I have a rather peculiar #Android problem.
- I use personalDNSfilter (zenz-solutions.de/personaldnsf…) to block ads system-wide. It's basically like running a local pi-hole using a local VPN.
- I would also like to use Orbot (#Tor) and run some apps (specifically Nextcloud) that don't natively support proxying through Orbot's VPN.
The problem is, Android won't let me run two VPNs at the same time. And blocking ads without a VPN would require rooting my phone, which I don't want to do. However:
- personalDNSfilter can expose the DNS server on port 5300 without using the VPN (which is useless in itself).
- Orbot can expose its HTTP and SOCKS proxy without using the VPN (which is also useless in itself).
Is there some way to set up a custom VPN that would combine these two things, i.e., let me route some apps through Orbot's proxy and use the local DNS server (provided by personalDNSfilter) at port 5300? I was looking at OpenVPN for Android (github.com/schwabe/ics-openvpn), but I'm honestly really confused. Help please? 😅 Boosts appreciated.
Truls (in reply to Radomír Žemlička):
After a lot of playing around with ad blockers on Android I settled on using dnsforge.de/ as the DNS resolver, which does the ad blocking on the DNS level without any apps. You lose the ability to customize the blocklist, but I found the ones they use sufficient for me.
However, I don't know if that would work with Orbot.
Alexandre (in reply to Jiří Eischmann):
Hello @Razemix, with #AdGuardHome you can use it inside and outside your LAN.
Here, I set it as DHCP server and it acts as DNS resolver for all the endpoints on my local network. But I also declare each device with a unique identifier and set private DNS on all of them. Profiles for iOS devices can be generated from the #AGH dashboard.
My AGH is serving DoT, DoH and DoQ protocols. This way, strangers cannot use my resolver to poison it.
A VPN connection is not required in this setup to use your AGH outside your local network.
You need a domain name, a free certificate (Let's Encrypt), open two ports (443 & 853 on UDP & TCP) in your router and firewall, and write a tiny script to update your DNS record if your WAN IP address is dynamic.
Network ports are: #DoT (853/TCP), #DoQ (853/UDP), #DoH HTTP/2 (443/TCP), DoH HTTP/3 (443/UDP).
All your devices and your family's can use your personal secure DNS.
You can also completely replace the standard DNS client on all your computers with the #dnsproxy software developed by the AGH team. All your devices will use secure DNS.
@sesivany
F-Droid (in reply to Radomír Žemlička):
InviZible Pro: increase your security, protect you | F-Droid - Free and Open Source Android App Repository (f-droid.org)
Tomáš Odehnal (in reply to Radomír Žemlička):
Also I'm not sure about your use case, but I guess the unfiltered DNS for those apps is not something you want. 😬
Tomáš Odehnal (in reply to Tomáš Odehnal):
I just found out that I didn't have the latest version installed (Obtainium vs their GitHub releases, oh well).
The latest has split DNS, should help.
"Split DNS to route DNS requests from apps over selected upstream resolvers."
Radomír Žemlička (in reply to Tomáš Odehnal):
@def Well, bypassing apps didn't do much. I also tried to update it and the DNS splitting probably works (it skips my filters in proxied apps), but it still fails on .onion domains. (Note that when I run Orbot in VPN mode and route apps through it, it works fine, so Orbot's DNS server is not the problem.)
On the other hand, I managed to configure Firefox to use the Orbot proxy directly (for .onion domains only), so I can continue using personalDNSfilter in VPN mode. It doesn't really help with native apps that don't let you configure proxy (like Nextcloud), but at least I can use PWAs through Firefox. I would like to have automatic backup of photos (and this requires the native app), but I can probably figure out something else (maybe Syncthing).
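One way to get the Firefox behaviour described above (Orbot's proxy for .onion names only, everything else on the normal path so personalDNSfilter keeps the VPN slot) is a proxy auto-config (PAC) script. This is an added example, not code from the thread or from Orbot; Orbot's SOCKS listener at 127.0.0.1:9050 is an assumption.

```javascript
// Added example (not from the thread): PAC script that routes only .onion
// hosts to Orbot's local SOCKS proxy and lets all other traffic go DIRECT,
// so clearnet requests stay under the system-wide DNS filter.
// ASSUMPTION: Orbot exposes SOCKS on 127.0.0.1:9050 (its usual default).
var ORBOT_SOCKS = "SOCKS5 127.0.0.1:9050";

// Plain string checks instead of the PAC helpers dnsDomainIs()/shExpMatch(),
// so the same function runs inside Firefox and under a plain JS test.
function isOnionHost(host) {
  var h = String(host || "").toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return h.endsWith(".onion");
}

// Firefox calls this for every request; the return value is a proxy directive.
function FindProxyForURL(url, host) {
  if (isOnionHost(host)) {
    // No "; DIRECT" fallback on purpose: a .onion name must never be handed
    // to a DNS resolver, which is also why split DNS alone cannot reach them.
    return ORBOT_SOCKS;
  }
  // Everything else: normal path, still filtered by the local DNS VPN.
  return "DIRECT";
}
```

Point Firefox's automatic proxy configuration at this file and make sure network.proxy.socks_remote_dns is true, so the .onion hostname is passed to Orbot instead of being resolved locally.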
Radomír Žemlička (in reply to Radomír Žemlička):
CalDAV, CardDAV and WebDAV for Android (www.davx5.com)
Tomáš Odehnal (in reply to Radomír Žemlička):
I'm still curious about the use case. Connecting to resources like those mentioned via Tor is... weird? 😀 The only thing that comes to my mind is bypassing of filters on the internet connection itself. But we can leave this hanging if you wish 😀
Radomír Žemlička (in reply to Tomáš Odehnal):
1) Use some WireGuard provider like Tailscale or Netbird. (I don't really like the idea of giving some random company access to my server though. Also, it would be problematic to set up since I want to continue using Android's VPN slot for ad blocking.)
2) Use Tor and expose the server as a hidden service.
I don't know, is it that weird? Maybe there's a better solution and I just can't see it. 😅
Tomáš Odehnal (in reply to Radomír Žemlička):
I wasn't aware of that possibility, and quickly checking how it works I'm not sure I would use it, but I know shit about the details, so maybe I'm the weird one 😀
Would a VPS and self-hosted WireGuard be an option? You could host the ad-blocking DNS on the home server as well (or maybe keep personalDNSfilter without VPN mode? Again, I know shit about that.)
My setup is similar. I have a public IP but don't use it because I don't feel like exposing services directly. I got a cheap VPS from Hetzner and publish stuff from home via Pangolin (reverse proxy and VPN server). The services are accessible from the internetz directly now, however I'm planning to add auth and SSO on Pangolin to make it more secure (and usable).