If you wish to setup etesync for it to be exposed to the internet, an advanced guide which uses nginx in WSL and internal port-forwarding is available at https://github.com/tasks/tasks/issues/1256#issuecomment-1219065064. I disliked that setup guide because it was too complicated and resource intensive. The setup that I'll explain here uses 0% of CPU and 58.3MB of RAM when the server is idle, and up to 0.6% of CPU when it's working (I have a Intel Core i7-4702MQ CPU @ 2.20GHz). This setup is very lightweight.

Setup etesync for home usage

Installing git and python3

To start, you will need to install git and python. The easiest way of doing this is with chocolatey, so open powershell as administrator and run:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

After chocolatey has finished installing, close powershell and open it again as administrator. Run:

choco install git
choco install python3

Installing etesync

We will now setup the etesync server. To do this, open the Command Prompt (cmd) and run these commands:

cd %appdata%\..\Local
mkdir Etesync && cd Etesync
git clone https://github.com/ItsIgnacioPortal/etesync-server.git etebase
setx etesyncpath %appdata%\..\Local\Etesync\
mkdir etebase_storage && cd etebase_storage && mkdir static && mkdir media

Note that you're using my fork of the etesync-server repo. If it ever becomes outdated and you wish to get the latest version of the server, just take note of the changes I did in requierements-win.txt, then clone the main repo, and apply the changes to the requierements.txt

Now in an administrator command prompt:

cd %etesyncpath%\etebase
pip install -r requirements-win.txt

Now open your favorite text editor and paste this:

[global]
secret_file = secret.txt
debug = false
;Set the paths where data will be stored at
static_root = C:\Users\User\AppData\Local\Etesync\etebase_storage\static
media_root = C:\Users\User\AppData\Local\Etesync\etebase_storage\media

;Advanced options, only uncomment if you know what you're doing:
;static_url = /static/
;media_url = /user-media/
;language_code = en-us
;time_zone = UTC
;redis_uri = redis://localhost:6379

[allowed_hosts]
allowed_host1 = your.local.domain.here.com

[database]
engine = django.db.backends.sqlite3
name = db.sqlite3

[database-options]
; Add engine-specific options here, such as postgresql parameter key words

;[ldap]
;server = <The URL to your LDAP server>
;search_base = <Your search base>
;filter = <Your LDAP filter query. '%%s' will be substituted for the username>
; In case a cache TTL of 1 hour is too short for you, set `cache_ttl` to the preferred
; amount of hours a cache entry should be viewed as valid:
;cache_ttl = 5
;bind_dn = <Your LDAP "user" to bind as. Must be a bind user>
; Either specify the password directly, or provide a password file
;bind_pw = <The password to authenticate as your bind user>
;bind_pw_file = /path/to/the/file.txt

Save it in C:\Users\User\AppData\Local\Etesync\etebase (replace your username there) as etebase-server.ini

Note that in that file you have to modify the value of "static_root" and "media_root" so it has your correct windows username. Also, here is where we select what domain we'll be using. No, you don't need to register any domains, we'll do all of this locally. But we must pick a domain name for HTTPS to work. So in that file replace "your.local.domain.here.com" with whichever domain name you want.

Now in the command prompt run:

python %etesyncpath%\etebase\manage.py migrate

We need to tell windows what our domain name is. Open a text editor as administrator and open "C:\Windows\System32\drivers\etc\hosts". Add these lines at the bottom of the file:

#etesync server
YOUR-PC-WIFI-IP-ADDRESS your.local.domain.here.com

Finally, run:

cd %etesyncpath%\etebase
uvicorn etebase_server.asgi:application --host your.local.domain.here.com --port 8001

And your server will be live! Though the setup isn't done yet. Press CTRL+C and run these commands to setup some files and create an administrator user (Note: when you type the password, it won't be visible. Be careful with how you type!)

python %etesyncpath%\etebase\manage.py collectstatic
python %etesyncpath%\etebase\manage.py createsuperuser

Now the setup for the server is done. We now have to setup the web interface. Download this file: https://pim.etesync.com/etesync-web.tgz and extract it in C:\Users\User\AppData\Local\Etesync\ so that index.html is at C:\Users\User\AppData\Local\Etesync\etesync-web\index.html using 7zip. You'll have to install 7zip if you don't already have it installed:

choco install 7zip

To have HTTPS you must follow this tutorial. It's fairly complicated, but it's needed to have a secure connection with our server. After you've generated your rootCA.crt you have to install it in your windows PC, and in your phone.

• Double click your rootCA.crt
• Install certificate...
• Store location -> Local Machine
• Next
• Browse -> "Trusted Root Certification Authorities"
• Then finish the setup

For android, the setting to install a custom certificate was in Settings -> Security & Location -> (Advanced) -> Encryption & credentials -> Install from SD card (You don't actually need an SD card to use this option).

Start the servers:

cd %etesyncpath%\etebase
python -m uvicorn etebase_server.asgi:application --port 8001 --host your.local.domain.here.com --ssl-keyfile="C:\Users\User\AppData\Local\Etesync\cert\server.key" --ssl-certfile="C:\Users\User\AppData\Local\Etesync\cert\server.crt"

In another terminal:

cd %etesyncpath%\etesync-web\
python -m http.server 8002 --bind your.local.domain.here.com

Setup groups and your user

Now to setup the etesync users go to https://your.local.domain.here.com:8001/admin in your browser. There you need to enter the admin credentials you setup earlier.

Now you will have to create a group. Go to Groups -> New

And now name your group Etesync users. Below you have to double click ALL of the options that start with "django_etebase" until they're all in the right side. When you're done click save.

Once that's done, click on Users->New on the left side-bar

Pick a username, then continue. Before continuing to fill the form, set the user's password by clicking on the tiny link on the left:

Set your password and hit continue. Fill in your user information, and then add yourself to the "Etesync users" group. Just double click on "Etesync users" in the Available groups menu, then click SAVE.

Next we'll create a firewall rule to allow your phone to be able to talk to your etesync server. Open a command prompt as administrator and run:

netsh advfirewall firewall add rule name= "Etesync TCP" dir=in action=allow protocol=TCP localport=8001
netsh advfirewall firewall add rule name= "Etesync UDP" dir=in action=allow protocol=UDP localport=8001

And that's all done on the PC side! Now for the android setup:

Setup tasks.org

To setup your domain in android, there's several ways. The options available are

• pihole
• NextDNS
• personalDNSfilter

Since personalDNSfilter doesn't need any external services, and it's open source, that's what I'll use here. Just go through the app setup, and when you're done go to Advanced settings -> Configure additional hosts and add your domain name according to the format explained there:

>your.local.domain.here.com PC-IP-ADDRESS

If you're a NetGuard user, you might have to enable Three dots -> Settings -> Network Options -> Subnet routing. If you would like to use NetGuard and personalDNSfilter at the same time, check my other blogpost: How to use NetGuard + personalDNSFilter+ Any VPN, without root, without external self-hosted servers.

Now go to the Tasks.org app -> Settings -> Add account -> EteSync and then write the username and password that you setup earlier in django. Enable "Show advanced settings" and set the URL to https://your.local.domain.here.com:8001

After that hit the save button and you're done! Etesync is up and running. You can access the web interface in your PC on http://your.local.domain.here.com:8002

Note that in that page you will also have to enable "Advanced settings" and set the URL to https://your.local.domain.here.com:8001

If you're a firefox user you might get stuck in "Deriving encryption". If that's the case, you have to disable enhanced tracking protection and whitelist your domain in uBlockOrigin. You might also have to clear the cookies and local storage if it gets stuck during sign-in. The easiest way to do that is by using Cookie Auto Delete:

• CAD for Firefox
• CAD for Google Chrome
• CAD for Edge Chromium version

Here's how the tasks menu looks in etesync as of writing this:

Note that Tasks.org won't immediately upload all of your lists to your etesync instance. Instead, a new section will appear in the sidebar with your etesync username. To get your tasks to etesync you will have to select them, and then move them to their corresponding collection in etesync:

You can use the script below on your PC to quickly start the etesync server and it's web interface. Just save it in a file and double click it to launch it. Press CTRL+C on both windows to stop the server.

@echo off
start cmd /k cd %etesyncpath%\etebase ^&^& python -m uvicorn etebase_server.asgi:application --port 8001 --host your.local.domain.here --ssl-keyfile="C:\Users\User\AppData\Local\Etesync\cert\server.key" --ssl-certfile="C:\Users\User\AppData\Local\Etesync\cert\server.crt" ^& pause ^&^& exit

cd %etesyncpath%\etesync-web
python -m http.server 8002 --bind your.local.domain.here & pause && exit

All of this started because I was trying to control Work-profile apps using the Netguard instance that I had on my main profile.

After I read that comment from the Netguard dev, I realized that the work profile had a separate VPN slot, so therefor, it's possible for us to have an actual VPN and a SOCKS5 proxy server in the work profile, and then connect to this SOCKS5 proxy from the main profile using NetGuard. Below is a flowchart of how this whole thing is going to work:

Don't worry, the rest of this blog was written in a non-technical way, so it's easy to follow for non-technical people.

This has been tested on Android 9, on a Moto e6 plus. This blog assumes that you already know:

• How to install an APK
• How to use ADB

Requirements

• Android 5.0+
• 446.03 MB (446,030,000 bytes) of available storage
• (Optional, hopefully) A computer and a cable to connect your phone to the computer.

Why so much storage?

Setup caveats

WARNING: UDP LEAKS

Netguard does not currently support sending UDP traffic over the SOCKS5 proxy. This causes protocols which use UDP (such as HTTP/2 and HTTP/3) to ignore the proxy and go over the clearnet, completely bypassing this setup. Until this issue is resolved, there's two possible solutions.

Solution #1: Replace Netguard and personalDNSfilter with "Rethink DNS + Firewall"

Unlike Netguard, RethinkDNS supports UDP tunneling through a SOCKS5 proxy. RethinkDNS doesn't have DNS leaks, and you can use the "Block connections without VPN" android setting with it. If you're a networking pro, you should be able to do that using this guide as a vague reference; but if you're not as technically inclined, read on:

Solution #2: Use mull with custom about:config settings

If you just want to use a browser, you can keep Netguard and personalDNSfilter. But you'll have to use Mull (a hardened fork of Firefox for Android) with "network.http.http2.enabled = false", and "network.http.http3.enable = false" in about:config. You must do this to avoid leaks with this setup because HTTP versions greater than v1.1 use UDP.

If instead you want to use the Tor browser, you don't need to change any settings, since Tor does not use, nor support UDP.

If you're 100% sure that the app(s) you'll use do not use UDP, you can continue with this specific setup. If you're not sure, then rest assured that at least Tor can be used safely with this setup, but allowing any other apps through the firewall risks revealing your identity to the web services you interact with.

Scroll down to the TL;DR to see other possible ways to use a Firewall and a VPN at the same time.

DNS Leaks if personalDNSfilter isn't initialized

DNS queries will leak through the clearnet if personalDNSfilter isn't initialized once traffic is being routed through Netguard. To prevent any possible leaks, make sure personalDNSfilter is initialized before enabling the SOCKS5 proxy in Netguard.

This issue has been brought up to the developer of Netguard, and he's been unable to determine the cause.

I'd like to thank "FLAGEL" for briging these issues to my attention.

Battery usage

Because we're running multiple profiles and apps at the same time, this setup is fairly energy hungry. NetGuard and personalDNSfilter have a very small battery footprint, but the Android work profile is very resource intensive.

Unsupported devices

Some brands/devices do not fully support using a VPN in the work profile. To quote M66B (emphasis added):

NetGuard is supported in the primary profile only. It might or might not work in other profiles, but this scenario is not supported because is basically isn't supportable. I have wasted enough time on trying to support this in the past.

Something like "Shelter" is not standard Android and a manufacturer modification, which is the core problem because these modifications often do not take the Android VPN service into account too.

This setup might or might not work in your device, so make sure you test it before doing anything "risky". This guide is known not to work on some LG devices running Android 9. I've personally tested it in a Moto e6 plus with stock Android 9 and it works well.

Index

• Setup
  • Island or Shelter?
  • NetGuard
    • Installing the app
  • Why personalDNSfilter?
  • Installating personalDNSfilter
  • Installing the SOCKS5 proxy
  • Configuring NetGuard
  • Installing the actual VPN
• Conclusion

Setup

Island or Shelter?

We must install one of these two apps. Island contains Google trackers, but it has a bigger userbase, therefor, less bugs. Meanwhile, Shelter is completely open-source, but has a smaller userbase. For this tutorial I'll be using Island, since that's what I'm currently using, but feel free to use Shelter if you prefer so.

1) Download the app: https://play.google.com/store/apps/details?id=com.oasisfeng.island&gl=US

2) Launch the app and follow the setup instructions given by Island.

On most middle to high end Android devices released after 2016, Island can be setup straightforward without hassle. But still on some devices, you may got “incompatible with your device” message on Google Play Store, or be notified during the setup with error message “Sorry, your device (or ROM) is incompatible with Island”, or other failures. In these cases, Island could probably still work on your device if setup manually.

If you are prompted to encrypt your device during the setup, it means your device was not pre-encrypted out of box. If you don’t want device decription (which may significantly degrade overall I/O performance on some low-end devices), it can be avoided with manual setup.

You will need a PC and a cable to connect your phone to your PC if you follow the manual setup guide.

While you're at it, you might also want to setup these cool (but not necessary for this guide) features:

Netguard

Netguard is a FOSS app that allows us to control exactly which apps have access to the internet, and which don't. We can give an app WiFi access, mobile data access, or make it so that netguard doesn't control the app at all.

Installing the app

Here, we have two options: Installing from GitHub, or installing from F-Droid. We can't install netguard from the playstore because the playstore release doesn't support port-forwarding, and that feature is obligatory for us to be able to do our trick.

I recommend installing NetGuard from F-Droid, since it's easier to update it from there. If you don't already have an F-Droid client, I recommend using AuroraDroid. Simply download the APK file, and install it. After opening the app and finishing the setup, search for "NetGuard" and install the first result.

I recommend spending some time fine-tweaking which apps you give internet access to. Most apps only ask for internet access to show you ads/collect analytics.

Why personalDNSfilter?

The Netguard version from github already has hosts blacklists, so why not use just that? Well, Netguard's host blacklist implementation has a number of drawbacks:

NetGuard ignores the IP addresses in the hosts file, because it does not route blocked domains to localhost.

Wildcards are not supported due to performance and battery usage reasons.

It is not possible to edit the hosts file (change/add/delete domain names) with NetGuard

Also:

• Host blocklists have to be updated manually.
• You can't view exactly which domains have been blocked.
• You can't create your own custom DNS resolutions: This is necessary if you're into self-hosting and you want HTTPS without a public domain.

personalDNSfilter overcomes all of these problems, and so for that reason I strongly recommend it.

Installing personalDNSfilter

This one's easy. You can either install it from F-Droid (using AuroraDroid), or you can install it from the playstore. They're both the same.

After installing the app, tap on "Advanced settings" and make them match this:

What we're doing here, is configuring pDNSf so it doesn't use a VPN slot, but instead opens a "DNS proxy" on port 5300.

Installing the SOCKS5 proxy

Now, you must launch the Google Playstore from within Island:

Now search and install "Every Proxy". "Every Proxy" has no ads, and no trackers, hence, why I picked it. Make sure NetGuard is up and running on the main profile, and then launch the EveryProxy app, and hit the three dots on the top left corner, then "Settings". Scroll down to the bottom and make your settings match this:

Of course, you must create a username and password. You don't really need to remember the password. Just copy it to your clipboard. (IMPORTANT: DO NOT make the password 126 characters long, else netguard will enter a crash loop that might crash your entire phone). Now go back to the main screen of the app, and start the SOCKS5 proxy. Make sure to disable battery optimizations for "Every Proxy", else Android might kill the app unexpectedly. If you don't know how to disable these optimizations, go to dontkillmyapp.com.

Configuring Netguard

Now you must go back to your main profile and open Netguard. Do NOT "Deactivate" the work profile.

Here's the tricky part. Go into NetGuard -> Three Dots (on the top right corner) -> Settings -> Advanced Options -> Port Forwarding

Once you're inside that menu, click the "+" icon on the top right corner. Make the details match the following screenshot:

Click OK. Now do the exact same thing again, but instead of selecting "TCP", select "UDP".

Basically, what we're doing is configuring netguard so whenever an outbound DNS request goes through port 53, it will be redirected to localhost (127.0.0.1) to port 5300 to personalDNSFilter. We use port 5300 because that's the only port that pDNSf can work on without having root, without occupying the VPN slot.

Now go back to the main screen of the app. Look for "personalDNSFilter" and untick the "Apply rules and conditions" checkbox:

We do this so that there isn't an infinite DNS loopback: For example, if Google Chrome wants to resolve example.com, then the request will go through NetGuard, which will use 127.0.0.1 as the DNS resolver. pDNSf will resolve it according to its configuration, but when it makes the outbound dns resolution request to it's configured DNS servers, that request will be caught by NetGuard, which will try to resolve it using 127.0.0.1, so pDNSf requests tries to resolve it, but its caught by NetGuard, who tries to resolve it using 127.0.0.1, so pDNSf requests tries to resolve it, and so on and so forth....

Now we have to configure netguard to use the SOCKS5 proxy. Go to NetGuard -> Three Dots (on the top right corner) -> Settings -> Advanced Options and scroll down to the section about the SOCKS5 Proxies:

The "SOCKS5 username" and the "SOCKS5 password" must match the username and password that you configured on "Every Proxy".

Lastly, we have to configure the VPN DNS. Go to "Settings" -> "Advanced Options" and scroll down. Set both "VPN DNS" settings to any WAN external server (Avoid "localhost", "127.0.0.1", "10.1.10.1", "192.168.0.1", and such. Copy me if you're not sure on what server to use). It doesn't matter what servers you pick here, your DNS requests won't be sent to these servers. The DNS requests will be redirected to pDNSf thanks to the forwarding rule we setup earlier.

Why not just put "127.0.0.1" as the VPN DNS you ask? To put it simply, NetGuard has DNS Leaks which can only be avoided using this hacky method. Without this workaround, who our ISP is would be exposed, and nobody wants that!

If you want more information about how this whole setup works, click here.

Installing the actual VPN

Finally! Just like you installed "Every Proxy" on the work profile, now do the same but instead look for the VPN that you want. In my case, I'll be using ProtonVPN.

After starting the VPN, if you did everything right, you should see some traffic starting to pop up on your VPN app:

You can verify that the VPN is working by going to any of the following sites with the VPN activated:

• whatismyipaddress.com
• browserleaks.org/dns
• whoer.net

Just make sure that your browser is controlled by NetGuard, else it will just bypass the entire system.

If you wish to disconnect from the VPN without dropping any packets, do this, in this specific order:

• Disable "Use SOCKS5 proxy" in NetGuard.
• Stop your VPN app and the SOCKS5 proxy on "Every Proxy" (the order of these two steps doesn't matter, hence why they're combined in a single bullet point).
• "Deactivate" the work profile using the notification from Island.