[APP][6.0+] NetGuard - No-root firewall

What are you mainly using NetGuard for?

  • Reducing data usage

    Votes: 455 30.7%
  • Saving battery

    Votes: 315 21.3%
  • Increasing privacy

    Votes: 817 55.2%
  • Blocking ads

    Votes: 955 64.5%

  • Total voters
    1,481
Search This thread

iwanttoknow

Senior Member
Jun 21, 2016
501
98
Hi Marcel,

Is it possible you indicate the date of FAQ NetGuard last version ?
So it could be possible to know if there are new questions.
 
Last edited:

LoveWins

Member
Feb 25, 2021
6
0
I'm a paid pro feature user of NetGuard 2.299, using the non-play store version with Filter Traffic. When I do enable Filter Traffic, my app notifications (eg Google Voice) are delayed. I can open Google Voice and see new messages but do not get the notification until I turn off Filter Traffic.

The new message is in the app but the app notification does not appear until I disable Filter Traffic in NetGuard.

One thing I've noticed is that VPN DNS: is blank for both values. Do I need entry here for Filter Traffic to work correctly or I am experiencing some other issue?
 

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
I'm a paid pro feature user of NetGuard 2.299, using the non-play store version with Filter Traffic. When I do enable Filter Traffic, my app notifications (eg Google Voice) are delayed. I can open Google Voice and see new messages but do not get the notification until I turn off Filter Traffic.

The new message is in the app but the app notification does not appear until I disable Filter Traffic in NetGuard.

One thing I've noticed is that VPN DNS: is blank for both values. Do I need entry here for Filter Traffic to work correctly or I am experiencing some other issue?
Please make sure Google Play services is allowed to access the internet.
 

tgeppert

Member
Jan 28, 2022
5
0
On a plain vanilla installation of NetGuard with Pro features enabled I have enabled the protocol before I activated NetGuard. Now I cannot get into the protocol screen anymore.
When I tap on "Protokoll anzeigen" in the three dot menu I get thrown to the home screen. Netguard is still running so I can get back to its main screen by swiping left to right on the bottom of the home screen. Even if I deactivate NetGuard I cannot get into the protocol screen anymore. Also rebooting the device doesn't change this.
Only clearing the storage of Netguard and enabling the Pro features again allows me to enter the protocol screen. Again as soon as I enable the protocol feature I cannot get into the protocol screen anymore.

NetGuard versions: 2.300 beta and 2.299
Phone: Pixel 6
OS: GrapheneOS
Environment: I've installed NetGuard for a secondary user but this user does not have a work profile.
 

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
On a plain vanilla installation of NetGuard with Pro features enabled I have enabled the protocol before I activated NetGuard. Now I cannot get into the protocol screen anymore.
When I tap on "Protokoll anzeigen" in the three dot menu I get thrown to the home screen. Netguard is still running so I can get back to its main screen by swiping left to right on the bottom of the home screen. Even if I deactivate NetGuard I cannot get into the protocol screen anymore. Also rebooting the device doesn't change this.
Only clearing the storage of Netguard and enabling the Pro features again allows me to enter the protocol screen. Again as soon as I enable the protocol feature I cannot get into the protocol screen anymore.

NetGuard versions: 2.300 beta and 2.299
Phone: Pixel 6
OS: GrapheneOS
Environment: I've installed NetGuard for a secondary user but this user does not have a work profile.
NetGuard isn't supported in profiles because most of the time this doesn't work properly.

https://github.com/M66B/NetGuard#user-content-compatibility
 

tgeppert

Member
Jan 28, 2022
5
0
NetGuard isn't supported in profiles because most of the time this doesn't work properly.

https://github.com/M66B/NetGuard#user-content-compatibility
Looks like there is a misunderstanding on my side. I did read the above but because of the concepts explained in Users for system developers I was under the impression that it is just not supported to install NetGuard in a work profile.

Could you please help me to understand the limitations in detail and clarify a little bit ?

What I have on my device is the system user, i.e. the primary user you get after installing the OS.
For this user I have also created a work profile with the shelter application. So my understanding is that this did create a profile group with the profile of the parent user as the personal profile and a managed profile as the work profile.
NetGuard is installed in none of these.
Instead I created another user with Settings--->System--->Multiple Users--->Add User.
I did install NetGuard when logged in as this secondary user.
I have not created a work profile for this secondary user.

What exactly can I do and what should I not do to get a properly working NetGuard installation ?

a. Can I have just one user with a personal and a work profile and install NetGuard into the personal profile ?
b. Or is it completely discouraged to create a profile group no matter into which profile NetGuard gets installed ?
c. Is it possible to have multiple users, all of them without a work profile and install NetGuard for the primary user ?
d. Is it possible to install NetGuard for a secondary user as long as none of the users has a work profile ?
e. Or is it completely discouraged to setup multiple users as well as any work profile ?

This whole terminology with users, profiles, profile groups, parent profile and managed profiles is a little confusing.
 

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
Looks like there is a misunderstanding on my side. I did read the above but because of the concepts explained in Users for system developers I was under the impression that it is just not supported to install NetGuard in a work profile.

Could you please help me to understand the limitations in detail and clarify a little bit ?

What I have on my device is the system user, i.e. the primary user you get after installing the OS.
For this user I have also created a work profile with the shelter application. So my understanding is that this did create a profile group with the profile of the parent user as the personal profile and a managed profile as the work profile.
NetGuard is installed in none of these.
Instead I created another user with Settings--->System--->Multiple Users--->Add User.
I did install NetGuard when logged in as this secondary user.
I have not created a work profile for this secondary user.

What exactly can I do and what should I not do to get a properly working NetGuard installation ?

a. Can I have just one user with a personal and a work profile and install NetGuard into the personal profile ?
b. Or is it completely discouraged to create a profile group no matter into which profile NetGuard gets installed ?
c. Is it possible to have multiple users, all of them without a work profile and install NetGuard for the primary user ?
d. Is it possible to install NetGuard for a secondary user as long as none of the users has a work profile ?
e. Or is it completely discouraged to setup multiple users as well as any work profile ?

This whole terminology with users, profiles, profile groups, parent profile and managed profiles is a little confusing.
NetGuard is supported in the primary profile only. It might or might not work in other profiles, but this scenario is not supported because is basically isn't supportable. I have wasted enough time on trying to support this in the past.

Something like "Shelter" is not standard Android and a manufacturer modification, which is the core problem because these modifications often do not take the Android VPN service into account too.
 

tgeppert

Member
Jan 28, 2022
5
0
Hmmm, so if I remove "Shelter" and with it the work profile, is it then OK to have more than one user configured on the device ?
As far as I understand the "Multiple Users" feature it is standard Android and available via Settings--->System--->Multiple Users--->Add User.
 

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
Hmmm, so if I remove "Shelter" and with it the work profile, is it then OK to have more than one user configured on the device ?
As far as I understand the "Multiple Users" feature it is standard Android and available via Settings--->System--->Multiple Users--->Add User.
Multiple users = multiple profiles.
This isn't supported because it too often doesn't work.
You can try though.
 

tgeppert

Member
Jan 28, 2022
5
0
Multiple users = multiple profiles.
OK understood. This was my misunderstanding. The explanation of the concepts in the document Users for system developers left the impression on me that there is a difference between multiple users and multiple profiles for one user.

Now with your comment and some more investigation it looks to me more like the first user on an Android device is something special and different from other users that you add later via the system settings. There are some sources mentioning a "system user" but so far I couldn't figure out if this system user is tied to the first user on an Android device or if it's possible to assign it to a user or even have multiple users with this capability.

However, thanks for the clarification. Maybe it would help to put this in even clearer terms in the FAQ, i.e. discourage to have more than one user on the Android device. As it stands currently it did at least for me sound like it just doesn't work properly in work profiles. That's why I thought setting up a second user without a work profile would be OK.
 

tgeppert

Member
Jan 28, 2022
5
0
And BTW everything works with Netguard installed in the personal, i.e. main profile of the primary user. (y)

The strange thing is that in the installation for the second user, i.e. the one where I cannot get into the protocol screen after enabling the protocol feature, everything else seems to work. In the details for an App it shows me the connections the App has initiated and I can even block them selectively. :oops: OK, I'll count myself lucky that this works. :)
 

Dakkaron

Senior Member
Jan 13, 2013
60
16
Thanks for the awesome app! Been using it for years!

I recently upgraded to Android 11 (was 7 before)and that broke one of my workflows.

I use a script that fetches a few adblock lists, combins them and offers them on a local http server on my device. Then the script calls the intent to reload the adblock list from my local server.

With Android 8+, apps need to declare in the manifest, that it's ok for them to access a localhost http server. If it's not declared, it's blocked with a toast saying that it's blocked.

So I tried a local https server instead, but that also doesn't work,because it doesn't accept self-signed certificates.

Would it be possible to unblock localhost http connections?

More informations on that topic can be found here: https://stackoverflow.com/questions/45940861/android-8-cleartext-http-traffic-not-permitted
 

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
Thanks for the awesome app! Been using it for years!

I recently upgraded to Android 11 (was 7 before)and that broke one of my workflows.

I use a script that fetches a few adblock lists, combins them and offers them on a local http server on my device. Then the script calls the intent to reload the adblock list from my local server.

With Android 8+, apps need to declare in the manifest, that it's ok for them to access a localhost http server. If it's not declared, it's blocked with a toast saying that it's blocked.

So I tried a local https server instead, but that also doesn't work,because it doesn't accept self-signed certificates.

Would it be possible to unblock localhost http connections?

More informations on that topic can be found here: https://stackoverflow.com/questions/45940861/android-8-cleartext-http-traffic-not-permitted
This can't be done by NetGuard because it works a level lower than apps.
 

Dakkaron

Senior Member
Jan 13, 2013
60
16
Ok, how about adding some config option to fetch the hosts file from a local path? So that it can then be reloaded using the intent?

Also, maybe my intent wasn't quite clear. I don't want Netguard to enable http access for other apps. I want Netguard to be able to download the hosts file from a http server running on localhost.

The link I posted in the last comment details, this should be possible by adding a network_security_config.xml (check out the answers in the linked stackoverflow post). According to the Stackoverflow and the linked documentation, in Android 9 just changed the defaults for all apps from allowing http connections to disallowing them. But apps can still override them back to allowing http.
 
Last edited:

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
Ok, how about adding some config option to fetch the hosts file from a local path? So that it can then be reloaded using the intent?

Also, maybe my intent wasn't quite clear. I don't want Netguard to enable http access for other apps. I want Netguard to be able to download the hosts file from a http server running on localhost.

The link I posted in the last comment details, this should be possible by adding a network_security_config.xml (check out the answers in the linked stackoverflow post). According to the Stackoverflow and the linked documentation, in Android 9 just changed the defaults for all apps from allowing http connections to disallowing them. But apps can still override them back to allowing http.
http in 2022, seriously?

 

Dakkaron

Senior Member
Jan 13, 2013
60
16
Please check again my use case.

Netguard currently only allows for a single hosts file, which it downloads from a server. Combining lists or custom entries are not supported.

I need multiple lists combined plus some custom entries.

My solution so far was to have a script running locally, which downloads and merges the lists and my custom entries.
Then it starts a local http server (which is running locally on my phone, reachable from Netguard as http://localhost:8001) and uses the eu.faircode.netguard.DOWNLOAD_HOSTS_FILE intent to force Netguard to redownload the hosts file from localhost.

This can either work with a http server (was possible on Android 7, not possible on Android 11, except with the workaround posted above).
Since it is running on localhost, I cannot use a real certificate for a local https server (because they don't exist). And Netguard doesn't allow https with a self-signed certificate.

Another solution would be that Netguard could be configured to "download" a hosts file from local storage. Which it, afaik, can't do right now.

So, yes, http from localhost in 2022, seriously. Or self-signed https. Or sync from local file system.
 

M66B

Recognized Developer
Aug 1, 2010
25,752
54,937
Please check again my use case.

Netguard currently only allows for a single hosts file, which it downloads from a server. Combining lists or custom entries are not supported.

I need multiple lists combined plus some custom entries.

My solution so far was to have a script running locally, which downloads and merges the lists and my custom entries.
Then it starts a local http server (which is running locally on my phone, reachable from Netguard as http://localhost:8001) and uses the eu.faircode.netguard.DOWNLOAD_HOSTS_FILE intent to force Netguard to redownload the hosts file from localhost.

This can either work with a http server (was possible on Android 7, not possible on Android 11, except with the workaround posted above).
Since it is running on localhost, I cannot use a real certificate for a local https server (because they don't exist). And Netguard doesn't allow https with a self-signed certificate.

Another solution would be that Netguard could be configured to "download" a hosts file from local storage. Which it, afaik, can't do right now.

So, yes, http from localhost in 2022, seriously. Or self-signed https. Or sync from local file system.
Next version:

 

Top Liked Posts

  • 2
    @iwanttoknow

    Here's a discussion on the F-droid forum on how to set up NetGuard with Orbot or another vpn:


    I have used Fennec browser with NetGuard & CalyxOS vpn, Fennec browser with NetGuard & Proton vpn, and Tor browser with NetGuard.
    Orbot was too slow.
    I *think* CalyxOS vpn connects to a Tor relay.
    1
    Hi, @iwanttoknow

    I do not surf the web on my phones anymore, but NetGuard is installed on them and my tablet.

    It has been a couple of years since I used ProtonVPN. I think ProtonVPN was set up similar to the case for using Netguard with Orbot.

    Doesn't the browser one uses leak the IP address?
    and then there's fingerprinting (device, browser, do not track, add-ons, etc...) that leak and can be used to identify a user?

    Fennec was the only browser I've used that you can edit the about:config menu with NetGuard and a vpn and successfully pass leak tests on EFF and browserleaks.

    Most browsers used today do not allow users to disable javascript, but Samsung Internet does.

    But, I think the browser can still be fingerprinted because of customization tweaks, settings and add-ons. This is why when you use Tor browser, the developers ask that you do not add add-ons or tweak the settings so you will appear (fingerprinted) like everyone else.

    Tor browser worked well with NetGuard.
    1
    @iwanttoknow

    I used ProtonVPN from F-droid's website about a year+ ago, and no longer have an account.

    ProtonVPN users have to create/sign-in for an account with ProtonVPN. F-droid also notes the vpn service uses non-free network service (anti-feature).

    I don't remember the exact setup to work with PVPN and NetGuard, except that it is similar to how to set it up with other vpn services as mentioned on the F-droid forum - SOCKS5 and ip settings.

    One of the vpn services, cannot recall which one, I think you can temporarily turn off NetGuard, turn off NetGuard "always connected vpn," then connect vpn service, then turn on NetGuard.

    After surfing internet - disable vpn service, turn on NetGuard "always on" vpn.

    As I mentioned, it has been a while since I do not have browsers installed on my phones any longer.

    Just have NetGuard keeping watch on those sneaky services and android apps.
  • 6
    Even without further development and support, we owe Marcel a huge thank you for the apps and support he gave us over the years.
    It is very sad to see him leave the scene. I never met Marcel in person but feel like I'm losing a close friend.
    I hope Marcel's girlfriend recovers rapidly and fully.
    6
    Thread re-opened on request of OP @M66B who allowed me to share his PM with you:

    Can you please open all threads again?

    This is to give people a chance to discuss and to help each other. It doesn't mean I will resume development though.
    3
    @M66B don't stop your good work. Without play store how users buy PRO features.? Please be kind enough to provide alternative method.
    3
    On special request by PM of OP, Marcel aka @M66B, I have to inform you as follows:
    Can you please write in each XDA thread that the GitHub repos have been restored?
    Marcel, I know you can't respond here but personally I hope that this isn't your final decision.
    2
    The past days I received death threats while my girlfriend is sick, for apps which are basically free to use. How would you feel?
    That's the evidence of your apps are awesome and lots of people enjoy it. No one can be really famous without receiving death threats. There are and always will be some dummies (may be benefit or compete related) trying to crash you. If you quit now, then you are letting them to win.

    But since you decided to terminate the development of your great projects, I believe you have good reasons and I totally respect that. Anyway I want to thank you for all these years of your hard work, and good luck.
  • 351
    ic_launcher.png


    NetGuard provides simple and advanced ways to block access to the internet - no root required.
    Applications and addresses can individually be allowed or denied access to your Wi-Fi and/or mobile connection.

    Blocking access to the internet can help:
    • reduce your data usage
    • save your battery
    • increase your privacy

    Features:
    • Simple to use
    • No root required
    • 100% open source
    • No calling home
    • No tracking or analytics
    • No advertisements
    • Actively developed and supported
    • Android 5.1 and later supported
    • IPv4/IPv6 TCP/UDP supported
    • Tethering supported
    • Optionally allow when screen on
    • Optionally block when roaming
    • Optionally block system applications
    • Optionally forward ports, also to external addresses (not available if installed from the Play store)
    • Optionally notify when an application accesses the internet
    • Optionally record network usage per application per address
    • Optionally block ads using a hosts file (not available if installed from the Play store)
    • Material design theme with light and dark theme

    PRO features
    • Log all outgoing traffic; search and filter access attempts; export PCAP files to analyze traffic
    • Allow/block individual addresses per application
    • New application notifications; configure NetGuard directly from the notification
    • Display network speed graph in a status bar notification
    • Select from five additional themes in both light and dark version

    There is no other no-root firewall, except for clones, offering all these features.

    This XDA thread is about using the latest version of NetGuard.
    Off topic comments are allowed as long they are related to NetGuard and are in the general interest of the followers of this thread.

    Discussion of purchases is not allowed here, please contact me via here instead.

    NetGuard is being maintained and supported, but new features won't be added anymore.

    For ad blocking, see here. Ad blocking is provide "as-is".

    More information on Github:

    Downloads:

    Screenshots:
    101-main.png
    102-main-details.png

    103-main-access.png
    108-notifications.png


    For more screenshots, see here.






    XDA:DevDB Information
    NetGuard, App for all devices (see above for details)

    Contributors
    M66B
    Source Code: https://github.com/M66B/NetGuard/


    Version Information
    Status: Stable

    Created 2015-10-25
    Last Updated 2020-03-11
    26
    25
    I have just released stable version 2.39.

    Changelog/download
    https://github.com/M66B/NetGuard/releases/tag/2.39

    This version will be available in the Play store after Google's approval.

    Usage data sharing has been removed from this version.

    The future of this project depends on the general support for this project. You can for example write something positive here or in the Play store, press the thanks button, donate something, purchase a pro feature or contribute translations or source code.
    17
    NetGuard is currently in alpha testing phase.
    Please report any problems you encounter.

    It would be nice if someone could design an appropriate icon.
    17
    I have just released beta version 2.21.

    Changelog/download:
    https://github.com/M66B/NetGuard/releases/tag/2.21

    This version will be available as beta version in the Play store after Google's approval.