this post was submitted on 14 Dec 2023
37 points (97.4% liked)

Privacy

31799 readers
137 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Question for the group on a problem I'm trying to solve: How can I block internet access for some apps on standard, OOTB Android?

My current set-up is to use Proton VPN with the Android settings "Always-on VPN" and "Block connections without VPN" and then use Proton VPN's Split-tunneling to exclude certain apps from using the VPN. This has the desired effect of blocking certain apps from having access to the internet.

However, I now find that I need to use certain Apps without the VPN but with internet access. In the past, I'd used something like NetGuard to control which apps have internet access, but, as Android only allows one VPN slot, this would require me to swap out Proton VPN.

So my problem statement: I'd like to be able to continue to use Proton VPN, exclude some apps from using that VPN but still have access to the internet, and block still other apps from the internet entirely. I'm struggling to find a way to do this.

Any suggestions are welcome!

all 27 comments
sorted by: hot top controversial new old
[–] Decentralizr@lemmy.world 10 points 10 months ago (4 children)

You can do this. But you need to use rethinkdns and download the configuration of the proton vpn wireguard server(s) you wanna reach. You can have internet blocked for individual apps, have some tunnel without VPN but DNS and firewall protection and some go through servers of proton (even per app to different servers). It’s a powerful tool. You won’t get the same protection as you would get with let’s say GrapheneOS but you are getting damn close to it if done right

[–] ashtrix@lemmy.ca 2 points 10 months ago

Was going to say this. Rethinkdns is awesome

[–] deepdive@lemmy.world 1 points 10 months ago

Rethinkdns is probably your best bet! Right now they are missing an important feature where It takes wireguard's DNS configuration into account, making it obsolete for those who have private dns in a local environnement with an upstream dns !

Can't wait for version 0.5.6 😄

[–] ShellMonkey@lemmy.socdojo.com 1 points 10 months ago

Interesting idea, a DNS filter won't do much for traffic pointed at a specific IP though. Curious how that would set the system wide DNS without being a root level app.

[–] MajorHavoc@lemmy.world 9 points 10 months ago* (last edited 10 months ago) (3 children)

If you're interested in that level of control, it's time to look hard at GrapheneOS. "Internet" is a permission you can grant or deny for each app, under GrapheneOS.

~~But I'm not aware of a way to selectively direct phone traffic through Proton VPN, at the phone. Even on GrapheneOS.~~

~~Enough skill with an expensive router could do it, but only on your home network, or only while routing all of your phone traffic back to your home network via yet another VPN.~~

Edit: TIL, Proton VPN supports split tunneling. Sweet! Look under Settings - Advanced - Split Tunneling - then pick your apps to include/exclude.

Edit 2: TIL DivestOS also supports "Internet" as a per app Permission. Very cool.

[–] miss_brainfart@lemmy.ml 6 points 10 months ago (1 children)

DivestOS can also deny internet access, for the people who don't have a Pixel

[–] BearOfaTime@lemm.ee 2 points 10 months ago

DivestOS seems to give a nice balance between vanilla Android and Graphene. I really like it.

[–] starlord@lemm.ee 3 points 10 months ago (1 children)

I've been suspecting I'd need GrapheneOS for a while now. Might finally be time to jump.

[–] federalreverse@feddit.de 1 points 10 months ago

CalyxOS runs on a similar set of devices, is free, and does include a firewall app too. I still run Netguard, but that's mostly for ad-blocking.

[–] theDutchBrother@lemmy.world 2 points 10 months ago (1 children)

You can route traffic through VPN on the phone, then just use split tunneling to exclude apps that should have regular network access without VPN. But you have to switch off "Block connections without VPN" in settings.

[–] MajorHavoc@lemmy.world 2 points 10 months ago (1 children)

Oh hey, thanks! I never particularly wanted any of my apps to route around the VPN, but there the option it is under Advanced, when split tunneling is enabled. Could be handy. Thanks!

[–] theDutchBrother@lemmy.world 2 points 10 months ago* (last edited 10 months ago)

NP. Yeah I only routed Tor browser around the VPN in the past to not slow it down too much but I hardly use Tor anymore so VPN routes everything now.

[–] Steve@communick.news 5 points 10 months ago* (last edited 10 months ago) (1 children)

The apps you want to block entirely, you can go into Android settings for each of them individually, and turn off all their Mobile Data & WiFi access options.

Apps that you want to allow outside Proton VPN, you can add to the Split Tunneling list in Proton VPN. But you have to turn off the Block Without VPN option.

It sounds like that'll get you what you want.

[–] starlord@lemm.ee 3 points 10 months ago

Yeah, I've seen this before but I just apparently don't have that option. All I have is "Mobile Data" which appears to leak a little despite being turned off...

[–] _s10e@feddit.de 4 points 10 months ago

Just a note: The app 'Rethink DNS and Firewall' can do this with any Wireguard VPN.

[–] MigratingtoLemmy@lemmy.world 3 points 10 months ago

You need root for that. This is trivial with root.

If you don't want to patch with Magisk, look at KernelSU

[–] lemmydripzdotz123@lemmy.world 2 points 10 months ago (1 children)

It can't be used with ProtonVPN (I assume) but I use NoRoot Firewall for exactly this purpose. It works by setting up a VPN and letting you enable / disable network access for each app, including system apps. It can also block on just WiFi or just cell data or both or neither. It blocks all apps by default until you configure their access. You can also setup more advanced rules for all apps or just some apps. For instance, you can set it where an app can contact AppCompany.com but not Google.com

[–] backhdlp@lemmy.blahaj.zone 2 points 10 months ago (1 children)
[–] leds@feddit.dk 3 points 10 months ago

Yes +1 for Netguard , works like a charm

[–] wincing_nucleus073@lemm.ee 2 points 10 months ago (3 children)

it seems like you merely need to disable the "Block connections without VPN".

Then in your android settings there should be a toggle to deny network access to certain apps in the android permission settings. so the apps that are split tunneled you can just deny or allow network

[–] _s10e@feddit.de 4 points 10 months ago (1 children)

Do all versions of Android have this? I'm on Samsung Android 14 and I can't find this.

[–] Vexz@kbin.social 2 points 10 months ago

I don't have a Samsung but on my device:
Settings > Internet & Connectivity > VPN > Cogweel next to the VPN settings > There's the option

[–] starlord@lemm.ee 3 points 10 months ago (2 children)

I haven't been able to find this setting. I've heard about it on other devices but mine doesn't seem to have it.

[–] Vexz@kbin.social 1 points 10 months ago

On my device: Settings > Internet & Connectivity > VPN > Cogweel next to the VPN settings > There's the option

[–] wincing_nucleus073@lemm.ee 1 points 10 months ago

Which setting exactly are you referring to?