Making magic with the network stack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

751 lines
42 KiB

  1. NetGuard
  2. ========
  3. Please scroll down if you want to ask a question, request a feature, or report a bug.
  4. [Deutsche Übersetzung](https://raw.githubusercontent.com/M66B/NetGuard/master/FAQ-de.txt)
  5. Frequently Asked Questions (FAQ)
  6. --------------------------------
  7. <a name="faq0"></a>
  8. **(0) How do I use NetGuard?**
  9. * Enable the NetGuard firewall using the switch in NetGuard's action bar
  10. * Allow (greenish\*) or deny (reddish\*) Wi-Fi or mobile internet access using the icons next to an application name in NetGuard's applications list
  11. You can use *Settings > Defaults* to change from block/blacklist mode (disable *Block Wi-Fi* and *Block mobile*, and then block unwanted applications in NetGuard's applications list) to allow/whitelist mode (enable *Block Wi-Fi* and *Block mobile*, and then allow desired applications in NetGuard's applications list).
  12. \* Depending on the theme you use, the icons may be:
  13. * Allowed (internet access permitted): greenish (teal) / blue / purple / gray
  14. * Blocked (internet access denied): reddish (salmon) / orange / yellow / amber
  15. <a name="faq1"></a>
  16. **(1) Can NetGuard completely protect my privacy?**
  17. No - nothing can completely protect your privacy.
  18. NetGuard will do its best, but it is limited by the fact it must use the Android VPN service.
  19. This is the trade-off required to make a firewall which does not require root access.
  20. The firewall can only start when Android "allows" it to start,
  21. so it will not offer protection during early boot-up (although you can disable your network before rebooting).
  22. Also, the Android VPN service needs to be restarted to apply new rules when connectivity has changed or when the screen is being turned on or off.
  23. It will, however, be much better than nothing.
  24. In the advanced options you can enable *Seamless VPN handover on reload* to prevent traffic from leaking when the Android VPN service is being restarted.
  25. However, this does not work properly on all Android versions/variants causing NetGuard to hang and block all connections.
  26. On Android N and later NetGuard can be configured as [Always-On VPN](https://developer.android.com/guide/topics/connectivity/vpn#always-on).
  27. On Android O **do not** enable the sub option '*Block connections without VPN*', see [question 51](#user-content-faq51)) for more information on this.
  28. To protect yourself more, remember to disable Wi-Fi and mobile data before rebooting,
  29. and only enable them on reboot, after the firewall service has started (and the key icon is visible in the status bar).
  30. Thanks @[pulser](https://github.com/pulser/)
  31. <a name="faq2"></a>
  32. **(2) Can I use another VPN application while using NetGuard**
  33. If the VPN application is using the [VPN service](http://developer.android.com/reference/android/net/VpnService.html),
  34. then no, because NetGuard needs to use this service. Android allows only one application at a time to use this service.
  35. NetGuard is a firewall application, so there is no intention to add VPN support.
  36. However, NetGuard supports a [SOCKS5 proxy](https://en.wikipedia.org/wiki/SOCKS) to chain VPN applications.
  37. You can find one possible community contributed solution [here](https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-combo/).
  38. <a name="faq3"></a>
  39. **(3) Can I use NetGuard on any Android version?**
  40. No, the minimum required Android version is 5.1 (<a href= "https://developer.android.com/about/versions/lollipop">Lollipop</a>)
  41. <a name="faq4"></a>
  42. **(4) Will NetGuard use extra battery power?**
  43. By default NetGuard will hardly use any battery power.
  44. All settings resulting in extra battery usage, like IP filtering and logging, have a warning.
  45. If NetGuard uses a lot of battery power, please double check your settings.
  46. The battery usage when IP filtering is enabled depends on the quality of your Android VPN service implementation and the efficiency of the processor of your device.
  47. Generally the battery usage on older devices might be unacceptable, yet hardly noticeable on modern devices with an efficient processor.
  48. The network speed graph notification will use extra battery power.
  49. This is why the notification is shown only when the screen is on.
  50. You can decrease the update frequency using the settings to reduce the battery usage.
  51. Note that Android often incorrectly contribute battery usage of other apps to NetGuard,
  52. because the network traffic of other apps is flowing through NetGuard.
  53. This means that it might look like NetGuard is using a lot of battery power,
  54. but that in fact the total battery usage of all apps is still the same.
  55. <a name="faq6"></a>
  56. **(6) Will NetGuard send my internet traffic to an external (VPN) server?**
  57. No, depending on the mode of operation basically one of two things will happen with your internet traffic:
  58. * When IP filtering is disabled, blocked internet traffic will be routed into the local VPN service, which will operate as a sinkhole (in effect dropping all blocked traffic)
  59. * When IP filtering is enabled, both blocked and allowed internet traffic will be routed into the local VPN service and only allowed traffic will be forwarded to the intended destination (and not to a VPN server)
  60. The [Android VPN service](http://developer.android.com/reference/android/net/VpnService.html) is being used to locally route all internet traffic to NetGuard so no root is required to build this firewall application.
  61. NetGuard, unlike all other no-root firewalls applications, is 100% open source, so when you are in doubt you can check [the source code](https://github.com/M66B/NetGuard/) yourself.
  62. <a name="faq7"></a>
  63. **(7) Why are applications without internet permission shown?**
  64. Internet permission can be granted with each application update without user consent.
  65. By showing all applications, NetGuard allows you to control internet access even *before* such an update occurs.
  66. <a name="faq8"></a>
  67. **(8) What do I need to enable for the Google Play™ store app to work?**
  68. You need 3 packages (applications) enabled (use search in NetGuard to find them quickly):
  69. * com.android.vending (Play store)
  70. * com.google.android.gms (Play services)
  71. * com.android.providers.downloads (Download manager)
  72. Since the Google Play™ store app has a tendency to check for updates or even download them all by itself (even if no account is associated),
  73. one can keep it in check by enabling "*Allow when screen is on*" for all 3 of these packages.
  74. Click on the down arrow on the left side of an application name and check that option,
  75. but leave the network icons set to red (hence blocked). The little human icon will appear for those packages.
  76. Note that NetGuard does *not* require any Google service to be installed.
  77. <a name="faq9"></a>
  78. **(9) Why is the VPN service being restarted?**
  79. The VPN service will be restarted when you turn the screen on or off and when connectivity changes (Wi-Fi, mobile)
  80. to apply the rules with the conditions *'Allow when screen is on'* and *'Block when roaming'*.
  81. See [here](http://forum.xda-developers.com/showpost.php?p=65723629&postcount=1788) for more details.
  82. <a name="faq10"></a>
  83. **(10) Will you provide a Tasker plug-in?**
  84. No, because if Tasker is allowed to disable NetGuard, any application can disable NetGuard.
  85. Allowing a security application to be disabled by other applications is not a good idea.
  86. <a name="faq13"></a>
  87. **(13) How can I remove the ongoing NetGuard entry in the notification screen?**
  88. * Long click the NetGuard notification
  89. * Tap the 'i' icon
  90. * Depending on your device and/or ROM manufacturer's software customizations, you can be directed to either:
  91. * the **App Info** screen and you can uncheck '*Show notifications*' and agree to the next dialog
  92. * the **App Notifications** screen and you can toggle the '*Block*' slider to on
  93. Note that, whether or not you get a dialog warning to agree upon,
  94. this operation will also disable any information or warning notifications from NetGuard,
  95. such as the new application installed notification.
  96. To read about the need for the notification in the first place, see [question 24](#user-content-faq24).
  97. Some Android versions display an additional notification, which might include a key icon.
  98. This notification, unfortunately, cannot be removed.
  99. <a name="faq14"></a>
  100. **(14) Why can't I select OK to approve the VPN connection request?**
  101. There might be another (invisible) application on top of the VPN connection request dialog.
  102. Some known (screen dimming) applications which can cause this are *Lux Brightness*, *Night Mode*, and *Twilight*.
  103. To avoid this problem, at least temporarily, close all applications and/or services which may be running in the background.
  104. <a name="faq15"></a>
  105. **(15) Are F-Droid builds supported?**
  106. F-Droid builds are not supported because I have no control over if and when the F-Droid version of NetGuard will be updated,
  107. so I cannot guarantee timely updates, for example if there is a critical or security issue.
  108. Because F-Droid builds and GitHub releases are signed differently, an F-Droid build needs to be uninstalled first to be able to update to a GitHub release.
  109. <a name="faq16"></a>
  110. **(16) Why are some applications shown dimmed?**
  111. Disabled applications and applications without internet permission are shown dimmed.
  112. <a name="faq17"></a>
  113. **(17) Why is NetGuard using so much memory?**
  114. It isn't. NetGuard doesn't allocate any memory, except a little for displaying the user interface elements and for buffering traffic.
  115. It appears, on some Android variants, that the Google Play™ store app connection uses almost 150 MB. It is needed for in-app donations,
  116. and is incorrectly attributed to NetGuard instead to the Google Play™ store app.
  117. <a name="faq18"></a>
  118. **(18) Why can't I find NetGuard in the Google Play™ store app?**
  119. NetGuard requires at least Android 5.1, so it is not available in the Google Play™ store app on devices running prior Android versions.
  120. <a name="faq19"></a>
  121. **(19) Why does application XYZ still have internet access?**
  122. If you block internet access for an application, there is no way around it.
  123. However, applications could access the internet through other (system) applications/components.
  124. For example, Google Play services receives incoming push messages and ads for most applications, including WhatsApp and Facebook messenger.
  125. You can prevent this by blocking internet access for the other application/component as well.
  126. You can block system applications and components, like Google Play services, by enabling the advanced NetGuard option *Manage system apps*.
  127. This can best be diagnosed by checking the global access log (three dot menu, *Show log*).
  128. Note that some applications keep trying to access the internet, which is done by sending a connection request packet.
  129. This packet goes into the VPN sinkhole when internet access for the application is blocked.
  130. This packet consists of less than 100 bytes and is counted by Android as outgoing traffic
  131. and will be visible in the speed graph notification as well.
  132. <a name="faq20"></a>
  133. **(20) Can I Greenify/hibernate NetGuard?**
  134. No. [Greenifying](https://play.google.com/store/apps/details?id=com.oasisfeng.greenify)
  135. or otherwise hibernating NetGuard will result in rules not being applied
  136. when connectivity changes from Wi-Fi/mobile, screen on/off, and roaming/not roaming.
  137. <a name="faq21"></a>
  138. **(21) Does doze mode affect NetGuard?**
  139. I am not sure, because the [doze mode documentation](http://developer.android.com/training/monitoring-device-state/doze-standby.html)
  140. is not clear if the [Android VPN service](http://developer.android.com/reference/android/net/VpnService.html) will be affected.
  141. To be sure, you can disable battery optimizations for NetGuard manually like this:
  142. ```
  143. Android settings > Battery > three dot menu > Battery optimizations > Dropdown > All apps > NetGuard > Don't optimize > Done
  144. ```
  145. The procedure to accomplish this can vary between devices.
  146. Disabling doze mode for NetGuard cannot be done from within NetGuard
  147. because, according to Google, NetGuard is [not an application type allowed to do this](http://developer.android.com/training/monitoring-device-state/doze-standby.html#whitelisting-cases).
  148. <a name="faq22"></a>
  149. **(22) Can I tether (use the Android hotspot) / use Wi-Fi calling while using NetGuard?**
  150. Yes, but you'll need to enable subnet routing and tethering in the NetGuard network settings.
  151. Whether or not it works depends on your Android version
  152. because some Android versions have a bug preventing tethering and the VPN service working together.
  153. Some devices hibernate Wi-Fi, preventing tethering from working when the screen is off.
  154. This behavior can be disabled in the Android enhanced/advanced Wi-Fi settings.
  155. <a name="faq24"></a>
  156. **(24) Can you remove the notification from the status bar?**
  157. Android can kill background services at any time.
  158. This can only be prevented by turning a background service into a foreground service.
  159. Android requires an ongoing notification for all foreground services
  160. to make you aware of potential battery usage (see [question 4](#user-content-faq4)).
  161. So, the notification cannot be removed without causing instability.
  162. However, the notification is being marked as low priority,
  163. which should result in moving it to the bottom of the list.
  164. The key icon and/or the VPN running notification,
  165. which is shown by Android and not by NetGuard, unfortunately, cannot be removed.
  166. The [Google documentation](http://developer.android.com/reference/android/net/VpnService.html) states:
  167. *"A system-managed notification is shown during the lifetime of a VPN connection"*.
  168. Android 8 Oreo and later display a notification "*... running in the background*" listing all apps running in the background.
  169. You can't disable this notification, but you can remove the icon from the status bar like this:
  170. * Open Settings > Apps & notifications > App info
  171. * Open settings (three dots); Select "Show system"
  172. * Select "Android System"
  173. * Select "App notifications"
  174. * Select "Apps running in background"
  175. * Select "Importance" and select "Low"
  176. <a name="faq25"></a>
  177. **(25) Can you add a 'Select All' function?**
  178. There is no need for a 'Select All' function
  179. because you can switch from block (blacklist) to allow (whitelist) mode using Netguard's settings.
  180. See also [question 0](#user-content-faq0).
  181. <a name="faq27"></a>
  182. **(27) How do I read the blocked traffic log?**
  183. The columns have the following meanings:
  184. 1. Time (tap on a log entry to see the date)
  185. 1. Application icon (tap on a log entry to see the application name)
  186. 1. Application UID
  187. 1. Wi-Fi / mobile connection, green=allowed, red=blocked
  188. 1. Interactive state (screen on or off)
  189. 1. Protocol (see below) and packet flags (see below)
  190. 1. Source and destination port (tap on a log entry to lookup a destination port)
  191. 1. Source and destination IPv4 or IPv6 address (tap on a log entry to lookup a destination IP address)
  192. 1. Organization name owning the IP address (needs to be enabled via the menu)
  193. Protocols:
  194. * HOPO ([IPv6 Hop-by-Hop Option](https://en.m.wikipedia.org/wiki/IPv6_packet#Hop-by-hop_options_and_destination_options))
  195. * ICMP
  196. * IGMP
  197. * ESP (IPSec)
  198. * TCP
  199. * UDP
  200. * Number = one of the protocols in [this list](https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)
  201. * 4 = IPv4
  202. * 6 = IPv6
  203. Packet flags:
  204. * S = SYN
  205. * A = ACK
  206. * P = PSH
  207. * F = FIN
  208. * R = RST
  209. For a detailed explanation see [here](https://en.wikipedia.org/wiki/Transmission_Control_Protocol).
  210. Only TCP, UDP, and ICMP ping traffic can be routed through the Android VPN service.
  211. All other traffic will be dropped and will be shown as blocked in the global traffic log.
  212. This is almost never a problem on an Android device.
  213. <a name="faq28"></a>
  214. **(28) Why is Google connectivity services allowed internet access by default?**
  215. The Google connectivity services system application checks if the current network is really connected to the internet.
  216. This is probably accomplished by briefly connecting to some Google server.
  217. If this is not the case, there will be an '!' in the Wi-Fi or mobile icon in the system status bar.
  218. Recent Android versions seem not to switch connectivity from mobile to Wi-Fi when the Wi-Fi network is not really connected,
  219. even though there is a connection to the Wi-Fi network (or the other way around). On Android 6.0 and later you might get a notification asking you if you want to keep this connection on or not.
  220. To prevent a bad user experience, NetGuard includes a predefined rule to default allow the Google connectivity services.
  221. You can find all predefined rules [here](https://github.com/M66B/NetGuard/blob/master/app/src/main/res/xml/predefined.xml).
  222. You can override predefined rules.
  223. <a name="faq29"></a>
  224. **(29) Why do I get 'The item you requested is not available for purchase'?**
  225. You can only purchase pro features when you have installed NetGuard from the Google Play store.
  226. <a name="faq30"></a>
  227. **(30) Can I also run AFWall+ on the same device?**
  228. Unless you are just testing NetGuard, there is no current reason to use them both, since they cover the same function (firewall),
  229. although with different base needs (AFWall+ needs a rooted device) and ways of doing their thing (AFWall+ uses iptables whereas NetGuard uses a VPN).
  230. Also you need to keep per application access rules _always_ in sync between AFWall+ and NetGuard,
  231. else the application will not be able to access the network,
  232. hence bringing another level of complexity when setting and assuring everything work as expected.
  233. Some pointers on how to set up AFWall+ to be used simultaneously with NetGuard:
  234. * if not using filtering in NetGuard, applications _need_ direct internet access (Wi-Fi and/or mobile) in AFWall+
  235. * if using filtering, NetGuard will _need_ internet access (Wi-Fi and/or mobile) in AFWall+
  236. * if using filtering, when you un/reinstall NetGuard, remember to re-allow NetGuard in AFWall+
  237. * if using filtering, applications _need_ VPN internet access (check the box to show that option in AFWall+ settings)
  238. This question was community contributed. There is no support on using NetGuard and AFWall+ together.
  239. <a name="faq31"></a>
  240. **(31) Why can some applications be configured as a group only?**
  241. For many purposes, including network access, Android groups applications on UID and not on package/application name.
  242. Especially system applications often have the same UID, despite having a different package and application name; these are set up like this by the ROM manufacturer at build time.
  243. These applications can only be allowed/blocked access to the internet as a group.
  244. <a name="faq32"></a>
  245. **(32) Why is the battery/network usage of NetGuard so high?**
  246. This is because Android counts battery and network usage which is normally counted for other applications
  247. against NetGuard in IP filtering mode. The total battery usage is slightly higher when IP filtering mode is enabled.
  248. IP filtering mode is always enabled on Android versions prior to 5.0, and optionally enabled on later Android versions.
  249. <a name="faq33"></a>
  250. **(33) Can you add profiles?**
  251. Profiles are inconvenient because they need to be operated manually.
  252. Conditions like '*When screen is on*' are, on the other hand, convenient because they work automatically.
  253. Therefore profiles will not be added, but you are welcome to propose new conditions;
  254. however, they need to be generally usable to be included.
  255. As a workaround you can use the export/import function to apply specific settings in specific circumstances.
  256. Alternatively, you can use lockdown mode as a profile.
  257. <a name="faq34"></a>
  258. **(34) Can you add a condition 'when on foreground' or 'when active'?**
  259. Recent Android versions do not allow an application to query if other applications are in the foreground/background or active/inactive
  260. without holding an [additional privacy violating permission](https://developer.android.com/reference/android/Manifest.permission.html#PACKAGE_USAGE_STATS)
  261. and at the expense of extra battery usage (because periodic polling is required).
  262. As a result, this cannot be added without significant disadvantages, like [this one](http://www.xda-developers.com/working-as-intended-an-exploration-into-androids-accessibility-lag/).
  263. You can use the condition '*when screen is on*' instead.
  264. <a name="faq35"></a>
  265. **(35) Why does the VPN not start?**
  266. NetGuard "asks" Android to start the local VPN service,
  267. but some Android versions contain a bug which prevents the VPN from starting (automatically).
  268. Sometimes this is caused by updating NetGuard.
  269. Unfortunately this cannot be fixed by NetGuard.
  270. You can try to restart your device and/or revoke the VPN permissions from NetGuard using the Android settings.
  271. Sometimes it helps to uninstall and install NetGuard again (be sure to export your settings first!).
  272. <a name="faq36"></a>
  273. **(36) Can you add PIN or password protection?**
  274. Since turning off the VPN service using the Android settings cannot be prevented,
  275. there is little use in adding PIN or password protection.
  276. <a name="faq37"></a>
  277. **(37) Why are the pro features so expensive?**
  278. The right question is "*why are there so many taxes and fees*":
  279. * VAT: 25% (depending on your country)
  280. * Google fee: 30%
  281. * Income tax: 50%
  282. So, what is left for the developer is just a fraction of what you pay.
  283. Despite NetGuard being *really* a lot of work, only some of the convenience and advanced features need to be purchased,
  284. which means that NetGuard is basically free to use
  285. and that you don't need to pay anything to reduce your data usage, increase battery life, and increase your privacy.
  286. Also note that most free applications will appear not to be sustainable in the end, whereas NetGuard is properly maintained and supported,
  287. and that free applications may have a catch, like sending privacy sensitive information to the internet.
  288. See [here](http://forum.xda-developers.com/showpost.php?p=67892427&postcount=3030) for some more information.
  289. <a name="faq38"></a>
  290. **(38) Why did NetGuard stop running?**
  291. First of all, please make sure you disabled battery optimizations for NetGuard in the Android settings.
  292. On most devices, NetGuard will keep running in the background with its foreground service.
  293. On some devices (in particular some Samsung models), where there are lots of applications competing for memory, Android may still stop NetGuard as a last resort.
  294. Some Android versions, in particular of Huawei (see [here](https://www.forbes.com/sites/bensin/2016/07/04/push-notifications-not-coming-through-to-your-huawei-phone-heres-how-to-fix-it/) for a fix) or Xiaomi (see [here](https://www.forbes.com/sites/bensin/2016/11/17/how-to-fix-push-notifications-on-xiaomis-miui-8-for-real/) for a fix) stop apps and services too aggressively.
  295. Unfortunately this cannot be fixed by NetGuard, and can be considered a shortcoming of the device and/or as a bug in Android.
  296. As a matter of fact lots of apps suffer from this, see the website [Don't kill my app!](https://dontkillmyapp.com/) for more information and solutions.
  297. You can workaround this problem by enabling the watchdog in the NetGuard advanced options to check every 10-15 minutes.
  298. <a name="faq39"></a>
  299. **(39) How does a VPN based firewall differ from a iptables based firewall?**
  300. See this [Stack Exchange question](http://android.stackexchange.com/questions/152087/any-security-difference-between-root-based-firewall-afwall-and-non-root-based).
  301. <a name="faq40"></a>
  302. **(40) Can you add schedules?**
  303. Besides not being trivial to add, schedules - in my opinion - are not a good idea, since time is not a good rule condition.
  304. A rule condition like *When screen is on* is a better and more straightforward condition.
  305. Therefore schedules will not be added, but you are welcome to propose other new conditions.
  306. <a name="faq41"></a>
  307. **(41) Can you add wildcards / address/port ranges?**
  308. Wildcards to allow/block addresses and address/port ranges would have a significant performance and usability impact and therefore will not be added.
  309. Wildcards rules and address/port ranges would need to be checked for each and every connection attempt.
  310. Since NetGuard blocks, unlike any other no-root firewall, domain names instead of IP addresses there is hardly a need for wildcards.
  311. <a name="faq42"></a>
  312. **(42) Why is permission ... needed?**
  313. * INTERNET ('*Full network access*'): to forward allowed (filtered) traffic to the internet
  314. * ACCESS_NETWORK_STATE ('*View network connections*'): to check if the device is connected to the internet through Wi-Fi
  315. * READ_PHONE_STATE ('*Device ID & call information*'): to detect mobile network changes, see [here](http://forum.xda-developers.com/showpost.php?p=64107371&postcount=489) for more details
  316. * ACCESS_WIFI_STATE ('*Wi-Fi connection information*'): to detect Wi-Fi network changes
  317. * RECEIVE_BOOT_COMPLETED ('*Run at startup*'): to start the firewall when booting the device
  318. * WAKE_LOCK ('*Prevent device from sleeping*'): to reliably reload rules in the background on connectivity changes
  319. * VIBRATE: to provide vibration feedback on widget tap
  320. * FOREGROUND_SERVICE ('foreground service'): to run a foreground service on Android 9 Pie and later
  321. * QUERY_ALL_PACKAGES: to list all apps on Android 11 and later
  322. * BILLING: to use in-app billing
  323. <a name="faq43"></a>
  324. **(43) I get 'This app is causing your device to run slowly'**
  325. This message is displayed by the *Smart Manager*,
  326. but actually it is the 'Smart' Manager application itself which is causing delays and lags.
  327. Some links:
  328. * [Smart Manager complaining about LastPass](https://www.reddit.com/r/GalaxyS6/comments/3htu2y/smart_manager_cmoplaining_about_lastpass/)
  329. * [Disable Smart Manager?](http://forums.androidcentral.com/samsung-galaxy-s4/595483-disable-smart-manager.html)
  330. <a name="faq44"></a>
  331. **(44) I don't get notifications on access**
  332. To prevent a high number of status bar notifications, notify on access is done only once per domain name per application.
  333. Access to domain names shown in the application access log (drill down in the NetGuard application settings) will not be notified again,
  334. even if you just enabled notify on access.
  335. To get notified for all domain names again, you can clear the application access log using the trashcan icon.
  336. If you want to clear all applications logs, you can export and import your settings.
  337. Another reason why you don't get notifications could be an applied "Power Saving Mode" for example on Samsung devices. Even if you do not restrict CPU frequency in this mode.
  338. <a name="faq45"></a>
  339. **(45) Does NetGuard handle incoming connections?**
  340. The Android VPN service handles outgoing connections only (from applications to the internet), so incoming connections are normally left alone.
  341. If you want to run a server application on Android, then be aware that using port numbers below 1024 require root permissions
  342. and that some Android versions contain routing bugs, causing inbound traffic incorrectly being routed into the VPN.
  343. <a name="faq46"></a>
  344. **(46) Can I get a refund?**
  345. If a purchased pro feature doesn't work [as described](https://www.netguard.me/)
  346. and this isn't caused by a problem in the free features
  347. and I cannot fix the problem in a timely manner, you can get a refund.
  348. In all other cases there is no refund possible.
  349. In no circumstances there can be a refund for any problem related to the free features,
  350. since there wasn't paid anything for them and because they can be evaluated without any limitation.
  351. I take my responsibility as seller to deliver what has been promised
  352. and I expect that you take responsibility for informing yourself of what you are buying.
  353. <a name="faq48"></a>
  354. **(48) Why are some domain names blocked while they are set to be allowed?**
  355. NetGuard blocks traffic based on the IP addresses an application is trying to connect to.
  356. If more than one domain name is on the same IP, they cannot be distinguished.
  357. If you set different rules for 2 domains which resolve to the same IP, both will be blocked.
  358. Thanks @[pulser](https://github.com/pulser/)
  359. Another potential problem is that Android doesn't honor the DNS TTL value and applies its own caching rules.
  360. This could result in NetGuard too early or too late purging a DNS record from its own cache,
  361. resulting in not recognizing an IP address or recognizing a wrong IP address.
  362. You can try to workaround this by changing the DNS TTL value setting of NetGuard.
  363. This value is used as a minimum DNS TTL value in an attempt to mimick the behavior of Android.
  364. NetGuard will also block traffic while restarting the Android VPN service to apply new rules,
  365. for example when connectivity changes or when the screen is turned on or off.
  366. <a name="faq49"></a>
  367. **(49) Does NetGuard encrypt my internet traffic / hide my IP address?**
  368. NetGuard is a firewall application that filters internet traffic on your device (see also [this question](#user-content-faq6)),
  369. so it is not meant to - and does not - encrypt your internet traffic or hide your IP address.
  370. <a name="faq50"></a>
  371. **(50) Will NetGuard automatically start on boot?**
  372. Yes, NetGuard will automatically be started on boot if you powered off your device with NetGuard enabled and NetGuard is not installed on external storage.
  373. Some devices, for example OnePlus and Mi devices, can prevent certain apps from auto-starting after reboot.
  374. This can be disabled in the Android settings.
  375. <a name="faq51"></a>
  376. **(51) Why does NetGuard block all internet traffic?!**
  377. Make sure you have put NetGuard on the doze exception list (Android 6 Marshmallow or later)
  378. and that Android allows NetGuard to use the internet in the background (see also [this question](#user-content-faq21)).
  379. Make sure you are not running NetGuard in allow (whitelist) mode (check the NetGuard default settings).
  380. Make sure you didn't enable the Always-On VPN sub option '*Block connections without VPN*' (Android 8 Oreo or later).
  381. This will block resolving domain names too (is it a bug or feature?).
  382. Some internet providers block all DNS requests except via their own DNS servers.
  383. So, if you configured custom DNS servers, try to undo this.
  384. Some Android versions, including LineageOS and /e/ for some devices, contain a bug resulting in all internet traffic being blocked.
  385. Mostly, you can workaround this bug by enabling filtering in NetGuard's *Advanced options*.
  386. If this doesn't solve the issue, the problem can unfortunately not be fixed or worked around by NetGuard.
  387. Please [see here](https://forum.xda-developers.com/t/app-6-0-netguard-no-root-firewall.3233012/post-84457527) for a fix.
  388. <a name="faq52"></a>
  389. **(52) What is lockdown mode?**
  390. In lockdown mode, all traffic for all applictions will be blocked,
  391. except for applications with the condition *'Allow in lockdown mode'* enabled.
  392. You can use this mode to limit battery usage or network usage,
  393. for example, when your battery is almost empty or when your data allotment is almost exhausted.
  394. Note that Lockdown mode applies only if the corresponding option is also set in "Network options"
  395. (one for Wi-Fi mode, one for Mobile data), allowing to have lockdown in only one of the two network modes
  396. and not in the other (eg. Lock down if mobile data are active, but not if Wi-Fi is currently used).
  397. Note also that system applications will only be blocked in this mode
  398. when managing system applications is enabled in the advanced settings.
  399. You can enable/disable lockdown mode in the main menu, using a widget, or using a settings tile (Android 7 Nougat or later).
  400. <a name="faq53"></a>
  401. **(53) The translation in my language is missing / incorrect / incomplete**
  402. You can contribute translations [here](https://crowdin.com/project/netguard) (registration is free).
  403. If your language is missing, please contact me to have it added.
  404. <a name="faq54"></a>
  405. **(54) How to tunnel all TCP connections through the Tor network?**
  406. Tor with NetGuard is only supported in the [XDA NetGuard forum](http://forum.xda-developers.com/showthread.php?t=3233012).
  407. There is no personal support on Tor with NetGuard, because I don't use Tor myself.
  408. First, install [Orbot](market://details?id=org.torproject.android), the Android client for Tor,
  409. run it, press _Start_, while it connects open its _Settings_ and make sure it's setup to auto-start
  410. on device start.
  411. In NetGuard's _Network options_ enable _Subnet routing_ and in _Advanced options_ toggle on
  412. _Use SOCKS5 proxy_ with address 127.0.0.1 and port as 9050 (this is the default port, if you changed
  413. this in Orbot make the adjustment here also).
  414. This should be enough, if testing fails (eg. no connection at all) you can open the app details
  415. for Orbot, uncheck _Apply rules and conditions_ and retry.
  416. How to test: open Firefox (or another non-proxy enabled browser) to the address https://ipleak.net/
  417. and you should see a different IP address from your regular one, and below in the _Tor Exit Node_
  418. field something else besides _Unknown_.
  419. **Be aware** that all the other Tor caveats (https://www.torproject.org/docs/faq.html.en) still apply,
  420. like having the Tor network unreacheable, your activity actively monitored/targeted in your country,
  421. online services (eg. Gmail, Google Play store) failing to login or being forced to solve endless capchas
  422. when accessing sites that use Cloudflare's CDN services.
  423. <a name="faq55"></a>
  424. **(55) Why does NetGuard connect to Amazon / ipinfo.io / 216.239.34.21?**
  425. NetGuard connects to Amazon / [ipinfo.io](https://ipinfo.io/) to show the names and organizations for IP addresses.
  426. If you don't want this, just disable showing names and organizations using the three dot menu in the global log view.
  427. <a name="faq56"></a>
  428. **(56) Why does NetGuard allow all internet traffic?!**
  429. NetGuard can block each and every application, even system applications and components.
  430. NetGuard, by default, allows all traffic to prevent hard to find problems. You need to selectively block traffic yourself by tapping on the mobile or Wi-Fi icons.
  431. Be aware that NetGuard will allow traffic to an application when the screen is on and the condition *'when screen on'* is enabled.
  432. <a name="faq57"></a>
  433. **(57) Why does NetGuard use so much data?**
  434. Basically, NetGuard doesn't use data itself.
  435. However, many Android versions incorrectly account data of other applications flowing through NetGuard to NetGuard instead of to the applications.
  436. The data usage of other applications will be zero with NetGuard enabled in this case.
  437. The total data usage of your device will be the same with and without NetGuard.
  438. <a name="faq58"></a>
  439. **(58) Why does loading the application list take a long time?**
  440. The application list is provided by Android, so the loading speed depends mostly on the power of your device and on the efficiency of your Android version.
  441. For example shortage of memory could lead to increased loading times, because memory needs to be freed, for example by pausing other applications.
  442. In some circumstances, restricting system apps and system components is known to cause the application list to load slowly or not at all. The exact circumstances are unknown.
  443. <a name="faq59"></a>
  444. **(59) Can you help me restore my purchase?**
  445. Google manages all purchases, so as a developer I have no control over purchases.
  446. So, the only thing I can do, is give some advice:
  447. * Make sure you have an active internet connection
  448. * Make sure you didn't block Google Play store / Play services
  449. * Make sure you are logged in with the right Google account and that there is nothing wrong with your Google account
  450. * Make sure you installed NetGuard via the right Google account if you configured multiple Google accounts on your device
  451. * Open the Play store app and wait at least a minute to give it time to synchronize with the Google servers
  452. * Open NetGuard and navigate to the pro features screen; NetGuard will check the purchases again
  453. You can also try to clear the cache of the Play store app via the Android apps settings.
  454. Note that:
  455. * Purchases are stored in the Google cloud and cannot get lost
  456. * There is no time limit on purchases, so they cannot expire
  457. * Google does not expose details (name, e-mail, etc) about buyers to developers
  458. * An app like NetGuard cannot select which Google account to use
  459. * It may take a while until the Play store app has synchronized a purchase to another device
  460. * Play Store purchases cannot be used without the Play Store, which is also not allowed by Play Store rules
  461. If you cannot solve the problem with the purchase, you will have to contact Google about it.
  462. <a name="faq60"></a>
  463. **(60) Why does IP (Wi-Fi) calling/SMS/MMS not work?**
  464. Please see the [compatibility section](https://github.com/M66B/NetGuard/#compatibility) about this
  465. (you might need to request the desktop version to see this section if you are using a mobile device).
  466. <a name="faq61"></a>
  467. **(61) Help, NetGuard crashed!**
  468. NetGuard rarely crashes ("unexpectedly stopped"), but if it crashed (which is something different than being stopped by Android, see [this FAQ](#user-content-faq38)),
  469. then it is mostly caused by bugs in your Android version
  470. (either in the [Android VPN service](https://developer.android.com/reference/android/net/VpnService.html) implementation or in the [Android Linux kernel](https://developer.android.com/guide/platform/index.html#linux-kernel)).
  471. I am happy to check what the cause of a crash is and I will fix it whenever possible, but I need a logcat captured from your PC with the crash log for this.
  472. Since logcats are mostly quite large, I will need the exact time of the crash as well.
  473. If you don't know how to capture a logcat from your PC, please use your favorite search engine to find one of the numerous guides.
  474. <a name="faq62"></a>
  475. **(62) How can I solve 'There was a problem parsing the package' ?**
  476. Likely causes are that the downloaded APK file is damaged (which could be caused by a virus scanner)
  477. or that you are trying to install NetGuard on a not supported Android version.
  478. <a name="faq63"></a>
  479. **(63) Why is all DNS traffic allowed?**
  480. NetGuard blocks unlike any other Android firewall on real domain names.
  481. For this a list of domain names and IP address needs to be built.
  482. For this purpose, NetGuard allows all DNS traffic, even if the domain name is listed in the hosts file.
  483. However, this doesn't mean traffic to the resolved IP address is allowed.
  484. If you don't trust the system (Google's) or your provider's DNS servers, you can set alternative DNS servers in the advanced settings.
  485. Be sure to enter and confirm the addresses and to set two DNS server addresses.
  486. If you enter just one DNS server address, it will be used in addition to the default DNS server addresses.
  487. <a name="faq64"></a>
  488. **(64) Can you add DNS over TLS/HTTP?**
  489. If you mean to intercept [DNS over HTTP](https://en.wikipedia.org/wiki/DNS_over_HTTPS) (DoH)
  490. or [DNS over TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) (DoT) requests to resolve domain names,
  491. this is not possible because DoH/DoT traffic is encrypted, which is the whole point of DoH/DoT.
  492. Please [see here](https://github.com/Ch4t4r/Nebulo/blob/master/docs/NONVPNMODE.md) about how you can use DoH/DoT with NetGuard anyway.
  493. <br />
  494. <a name="faq65"></a>
  495. **(65) Why can NetGuard not block itself?**
  496. First of all, if NetGuard could block itself, you should trust that NetGuard really blocks itself,
  497. which is basically the same as trusting that NetGuard doesn't connect to the internet when not needed.
  498. Note that NetGuard needs to connect to the internet to forward traffic of other apps to the internet and to lookup information on IP addresses,
  499. see also [this FAQ](#user-content-faq55).
  500. NetGuard could block itself in older versions,
  501. but this required calling [VpnService.protect](https://developer.android.com/reference/android/net/VpnService.html#protect(int)) for each and every connection.
  502. Since there are lots of connections of lots of apps in a typical Android environment,
  503. this resulted in wasting battery power and in crashes on some Android versions with bugs in this function.
  504. So, because blocking NetGuard with itself didn't added anything useful
  505. and to save on battery power and to prevent crashes blocking NetGuard with itself was removed.
  506. <br />
  507. <a name="faq66"></a>
  508. **(66) Why is a blocked app still accessing the internet?**
  509. Blocked apps cannot access the internet. There are no exceptions to this.
  510. All app and system traffic flows through the [Android VPN service](https://developer.android.com/guide/topics/connectivity/vpn),
  511. which is a *must* for companies with high security requirements.
  512. This also means that all apps will be treated in the same way
  513. and that the global access log (*Show log* in the three-dots overflow menu) will show all traffic.
  514. However:
  515. * Apps can show locally cached content
  516. * Incoming (push) messages are received by the system component Google Play services and not apps, especially when the app is in the background or when the screen is turned off
  517. * Similarly, advertisements are mostly received by the system component Google Play services
  518. * Downloads are often performed by the download manager and not apps
  519. If you like to block Google Play services or the download manager, you'll need to enable managing system apps in the advanced settings.
  520. If you like to make sure that push messages will always be received, you can disable *Apply rules and conditions* for Google Play services.
  521. To be clear: in most cases **you cannot block ads by blocking apps**.
  522. However, you can block ads for all apps with NetGuard, please see [here](https://github.com/M66B/NetGuard/blob/master/ADBLOCKING.md) about how to.
  523. <br />
  524. <a name="faq67"></a>
  525. **(67) Who is 'nobody'?**
  526. ["nobody" is the conventional name of a user account](https://en.wikipedia.org/wiki/Nobody_(username))
  527. which owns no files, is in no privileged groups, and has no abilities except those which every other user has.
  528. <br />
  529. **NetGuard is supported for phones and tablets only, so not for other device types like televisions or vehicles.**
  530. **If you didn't find the answer to your question, you can ask your questions [in this forum](http://forum.xda-developers.com/showthread.php?t=3233012) or contact me by using [this contact form](https://contact.faircode.eu/)**.