TrackerControl / tracker-control-android

TrackerControl Android: monitor and control trackers and ads.
https://trackercontrol.org/
GNU General Public License v3.0
1.85k stars 82 forks

Chain TrackerControl with other VPN services, such as ProtonVPN #61

Open famewolf opened 4 years ago

famewolf commented 4 years ago

Since the app already supports a child socks proxy if it also supported a parent then potentially other apps that "require" a local vpn could chain themselves through the socks proxy. This might eliminate the need for local support of the encrypted dns and ad blocking while allowing someone to use this app in coordination with a REAL vpn.

This would of course require the other apps to make a change to support the proxy but it has potential.

kasnder commented 4 years ago

This is very interesting. What do you think users would need this for?

famewolf commented 4 years ago

1) Using a REAL vpn in combination with trackercontrol. (For example Windscribe is free and I use it to keep my data safe when using public wifi) 2) Using an encrypted dns service. (For example app 1.1.1.1) 3) Using an no root ad blocker (for example DNS66 (open source)) 4) Using any combination of the above with trackercontrol assume those other apps support socks5 proxy parent or child.

sudomain commented 3 years ago

I found out about TrackerControl through FDroid. Currently I use NetGuard (a per-app firewall for Android that uses the system VPN service) to whitelist access to WiFi/mobile data for certain apps. Most of my apps don't need network access, but for those that do I'd like to be able to use TrackerControl to see what they're doing. For reference, there are a couple of other FDroid apps that can act as a SOCKS "server" on the same device: Shadowsocks FOSS and Orbot.

famewolf commented 3 years ago

If I remember right he now supports socks 5 proxies...the problem is the app he is going to use ALSO has to support them and handle which is going to be the parent and which the child....finally it could probably only be done with root since the apps would still need to intercept all traffic which kinda defeats whole purpose. No easy way to do right now.

kasnder commented 3 years ago

Orbot and others supported by TrackerControl. I'm working on port forwarding to support private DNS. #87 Hence, I'll close this issue.

kasnder commented 3 years ago

I'm reopening this because a TC user pointed out that they use a work profile with a VPN (e.g. with Island or the FOSS fork Insular). Profiles use separate network connections, so TC and VPN can be used at the same time -- just not together.

traviszim commented 3 years ago

That's good to know, I enjoy using the tracker control and it's actually working unlike some I've written for .

sudomain commented 3 years ago

I'd like to make a what might seem like a strange request. If there aren't plans to have TC act as a SOCKS proxy server to chain together VPN apps, could TC implement an app firewall for WiFi/mobile data? It seems like this project already borrows some code from NetGuard anyway. I realize it might be outside the scope of the project, but I figured I'd ask.

famewolf commented 3 years ago

To clarify you want the ability to specify if an app can access internet via wifi or mobile or both? If that's what you meant I also like the idea but you should consider opening a ticket as a feature request so the dev can review it when he has time and may not remember it buried in this request. They could possibly be sub sliders under the "internet" slider for wifi and mobile that auto turn on internet if one of them is selected...and turns internet off if both sliders are off. Turning internet on would enable both and turning it off would disable both.


kasnder commented 3 years ago

I think this has been discussed in #80. Newer Android versions ship such a feature from the device settings, as far as I'm concerned. I'm also trying to avoid overlap with NetGuard. Instead, I'm working on #153.

sudomain commented 3 years ago

To clarify you want the ability to specify if an app can access internet via wifi or mobile or both?

Both. This is what NetGuard does (see the screenshots in this README). Right now, both TC and NetGuard use the single VPN service (though not at the same time) and both allow chaining the traffic to other apps that act as SOCKS5 proxy servers (such as Shadowsocks and Orbot), but neither TC nor NetGuard implements a SOCKS proxy itself, so they are incompatible.

Basically if I'm using TC all apps have network access and I can see what they're doing, but if I'm using NetGuard only some apps have network, but I can't see what those are doing.

roman82101 commented 3 years ago

Greetings, the application is implemented by the SOCKS5 function, and will add Shadowsocks not difficult?

kasnder commented 3 years ago

Greetings, the application is implemented by the SOCKS5 function, and will add Shadowsocks not difficult?

I have very limited experience with this. How would it be used with TC?

huuhaa commented 3 years ago

I think it would be nice if there would be option to chain with wireguard tunnel.

Usage for this: PiVPN at home (yea it does have also Pi-hole, but...) which gives access to MotionEye camera, which sends notification via telegram if movement detected. With that notification message there's a link for local network / MotionEye, which obviously doesn't work without VPN (when not connected to home network) & I don't want to include image(s) to that message, but option to check & download wanted images. Currently this doesn't work if Tracker Control is used.

Sure it would also be great if that wireguard tunnel could be set automatically on when not connected to home wi-fi. Soon that is possible to do / automate with Easer, but not when Tracker Control is on / it would just change phone to use that wireguard vpn tunnel instead of Tracker Control.

As an addition if Tracker Control would support wireguard as default (I do hope that option to choose "on demand" as well as options always off or on would be there), it would then make it possible to use external vpn services for those who want to. Not every service provides a wireguard conf, but nowadays more and more do.

jbrepogmailcom commented 2 years ago

I would really really like to use TrackerControl and NetGuard together at the same time - that seems to be ultimate protection. Please continue on making it reality. Thank you very much! Jan

kasnder commented 2 years ago

I would really really like to use TrackerControl and NetGuard together at the same time - that seems to be ultimate protection. Please continue on making it reality. Thank you very much! Jan

NetGuard seems to be able to do anything that TrackerControl does. Is there anything particular that you're missing?

ghost commented 2 years ago

I use my Work profile (using Shelter) in a combination of TC and MullvadVPN. (Personal profiles go through the VPN without TC.) Mullvad has a socks proxy feature so you can chain with TC.

This may be useful for some people, so I would like to share my setting.

(I'm sorry, my English is not good)

You'll need mullvadVPN app, sagerNet and TC. All can be found in F-Droid.

Install mullvadVPN and sagerNet in your Personal profile. Install TC in your Work profile.

Launch sagerNet, open Settings ("≡" in the upper left > Settings) and set as follows:

    • Automatic connection is turned on
    • Service Mode = Proxy only
    • Remote DNS = 100.64.0.7
    • Direct DNS = 100.64.0.7
    • SOCKS5 Proxy port = 2080
    • Local DNS Port = 6450

and configure a SOCKS proxy ("+" Button in the upper right > Manual Settings > SOCKS):

    • Profile Name = Mullvad SOCKS5 (or any name you like)
    • Server = 10.64.0.1
    • Remote Port = 1080
    • Tap the checkmark in the upper right

Then:

    • Select Mullvad SOCKS5
    • Tap the plane button at the bottom right
    • Tap the bottom to check the connection

Open TC in your work profile.

Set SOCKS5 Proxy as follows:

    • SOCKS5 address: 127.0.0.1
    • SOCKS5 port: 2080

Set Port forwarding as follows:

    • Protocol = UDP
    • Source Port = 53
    • Destination address = 127.0.0.1
    • Destination port = 6450
    • Destination app = nobody

Connect to https://mullvad.net/check/ to see if it works!

Edit: SagerNet no longer seems to work.
(SOCKS5 proxy feature broken?) Use AnXray instead (but it is no longer maintained😅).

kasnder commented 2 years ago

I use my Work profile (using Shelter) in a combination of TC and MullvadVPN. Personal profiles go through the VPN without TC. Mullvad has a socks proxy feature so you can chain with TC.

This may be useful for some people, so I would like to share my setting.

Oh wow! This is extremely helpful! Thank you for sharing!

LeOS-GSI commented 2 years ago

I use my Work profile (using Shelter) in a combination of TC and MullvadVPN. (Personal profiles go through the VPN without TC.) Mullvad has a socks proxy feature so you can chain with TC.

Nice how to, but I would prefer running TC on main and the other VPN in work profile, because I think most apps will be installed in main profile. I prefer installing in work profile only these apps which need to run over external VPN and have small amount of data, which could be shared with BigBrother

X-Raph-X commented 2 years ago

I use my Work profile (using Shelter) in a combination of TC and MullvadVPN. (Personal profiles go through the VPN without TC.) Mullvad has a socks proxy feature so you can chain with TC.

This may be useful for some people, so I would like to share my setting.

(I'm sorry, my English is not good)

Hi @jbas23, I'm speaking to you because my English is poor as well :-D (I'm French, it may be an excuse...)

Could you please give me some clarification about your config because I'm not familiar with SOCKS5 or with MullvadVPN. I understood that MullvadVPN is a VPN provider and it can act as proxy SOCKS5 server. So, first, the MullvadVPN client is launched on your android device. Then you configure SagerNet to act as a Proxy client connected to MullvadVPN proxy and to act as a local proxy for TC. Then TC is set to use the proxy server provided by SagerNet. My questions are:

Thank you very much for your help !

If this discussion disturbs the management of this issue, I'm available to speak in a private channel.

PS : the last release (0.8-beta02) of SagerNet occurs the last 11th of April. Perhaps it works now !

kasnder commented 2 years ago

I use my Work profile (using Shelter) in a combination of TC and MullvadVPN. (Personal profiles go through the VPN without TC.) Mullvad has a socks proxy feature so you can chain with TC. This may be useful for some people, so I would like to share my setting. (I'm sorry, my English is not good)

Hi @jbas23, I'm speaking to you because my English is poor as well :-D (I'm French, it may be an excuse...)

Could you please give me some clarification about your config because I'm not familiar with SOCKS5 or with MullvadVPN. I understood that MullvadVPN is a VPN provider and it can act as proxy SOCKS5 server. So, first, the MullvadVPN client is launched on your android device. Then you configure SagerNet to act as a Proxy client connected to MullvadVPN proxy and to act as a local proxy for TC. Then TC is set to use the proxy server provided by SagerNet. My questions are:

* When TC is use to the proxy SOCKS5, it won't add a VPN connection any more to android ? So it is possible to let functionating the MullvadVPN client ?

* What is the goal to use Android profiles (Work and Personal) ?

* In my case, i want to run a WireGuard VPN to my self hosted VPN server and I want to benefits of the protection of TC. I cannot run them both. So if I add a proxy server SOCKS5 behind my self hosted VPN server, I would be able to set the same configuration than you but with self hosted services instead of MullvadVPN ? Correct ?

Thank you very much for your help !

If this discussion disturbs the management of this issue, I'm available to speak in a private channel.

PS : the last release (0.8-beta02) of SagerNet occurs the last 11th of April. Perhaps it works now !

You might find this guide helpful: https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-combo/

X-Raph-X commented 2 years ago

Thank you very much @kasnder, I will have a try...

ghost commented 2 years ago

I use my Work profile (using Shelter) in a combination of TC and MullvadVPN. (Personal profiles go through the VPN without TC.) Mullvad has a socks proxy feature so you can chain with TC.

Nice how to, but I would prefer running TC on main and the other VPN in work profile, because I think most apps will be installed in main profile. I prefer installing in work profile only these apps which need to run over external VPN and have small amount of data, which could be shared with BigBrother

Sorry for the late reply.

I use GrapheneOS, so my personal profile does not have gapps, facebook or any other bloated apps installed. I only install apps from fdroid on my personal profile.

Therefore, all Big Brother applications are installed in the work profile.
Also, the work profile has the advantage of being able to freeze apps with Shelter etc.

If you have most of the apps installed on your personal profile, then, as you say, you might as well install TC on your personal profile and another VPN on your work profile .

Small recommendation: If you install MullvadVPN in your WORK profile,
ALL apps in your work profile(including bloated (system) apps) can access the Internet without going through TC.

To prevent this, block the connections of app that you don't want to access the internet (or even all apps except AnXray):

ghost commented 2 years ago

Hi @X-Raph-X, sorry for the late reply.

* When TC is use to the proxy SOCKS5, it won't add a VPN connection any more to android ? So it is possible to let functionating the MullvadVPN client ?

You mean if you can use other VPN apps in the same profile when using TC with SOCKS5? Unfortunately no :disappointed: One profile can use only one VPN service.

* What is the goal to use Android profiles (Work and Personal) ?

This is because one profile can only use one VPN service.
By using two profiles, you can chain two VPN services.

* In my case, i want to run a WireGuard VPN to my self hosted VPN server and I want to benefits of the protection of TC. I cannot run them both. So if I add a proxy server SOCKS5 behind my self hosted VPN server, I would be able to set the same configuration than you but with self hosted services instead of MullvadVPN ? Correct ?

In your case, you are using a self-hosted VPN. then, you don't need to use work profile. Also, there is no need to set up a SOCKS5 server 😄 . I use the official Mullvad app and use the work profile because I wanted to be able to switch vpn servers easily. Since you use your own server, you don't switch VPN servers often, right? Try this:

  1. Install SagerNet (not AnXray).

  2. Open SagerNet and go to Settings ("≡" in the upper left corner -> Settings). Configure as follows:

    • Turn on Auto connect.
    • Make sure no other settings are turned ON.
    • Service mode = Proxy only
    • SOCKS5 proxy port = 2080
    • Local DNS port = 6450
  3. Add a WireGuard config (Go to the first screen, "+" button in upper right corner)

  4. Open TC, Search "SagerNet" and tap it,

    • Disable Monitoring

    Set SOCKS5 Proxy as follows:

    • SOCKS5 address: 127.0.0.1
    • SOCKS5 port: 2080

    Set Port forwarding as follows:

    • Protocol = UDP
    • Source Port = 53
    • Destination address = 127.0.0.1
    • Destination port = 6450
    • Destination app = nobody
  5. Check IP/DNS leaks

PS : the last release (0.8-beta02) of SagerNet occurs the last 11th of April. Perhaps it works now !

I hope so, but I find the SagerNet app itself unstable. And the developers are unfriendly and too strict. If you ever open an issue there, make sure it follows the template. Otherwise, it will be labeled as spam :fearful:

If it does not work well or if you have any questions, please feel free to ask 😆 . I will do my best. (but don't expect a quick reply) :sweat_smile:

X-Raph-X commented 2 years ago

Hi @jbas23, thank you very much for your answer but at the end, I found my ideal "workflow". So I use Shelter to activate Work profile. The work profile is used to run the Wireguard VPN plus an instance of Firefox. As the both app are in the same profile, it is possible to reach my PhotoPrism server through the VPN (I don't want to open it on Internet). I add a shortcut of the firefox in the work profile that open my "local" URL through the VPN. And, as PhotoPrism works very in mobile browser, like an app. No other app is used in the work profile, except Fdroid, so my privacy is protected. The personal profile use TC to secure my privacy with all other common app and the app from the vendor of the phone (Xiaomi).

It is very complex for a standard user, but no simple solution exists.

The purpose of all this stuff is to protect my privacy by using a maximum of opensource and self hosted app : Debian Linux server, NextCloud, associative french email provider (zaclys), PhotoPrism as photo gallery, Wireguard.

Thanks a lot

And I will have a look to GrapheneOS right now

ghost commented 2 years ago

And I will have a look to GrapheneOS right now

This is not related to this issue, but

GrapheneOS is Android with enhanced security. It sandboxes many things. It provides a high level of protection against exploitation of unknown vulnerabilities. Sandboxed Google Play is great. You can run Google Play (which is needed to run many apps in Google Play) without having to give special permissions! https://grapheneos.org/features/

Calyx is also recommended. MicroG, Mozilla location services and dialer integration with Signal and WhatsApp. https://calyxos.org/features/ I read somewhere that the developer wants to make a VPN chaining feature.

Both can:

PS: News FairEmail & NetGuard Development Has Been Discontinued. Marcel, the developer, has archived the repo... As an alternative, TrackerControl has been introduced and many users will switch to it.

X-Raph-X commented 2 years ago

Thank you for all this great information. But I need to change my phone first, I don't have Pixel ...

famewolf commented 2 years ago

You might not have to. Just about every device has at least one custom rom that's "Pixel Experience".....I'm running PixelPlusUI which runs on multiple devices and it's fantastic. You can choose whether to root or not and google pay works out of the box.

First custom rom I've found that gives battery life as good as the stock oxygenos 10 did.

LeOS-GSI commented 2 years ago

Hi @jbas23, thank you very much for your answer but at the end, I found my ideal "workflow". So I use Shelter to activate Work profile. The work profile is used to run the Wireguard VPN plus an instance of Firefox. As the both app are in the same profile, it is possible to reach my PhotoPrism server through the VPN (I don't want to open it on Internet). I add a shortcut of the firefox in the work profile that open my "local" URL through the VPN. And, as PhotoPrism works very in mobile browser, like an app. No other app is used in the work profile, except Fdroid, so my privacy is protected. The personal profile use TC to secure my privacy with all other common app and the app from the vendor of the phone (Xiaomi).

It is very complex for a standard user, but no simple solution exists.

The purpose of all this stuff is to protect my privacy by using a maximum of opensource and self hosted app : Debian Linux server, NextCloud, associative french email provider (zaclys), PhotoPrism as photo gallery, Wireguard.

Thanks a lot

And I will have a look to GrapheneOS right now

come in my group in flash LeOS :) .. full ungoogled AndroidOS https://leos-gsi-de https://t.me/LeOS_Support

ghost commented 2 years ago

I'm sorry I started talking about this, This is not related to this issue, and may be better discussed elsewhere. If anyone is interested, please see below. Custom ROMs with enhanced security and privacy are simply explained. https://www.privacyguides.org/android/ https://www.privacyguides.org/android/overview/

That site introduces DivestOS for those who do not have a Pixel phone. https://divestos.org/ (Device List)

im-not-food commented 9 months ago

Here's my method using Termux, inspired by @jbas23's comment. I assume that TC is installed in the work profile and Termux is installed in the personal profile. If you find any mistake, please let me know.

  1. Install following apps from f-droid.

  2. Disable battery optimization for Termux to ensure it can run in the background without being killed by the system. You can use the website Don't Kill My App for instructions specific to your device.

  3. Open Termux and run the following command to upgrade the packages:

    pkg upgrade

    This command will update all the installed packages to their latest versions. Follow the prompts and enter "y" when asked to proceed with the upgrade.

  4. Install the required packages by running the following command:

    pkg install microsocks rinetd

    This command will install the microsocks and rinetd packages, which are necessary for setting up the VPN chaining. Enter "y" when prompted to proceed with the installation.

  5. Create a boot script for Termux by running the following command:

    mkdir -p ~/.termux/boot
    nano ~/.termux/boot/00-vpn-chaining

    The first command creates a directory called "boot" inside the ".termux" directory in your home folder. The "boot" folder is executed when the phone is booted. The second command opens the nano text editor to create a new file called "00-vpn-chaining" inside the "boot" directory.

  6. In the nano editor, paste the following script:

    #!/data/data/com.termux/files/usr/bin/sh

    # Start rinetd
    conf='127.0.0.1 5353/udp 100.64.0.2 53/udp'
    echo "$conf" | rinetd -c /dev/stdin

    # Start microsocks
    microsocks -i 127.0.0.1 -p 1080

    This script starts the rinetd service to forward UDP traffic from port 5353 to 100.64.0.2:53, which is the VPN DNS address.
    It then starts microsocks, a lightweight SOCKS5 server, on the local address 127.0.0.1 and port 1080.

  7. Press Ctrl + X to exit nano, then press Y to save the changes.

> NOTE:
> 100.64.0.2 is the IP address of the VPN DNS.
> If you use a VPN other than Mullvad, replace it with the appropriate IP address.
> You can find it in the WireGuard/OpenVPN configuration file.

  8. Make the boot script executable by running the following command:

    chmod +x ~/.termux/boot/00-vpn-chaining

  9. Set TrackerControl as follows:

    • SOCKS5 address: 127.0.0.1
    • SOCKS5 port: 1080
    • Port forwarding:
        • Protocol: UDP
        • Source port: 53
        • Destination address: 127.0.0.1
        • Destination port: 5353
        • Destination app: nobody
  10. Reboot your phone and wait until both Termux and TC are started.

That's it!
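A consistency check for the values used in the Termux procedure above, added here as an example; it is not part of the comment or of TrackerControl, and the function names (`is_loopback`, `microsocks_listen`, `lint_chain`) are made up for it. It flags listeners that are not bound to loopback, a rinetd rule that is not UDP, and ports that do not match what is entered in TC, without starting any service.

```shell
#!/bin/sh
# Added example: lint the boot-script values against the values entered in
# TrackerControl. Function names are assumptions made for this example.

# is_loopback ADDR: succeeds for 127.0.0.0/8 and ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# microsocks_listen "ARGS": print the "ip port" microsocks would listen on.
# microsocks listens on 0.0.0.0:1080 when -i / -p are not given.
microsocks_listen() {
    ms_ip=0.0.0.0
    ms_port=1080
    set -- $1                       # split the argument string into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) [ $# -ge 2 ] || break; ms_ip=$2; shift ;;
            -p) [ $# -ge 2 ] || break; ms_port=$2; shift ;;
        esac
        shift
    done
    echo "$ms_ip $ms_port"
}

# Print one finding and count it.
_problem() {
    echo "PROBLEM: $*"
    problems=$((problems + 1))
}

# lint_chain RINETD_RULE MICROSOCKS_ARGS TC_SOCKS_PORT TC_FWD_DEST_PORT
# Prints one line per finding and returns the number of findings.
lint_chain() {
    rule=$1; ms_args=$2; tc_socks_port=$3; tc_fwd_port=$4
    problems=0

    # rinetd rule: bindaddr bindport[/udp] connectaddr connectport[/udp]
    set -- $rule
    if [ $# -lt 4 ]; then
        _problem "rinetd rule needs: bindaddr bindport connectaddr connectport"
        return "$problems"
    fi
    r_addr=$1; r_port=$2; r_dport=$4

    set -- $(microsocks_listen "$ms_args")
    m_addr=$1; m_port=$2

    is_loopback "$m_addr" || _problem "microsocks listens on $m_addr: the SOCKS5 proxy is reachable from other hosts, use -i 127.0.0.1"
    is_loopback "$r_addr" || _problem "rinetd binds $r_addr: the DNS forwarder is reachable from other hosts"
    case "$r_port" in */udp) ;; *) _problem "rinetd bind port $r_port is not UDP, TC forwards UDP 53" ;; esac
    case "$r_dport" in */udp) ;; *) _problem "rinetd connect port $r_dport is not UDP" ;; esac
    [ "$m_port" = "$tc_socks_port" ] || _problem "TC SOCKS5 port $tc_socks_port != microsocks port $m_port"
    [ "${r_port%/udp}" = "$tc_fwd_port" ] || _problem "TC forward port $tc_fwd_port != rinetd bind port ${r_port%/udp}: DNS will not reach the VPN resolver"
    return "$problems"
}

# The values from the comment above: no findings expected.
lint_chain '127.0.0.1 5353/udp 100.64.0.2 53/udp' '-i 127.0.0.1 -p 1080' 1080 5353 \
    && echo "OK: boot script and TC settings are consistent"
```

Ports 6450 and 2080 from the earlier SagerNet instructions do not match this boot script; entering them in TC alongside it is reported as a mismatch.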

X-Raph-X commented 9 months ago

Great! I was waiting a solution for a while. Thank you very much for sharing, I will have a try!

X-Raph-X commented 9 months ago

Just to be sure, the vpn is installed in the personal profile isn't it?

im-not-food commented 9 months ago

Yes, you need to install it  in the personal profile.

kasnder commented 9 months ago

Another user mentioned this guide: https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-combo/

I'm dropping it here to close the other issue. #141

huuhaa commented 1 month ago

Could it be considered to solve VPN similar way as ReThinkDNS + Firewall does it? Basically add Proxy section to app, under that there could be option for current option & more, like:

This would be similar & solve to #351 also.. As well as make #377 not needed, cause biggest reason for that at end too is to.. Be able to use also VPN.

With Setup Wireguard option, user could load wireguard conf file similarly as with ReThinkDNS and thus connection would use vpn via TrackerControl. Simple and no need to mess with work profiles. Sure might not be as easy to do it..