<![CDATA[ItsIgnacioPortal's Blog]]>
https://itsignacioportal.github.io/
Ghost 4.48
Mon, 02 Sep 2024 23:52:13 GMT

<![CDATA[Transparent compression on Android]]>
]]>
https://itsignacioportal.github.io/transparent-compression-on-android/
Sat, 29 Jun 2024 03:21:08 GMT

Similarly to CompactGUI, transparent compression seems to be theoretically possible on Android.

These are the steps:

  1. Modify your Android kernel to add full NTFS support via the NTFS-3G project. This has already been done:
    - https://www.xda-developers.com/full-ntfs-readwrite-support-for-android/
    - https://superuser.com/questions/257267/is-it-a-good-idea-to-use-compressed-ntfs-filesystem-on-an-external-harddisk
  2. Insert the SD-Card into Windows
  3. Create an NTFS partition
  4. Create a /data folder
  5. Use compact.exe to enable the transparent compression features
  6. Insert the SD-Card into the phone
  7. Mount the NTFS partition
  8. Move all of the app files into their respective /data folder in the NTFS partition
  9. Create symbolic links for the app files

Boom, transparent compression on Android.


Before doing this, though, try this:

  • General cleanup using SDMaid 2/SE
  • Scan your storage usage using DiskUsage and delete big files.
  • Delete unused files from the Downloads folder.
  • Upload your files to the cloud, deleting the local copies and following the 3-2-1 backup rule.
  • Move apps to the SD-Card using Link2SD (also remember to modify the default-install location using `adb shell pm setInstallLocation 2`)
  • Buy a bigger SD-Card.
  • Buy a phone with a bigger internal storage.

Unless you have a need for keeping a gargantuan amount of apps installed all at the same time, there's no real use case for this lol.

]]>
<![CDATA[How to use a Firewall and a VPN at the same time on Android without root, without external self-hosted servers.]]>
https://itsignacioportal.github.io/firewall-and-vpn-without-root-on-android/
Thu, 09 May 2024 10:13:14 GMT

The apps necessary to do this are Insular, RethinkDNS and Sing-box.

This is an updated version of the “How to use NetGuard + personalDNSFilter+ Any VPN, without root, without external self-hosted servers.” guide.

Unlike the previous version of this guide, this setup has:

  • No DNS leaks.
  • No UDP leaks.
  • Less battery usage.
  • Only open-source software.

Requirements

  • Android 5.0+
  • Anywhere between 446.03 MB and 2500 MB of available storage.
  • (Optional, hopefully) A computer and a cable to connect your phone to the computer.

So much storage is needed because this setup requires four different applications plus the Android work-profile, which occupies varying amounts of storage depending on the Android OS version.

These are the core-steps of this guide:

  1. Install RethinkDNS in the Main Android Profile.
  2. Create an Android work-profile using Insular.
  3. Install Sing-box in the work-profile and configure it so that it can host a SOCKS5 proxy server.
  4. Configure RethinkDNS so it forwards all requests through the Sing-box SOCKS5 proxy server.
  5. Install a VPN app in the work-profile.
  6. Start the Sing-box SOCKS5 Proxy.
  7. Start RethinkDNS.
  8. Start the VPN.

This setup has been manually tested against DNS Leaks and UDP Leaks.

Setup

Insular or Shelter?

The first step is setting up an Android Work Profile. Currently the only open-source options available are Insular (a fork of "Island") and Shelter. Use of "Insular" is preferred on Android 12 devices.

Android Work Profiles

Island, Insular and Shelter are apps which take advantage of Android's work-profile in order to create a "sandbox". This sandbox can give privacy-invasive apps their own "private data pools", aka their own storage for:

  • SMS History
  • Call History
  • File Storage

Having a separate profile on android also allows you to have multiple versions of a single app running simultaneously without modifying the app's APK. In contrast to other "parallel apps" apps, this approach allows us to easily get security updates from the playstore, as the app doesn't have to be modified and re-signed before installing it.

Another benefit of Android Work Profiles is being able to hide one app from another app (for example, hiding Lucky Patcher from a game).

The greatest benefit of android Work Profiles is that they facilitate the use of two VPNs simultaneously.

Note that the name of the open-source fork is "Insular", but in many places of the app the name still shows up as "Island". Do not be confused by this: the app you're using is Insular.

💡
TIP: Switching from Island to Insular
1. If you've setup the "Managed Mainland" feature, you must first rescind control of the mainland (Settings > Scoped settings > Mainland > Rescind).

2. Destroy the work-profile (Settings > Scoped settings > Island > Rescind)

3. Uninstall the Island app.

If you've already uninstalled Island and forgot to destroy the work-profile, you'll have to delete Island's leftover work-profile manually using ADB. Insular will not delete it for you.

Steps to setup Insular:

1) Download the app: https://f-droid.org/packages/com.oasisfeng.island.fdroid/

2) Launch the app and follow the setup instructions on-screen.

On most middle to high end Android devices released after 2016, Insular can be set up straightforwardly without hassle. Still, on some devices you may be notified during setup with the error message “Sorry, your device (or ROM) is incompatible with Insular”, or other failures. In these cases, Insular could probably still work on your device if set up manually.
If you are prompted to encrypt your device during setup, it means your device was not pre-encrypted out of the box. If you don't want device encryption (which may significantly degrade overall I/O performance on some low-end devices), it can be avoided with manual setup.

You will need a PC and a cable to connect your phone to your PC if you follow the manual setup guide.

Optional Features

These are some optional features you might be interested in. Although they're not necessary for this guide, they are very useful for boosting personal privacy.

💡
TIP: Freeze frequently woken apps.
Insular allows you to freeze any app in the work profile. Freezing an app blocks all its background behaviors. You can even create a launch shortcut for quick de-freezing and launching.

If you enable the "Managed mainland" feature, you can also freeze apps that are in the main profile. Link to setup guide.
💡
TIP: Give apps fake permissions.
Rikka's AppOps allows you to set an app's permissions to "ignored", which makes the app believe it has been granted a permission while, in reality, any attempt to use that permission returns no data. AppOps has work-profile support.

F-Droid Client

If you don't already have one, you should install an f-droid client. This guide uses the Droid-ify client (download here).

RethinkDNS

Steps to setup RethinkDNS:

  1. Install and open RethinkDNS.
  2. Setup the firewall (See: the "Apps" and "Firewall" sections in the app).
  3. Setup the DNS (See: the "DNS" section in the app). It's recommended that you use either DoT or ODoH.
  4. Setup the DNS blocklists (See: the "DNS" section in the app). To enable the "On-device blocklists" feature, tap on the text that says "Disabled" in the menu that pops up, and then tap on "Download Blocklists". If the download appears to be stuck, in the DNS menu enable the "Use in-app downloader" feature.
Screenshot of RethinkDNS, in the DNS settings menu with the option "Use in-app downloader" highlighted.
Screenshot of a RethinkDNS notification that says that the blocklists download was successful.

Sing-box

Sing-box is a fast, customizable and universal proxy platform that can be used to create network proxy servers, clients and transparent proxies. This app allows users to manage and use local and remote Sing-box profiles and provides platform specific feature implementations such as the TUN transparent proxy implementation through the Android VpnService.

Sing-box needs to be installed in the work-profile. The best way of doing this is to install an f-droid client in the work-profile, and then install Sing-box from said f-droid client. This ensures that you're always using an up-to-date version of Sing-box.

Here's how you can clone an app from your main-profile into your work-profile:

  1. Open Insular.
  2. Search for the app you want to clone.
  3. Tap on the three dots, and then on "Clone".
Screenshot of Insular with an app selected, highlighting the option "Clone" which is used to clone the selected app into the work-profile.

If you have Shizuku installed, you will be presented with an additional menu. There, you must select "Island":

Screenshot of a pop-up menu in Insular. The options are "via Shizuku", "via Play Store" and "Clone app to Island".

Then, in the main menu of Insular go to the Island tab, select your f-droid client from the list of apps, and then open it:

Screenshot of insular showing how to open the F-Droid client that's installed in the work-profile.

Then open the f-droid client, install "Sing-box" and open it.

In Sing-box you'll need to create a new "profile":

In this menu, select "Create Manually":

Screenshot of Sing-box, with the "Create Manually" option highlighted.

Give it the name "SOCKS5 Proxy for RethinkDNS". Leave "type" as "Local" and "Source" as "Create New".

Tap on the profile you've just created, and then on "Edit Content". In there, you must add this text:

{
    "outbounds":
    [
        {
            "type": "direct",
            "tag": "direct-out"
        }
    ],
    "inbounds":
    [
        {
            "type": "socks",
            "tag": "socks-in",
            "listen": "127.0.0.1",
            "listen_port": 5353,
            "users":
            [
                {
                    "username": "admin",
                    "password": "SECURE_PASSWORD_HERE"
                }
            ]
        }
    ]
}
‼️
WARNING: Insecure default password
Make sure you replace the password in that text with one that's actually secure, i.e. replace the text SECURE_PASSWORD_HERE.
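As an added example (not from the post or the sing-box project), this Python script writes that same profile with a password drawn from the OS CSPRNG and checks a pasted profile for the three things that matter here: the inbound listens on loopback only, it has at least one user, and no user still carries the placeholder or a short password. The 24-character minimum is an assumption of this script, not a sing-box requirement.

```python
"""Generate and sanity-check the sing-box profile used as the RethinkDNS SOCKS5 bridge.

Added example; not code from the post or from sing-box. It mirrors the
inbound/outbound layout shown above, fills the password from the OS CSPRNG,
and rejects profiles that keep the placeholder, use a short password, have
no users, or listen on anything other than loopback.
"""
import json
import secrets
import string

PLACEHOLDER = "SECURE_PASSWORD_HERE"   # placeholder text from the post
MIN_PASSWORD_LEN = 24                  # assumption: floor for a random password
LOOPBACK = {"127.0.0.1", "::1"}        # the proxy must never be reachable off-device


def generate_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG; letters and digits only so it
    pastes cleanly into the RethinkDNS password field."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_profile(password: str, username: str = "admin",
                  listen: str = "127.0.0.1", port: int = 5353) -> dict:
    """Return the profile as a dict, in the same layout the post shows."""
    return {
        "outbounds": [{"type": "direct", "tag": "direct-out"}],
        "inbounds": [{
            "type": "socks",
            "tag": "socks-in",
            "listen": listen,
            "listen_port": port,
            "users": [{"username": username, "password": password}],
        }],
    }


def check_profile(profile: dict) -> list:
    """Return a list of problems found in the socks inbounds; [] means it passes."""
    problems = []
    for inbound in profile.get("inbounds", []):
        if inbound.get("type") != "socks":
            continue
        tag = inbound.get("tag")
        if inbound.get("listen") not in LOOPBACK:
            problems.append(f"inbound {tag!r} listens on {inbound.get('listen')!r}, not loopback")
        users = inbound.get("users") or []
        if not users:
            problems.append(f"inbound {tag!r} has no users: the proxy would be unauthenticated")
        for user in users:
            name = user.get("username")
            pw = user.get("password", "")
            if pw == PLACEHOLDER:
                problems.append(f"user {name!r} still uses the placeholder password")
            elif len(pw) < MIN_PASSWORD_LEN:
                problems.append(f"user {name!r} password is shorter than {MIN_PASSWORD_LEN} chars")
    return problems


def profile_json(password: str) -> str:
    """Text to paste into sing-box's 'Edit Content' box."""
    return json.dumps(build_profile(password), indent=4)


if __name__ == "__main__":
    pw = generate_password()
    prof = build_profile(pw)
    assert not check_profile(prof)
    # The password is printed once; copy it into RethinkDNS, then clear the terminal.
    print(profile_json(pw))
```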

RethinkDNS SOCKS5 Proxy setup

Go to RethinkDNS and then to the "Proxy" section. There you must enable the "Setup SOCKS5 Proxy" option; a menu will appear.

For App, leave it as "None". Set the Hostname to "127.0.0.1". Change the Port Number to 5353. Lastly, fill in your credentials: In the username field, type "admin". In the password field, enter the same password you generated previously (the password where you replaced the text "SECURE_PASSWORD_HERE").

Screenshot of RethinkDNS, setting up the SOCKS5 proxy. App = None. Port number = 5353. Username = admin. Password = your password here. "Block UDP Except DNS and NTP" checkbox = not checked.

Setup the real VPN

Once that's all been setup, all that is left is to install a VPN app in the work profile. You can use the same f-droid client you used for Sing-box to look for a good VPN. Both ProtonVPN and Mullvad VPN are available on f-droid.

Start everything

The final step of this guide is to start the apps you've configured in the following order:

  1. Start the VPN
  2. Start Sing-box and hit play on the profile you've created ("SOCKS5 Proxy for RethinkDNS").
  3. Start RethinkDNS.

After starting the VPN, if you did everything right, you should see some traffic starting to pop up on your VPN app:

You can verify that the VPN is working by going to any of the following sites with the VPN activated:

If you wish to disconnect from the VPN without dropping any packets, do this, in this specific order:

  1. Disable "Setup SOCKS5 Proxy" in RethinkDNS.
  2. Stop your VPN app and the SOCKS5 proxy on "Sing-box".
  3. "Deactivate" the work profile:
    • If you have a notification from Insular, deactivate the work profile using the notification.
    • If you don't have the notification (see: Insular#69) use the quick-settings toggle:
Screenshot of the Android quick settings menu, with the "Work apps" toggle highlighted.

F.A.Q.

Where do I install apps?

To be able to use all features of RethinkDNS, you must install any new apps in the main-profile (like you've always done). Apps installed in the work-profile will completely bypass RethinkDNS and their requests won't be filtered, allowing them to load ads and upload analytics data.

If you really want to install apps in the work profile, you can do the following:

If the VPN you've installed in the work-profile supports split-tunneling, you can enable the Android setting "Block connections without VPN" for the VPN (not for Rethink) and then add only Sing-box to the allow-list of the VPN app's split-tunneling settings. This prevents system-apps in the work profile from accessing the internet (such as Google Chrome and the Google Playstore).

This will also allow apps to be installed in the work profile with their own personal-storage-space for SMS, call logs, contacts, and files, without granting them internet access. Do note though, unlike the apps installed in the main-profile, apps installed in the work-profile will never have their requests filtered by RethinkDNS.

If you want to test a dangerous (malware-ridden) app, do not use the work-profile. Instead, use VirusTotal, Twoyi (download here), VirtualXPosed, or an Android-Studio Android-Emulator.

]]>
<![CDATA[How to setup Etesync for Tasks.org in Windows]]>
https://itsignacioportal.github.io/how-to-setup-etesync-for-tasks-org-in-windows/
Thu, 09 Feb 2023 12:39:37 GMT

In this blog post I will explain how to set up etesync for local use (a server that will only be exposed to your trusted LAN).

If you wish to set up etesync so that it is exposed to the internet, an advanced guide which uses nginx in WSL and internal port-forwarding is available at https://github.com/tasks/tasks/issues/1256#issuecomment-1219065064. I disliked that setup guide because it was too complicated and resource intensive. The setup that I'll explain here uses 0% of CPU and 58.3MB of RAM when the server is idle, and up to 0.6% of CPU when it's working (I have an Intel Core i7-4702MQ CPU @ 2.20GHz). This setup is very lightweight.

Setup etesync for home usage

Installing git and python3

To start, you will need to install git and python. The easiest way of doing this is with chocolatey, so open powershell as administrator and run:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

After chocolatey has finished installing, close powershell and open it again as administrator. Run:

choco install git
choco install python3

Installing etesync

We will now setup the etesync server. To do this, open the Command Prompt (cmd) and run these commands:

cd %appdata%\..\Local
mkdir Etesync && cd Etesync
git clone https://github.com/ItsIgnacioPortal/etesync-server.git etebase
setx etesyncpath %appdata%\..\Local\Etesync\
mkdir etebase_storage && cd etebase_storage && mkdir static && mkdir media

Note that you're using my fork of the etesync-server repo. If it ever becomes outdated and you wish to get the latest version of the server, just take note of the changes I made in requirements-win.txt, then clone the main repo and apply the same changes to its requirements.txt.

Now in an administrator command prompt:

cd %etesyncpath%\etebase
pip install -r requirements-win.txt

Now open your favorite text editor and paste this:

[global]
secret_file = secret.txt
debug = false
;Set the paths where data will be stored at
static_root = C:\Users\User\AppData\Local\Etesync\etebase_storage\static
media_root = C:\Users\User\AppData\Local\Etesync\etebase_storage\media

;Advanced options, only uncomment if you know what you're doing:
;static_url = /static/
;media_url = /user-media/
;language_code = en-us
;time_zone = UTC
;redis_uri = redis://localhost:6379

[allowed_hosts]
allowed_host1 = your.local.domain.here.com

[database]
engine = django.db.backends.sqlite3
name = db.sqlite3

[database-options]
; Add engine-specific options here, such as postgresql parameter key words

;[ldap]
;server = <The URL to your LDAP server>
;search_base = <Your search base>
;filter = <Your LDAP filter query. '%%s' will be substituted for the username>
; In case a cache TTL of 1 hour is too short for you, set `cache_ttl` to the preferred
; amount of hours a cache entry should be viewed as valid:
;cache_ttl = 5
;bind_dn = <Your LDAP "user" to bind as. Must be a bind user>
; Either specify the password directly, or provide a password file
;bind_pw = <The password to authenticate as your bind user>
;bind_pw_file = /path/to/the/file.txt

Save it in C:\Users\User\AppData\Local\Etesync\etebase (replace your username there) as etebase-server.ini

Note that in that file you have to modify the value of "static_root" and "media_root" so it has your correct windows username. Also, here is where we select what domain we'll be using. No, you don't need to register any domains, we'll do all of this locally. But we must pick a domain name for HTTPS to work. So in that file replace "your.local.domain.here.com" with whichever domain name you want.

Now in the command prompt run:

python %etesyncpath%\etebase\manage.py migrate

We need to tell windows what our domain name is. Open a text editor as administrator and open "C:\Windows\System32\drivers\etc\hosts". Add these lines at the bottom of the file:

#etesync server
YOUR-PC-WIFI-IP-ADDRESS your.local.domain.here.com

Finally, run:

cd %etesyncpath%\etebase
uvicorn etebase_server.asgi:application --host your.local.domain.here.com --port 8001

And your server will be live! Though the setup isn't done yet. Press CTRL+C and run these commands to setup some files and create an administrator user (Note: when you type the password, it won't be visible. Be careful with how you type!)

python %etesyncpath%\etebase\manage.py collectstatic
python %etesyncpath%\etebase\manage.py createsuperuser

Now the setup for the server is done. We now have to setup the web interface. Download this file: https://pim.etesync.com/etesync-web.tgz and extract it in C:\Users\User\AppData\Local\Etesync\ so that index.html is at C:\Users\User\AppData\Local\Etesync\etesync-web\index.html using 7zip. You'll have to install 7zip if you don't already have it installed:

choco install 7zip

To have HTTPS you must follow this tutorial. It's fairly complicated, but it's needed to have a secure connection with our server. After you've generated your rootCA.crt you have to install it in your windows PC, and in your phone.

  • Double click your rootCA.crt
  • Install certificate...
  • Store location -> Local Machine
  • Next
  • Browse -> "Trusted Root Certification Authorities"
  • Then finish the setup

For android, the setting to install a custom certificate was in Settings -> Security & Location -> (Advanced) -> Encryption & credentials -> Install from SD card (You don't actually need an SD card to use this option).

Start the servers:

cd %etesyncpath%\etebase
python -m uvicorn etebase_server.asgi:application --port 8001 --host your.local.domain.here.com --ssl-keyfile="C:\Users\User\AppData\Local\Etesync\cert\server.key" --ssl-certfile="C:\Users\User\AppData\Local\Etesync\cert\server.crt"

In another terminal:

cd %etesyncpath%\etesync-web\
python -m http.server 8002 --bind your.local.domain.here.com

Setup groups and your user

Now to setup the etesync users go to https://your.local.domain.here.com:8001/admin in your browser. There you need to enter the admin credentials you setup earlier.

Now you will have to create a group. Go to Groups -> New

And now name your group Etesync users. Below you have to double click ALL of the options that start with "django_etebase" until they're all in the right side. When you're done click save.

Once that's done, click on Users->New on the left side-bar

Pick a username, then continue. Before continuing to fill the form, set the user's password by clicking on the tiny link on the left:

Set your password and hit continue. Fill in your user information, and then add yourself to the "Etesync users" group. Just double click on "Etesync users" in the Available groups menu, then click SAVE.

Next we'll create a firewall rule to allow your phone to be able to talk to your etesync server. Open a command prompt as administrator and run:

netsh advfirewall firewall add rule name="Etesync TCP" dir=in action=allow protocol=TCP localport=8001
netsh advfirewall firewall add rule name="Etesync UDP" dir=in action=allow protocol=UDP localport=8001

And that's all done on the PC side! Now for the android setup:

Setup tasks.org

To setup your domain in android, there's several ways. The options available are

Since personalDNSfilter doesn't need any external services, and it's open source, that's what I'll use here. Just go through the app setup, and when you're done go to Advanced settings -> Configure additional hosts and add your domain name according to the format explained there:

>your.local.domain.here.com PC-IP-ADDRESS

If you're a NetGuard user, you might have to enable Three dots -> Settings -> Network Options -> Subnet routing. If you would like to use NetGuard and personalDNSfilter at the same time, check my other blogpost: How to use NetGuard + personalDNSFilter+ Any VPN, without root, without external self-hosted servers.

Now go to the Tasks.org app -> Settings -> Add account -> EteSync and then write the username and password that you setup earlier in django. Enable "Show advanced settings" and set the URL to https://your.local.domain.here.com:8001

After that hit the save button and you're done! Etesync is up and running. You can access the web interface in your PC on http://your.local.domain.here.com:8002

Note that in that page you will also have to enable "Advanced settings" and set the URL to https://your.local.domain.here.com:8001

If you're a firefox user you might get stuck in "Deriving encryption". If that's the case, you have to disable enhanced tracking protection and whitelist your domain in uBlockOrigin. You might also have to clear the cookies and local storage if it gets stuck during sign-in. The easiest way to do that is by using Cookie Auto Delete:

Here's how the tasks menu looks in etesync as of writing this:

Note that Tasks.org won't immediately upload all of your lists to your etesync instance. Instead, a new section will appear in the sidebar with your etesync username. To get your tasks to etesync you will have to select them, and then move them to their corresponding collection in etesync:

You can use the script below on your PC to quickly start the etesync server and its web interface. Just save it as a .bat file and double click it to launch it. Press CTRL+C in both windows to stop the servers.

@echo off
rem Window 1: the etebase API server over HTTPS. The carets pass the && and & through to the new window.
rem The hostname must match the one in etebase-server.ini and the hosts file (your.local.domain.here.com).
start cmd /k cd /d %etesyncpath%\etebase ^&^& python -m uvicorn etebase_server.asgi:application --port 8001 --host your.local.domain.here.com --ssl-keyfile="C:\Users\User\AppData\Local\Etesync\cert\server.key" --ssl-certfile="C:\Users\User\AppData\Local\Etesync\cert\server.crt" ^& pause ^&^& exit

rem Window 2 (this one): the static web interface.
cd /d %etesyncpath%\etesync-web
python -m http.server 8002 --bind your.local.domain.here.com & pause && exit
]]>
<![CDATA[How to use NetGuard + personalDNSFilter+ Any VPN, without root, without external self-hosted servers.]]>
https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-combo/
Thu, 24 Mar 2022 06:59:16 GMT

Updated and improved guide: https://itsignacioportal.github.io/firewall-and-vpn-without-root-on-android/

Together with the people over at the personalDNSfilter Telegram group, we've discovered a way to run multiple "VPN"s at the same time by taking advantage of work profiles.

All of this started because I was trying to control Work-profile apps using the Netguard instance that I had on my main profile.

Screenshot. M66B saying that netguard has no work-profile support

After I read that comment from the NetGuard dev, I realized that the work profile has a separate VPN slot, so therefore it's possible for us to have an actual VPN and a SOCKS5 proxy server in the work profile, and then connect to this SOCKS5 proxy from the main profile using NetGuard. Below is a flowchart of how this whole thing is going to work:

A flowchart of how this whole setup works

Don't worry, the rest of this blog was written in a non-technical way, so it's easy to follow for non-technical people.

This has been tested on Android 9, on a Moto e6 plus. This blog assumes that you already know:

  • How to install an APK
  • How to use ADB

Requirements

  • Android 5.0+
  • 446.03 MB (446,030,000 bytes) of available storage
  • (Optional, hopefully) A computer and a cable to connect your phone to the computer.

Why so much storage?

Item                                                            Size
Work Profile: Island + ProtonVPN + SOCKS5 Proxy + System stuff  398.53 MB
NetGuard                                                         17.09 MB
personalDNSFilter                                                 5.67 MB
Island                                                           24.74 MB
TOTAL                                                           446.03 MB

Setup caveats

WARNING: UDP LEAKS

Netguard does not currently support sending UDP traffic over the SOCKS5 proxy. This causes protocols which use UDP (such as HTTP/2 and HTTP/3) to ignore the proxy and go over the clearnet, completely bypassing this setup. Until this issue is resolved, there are two possible solutions.

Solution #1: Replace Netguard and personalDNSfilter with "Rethink DNS + Firewall"

Unlike Netguard, RethinkDNS supports UDP tunneling through a SOCKS5 proxy. RethinkDNS doesn't have DNS leaks, and you can use the "Block connections without VPN" android setting with it. If you're a networking pro, you should be able to do that using this guide as a vague reference; but if you're not as technically inclined, read on:

Solution #2: Use mull with custom about:config settings

If you just want to use a browser, you can keep Netguard and personalDNSfilter. But you'll have to use Mull (a hardened fork of Firefox for Android) with "network.http.http2.enabled = false", and "network.http.http3.enable = false" in about:config. You must do this to avoid leaks with this setup because HTTP versions greater than v1.1 use UDP.

If instead you want to use the Tor browser, you don't need to change any settings, since Tor does not use, nor support UDP.


If you're 100% sure that the app(s) you'll use do not use UDP, you can continue with this specific setup. If you're not sure, then rest assured that at least Tor can be used safely with this setup, but allowing any other apps through the firewall risks revealing your identity to the web services you interact with.

Scroll down to the TL;DR to see other possible ways to use a Firewall and a VPN at the same time.


DNS Leaks if personalDNSfilter isn't initialized

DNS queries will leak through the clearnet if personalDNSfilter isn't initialized once traffic is being routed through Netguard. To prevent any possible leaks, make sure personalDNSfilter is initialized before enabling the SOCKS5 proxy in Netguard.

This issue has been brought up to the developer of Netguard, and he's been unable to determine the cause.

I'd like to thank "FLAGEL" for bringing these issues to my attention.

Battery usage

Because we're running multiple profiles and apps at the same time, this setup is fairly energy hungry. NetGuard and personalDNSfilter have a very small battery footprint, but the Android work profile is very resource intensive.

Unsupported devices

Some brands/devices do not fully support using a VPN in the work profile. To quote M66B (emphasis added):

NetGuard is supported in the primary profile only. It might or might not work in other profiles, but this scenario is not supported because it basically isn't supportable. I have wasted enough time on trying to support this in the past.

Something like "Shelter" is not standard Android and a manufacturer modification, which is the core problem because these modifications often do not take the Android VPN service into account too.

This setup might or might not work in your device, so make sure you test it before doing anything "risky". This guide is known not to work on some LG devices running Android 9. I've personally tested it in a Moto e6 plus with stock Android 9 and it works well.

There are many ways you can use a Firewall and a VPN at the same time (sorted from easiest to most complicated):

  • Use Adhell 3, the Samsung KNOX based content-blocker that doesn't require root and also allows you to use a VPN app at the same time.
  • Use AFWall+ (root required) instead of NetGuard. That way you can have a firewall and still use VPN apps "normally".
  • Install a VPN app and a SOCKS5 proxy server in the Android work profile, and then connect to this SOCKS5 proxy from the main profile using NetGuard.
  • Use a VPN provider that already offers a SOCKS5 proxy (like Mullvad), and then connect to this SOCKS5 proxy from NetGuard (Not recommended due to Netguard's UDP issues, and SOCKS5 not being encrypted)
  • Self-host a VPN-to-SOCKS5 server (Not recommended due to Netguard's UDP issues, and SOCKS5 not being encrypted)

Also see: https://android.stackexchange.com/questions/182341/how-to-use-a-firewall-and-a-vpn/247835#247835

I've only ever used the highlighted option, so that's what I'll describe here.

Pros:

  • It doesn't require root
  • You don't have to pay for a specific VPN (you can use Proton VPN)
  • You don't have to run/pay for any servers

Cons:

  • NetGuard leaks the UDP packets to the clearnet. An alternative solution is to use RethinkDNS instead of Netguard, or use only a browser that has HTTP/2 & HTTP/3 disabled through about:config, or use only the Tor Browser (because Tor doesn't use nor support UDP). Any other traffic will be leaked.
  • The work profile has to be enabled constantly for the VPN to stay running, and that uses a considerable amount of battery.
  • The Android work profile requires about 398.53MB of storage.
  • The VPN service doesn't fully work on some Android devices: It's known not to work in some LG devices running Android 9, but it does work in a Moto e6 Plus running Android 9.

Steps:

  1. Install personalDNSfilter
  2. Install Island or Shelter (preferably Shelter, because it's FOSS and has no trackers)
  3. Setup Island/Shelter
  4. Setup personalDNSfilter to your liking
  5. Install "Every Proxy" in the work profile
  6. Install a VPN app (such as Proton VPN) in the work profile
  7. Disable battery optimizations for all of the apps you just installed (personalDNSfilter, Every Proxy, Proton VPN, and Island/Shelter)
  8. Configure "Every Proxy" to run a SOCKS5 proxy on the 10.1.10.1 interface, and set a username and password (Warning: do not make the password 126 characters long, that causes a crash. I recommend making the password 40 characters long.)
  9. Make sure NetGuard is running
  10. Start the SOCKS5 proxy in "Every Proxy"
  11. Set personalDNSfilter in Netguard as "unmanaged" (untick the "apply rules and conditions" box)
  12. In Netguard set the DNS servers to any WAN servers (for example: 94.140.14.14, and 94.149.14.15) (nothing will be sent to these servers)
  13. Create TCP and UDP forwarding rules for 127.0.0.1:53 -> 127.0.0.1:5300 to personalDNSfilter in NetGuard. Note that this isn't possible if you downloaded NetGuard from the google playstore. You must download netguard from either Github or from F-Droid
  14. Configure Netguard to use a SOCKS5 proxy server (10.1.10.1:1088, and input the same username and password as you did in "Every Proxy")

Glossary

Work Profiles

Island and Shelter are apps that take advantage of Android's work profile to create a "sandbox". Inside it, privacy-invasive apps get their own private data pools, i.e. separate storage for:

  • SMS History
  • Call History
  • File Storage

Having a separate profile on Android also lets you run two copies of a single app simultaneously without modifying its APK. Unlike other "parallel apps" tools, this approach lets the clone keep receiving security updates from the Play Store, because the app never has to be re-signed.

There's also the benefit of being able to hide an app from another app (For example, hiding Lucky Patcher from a game).

And lastly, but most importantly, a work profile lets us run two VPNs at the same time, because each Android profile has its own VPN slot.

F-Droid

F-Droid is an app store and software repository for Android, serving a similar function to the Google Play store. The main repository, hosted by the project, contains only free and open source apps. Applications can be browsed, downloaded and installed from the F-Droid website or client app without the need to register for an account.

SOCKS5 Proxy

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

Network Port

In computer networking, a port is a communication endpoint. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. A port is identified for each transport protocol and address combination by a 16-bit unsigned number, known as the port number. The most common transport protocols that use port numbers are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

A port number is always associated with an IP address of a host and the type of transport protocol used for communication. It completes the destination or origination network address of a message. Specific port numbers are reserved to identify specific services so that an arriving packet can be easily forwarded to a running application. Port numbers lower than 1024 identify the historically most common services and are called the well-known ports; on Linux (and therefore Android) a process needs root or CAP_NET_BIND_SERVICE to listen on one of them, which is why an unrooted app like personalDNSfilter listens on a high port such as 5300 rather than on 53. Ports from 1024 upwards are available for general use by applications, and the upper part of that range is used for short-lived, client-side ("ephemeral") ports.

IP Address

An Internet Protocol address (IP address) is a numerical label such as 192.0.2.1 that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: network interface identification and location addressing.

Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s.

IP addresses are written and displayed in human-readable notations, such as 192.0.2.1 in IPv4, and 2001:db8:0:1234:0:567:8:1 in IPv6. The size of the routing prefix of the address is designated in CIDR notation by suffixing the address with the number of significant bits, e.g., 192.0.2.1/24, which is equivalent to the historically used subnet mask 255.255.255.0.

TL;DR: your phone can have several IP addresses at once, one per network interface (Wi-Fi, mobile data, and the VPN tunnel interface, which NetGuard puts at 10.1.10.1), and every listening port is bound to one of those addresses.

Setup

Island or Shelter?

We must install one of these two apps. Island contains Google trackers but has a bigger user base and therefore fewer bugs; Shelter is completely open source but has a smaller user base. For this tutorial I'll be using Island, since that's what I'm currently using, but feel free to use Shelter if you prefer.

1) Download the app: https://play.google.com/store/apps/details?id=com.oasisfeng.island&gl=US

2) Launch the app and follow the setup instructions given by Island.

On most middle to high end Android devices released after 2016, Island can be set up straightforwardly without hassle. Still, on some devices you may get an "incompatible with your device" message on the Google Play Store, be notified during the setup with the error message "Sorry, your device (or ROM) is incompatible with Island", or hit other failures. In these cases Island could probably still work on your device if set up manually.
If you are prompted to encrypt your device during the setup, it means your device was not pre-encrypted out of the box. If you don't want device encryption (which may significantly degrade overall I/O performance on some low-end devices), it can be avoided with the manual setup.

You will need a PC and a cable to connect your phone to your PC if you follow the manual setup guide.

While you're at it, you might also want to setup these cool (but not necessary for this guide) features:

💡 TIP: Freeze frequently woken apps.
Island allows you to freeze any app in the work profile. Freezing an app blocks all its background behaviors. You can even create a launch shortcut for quick de-freezing and launching.

If you enable the "Managed mainland" feature you can also freeze apps that are in the main profile. Link to setup guide.
💡 TIP: Give apps fake permissions.
AppOps allows you to set some app permissions to "ignored", which makes the app think it has the permission, but when it actually tries to use it, it gets no data. AppOps has work-profile support.

Netguard

Netguard is a FOSS app that allows us to control exactly which apps have access to the internet, and which don't. We can give an app WiFi access, mobile data access, or make it so that netguard doesn't control the app at all.

Installing the app

Here we have two options: installing from GitHub, or installing from F-Droid. We can't install NetGuard from the Play Store, because the Play Store release doesn't support port forwarding, and that feature is required for our trick to work.

I recommend installing NetGuard from F-Droid, since it's easier to update it from there. If you don't already have an F-Droid client, I recommend using AuroraDroid. Simply download the APK file, and install it. After opening the app and finishing the setup, search for "NetGuard" and install the first result.

I recommend spending some time fine-tweaking which apps you give internet access to. Most apps only ask for internet access to show you ads/collect analytics.

Why personalDNSfilter?

The NetGuard version from GitHub already supports hosts blacklists, so why not just use that? Well, NetGuard's hosts-file implementation has a number of drawbacks:

  • NetGuard ignores the IP addresses in the hosts file, because it does not route blocked domains to localhost.
  • Wildcards are not supported due to performance and battery usage reasons.
  • It is not possible to edit the hosts file (change/add/delete domain names) with NetGuard.

Also:

  • Host blocklists have to be updated manually.
  • You can't view exactly which domains have been blocked.
  • You can't create your own custom DNS resolutions: This is necessary if you're into self-hosting and you want HTTPS without a public domain.

personalDNSfilter overcomes all of these problems, and so for that reason I strongly recommend it.

Installing personalDNSfilter

This one's easy. You can either install it from F-Droid (using AuroraDroid) or from the Play Store; both builds are the same.

After installing the app, tap on "Advanced settings" and make them match this:

Screenshot of Advanced settings in personalDNSFilter. CNAME Cloaking protection: ON. DNS proxy mode without local VPN: ON. Allow only local DNS proxy requests: ON. Root mode without local VPN: OFF.

What we're doing here, is configuring pDNSf so it doesn't use a VPN slot, but instead opens a "DNS proxy" on port 5300.

Installing the SOCKS5 proxy

Now, you must launch the Google Playstore from within Island:

Screenshot of Launching the Google Playstore from within the Island app

Now search and install "Every Proxy". "Every Proxy" has no ads, and no trackers, hence, why I picked it. Make sure NetGuard is up and running on the main profile, and then launch the EveryProxy app, and hit the three dots on the top left corner, then "Settings". Scroll down to the bottom and make your settings match this:

Screenshot of configuration for the SOCKS5 proxy in Every Proxy. IP Address: 10.1.10.1. Port: 1088. Power save: Off. Auto Start at startup: Off. Enable basic authentication: On. Username: redacted. Password: redacted. More secure: On.

Of course, you must create a username and password. You don't really need to remember the password. Just copy it to your clipboard. (IMPORTANT: DO NOT make the password 126 characters long, else netguard will enter a crash loop that might crash your entire phone). Now go back to the main screen of the app, and start the SOCKS5 proxy. Make sure to disable battery optimizations for "Every Proxy", else Android might kill the app unexpectedly. If you don't know how to disable these optimizations, go to dontkillmyapp.com.

Screenshot of Every Proxy with SOCKS5 On.
"Every Proxy" with the SOCKS5 proxy activated

Configuring Netguard

Now you must go back to your main profile and open Netguard. Do NOT "Deactivate" the work profile.

Here's the tricky part. Go into NetGuard -> Three Dots (on the top right corner) -> Settings -> Advanced Options -> Port Forwarding

Once you're inside that menu, click the "+" icon on the top right corner. Make the details match the following screenshot:

Screenshot of NetGuard port-forwarding rule. Protocol: TCP. Source port: 53. Destination address: 127.0.0.1. Destination port: 5300. Destination app: personalDNSFilter.

Click OK. Now do the exact same thing again, but instead of selecting "TCP", select "UDP".

Basically, what we're doing is configuring NetGuard so that whenever an outbound DNS request leaves for port 53, it is redirected to localhost (127.0.0.1) on port 5300, where personalDNSfilter is listening. We use port 5300 because that is the port pDNSf's DNS-proxy mode listens on: binding port 53 itself would require root (it is a privileged port below 1024), and using pDNSf's own VPN mode would occupy the single VPN slot that NetGuard needs.

Now go back to the main screen of the app. Look for "personalDNSFilter" and untick the "Apply rules and conditions" checkbox:

screenshot of personalDNSfilter being excluded from control by netguard.

We do this to avoid an infinite DNS loop. Suppose Google Chrome wants to resolve example.com. The request goes through NetGuard, which forwards it to pDNSf on 127.0.0.1:5300. pDNSf answers from its cache or blocklist, or otherwise sends its own query to its configured upstream DNS servers. If pDNSf were still managed by NetGuard, that upstream query (destination port 53) would match the same forwarding rule and be handed back to pDNSf, which would query upstream again, and so on forever. Marking pDNSf as unmanaged lets its upstream queries leave the device untouched.
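Once the forwarding rule and the exclusion are in place, you will want to see with your own eyes what pDNSf actually answers. The following is an added example, not code from this post, personalDNSfilter or NetGuard: a small probe that builds a raw RFC 1035 DNS query, sends it over UDP and parses the reply (including compressed names), using only the Python standard library. It assumes you run it from a terminal app on the phone such as Termux; the address 127.0.0.1 and port 5300 are the ones from the post, and the domain names in the usage line are just examples.

```python
"""Raw DNS probe for checking what personalDNSfilter answers on 127.0.0.1:5300.

Added example, not code from the blog post, personalDNSfilter or NetGuard.
Assumes it is run from a terminal app on the phone (e.g. Termux) while pDNSf is
in "DNS proxy mode without local VPN"; 127.0.0.1 and 5300 come from the post.
Only the RFC 1035 wire format and the standard library are used.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a recursion-desired query (default qtype 1 = A) for `name`."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Parse header and answer section; returns rcode and (name, type, value, ttl) records."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4              # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
        else:
            answers.append((name, f"TYPE{rtype}", rdata.hex(), ttl))
    rcode = flags & 0x000F
    return {"rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def probe(name: str, server: str = "127.0.0.1", port: int = 5300, timeout: float = 3.0) -> dict:
    """Send one UDP query to server:port and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["example.com"]:  # domain names here are just examples
        print(target, probe(target))
```

Querying 127.0.0.1:5300 directly shows what pDNSf itself returns (loopback traffic never enters NetGuard's tunnel, so the forwarding rule is not involved). To check the rule itself, run the same probe from an app that NetGuard manages against a public resolver on port 53, e.g. probe("some-blocklisted-name", "94.140.14.14", 53): if the answer matches what 127.0.0.1:5300 gives for the same name, NetGuard intercepted the query and handed it to pDNSf; if it matches the public resolver's real answer, the rule is not being applied.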

Now we have to configure netguard to use the SOCKS5 proxy. Go to NetGuard -> Three Dots (on the top right corner) -> Settings -> Advanced Options and scroll down to the section about the SOCKS5 Proxies:

Netguard config screenshot. SOCKS5 address: 10.1.10.1. SOCKS5 port: 1088. Socks5 username: redacted. Socks5 password: redacted.

The "SOCKS5 username" and the "SOCKS5 password" must match the username and password that you configured on "Every Proxy".
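The glossary above describes SOCKS5 and its optional authentication, and this step has NetGuard authenticate to Every Proxy with a username and password. The following is an added example, not code from this post, NetGuard or Every Proxy: it plays out the byte-for-byte exchange of a SOCKS5 CONNECT with RFC 1929 username/password authentication between a client written to behave like NetGuard's side and a toy server standing in for Every Proxy, over an in-process socket pair so that it runs offline. The credentials, the target example.com:443 and the 0.0.0.0:0 bound address the toy server reports are made up for the demo.

```python
"""SOCKS5 CONNECT with username/password auth (RFC 1928 + RFC 1929), both sides.
Added example, not code from the blog post, NetGuard or Every Proxy. The client
models what NetGuard does towards 10.1.10.1:1088; the server is a toy stand-in
for Every Proxy that checks credentials and acknowledges CONNECT without dialling out."""
import hmac
import socket
import struct
import threading

SOCKS_VERSION, CMD_CONNECT = 5, 0x01
AUTH_USERPASS, AUTH_NO_ACCEPTABLE = 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def _recv_exact(sock, n):
    """SOCKS fields are fixed-size or length-prefixed, so always read exactly n bytes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def _recv_lenprefixed(sock):
    return _recv_exact(sock, _recv_exact(sock, 1)[0])


def _read_addr(sock, atyp):
    """Read a BND/DST address of the given ATYP (RFC 1928 section 5)."""
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, _recv_exact(sock, 4))
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, _recv_exact(sock, 16))
    if atyp == ATYP_DOMAIN:
        return _recv_lenprefixed(sock).decode("idna")
    raise ValueError(f"unknown ATYP {atyp:#x}")


def socks5_connect(sock, username, password, host, port):
    """Client side. Returns the (address, port) the proxy reports as bound."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        # ULEN/PLEN are single bytes; the 126-character crash the post reports is an app bug, not this limit
        raise ValueError("username and password must be 1..255 bytes")
    sock.sendall(bytes([SOCKS_VERSION, 1, AUTH_USERPASS]))  # greeting: offer only user/pass
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != AUTH_USERPASS:
        raise ConnectionError(f"proxy refused user/pass auth (method {method:#x})")
    sock.sendall(bytes([1, len(u)]) + u + bytes([len(p)]) + p)  # RFC 1929 sub-negotiation
    aver, status = _recv_exact(sock, 2)
    if aver != 1 or status != 0:
        raise PermissionError("authentication rejected")
    h = host.encode("idna")  # CONNECT with ATYP=DOMAIN: the proxy resolves the name, not the client
    sock.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(h)]) + h
                 + struct.pack("!H", port))
    _ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    bnd = _read_addr(sock, atyp)
    bnd_port = struct.unpack("!H", _recv_exact(sock, 2))[0]
    if rep != REP_SUCCESS:
        raise ConnectionError(f"CONNECT failed, REP={rep:#x}")
    return bnd, bnd_port


def toy_socks5_server(sock, users):
    """Server side. Requires user/pass; returns the requested (host, port), or None if rejected."""
    ver, nmethods = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or AUTH_USERPASS not in _recv_exact(sock, nmethods):
        sock.sendall(bytes([SOCKS_VERSION, AUTH_NO_ACCEPTABLE]))  # no anonymous access
        return None
    sock.sendall(bytes([SOCKS_VERSION, AUTH_USERPASS]))
    _recv_exact(sock, 1)  # RFC 1929 sub-negotiation version byte (always 1)
    uname = _recv_lenprefixed(sock).decode()
    passwd = _recv_lenprefixed(sock)
    expected = users.get(uname, "").encode()
    if uname not in users or not hmac.compare_digest(expected, passwd):
        sock.sendall(bytes([1, 0x01]))  # any non-zero status means failure; client must close
        return None
    sock.sendall(bytes([1, 0x00]))
    _ver, cmd, _rsv, atyp = _recv_exact(sock, 4)
    target = _read_addr(sock, atyp)
    tport = struct.unpack("!H", _recv_exact(sock, 2))[0]
    rep = REP_SUCCESS if cmd == CMD_CONNECT else REP_CMD_NOT_SUPPORTED
    sock.sendall(bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + socket.inet_aton("0.0.0.0")
                 + struct.pack("!H", 0))  # BND.ADDR/BND.PORT: nothing is really bound here
    return (target, tport) if rep == REP_SUCCESS else None


def run_exchange(username, password, users, host="example.com", port=443):
    """Drive client and server over an in-process socket pair (no network needed)."""
    client, server = socket.socketpair()
    result = {}
    worker = threading.Thread(target=lambda: result.update(server=toy_socks5_server(server, users)))
    worker.start()
    try:
        result["client"] = socks5_connect(client, username, password, host, port)
    except (PermissionError, ConnectionError) as exc:
        result["client"] = exc
    finally:
        client.close()
        worker.join()
        server.close()
    return result
```

run_exchange("netguard", "s3cret-demo", {"netguard": "s3cret-demo"}) returns the bound address from the client's point of view and the requested target from the server's; with a wrong password the server answers RFC 1929 status 1 and the client raises PermissionError. Note that the toy server refuses any client that does not offer method 0x02, which is what "Enable basic authentication" in Every Proxy buys you: without it, anything on the phone that can reach the 10.1.10.1:1088 listener could push its traffic through the work-profile VPN.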

Lastly, we have to configure the VPN DNS. Go to "Settings" -> "Advanced Options" and scroll down. Set both "VPN DNS" settings to any WAN external server (Avoid "localhost", "127.0.0.1", "10.1.10.1", "192.168.0.1", and such. Copy me if you're not sure on what server to use). It doesn't matter what servers you pick here, your DNS requests won't be sent to these servers. The DNS requests will be redirected to pDNSf thanks to the forwarding rule we setup earlier.

Why not just put "127.0.0.1" as the VPN DNS, you ask? Put simply, NetGuard has DNS leaks that can only be avoided with this hacky method. Without the workaround, DNS queries would escape the VPN and expose who our ISP is, and nobody wants that!

If you want more information about how this whole setup works, click here.

Installing the actual VPN

Finally! Just like you installed "Every Proxy" on the work profile, now do the same but instead look for the VPN that you want. In my case, I'll be using ProtonVPN.

After starting the VPN, if you did everything right, you should see some traffic starting to pop up on your VPN app:

Screenshot of ProtonVPN with traffic coming through.

You can verify that the VPN is working by going to any of the following sites with the VPN activated:

Just make sure that your browser is controlled by NetGuard, else it will just bypass the entire system.

If you wish to disconnect from the VPN without dropping any packets, do this, in this specific order:

  • Disable "Use SOCKS5 proxy" in NetGuard.
  • Stop your VPN app and the SOCKS5 proxy on "Every Proxy" (the order of these two steps doesn't matter, hence why they're combined in a single bullet point).
  • "Deactivate" the work profile using the notification from Island.