  1. chetmanley's Avatar
    Hello,

    Thought I should share what I've learned regarding the setup of Netguard through Orbot. Sadly, this is the closest we can get to a true Firewall + VPN solution on a Blackberry Android.

    What this solution will provide is a way to monitor, allow and/or block all connections made by every system/application on the phone while trying to provide a level of internet anonymity as provided by TOR.

    Ideally, we would want to have the Firewall, plus a VPN, then TOR if desired, however we cannot accomplish this without root access. If you aren't concerned about the firewall component, then you can run the last two without needing root (VPN + TOR).

    Step one: Purchase Netguard (www.netguard.me). If you don't want to do this via Google Play, you can purchase from the developer directly; he will then email you an unlock code which can be used on all future updates which are downloaded from within the application.

    Step two: Install the Orbot / Tor Browser combo from F-Droid or Google Play / Yalp

    Step three: Open Netguard, go to Settings->Network Options and select Subset Routing ON.
    Then go to Settings->Advanced Options and scroll down to Use SOCKS5 Proxy and toggle that on.

    For the SOCKS5 Address enter 127.0.0.1 (the default Orbot address) and for the SOCKS5 port enter 9050 (also default in Orbot) - these can be changed in Orbot if required for some reason.

    Ensure that Orbot and Tor Browser are not being filtered by Netguard, otherwise it will just start a feedback loop and no connection will be made.

    Step four: Start Orbot and connect to TOR

    Step five: Switch back to Netguard and activate the firewall.

    To test if it's working, open your normal browser (not Tor Browser) and go to www.dnsleaktest.com or similar to confirm the IP address it's showing is the same as Orbot.

    Unfortunately, this setup cannot route UDP requests, so there will be a DNS leak. However, in Netguard settings you can change the DNS server to one other than your ISP.

    Step six: The fun part - monitoring all those unwanted connections and setting up the rules to block them from all your apps as required.

    If you want to exclude an application from being routed via TOR, then you need to exclude it from the Firewall filters.

    I hope this helps. Unfortunately it's not a full solution to the security+privacy problem (that would be solved if BB could integrate a firewall into the phone somehow), but at the moment, it's the closest we can get on a BB android.

    Cheers

    Edit: Added important step in bold about ensuring Orbot isn't filtered.
    Last edited by chetmanley; 05-12-19 at 01:18 AM.
    01-10-18 07:38 PM
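
The SOCKS5 settings and the DNS leak noted in the post above, as an added example that is not part of the original post: it checks that a SOCKS5 proxy answers on 127.0.0.1:9050 and shows, from the CONNECT request bytes (RFC 1928), which side performed the name lookup. It assumes a packet-level firewall forwards a connection by IP address after the app has already resolved the name over UDP; the function names and the 203.0.113.10 sample address are constructed for illustration.

```python
import ipaddress
import socket
import struct

ORBOT_SOCKS = ("127.0.0.1", 9050)  # SOCKS5 address and port from the post
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types


def build_connect(host, port):
    """Build a SOCKS5 CONNECT request for host:port (RFC 1928, section 4)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:  # not an IP literal, so send the name itself
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def who_resolves(request):
    """Return which side did the DNS lookup for a CONNECT request."""
    if len(request) < 5 or request[0] != 0x05 or request[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        return "proxy"   # hostname is sent to the proxy, which resolves it
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        return "client"  # name was already resolved before the proxy saw it
    raise ValueError("unknown address type")


def socks5_alive(addr=ORBOT_SOCKS, timeout=3.0):
    """True if a SOCKS5 server at addr accepts the no-authentication method."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
            return s.recv(2) == b"\x05\x00"
    except OSError:  # refused, unreachable or timed out
        return False


if __name__ == "__main__":
    print("SOCKS5 proxy answering on 127.0.0.1:9050:", socks5_alive())
    # Constructed targets: a hostname and a documentation-range IP address.
    for target in ("www.dnsleaktest.com", "203.0.113.10"):
        print(target, "-> resolved by", who_resolves(build_connect(target, 443)))
```

A request that carries only an IP address means the lookup happened outside the proxy, which is why changing the DNS server in the firewall settings moves the leak rather than closing it.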
  2. dpw09's Avatar
    Hello,

    Thought I should share what I've learned regarding the setup of Netguard through Orbot. Sadly, this is the closest we can get to a true Firewall + VPN solution on a Blackberry Android.

    What this solution will provide is a way to monitor, allow and/or block all connections made by every system/application on the phone while trying to provide a level of internet anonymity as provided by TOR.

    Ideally, we would want to have the Firewall, plus a VPN, then TOR if desired, however we cannot accomplish this without root access. If you aren't concerned about the firewall component, then you can run the last two without needing root (VPN + TOR).

    Step one: Purchase Netguard. If you don't want to do this via Google Play, you can purchase from the developer directly; he will then email you an unlock code which can be used on all future updates which are downloaded from within the application.

    Step two: Install the Orbot / Orfox combo from F-Droid or Google Play / Yalp

    Step three: Open Netguard, go to Settings->Network Options and select Subset Routing ON.
    Then go to Settings->Advanced Options and scroll down to Use SOCKS5 Proxy and toggle that on.

    For the SOCKS5 Address enter 127.0.0.1 (the default Orbot address) and for the SOCKS5 port enter 9050 (also default in Orbot) - these can be changed in Orbot if required for some reason.

    Ensure that Orbot is not being filtered by Netguard, otherwise it will just start a feedback loop and no connection will be made.

    Step four: Start Orbot and connect to TOR

    Step five: Switch back to Netguard and activate the firewall.

    To test if it's working, open your normal browser and go to www.dnsleaktest.com or similar to confirm the IP address it's showing is the same as Orbot.

    Unfortunately, this setup cannot route UDP requests, so there will be a DNS leak.

    Step six: The fun part - monitoring all those unwanted connections and setting up the rules to block them from all your apps as required.

    If you want to exclude an application from being routed via TOR, then you need to exclude it from the Firewall filters. For example, I didn't want my standard Firefox browser to go via TOR because it causes some websites to force Captchas (like crackberry). So in this case I turned off its connection filtering in Netguard and now it connects to the internet normally. Ideally, this is where the VPN layer would take over and fill the gap...

    I hope this helps. Unfortunately it's not a full solution to the security+privacy problem (that would be solved if BB could integrate a firewall into the phone somehow), but at the moment, it's the closest we can get on a BB android.

    Cheers

    Edit: Added important step in bold about ensuring Orbot isn't filtered.
    I use no root data firewall https://play.google.com/store/apps/d...anjia.firewall on my daughter's phone. Don't want her using stuff like youtube or any streaming while on our shared data plan so I block on mobile and allow on wifi.
    01-15-18 01:05 PM
  3. Ulferini Schusterotti's Avatar
    I used to install AFwall+ on all my rooted phones but since the KEYone and PRIV are unrootable I also switched to NetGuard and I really like it.
    chetmanley likes this.
    01-22-18 04:10 AM
  4. Mecca EL's Avatar
    Why not turn on Data Controls? You can control which app is allowed to access the net, and how it accesses it. It's baked into Oreo, and should be present in Nougat.
    01-22-18 05:22 AM
  5. Mecca EL's Avatar
    Why not turn on Data Controls? You can control which app is allowed to access the net, and how it accesses it. It's baked into Oreo, and should be present in Nougat.
    Here's a screen shot
    01-22-18 05:23 AM
  6. dpw09's Avatar
    Why not turn on Data Controls? You can control which app is allowed to access the net, and how it accesses it. It's baked into Oreo, and should be present in Nougat.
    I'm going to guess he doesn't have Oreo or he probably would. Neither my daughter's nor my phone has Oreo.
    chetmanley likes this.
    01-22-18 11:50 PM
  7. chetmanley's Avatar
    Why not turn on Data Controls? You can control which app is allowed to access the net, and how it accesses it. It's baked into Oreo, and should be present in Nougat.

    I didn't know Oreo had that option. Nougat doesn't have that option afaik and BB devices haven't received Oreo yet.

    While that is a welcome addition, it isn't a perfect solution because it's all or nothing.

    For example - BBM Enterprise: I don't want to disable all of its net access for obvious reasons, but I also don't need it making specific connections to Mix Panel for data collection. The same goes with BB Hub + Services; I want to be able to send email, but I don't need my phone sending data back to Blackberry.

    Google Maps or Here maps are good examples also of needing to be able to block certain - but not all - connections. With the firewall I can block analytics and advertising without blocking the necessary mapping content servers.

    The only way to control and monitor this activity is with a Firewall application (Like Netguard or AFwall).
    01-23-18 03:34 PM
  8. chetmanley's Avatar
    I've been experimenting with how to mitigate the DNS leak posed by this setup.

    Inside Netguard advanced settings, under VPN you can set two DNS servers. If left blank, these will default to your wireless provider or ISP, or in the case of hotels where you need to "login", it will default to their DNS.

    One option is to enter 8.8.8.8 for Google's DNS.

    A better option is to use one of these servers: https://www.opennic.org/

    While the DNS is still not being funneled through Tor, it's at least no longer set to your ISP.

    While this has worked perfectly with my wireless carrier and home ISP, it hasn't worked when on a particular Hotel wifi where you need to "login" after connecting. It forced the Hotel's ISP DNS and I couldn't override it.

    Cheers
    03-04-18 03:40 PM
  9. chetmanley's Avatar
    For anyone who has tried this and noticed that about every 30 seconds, your 4G data drops off even though you have a strong signal, I think I discovered the cause.

    For some reason this never happens when on Wifi (losing data connection).

    To fix it, under Netguard - Settings- Advanced

    Enter the same DNS Server twice - don't try using two different servers. I was running two different servers from OpenNIC and whenever I was on 4G, it would drop the data for 30 seconds at a time.

    It also did this when running default DNS servers as provided by your ISP (if it provides two different ones to Netguard).


    UPDATE: This problem continued on my device despite the new DNS settings. I've discovered it's actually related to the setting under Advanced -> Manage system apps

    I've found that if all the system applications are blocked, then after some period of time (hours, maybe a day) then the issue will arise where the phone will lose data when on 4G.

    But as soon as system applications are unblocked, the problem is solved. You can then reblock them and it will work for another few hours/days... still trying to nail down the culprit.

    I've found this also happens more or less often on different sim cards / networks.
    Last edited by chetmanley; 04-06-18 at 08:43 PM.
    03-22-18 07:02 PM
  10. enthused's Avatar
    Thanks, chetmanley, for all the research and sharing your info, and the details on mitigating the DNS leakage.

    As a first step I installed Netguard (on a BlackBerry KeyOne). I notice it's regularly throwing a funny error:

    "Netguard could not start automatically. This is likely because of a bug in your Android version."

    It is strange because Netguard actually is running. There was an initial problem with Blockada seemingly causing it to shut down, but I whitelisted Netguard and that problem resolved. The "could not start" error occurs even if Blockada is not running.

    Any ideas?
    03-31-18 07:25 AM
  11. chetmanley's Avatar
    Hi, @enthused

    Blockada and Netguard both use the VPN service. So you can't run them both simultaneously.

    Netguard comes with Adblocking capability so no need to use Blockada.

    I've never seen that error message before. Maybe try reinstalling Netguard.
    04-03-18 09:27 AM
  12. chetmanley's Avatar
    For anyone who has tried this and noticed that about every 30 seconds, your 4G data drops off even though you have a strong signal, I think I discovered the cause.

    For some reason this never happens when on Wifi (losing data connection).

    To fix it, under Netguard - Settings- Advanced

    Enter the same DNS Server twice - don't try using two different servers. I was running two different servers from OpenNIC and whenever I was on 4G, it would drop the data for 30 seconds at a time.

    It also did this when running default DNS servers as provided by your ISP (if it provides two different ones to Netguard).


    UPDATE: This problem continued on my device despite the new DNS settings. I've discovered it's actually related to the setting under Advanced -> Manage system apps

    I've found that if all the system applications are blocked, then after some period of time (hours, maybe a day) then the issue will arise where the phone will lose data when on 4G.

    But as soon as system applications are unblocked, the problem is solved. You can then reblock them and it will work for another few hours/days... still trying to nail down the culprit.

    I've found this also happens more or less often on different sim cards / networks.
    I've narrowed it down to the collection of system apps that fall under the group 1001.

    On the keyone, this includes ApnSetterService, BbryTelephonyProvider, com.qti.qualcomm.datastatusnotification etc.

    Unfortunately I can't narrow down exactly which app is causing the issue because they are grouped together by android, but the only connection any of them appear to be making is to www.google.com/80 every few hours or so.

    Not sure why blocking these apps causes the data to drop off in 20-30 second spurts, but as long as you permit internet access to these apps, the problem is solved.

    Feel free to block them all when on wifi, it has no effect on your data access on wifi.

    UPDATE: This is no longer an issue. This connection can be blocked without problem.
    Last edited by chetmanley; 05-12-19 at 01:21 AM.
    04-16-18 04:57 PM
  13. chetmanley's Avatar
    I've come up with a technique that can be used if Cloudflare is preventing you from accessing a site while on Netguard+Tor.

    I've installed and configured a second firefox browser (In this case Fennec F-droid) with the same about:config and privacy addons as my standard firefox.

    I don't include this second browser in the Netguard filters, so this way it won't connect via Tor, which causes the Cloudflare captcha or outright blocking on some sites (google or foxnews for example)

    But, I still want this connection to be obscured via something like a VPN without sacrificing the rest of the system by turning off Netguard.

    To accomplish this, see if your vpn provider makes a firefox addon which allows for connecting your browser and dns directly to the vpn server via proxy.

    One example is NordVPN and it works on android firefox.

    So now I have two firefox browsers. One that connects via tor and netguard which works 95% of the time, and one that only connects via VPN proxy that I can use for those stubborn Cloudflare sites (ie crackberry)
    Last edited by chetmanley; 08-05-18 at 04:40 PM.
    jope28 likes this.
    08-05-18 01:43 PM
  14. chetmanley's Avatar
    I've narrowed it down to the collection of system apps that fall under the group 1001.

    On the keyone, this includes ApnSetterService, BbryTelephonyProvider, com.qti.qualcomm.datastatusnotification etc.

    Unfortunately I can't narrow down exactly which app is causing the issue because they are grouped together by android, but the only connection any of them appear to be making is to www.google.com/80 every few hours or so.

    Not sure why blocking these apps causes the data to drop off in 20-30 second spurts, but as long as you permit internet access to these apps, the problem is solved.

    Feel free to block them all when on wifi, it has no effect on your data access on wifi.
    As an update to this:

    Something has changed in both the Keyone on Oreo and the Key2. I've noticed they've stopped trying to ping www.google.com/80 and as a result, I no longer have connection issues on my devices when blocking System app connections on cellular.
    01-10-19 06:31 PM
