_HERE.

RethinkDNS SOCKS5 Proxy setup

Go to RethinkDNS and then to the "Proxy" section. There you must enable the "Setup SOCKS5 Proxy" option, and a menu will pop-up. We'll set this up using the settings of the proxy profile we created in Sing-box.

For app, leave it as "None". Hostname is 127.0.0.1. Change the "Port Number" to 5353. Fill in your credentials (Use username "admin", and for the password use the same password you put in the Sing-box profile config).

Screenshot of RethinkDNS, setting up the SOCKS5 proxy. App = None. Port number = 5353. Username = admin. Password = your password here. "Block UDP Except DNS and NTP" checkbox = not checked.

Setup the real VPN

Once that's all been setup, all that is left is to install a VPN app in the work profile. You can use the same f-droid client you used for Sing-box to look for a good VPN. Both ProtonVPN and Mullvad VPN are available on f-droid.

Start everything

  1. Start the VPN
  2. Start Sing-box and hit play on the profile you've created ("SOCKS5 Proxy for RethinkDNS").
  3. Start RethinkDNS.

After starting the VPN, if you did everything right, you should see some traffic starting to pop up on your VPN app:

You can verify that the VPN is working by going to any of the following sites with the VPN activated:

If you wish to disconnect from the VPN without dropping any packets, do this, in this specific order:

  1. Disable "Setup SOCKS5 Proxy" in RethinkDNS.
  2. Stop your VPN app and the SOCKS5 proxy on "Sing-box".
  3. "Deactivate" the work profile:
    • If you have a notification from Insular, deactivate the work profile using the notification.
    • If you don't have the notification (see: Insular#69) use the quick-settings toggle:
Screenshot of the Android quick settings menu, with the "Work apps" toggle highlighted.

F.A.Q.

Where do I install apps?

To be able to use all features of RethinkDNS, you must install any new apps in the main-profile (like you've always done). Apps installed in the work-profile will completely bypass RethinkDNS and their requests won't be filtered, allowing them to load ads and upload analytics data.

If you really want to install apps in the work profile, you can do the following:

If the VPN you've installed in the work-profile supports split-tunneling, you can enable the Android setting "Block connections without VPN" for the VPN (not for Rethink) and then add only Sing-box to the allow-list of the VPN app's split-tunneling settings. This prevents system-apps in the work profile from accessing the internet (such as Google Chrome and the Google Playstore).

This will also allow apps to be installed in the work profile with their own personal-storage-space for SMS, call logs, contacts, and files, without granting them internet access. Do note though, unlike the apps installed in the main-profile, apps installed in the work-profile will never have their requests filtered by RethinkDNS.

If you want to test a dangerous (malware-ridden) app, do not use the work-profile. Instead, use VirusTotal, Twoyi (download here) and/or VirtualXPosed.



Having trouble?

For a one-time USD$10 donation you can get one-on-one troubleshooting support for any of my guides/projects. I'll help you fix any issue you may have encountered regarding usage/deployment of one of my guides. More info in my Github Sponsors profile.