[APP][6.0+] NetGuard - No-root firewall

[MeansWell]

Ohhh, I'm sorry to hear that. Thanks for letting me know, I will update right away!

 

[iwanttoknow]

Hi Marcel,

Is it possible you indicate the date of FAQ NetGuard last version ?
So it could be possible to know if there are new questions.

 

[LoveWins]

I'm a paid pro feature user of NetGuard 2.299, using the non-play store version with Filter Traffic. When I do enable Filter Traffic, my app notifications (eg Google Voice) are delayed. I can open Google Voice and see new messages but do not get the notification until I turn off Filter Traffic.

The new message is in the app but the app notification does not appear until I disable Filter Traffic in NetGuard.

One thing I've noticed is that VPN DNS: is blank for both values. Do I need entry here for Filter Traffic to work correctly or I am experiencing some other issue?

 

[M66B]

I'm a paid pro feature user of NetGuard 2.299, using the non-play store version with Filter Traffic. When I do enable Filter Traffic, my app notifications (eg Google Voice) are delayed. I can open Google Voice and see new messages but do not get the notification until I turn off Filter Traffic.

The new message is in the app but the app notification does not appear until I disable Filter Traffic in NetGuard.

One thing I've noticed is that VPN DNS: is blank for both values. Do I need entry here for Filter Traffic to work correctly or I am experiencing some other issue?

Please make sure Google Play services is allowed to access the internet.

 

[LoveWins]

Please make sure Google Play services is allowed to access the internet.

Just checked and confirmed that Google Play services (com.google.android.gms) is allowed WiFi and cell. What else can I check?

 

[M66B]

Just checked and confirmed that Google Play services (com.google.android.gms) is allowed WiFi and cell. What else can I check?

I am not sure. You can check the global log (via the three-dots overflow menu) for things which are blocked and should be allowed.

 

[tgeppert]

On a plain vanilla installation of NetGuard with Pro features enabled I have enabled the protocol before I activated NetGuard. Now I cannot get into the protocol screen anymore.
When I tap on "Protokoll anzeigen" in the three dot menu I get thrown to the home screen. Netguard is still running so I can get back to its main screen by swiping left to right on the bottom of the home screen. Even if I deactivate NetGuard I cannot get into the protocol screen anymore. Also rebooting the device doesn't change this.
Only clearing the storage of Netguard and enabling the Pro features again allows me to enter the protocol screen. Again as soon as I enable the protocol feature I cannot get into the protocol screen anymore.

NetGuard versions: 2.300 beta and 2.299
Phone: Pixel 6
OS: GrapheneOS
Environment: I've installed NetGuard for a secondary user but this user does not have a work profile.

 

[M66B]

On a plain vanilla installation of NetGuard with Pro features enabled I have enabled the protocol before I activated NetGuard. Now I cannot get into the protocol screen anymore.
When I tap on "Protokoll anzeigen" in the three dot menu I get thrown to the home screen. Netguard is still running so I can get back to its main screen by swiping left to right on the bottom of the home screen. Even if I deactivate NetGuard I cannot get into the protocol screen anymore. Also rebooting the device doesn't change this.
Only clearing the storage of Netguard and enabling the Pro features again allows me to enter the protocol screen. Again as soon as I enable the protocol feature I cannot get into the protocol screen anymore.

NetGuard versions: 2.300 beta and 2.299
Phone: Pixel 6
OS: GrapheneOS
Environment: I've installed NetGuard for a secondary user but this user does not have a work profile.

NetGuard isn't supported in profiles because most of the time this doesn't work properly.

https://github.com/M66B/NetGuard#user-content-compatibility

 

[tgeppert]

NetGuard isn't supported in profiles because most of the time this doesn't work properly.

https://github.com/M66B/NetGuard#user-content-compatibility

Looks like there is a misunderstanding on my side. I did read the above but because of the concepts explained in Users for system developers I was under the impression that it is just not supported to install NetGuard in a work profile.

Could you please help me to understand the limitations in detail and clarify a little bit ?

What I have on my device is the system user, i.e. the primary user you get after installing the OS.
For this user I have also created a work profile with the shelter application. So my understanding is that this did create a profile group with the profile of the parent user as the personal profile and a managed profile as the work profile.
NetGuard is installed in none of these.
Instead I created another user with Settings--->System--->Multiple Users--->Add User.
I did install NetGuard when logged in as this secondary user.
I have not created a work profile for this secondary user.

What exactly can I do and what should I not do to get a properly working NetGuard installation ?

a. Can I have just one user with a personal and a work profile and install NetGuard into the personal profile ?
b. Or is it completely discouraged to create a profile group no matter into which profile NetGuard gets installed ?
c. Is it possible to have multiple users, all of them without a work profile and install NetGuard for the primary user ?
d. Is it possible to install NetGuard for a secondary user as long as none of the users has a work profile ?
e. Or is it completely discouraged to setup multiple users as well as any work profile ?

This whole terminology with users, profiles, profile groups, parent profile and managed profiles is a little confusing.

 

[M66B]

Looks like there is a misunderstanding on my side. I did read the above but because of the concepts explained in Users for system developers I was under the impression that it is just not supported to install NetGuard in a work profile.

Could you please help me to understand the limitations in detail and clarify a little bit ?

What I have on my device is the system user, i.e. the primary user you get after installing the OS.
For this user I have also created a work profile with the shelter application. So my understanding is that this did create a profile group with the profile of the parent user as the personal profile and a managed profile as the work profile.
NetGuard is installed in none of these.
Instead I created another user with Settings--->System--->Multiple Users--->Add User.
I did install NetGuard when logged in as this secondary user.
I have not created a work profile for this secondary user.

What exactly can I do and what should I not do to get a properly working NetGuard installation ?

a. Can I have just one user with a personal and a work profile and install NetGuard into the personal profile ?
b. Or is it completely discouraged to create a profile group no matter into which profile NetGuard gets installed ?
c. Is it possible to have multiple users, all of them without a work profile and install NetGuard for the primary user ?
d. Is it possible to install NetGuard for a secondary user as long as none of the users has a work profile ?
e. Or is it completely discouraged to setup multiple users as well as any work profile ?

This whole terminology with users, profiles, profile groups, parent profile and managed profiles is a little confusing.

NetGuard is supported in the primary profile only. It might or might not work in other profiles, but this scenario is not supported because is basically isn't supportable. I have wasted enough time on trying to support this in the past.

Something like "Shelter" is not standard Android and a manufacturer modification, which is the core problem because these modifications often do not take the Android VPN service into account too.

 

[tgeppert]

Hmmm, so if I remove "Shelter" and with it the work profile, is it then OK to have more than one user configured on the device ?
As far as I understand the "Multiple Users" feature it is standard Android and available via Settings--->System--->Multiple Users--->Add User.

 

[M66B]

Hmmm, so if I remove "Shelter" and with it the work profile, is it then OK to have more than one user configured on the device ?
As far as I understand the "Multiple Users" feature it is standard Android and available via Settings--->System--->Multiple Users--->Add User.

Multiple users = multiple profiles.
This isn't supported because it too often doesn't work.
You can try though.

 

[tgeppert]

Multiple users = multiple profiles.

OK understood. This was my misunderstanding. The explanation of the concepts in the document Users for system developers left the impression on me that there is a difference between multiple users and multiple profiles for one user.

Now with your comment and some more investigation it looks to me more like the first user on an Android device is something special and different from other users that you add later via the system settings. There are some sources mentioning a "system user" but so far I couldn't figure out if this system user is tied to the first user on an Android device or if it's possible to assign it to a user or even have multiple users with this capability.

However, thanks for the clarification. Maybe it would help to put this in even clearer terms in the FAQ, i.e. discourage to have more than one user on the Android device. As it stands currently it did at least for me sound like it just doesn't work properly in work profiles. That's why I thought setting up a second user without a work profile would be OK.

 

[tgeppert]

And BTW everything works with Netguard installed in the personal, i.e. main profile of the primary user.

The strange thing is that in the installation for the second user, i.e. the one where I cannot get into the protocol screen after enabling the protocol feature, everything else seems to work. In the details for an App it shows me the connections the App has initiated and I can even block them selectively. OK, I'll count myself lucky that this works.

 

[Dakkaron]

Thanks for the awesome app! Been using it for years!

I recently upgraded to Android 11 (was 7 before)and that broke one of my workflows.

I use a script that fetches a few adblock lists, combins them and offers them on a local http server on my device. Then the script calls the intent to reload the adblock list from my local server.

With Android 8+, apps need to declare in the manifest, that it's ok for them to access a localhost http server. If it's not declared, it's blocked with a toast saying that it's blocked.

So I tried a local https server instead, but that also doesn't work,because it doesn't accept self-signed certificates.

Would it be possible to unblock localhost http connections?

More informations on that topic can be found here: https://stackoverflow.com/questions/45940861/android-8-cleartext-http-traffic-not-permitted

 

[M66B]

Thanks for the awesome app! Been using it for years!

I recently upgraded to Android 11 (was 7 before)and that broke one of my workflows.

I use a script that fetches a few adblock lists, combins them and offers them on a local http server on my device. Then the script calls the intent to reload the adblock list from my local server.

With Android 8+, apps need to declare in the manifest, that it's ok for them to access a localhost http server. If it's not declared, it's blocked with a toast saying that it's blocked.

So I tried a local https server instead, but that also doesn't work,because it doesn't accept self-signed certificates.

Would it be possible to unblock localhost http connections?

More informations on that topic can be found here: https://stackoverflow.com/questions/45940861/android-8-cleartext-http-traffic-not-permitted

This can't be done by NetGuard because it works a level lower than apps.

 

[Dakkaron]

Ok, how about adding some config option to fetch the hosts file from a local path? So that it can then be reloaded using the intent?

Also, maybe my intent wasn't quite clear. I don't want Netguard to enable http access for other apps. I want Netguard to be able to download the hosts file from a http server running on localhost.

The link I posted in the last comment details, this should be possible by adding a network_security_config.xml (check out the answers in the linked stackoverflow post). According to the Stackoverflow and the linked documentation, in Android 9 just changed the defaults for all apps from allowing http connections to disallowing them. But apps can still override them back to allowing http.

 

[M66B]

Ok, how about adding some config option to fetch the hosts file from a local path? So that it can then be reloaded using the intent?

Also, maybe my intent wasn't quite clear. I don't want Netguard to enable http access for other apps. I want Netguard to be able to download the hosts file from a http server running on localhost.

The link I posted in the last comment details, this should be possible by adding a network_security_config.xml (check out the answers in the linked stackoverflow post). According to the Stackoverflow and the linked documentation, in Android 9 just changed the defaults for all apps from allowing http connections to disallowing them. But apps can still override them back to allowing http.

http in 2022, seriously?

Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

letsencrypt.org

 

[Dakkaron]

Please check again my use case.

Netguard currently only allows for a single hosts file, which it downloads from a server. Combining lists or custom entries are not supported.

I need multiple lists combined plus some custom entries.

My solution so far was to have a script running locally, which downloads and merges the lists and my custom entries.
Then it starts a local http server (which is running locally on my phone, reachable from Netguard as http://localhost:8001) and uses the eu.faircode.netguard.DOWNLOAD_HOSTS_FILE intent to force Netguard to redownload the hosts file from localhost.

This can either work with a http server (was possible on Android 7, not possible on Android 11, except with the workaround posted above).
Since it is running on localhost, I cannot use a real certificate for a local https server (because they don't exist). And Netguard doesn't allow https with a self-signed certificate.

Another solution would be that Netguard could be configured to "download" a hosts file from local storage. Which it, afaik, can't do right now.

So, yes, http from localhost in 2022, seriously. Or self-signed https. Or sync from local file system.

 

[M66B]

Please check again my use case.

Netguard currently only allows for a single hosts file, which it downloads from a server. Combining lists or custom entries are not supported.

I need multiple lists combined plus some custom entries.

My solution so far was to have a script running locally, which downloads and merges the lists and my custom entries.
Then it starts a local http server (which is running locally on my phone, reachable from Netguard as http://localhost:8001) and uses the eu.faircode.netguard.DOWNLOAD_HOSTS_FILE intent to force Netguard to redownload the hosts file from localhost.

This can either work with a http server (was possible on Android 7, not possible on Android 11, except with the workaround posted above).
Since it is running on localhost, I cannot use a real certificate for a local https server (because they don't exist). And Netguard doesn't allow https with a self-signed certificate.

Another solution would be that Netguard could be configured to "download" a hosts file from local storage. Which it, afaik, can't do right now.

So, yes, http from localhost in 2022, seriously. Or self-signed https. Or sync from local file system.

Next version:

Added network security config · M66B/[email protected]

A simple way to block access to the internet per app - Added network security config · M66B/[email protected]

github.com