Guide: How to use Netguard and Orbot
Private Your Tech
This guide answers the question:
How to use Netguard and Orbot together to route your traffic via the Tor Network with Netguard as Firewall?
There is now an easier option to achieve a similar setup:
Using InviZible Pro (https://t.me/InviZiblePro_Group), which has all of the same advantages, including the firewall, plus encrypted DNS and I2P.
This setup will still give you more control though.
Introduction
Using only Orbot or many VPNs masks your IP address, but it doesn't stop apps from accessing the internet and possibly sending out private info, wasting your data and battery while they're at it.
Without a rooted phone you can't stop many apps from getting internet access, and rooting a phone is a security risk.
Using Netguard, you can block internet access for any app, preventing even the system apps from 'calling home'.
That's better privacy and more control. But Netguard alone doesn't do anything to your IP address. Luckily, we can use Orbot as a SOCKS5 proxy through Netguard to mask your IP and encrypt your TCP traffic through the Tor network. Unfortunately, UDP traffic is not sent through the proxy, so your DNS is not encrypted unless you can use the encrypted DNS built into Android 9+.
Guide
Download Netguard:
https://f-droid.org/app/eu.faircode.netguard
Download Orbot:
https://f-droid.org/app/org.torproject.android
- Open Netguard, turn it on, and follow its prompts. Then, in your Android VPN settings (Settings/networks/more/VPN/), long-click on Netguard and set it as your always-on VPN.
- In its three-dot ⋮ menu, enable "Lockdown traffic".
- In Netguard's advanced options, set it to manage system apps.
- Find Orbot in Netguard, click on it and uncheck "apply rules and conditions". Same for Tor Browser if you have it, or any app you don't want to use Orbot.
- Follow the settings in this video: https://t.me/privateyourtech/45080
- In Netguard's settings/advanced options, change the VPN DNS to a desired DNS server:
  https://wiki.lelux.fi/dns/resolvers/
  https://kb.adguard.com/en/general/dns-providers
  Encrypted DNS is not possible in Netguard, but it can be set outside of the app on Android 9 or above with the built-in Android settings. (Or you could try to find a DNS proxy app...)
- In Netguard, choose the apps you want to allow internet access by clicking on them and checking 'allow in lockdown mode.'
- Test by searching "what's my IP" in DuckDuckGo or use ipleak.net.
- If you have a really slow network: in Orbot, try changing it from "Global (Auto)" to a country near you (try to use a DNS service in a similar area).
- If you don't want a certain app to go through Orbot, repeat step 4 for that app.
- Optionally in Netguard, go to settings/backup and download their hosts file or input your own to block ads and tracking.
- Before turning your phone off, always put it in flight mode and disable WiFi to avoid boot leaks (IP showing).
Disclaimers
- You will experience some latency in your network.
- You may occasionally get annoying reCAPTCHA requests on certain sites (if you do get frequent captcha requests, try changing your country as in step 9).
- NewPipe (YouTube client) will give problems. You can sometimes avoid that by changing country as in step 9.
- I can't advise what system apps may need access to the internet on your device.
- The Tor Network suffers from torrents and isn't ideal for them, so use step 4 for torrent apps, and watch videos in low resolution to reduce strain on the network.
- On Android, apps can possibly use something called intents to access the internet via allowed apps, even with this firewall setup. Use a trusted ROM or FOSS apps to reduce this risk.
For Samsung Galaxy users
On some devices, a Samsung app is listening on the same network port that Orbot needs. Download 'SockStat' from Google Play. Look for the app on port 9050. Force stop and disable that app. You can also try to change Orbot's "Tor SOCKS" setting under the Debug section to 9051 or AUTO. You can see the fix in this video: https://www.youtube.com/watch?v=yK-nK4F67_g
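To check what is answering on the SOCKS ports named above, the following sends a SOCKS5 greeting to 127.0.0.1 on 9050 and 9051 and classifies the reply. This is an added example, not part of the original guide or of Orbot or Netguard; it assumes Python 3 is available on the device (for instance in a terminal app), and the state names and the `probe`/`classify_reply` helpers are made up for illustration.

```python
import socket

# SOCKS5 client greeting: VER=5, NMETHODS=1, METHOD=0x00 (no authentication)
SOCKS5_GREETING = b"\x05\x01\x00"

# Hypothetical state names used by this example, with what each suggests
ADVICE = {
    "socks5": "a SOCKS5 proxy answers here (expected for Orbot; does not prove it is Orbot)",
    "socks5-rejected": "a SOCKS5 listener that refuses unauthenticated clients",
    "not-socks": "something other than a SOCKS5 proxy holds this port",
    "no-reply": "a listener accepted the connection but did not answer the greeting",
    "closed": "nothing is listening; Orbot is stopped or uses another port",
    "unreachable": "connection failed or timed out",
}

def classify_reply(reply: bytes) -> str:
    """Interpret the bytes a listener returns after the SOCKS5 greeting."""
    if not reply:
        return "no-reply"
    if len(reply) == 2 and reply[0] == 0x05:
        # Second byte is the method the server selected; 0x00 = no auth accepted
        return "socks5" if reply[1] == 0x00 else "socks5-rejected"
    return "not-socks"

def probe(port: int, host: str = "127.0.0.1", timeout: float = 3.0) -> str:
    """Connect to host:port, send the greeting and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(SOCKS5_GREETING)
            try:
                reply = sock.recv(2)
            except (socket.timeout, ConnectionResetError):
                reply = b""
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    return classify_reply(reply)

if __name__ == "__main__":
    for port in (9050, 9051):
        state = probe(port)
        print(f"127.0.0.1:{port}: {state} - {ADVICE[state]}")
```

A "not-socks" or "no-reply" result on 9050 while Orbot fails to start matches the port conflict described above; "socks5" only shows that some SOCKS5 proxy is listening, so still confirm your exit IP with the test in the guide.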
Using Shelter, work profile or entirely different profile
- Install Netguard in the work profile, but not Orbot.
- Turn on a setting in the non-work profile Orbot: "Open Proxy on All Interfaces"
- Set the work profile Netguard to exactly the same
- Test the IP address in that work profile's browser (search "what's my IP" in DuckDuckGo)
For advertisement and tracker blocking:
Go to settings/backup and click download hosts file.
If you want to block more things with the hosts file, see Energized Pro.
I use their Bluhost file and add 'append' more lists.
To use it, paste the hosts file link in the 'Host File Download URL' tab in Netguard.