Firewall Your Android with a VPN

I have recently been playing with an unrooted device and looked at firewall options, a firewall being one of my basic needs. When you root your Android tablet or phone (the equivalent of an Apple iOS jailbreak), you get access to the underlying system. That access makes adding a firewall like AFWall+ easy. I was interested to see Netguard, an open source firewall that uses Android’s VPN API to build a firewall without root.

Root is the ultimate super user on a Linux-based system. With root, you can do pretty much anything. A conventional Android firewall needs to write iptables rules, and that requires root. Netguard’s approach is slightly different. It acts like a local VPN, serving as both the entry point and the exit. When you turn on the app, it registers itself with Android’s VPN function and all of your traffic is routed through it. Unlike a typical VPN, your traffic isn’t going through any remote servers; the VPN activity is contained within your device.

This means you can control what goes through that VPN with a bit of effort. And because the VPN API is available to any app without root, it works on any phone. I thought this was pretty slick.

Which Netguard Distribution?

Netguard is open source and is available from three sources. I ended up using the slightly dated version available through the open source F-Droid catalog, although Netguard discourages it and doesn’t list this version on its Github page. So, based on your needs:

  • the official Github version.  You can use the hosts file to do ad blocking, but it comes with advertisements of its own.  You can disable the ads by purchasing a pro license.
  • the Google Play version.  You can firewall but not ad block.
  • the F-Droid version.  This is a repackaged version that trails the Github one.  It allows ad blocking and does not come with its own advertisements.

As I say, the F-Droid version is fine for me for testing. I didn’t want ads in-app and did want to see how the ad blocking worked. This feature would also give me a replacement for AdAway, an open source ad blocker that needs root.

The Hosts with the Most

Netguard provides your typical firewall access controls. You can select whether you want to block or allow all wi-fi connections or all wireless data. Then you can select, for each app, whether it can use wi-fi or wireless data. As soon as I’d toggled the settings for each of my apps and started Netguard, the behavior was the same as it had been on a rooted device with AFWall+.

Some apps stopped working because I’d failed to give network access to some component they depend on. And, as always on Android, you have to toggle access to a whole bunch of functions as a group. But it gave me the confidence that only the apps I wanted accessing the Internet were doing so.

Turning on the ad blocking feature was also easy. It is not called ad block. Instead, it uses a hosts file, which the VPN approach lets it consult for every name lookup, to block certain domains. You can follow Netguard’s steps for setting it up. The instructions have a URL to a hosts file (which I couldn’t access in Firefox but could in Chrome), but you don’t really need it. When you open Netguard’s Settings menu and select Backup, there is a one-click download on the menu. You can also import your own hosts file if you want to block additional domains.

Click the menu option to download and install the hosts file that includes the advertising domains to block

It’s such a clean option for those who can’t root their devices. As I was learning about Netguard, I remembered that I’d done a similar thing on my Windows computer to block ads in Skype. You can customize your Windows hosts file to block certain domains. There is a running list of domains to block that you can add to your hosts file. You need to refresh (flush) your DNS cache if you tinker with the hosts file (hit your Windows key, type CMD, right-click the Command Prompt option and select Run as administrator, then type ipconfig /flushdns in the black window that appears). If your network stops acting the way you want, return to your hosts file and delete what you added.
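Both Netguard’s ad blocking and the Windows trick above rest on the same mechanism: a hosts file maps a domain to a sinkhole address (0.0.0.0 or 127.0.0.1) so the connection never leaves the device. The following Python script is an added example, not Netguard’s code or any published blocklist; it parses a small, constructed hosts file in the standard format and shows which lookups would be sunk, including the case that trips people up, namely that hosts-file matching is exact, so blocking one domain does not block its subdomains.

```python
"""Hosts-file based domain blocking, as used by Netguard's ad blocking and the
Windows hosts-file trick. Added example; the entries below are constructed and
do not come from any real blocklist."""

import ipaddress

# Constructed sample hosts file. Real blocklists have tens of thousands of
# lines in the same shape; 0.0.0.0 and 127.0.0.1 entries both sink traffic.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1   localhost
0.0.0.0     ads.example.net   # trailing comment
0.0.0.0     tracker.example.org metrics.example.org
127.0.0.1   Banner.Example.COM
192.0.2.10  intranet.example   # a normal (non-blocking) mapping
not-an-ip   broken.example     # malformed line, must be skipped
"""

# Addresses that make a lookup go nowhere useful.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Each non-empty line is: <address> <hostname> [<hostname> ...] [# comment].
    Hostnames are case-insensitive, so they are normalised to lower case and
    a trailing dot is dropped. Lines whose address field is not a valid IP are
    skipped rather than raising, because hand-edited hosts files often contain
    junk and one bad line should not disable the whole list.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            mapping[name.lower().rstrip(".")] = address
    return mapping


def is_blocked(hostname, mapping):
    """True if a hosts-file lookup for hostname lands on a sinkhole address.

    Matching is exact, exactly as the resolver does it: hosts files have no
    wildcards, so an entry for ads.example.net does not cover
    cdn.ads.example.net. That is why blocklists are so long.
    """
    address = mapping.get(hostname.lower().rstrip("."))
    return address in SINKHOLE_ADDRESSES if address else False


def blocked_domains(mapping):
    """Sorted list of domains the hosts file sinks, excluding the loopback
    entry every hosts file carries for localhost."""
    return sorted(
        name
        for name, address in mapping.items()
        if address in SINKHOLE_ADDRESSES and name != "localhost"
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "cdn.ads.example.net", "intranet.example"):
        print(f"{name}: {'blocked' if is_blocked(name, hosts) else 'allowed'}")
    print("blocked:", blocked_domains(hosts))
```

Importing your own hosts file on top of a downloaded one, as Netguard allows, is just parsing both texts in order: a later line for the same hostname replaces the earlier mapping. The script does not model the DNS cache, which is why, on Windows, an edit only takes effect after ipconfig /flushdns or for names that have not been looked up recently.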

Netguard, like any Android firewall, is limited in what it can block. Google Play Services is a pipeline for all sorts of rubbish, so if an app uses it to send or receive usage data, there’s nothing you can do about that. But it certainly cuts down on the apps that might otherwise be phoning home without your knowledge.

Unlike other firewalls, you can’t use a VPN with it. Android allows only one active VPN at a time, and since Netguard is, in fact, acting as a VPN, you lose your firewall capability if you connect to a proper end-to-end VPN. Unless your VPN is also limiting access, blocked apps will start communicating again. For me, this is probably a deal breaker. But if you can’t root a device and don’t use a VPN, Netguard is an excellent alternative.