[APP][6.0+] NetGuard - No-root firewall

What are you mainly using NetGuard for?

  • Reducing data usage

    Votes: 456 30.8%
  • Saving battery

    Votes: 316 21.3%
  • Increasing privacy

    Votes: 818 55.2%
  • Blocking ads

    Votes: 956 64.5%

  • Total voters
    1,482
Search This thread

iwanttoknow

Senior Member
Jun 21, 2016
502
99
Hi Marcel,

Is it possible you indicate the date of FAQ NetGuard last version ?
So it could be possible to know if there are new questions.
 
Last edited:

LoveWins

Member
Feb 25, 2021
6
0
I'm a paid pro feature user of NetGuard 2.299, using the non-play store version with Filter Traffic. When I do enable Filter Traffic, my app notifications (eg Google Voice) are delayed. I can open Google Voice and see new messages but do not get the notification until I turn off Filter Traffic.

The new message is in the app but the app notification does not appear until I disable Filter Traffic in NetGuard.

One thing I've noticed is that VPN DNS: is blank for both values. Do I need entry here for Filter Traffic to work correctly or I am experiencing some other issue?
 

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
I'm a paid pro feature user of NetGuard 2.299, using the non-play store version with Filter Traffic. When I do enable Filter Traffic, my app notifications (eg Google Voice) are delayed. I can open Google Voice and see new messages but do not get the notification until I turn off Filter Traffic.

The new message is in the app but the app notification does not appear until I disable Filter Traffic in NetGuard.

One thing I've noticed is that VPN DNS: is blank for both values. Do I need entry here for Filter Traffic to work correctly or I am experiencing some other issue?
Please make sure Google Play services is allowed to access the internet.
 

tgeppert

Member
Jan 28, 2022
5
0
On a plain vanilla installation of NetGuard with Pro features enabled I have enabled the protocol before I activated NetGuard. Now I cannot get into the protocol screen anymore.
When I tap on "Protokoll anzeigen" in the three dot menu I get thrown to the home screen. Netguard is still running so I can get back to its main screen by swiping left to right on the bottom of the home screen. Even if I deactivate NetGuard I cannot get into the protocol screen anymore. Also rebooting the device doesn't change this.
Only clearing the storage of Netguard and enabling the Pro features again allows me to enter the protocol screen. Again as soon as I enable the protocol feature I cannot get into the protocol screen anymore.

NetGuard versions: 2.300 beta and 2.299
Phone: Pixel 6
OS: GrapheneOS
Environment: I've installed NetGuard for a secondary user but this user does not have a work profile.
 

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
On a plain vanilla installation of NetGuard with Pro features enabled I have enabled the protocol before I activated NetGuard. Now I cannot get into the protocol screen anymore.
When I tap on "Protokoll anzeigen" in the three dot menu I get thrown to the home screen. Netguard is still running so I can get back to its main screen by swiping left to right on the bottom of the home screen. Even if I deactivate NetGuard I cannot get into the protocol screen anymore. Also rebooting the device doesn't change this.
Only clearing the storage of Netguard and enabling the Pro features again allows me to enter the protocol screen. Again as soon as I enable the protocol feature I cannot get into the protocol screen anymore.

NetGuard versions: 2.300 beta and 2.299
Phone: Pixel 6
OS: GrapheneOS
Environment: I've installed NetGuard for a secondary user but this user does not have a work profile.
NetGuard isn't supported in profiles because most of the time this doesn't work properly.

https://github.com/M66B/NetGuard#user-content-compatibility
 

tgeppert

Member
Jan 28, 2022
5
0
NetGuard isn't supported in profiles because most of the time this doesn't work properly.

https://github.com/M66B/NetGuard#user-content-compatibility
Looks like there is a misunderstanding on my side. I did read the above but because of the concepts explained in Users for system developers I was under the impression that it is just not supported to install NetGuard in a work profile.

Could you please help me to understand the limitations in detail and clarify a little bit ?

What I have on my device is the system user, i.e. the primary user you get after installing the OS.
For this user I have also created a work profile with the shelter application. So my understanding is that this did create a profile group with the profile of the parent user as the personal profile and a managed profile as the work profile.
NetGuard is installed in none of these.
Instead I created another user with Settings--->System--->Multiple Users--->Add User.
I did install NetGuard when logged in as this secondary user.
I have not created a work profile for this secondary user.

What exactly can I do and what should I not do to get a properly working NetGuard installation ?

a. Can I have just one user with a personal and a work profile and install NetGuard into the personal profile ?
b. Or is it completely discouraged to create a profile group no matter into which profile NetGuard gets installed ?
c. Is it possible to have multiple users, all of them without a work profile and install NetGuard for the primary user ?
d. Is it possible to install NetGuard for a secondary user as long as none of the users has a work profile ?
e. Or is it completely discouraged to setup multiple users as well as any work profile ?

This whole terminology with users, profiles, profile groups, parent profile and managed profiles is a little confusing.
 

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
Looks like there is a misunderstanding on my side. I did read the above but because of the concepts explained in Users for system developers I was under the impression that it is just not supported to install NetGuard in a work profile.

Could you please help me to understand the limitations in detail and clarify a little bit ?

What I have on my device is the system user, i.e. the primary user you get after installing the OS.
For this user I have also created a work profile with the shelter application. So my understanding is that this did create a profile group with the profile of the parent user as the personal profile and a managed profile as the work profile.
NetGuard is installed in none of these.
Instead I created another user with Settings--->System--->Multiple Users--->Add User.
I did install NetGuard when logged in as this secondary user.
I have not created a work profile for this secondary user.

What exactly can I do and what should I not do to get a properly working NetGuard installation ?

a. Can I have just one user with a personal and a work profile and install NetGuard into the personal profile ?
b. Or is it completely discouraged to create a profile group no matter into which profile NetGuard gets installed ?
c. Is it possible to have multiple users, all of them without a work profile and install NetGuard for the primary user ?
d. Is it possible to install NetGuard for a secondary user as long as none of the users has a work profile ?
e. Or is it completely discouraged to setup multiple users as well as any work profile ?

This whole terminology with users, profiles, profile groups, parent profile and managed profiles is a little confusing.
NetGuard is supported in the primary profile only. It might or might not work in other profiles, but this scenario is not supported because is basically isn't supportable. I have wasted enough time on trying to support this in the past.

Something like "Shelter" is not standard Android and a manufacturer modification, which is the core problem because these modifications often do not take the Android VPN service into account too.
 

tgeppert

Member
Jan 28, 2022
5
0
Hmmm, so if I remove "Shelter" and with it the work profile, is it then OK to have more than one user configured on the device ?
As far as I understand the "Multiple Users" feature it is standard Android and available via Settings--->System--->Multiple Users--->Add User.
 

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
Hmmm, so if I remove "Shelter" and with it the work profile, is it then OK to have more than one user configured on the device ?
As far as I understand the "Multiple Users" feature it is standard Android and available via Settings--->System--->Multiple Users--->Add User.
Multiple users = multiple profiles.
This isn't supported because it too often doesn't work.
You can try though.
 

tgeppert

Member
Jan 28, 2022
5
0
Multiple users = multiple profiles.
OK understood. This was my misunderstanding. The explanation of the concepts in the document Users for system developers left the impression on me that there is a difference between multiple users and multiple profiles for one user.

Now with your comment and some more investigation it looks to me more like the first user on an Android device is something special and different from other users that you add later via the system settings. There are some sources mentioning a "system user" but so far I couldn't figure out if this system user is tied to the first user on an Android device or if it's possible to assign it to a user or even have multiple users with this capability.

However, thanks for the clarification. Maybe it would help to put this in even clearer terms in the FAQ, i.e. discourage to have more than one user on the Android device. As it stands currently it did at least for me sound like it just doesn't work properly in work profiles. That's why I thought setting up a second user without a work profile would be OK.
 

tgeppert

Member
Jan 28, 2022
5
0
And BTW everything works with Netguard installed in the personal, i.e. main profile of the primary user. (y)

The strange thing is that in the installation for the second user, i.e. the one where I cannot get into the protocol screen after enabling the protocol feature, everything else seems to work. In the details for an App it shows me the connections the App has initiated and I can even block them selectively. :oops: OK, I'll count myself lucky that this works. :)
 

Dakkaron

Senior Member
Jan 13, 2013
60
19
Thanks for the awesome app! Been using it for years!

I recently upgraded to Android 11 (was 7 before)and that broke one of my workflows.

I use a script that fetches a few adblock lists, combins them and offers them on a local http server on my device. Then the script calls the intent to reload the adblock list from my local server.

With Android 8+, apps need to declare in the manifest, that it's ok for them to access a localhost http server. If it's not declared, it's blocked with a toast saying that it's blocked.

So I tried a local https server instead, but that also doesn't work,because it doesn't accept self-signed certificates.

Would it be possible to unblock localhost http connections?

More informations on that topic can be found here: https://stackoverflow.com/questions/45940861/android-8-cleartext-http-traffic-not-permitted
 

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
Thanks for the awesome app! Been using it for years!

I recently upgraded to Android 11 (was 7 before)and that broke one of my workflows.

I use a script that fetches a few adblock lists, combins them and offers them on a local http server on my device. Then the script calls the intent to reload the adblock list from my local server.

With Android 8+, apps need to declare in the manifest, that it's ok for them to access a localhost http server. If it's not declared, it's blocked with a toast saying that it's blocked.

So I tried a local https server instead, but that also doesn't work,because it doesn't accept self-signed certificates.

Would it be possible to unblock localhost http connections?

More informations on that topic can be found here: https://stackoverflow.com/questions/45940861/android-8-cleartext-http-traffic-not-permitted
This can't be done by NetGuard because it works a level lower than apps.
 

Dakkaron

Senior Member
Jan 13, 2013
60
19
Ok, how about adding some config option to fetch the hosts file from a local path? So that it can then be reloaded using the intent?

Also, maybe my intent wasn't quite clear. I don't want Netguard to enable http access for other apps. I want Netguard to be able to download the hosts file from a http server running on localhost.

The link I posted in the last comment details, this should be possible by adding a network_security_config.xml (check out the answers in the linked stackoverflow post). According to the Stackoverflow and the linked documentation, in Android 9 just changed the defaults for all apps from allowing http connections to disallowing them. But apps can still override them back to allowing http.
 
Last edited:

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
Ok, how about adding some config option to fetch the hosts file from a local path? So that it can then be reloaded using the intent?

Also, maybe my intent wasn't quite clear. I don't want Netguard to enable http access for other apps. I want Netguard to be able to download the hosts file from a http server running on localhost.

The link I posted in the last comment details, this should be possible by adding a network_security_config.xml (check out the answers in the linked stackoverflow post). According to the Stackoverflow and the linked documentation, in Android 9 just changed the defaults for all apps from allowing http connections to disallowing them. But apps can still override them back to allowing http.
http in 2022, seriously?

 

Dakkaron

Senior Member
Jan 13, 2013
60
19
Please check again my use case.

Netguard currently only allows for a single hosts file, which it downloads from a server. Combining lists or custom entries are not supported.

I need multiple lists combined plus some custom entries.

My solution so far was to have a script running locally, which downloads and merges the lists and my custom entries.
Then it starts a local http server (which is running locally on my phone, reachable from Netguard as http://localhost:8001) and uses the eu.faircode.netguard.DOWNLOAD_HOSTS_FILE intent to force Netguard to redownload the hosts file from localhost.

This can either work with a http server (was possible on Android 7, not possible on Android 11, except with the workaround posted above).
Since it is running on localhost, I cannot use a real certificate for a local https server (because they don't exist). And Netguard doesn't allow https with a self-signed certificate.

Another solution would be that Netguard could be configured to "download" a hosts file from local storage. Which it, afaik, can't do right now.

So, yes, http from localhost in 2022, seriously. Or self-signed https. Or sync from local file system.
 

M66B

Recognized Developer
Aug 1, 2010
25,760
55,071
Please check again my use case.

Netguard currently only allows for a single hosts file, which it downloads from a server. Combining lists or custom entries are not supported.

I need multiple lists combined plus some custom entries.

My solution so far was to have a script running locally, which downloads and merges the lists and my custom entries.
Then it starts a local http server (which is running locally on my phone, reachable from Netguard as http://localhost:8001) and uses the eu.faircode.netguard.DOWNLOAD_HOSTS_FILE intent to force Netguard to redownload the hosts file from localhost.

This can either work with a http server (was possible on Android 7, not possible on Android 11, except with the workaround posted above).
Since it is running on localhost, I cannot use a real certificate for a local https server (because they don't exist). And Netguard doesn't allow https with a self-signed certificate.

Another solution would be that Netguard could be configured to "download" a hosts file from local storage. Which it, afaik, can't do right now.

So, yes, http from localhost in 2022, seriously. Or self-signed https. Or sync from local file system.
Next version:

 

Top Liked Posts

  • There are no posts matching your filters.
  • 6
    Even without further development and support, we owe Marcel a huge thank you for the apps and support he gave us over the years.
    It is very sad to see him leave the scene. I never met Marcel in person but feel like I'm losing a close friend.
    I hope Marcel's girlfriend recovers rapidly and fully.
    6
    Thread re-opened on request of OP @M66B who allowed me to share his PM with you:

    Can you please open all threads again?

    This is to give people a chance to discuss and to help each other. It doesn't mean I will resume development though.
    4
    @M66B
    Hi, Marcel,
    I just want to say Thank You!

    I hope in due time, you will return to developing and maintaining your applications.

    I downloaded your apps from your GH webpage.

    Very disturbing to read the lack of explanation from Google concerning your e-mail client, and you have received death threats

    Wishing you the very Best!

    @Mk_xda22
    I could pass the IP leak test on browserleaks using NetGuard (on Marcel's GH page) with Proton VPN (F-droid) and CalyxOS VPN (F-droid) with Fennec Fox (F-droid) on degooglefied Galaxy Tab S4, Note9 and Note20 Ultra 5G.


    Hi there, just saw your reply, Yes i did figure it out eventually, not using a VPN of course since I’m not ROOTed so i have to choose either a VPN-firewall or a VPN-service provider like NordVPN which I also have and would recommend Nord if you trust them to read all your data and if you trust your apps cuz now there is no firewall to block them. Regarding the solution you described well, it’s good but for rooted + degoogled phones, actually around 3-months ago I decided to apply it on my old Mate-8 running Orio and its surprisingly stable, I thought for sure it will get bricked. So it has [Netguard + Orbot using SOCKS5], but then I discovered it’s still leaking requests to Buidu (Huawei remember) and also 8.8.8.8 and my DNS ISP and a ton of others (using DNS Logger apps you can see this info) , so I added AFWall+ on top of that for those pesky system apps and downloaded all the offline host blockers for NetGuard and felt safe for some time actually 😊 but nope! If you do the ultimate test (which is rather easy to do) and switch on the mobile hotspot on your LAPTOP and use it to tether the phone data (so now ALL phone data must pass through the laptop hotspot! – well at least for the scope of this discussion 😉 and assuming your Android OS is not Hijacked by whoever made that custom ROM to begin with) and then fireup Wireshark, set it to capture the hotspot channel only, investigate the DataStream coming from your supersecure phone, now you will see the reality. So, in short I found many leaks that required plugging I used AppOpsx Xposed for changing hundreds of parameters and Adaway helped too. But the main leaked info that really bothered me was the MAC address and IMEI. So I spent the next week deleting them from the device (not spoofing them but changing them permanently). Don’t you just hate it when you already paid for purchasing the device but it still remains owned by others!

    Take care that the more layers of security you will apply the slower the connectivity and less functional the experience will become, it is a balance between convenience and security, only you can say how much is enough for you. Ultimate security is not owning a smart phone.

    Back to the unROOTed Samsung S20plus, well most of the previous solutions can not be applied there, I was not able to completely plug the DNS leaks whatever methods I devised or blogs I read, there was always one DNS server at least seeing my real ip geolocation and rout-traceable back to me, I tried RethinkDNS from FDROID with better results but don’t use their analytic dns (or now you will have to trust these 3-dudes) only use the Proxy dns option and forward it to Orbot and select also the option “Prevent DNS Leaks” and the option “Block all UDP traffic Except DNS and NTP” . of course I didn’t dare do the WireShark test for the Unrooted phone (I think I will find my personal photo in the datastream!) but I guess that’s about the best you can get on an unrooted phone.
    3
    @M66B don't stop your good work. Without play store how users buy PRO features.? Please be kind enough to provide alternative method.
    3
    On special request by PM of OP, Marcel aka @M66B, I have to inform you as follows:
    Can you please write in each XDA thread that the GitHub repos have been restored?
    Marcel, I know you can't respond here but personally I hope that this isn't your final decision.
  • 351
    ic_launcher.png


    NetGuard provides simple and advanced ways to block access to the internet - no root required.
    Applications and addresses can individually be allowed or denied access to your Wi-Fi and/or mobile connection.

    Blocking access to the internet can help:
    • reduce your data usage
    • save your battery
    • increase your privacy

    Features:
    • Simple to use
    • No root required
    • 100% open source
    • No calling home
    • No tracking or analytics
    • No advertisements
    • Actively developed and supported
    • Android 5.1 and later supported
    • IPv4/IPv6 TCP/UDP supported
    • Tethering supported
    • Optionally allow when screen on
    • Optionally block when roaming
    • Optionally block system applications
    • Optionally forward ports, also to external addresses (not available if installed from the Play store)
    • Optionally notify when an application accesses the internet
    • Optionally record network usage per application per address
    • Optionally block ads using a hosts file (not available if installed from the Play store)
    • Material design theme with light and dark theme

    PRO features
    • Log all outgoing traffic; search and filter access attempts; export PCAP files to analyze traffic
    • Allow/block individual addresses per application
    • New application notifications; configure NetGuard directly from the notification
    • Display network speed graph in a status bar notification
    • Select from five additional themes in both light and dark version

    There is no other no-root firewall, except for clones, offering all these features.

    This XDA thread is about using the latest version of NetGuard.
    Off topic comments are allowed as long they are related to NetGuard and are in the general interest of the followers of this thread.

    Discussion of purchases is not allowed here, please contact me via here instead.

    NetGuard is being maintained and supported, but new features won't be added anymore.

    For ad blocking, see here. Ad blocking is provide "as-is".

    More information on Github:

    Downloads:

    Screenshots:
    101-main.png
    102-main-details.png

    103-main-access.png
    108-notifications.png


    For more screenshots, see here.






    XDA:DevDB Information
    NetGuard, App for all devices (see above for details)

    Contributors
    M66B
    Source Code: https://github.com/M66B/NetGuard/


    Version Information
    Status: Stable

    Created 2015-10-25
    Last Updated 2020-03-11
    26
    25
    I have just released stable version 2.39.

    Changelog/download
    https://github.com/M66B/NetGuard/releases/tag/2.39

    This version will be available in the Play store after Google's approval.

    Usage data sharing has been removed from this version.

    The future of this project depends on the general support for this project. You can for example write something positive here or in the Play store, press the thanks button, donate something, purchase a pro feature or contribute translations or source code.
    17
    NetGuard is currently in alpha testing phase.
    Please report any problems you encounter.

    It would be nice if someone could design an appropriate icon.
    17
    I have just released beta version 2.21.

    Changelog/download:
    https://github.com/M66B/NetGuard/releases/tag/2.21

    This version will be available as beta version in the Play store after Google's approval.