Android (and maybe every OS): Firewall is bypassed by VPN!?

Have you ever wondered why, while using a VPN app for a service that you happily paid for and trust, in combination with a firewall app like AFWall+, and, since you are paranoid enough, also going into the app settings to block the WiFi/Mobile connection for the apps you don't want to use the internet…
… those apps still go to the internet?

In AFWall+ and in the usage report you see the apps using 0 bytes, yes, but if you use a VPN they take advantage of the VPN app's encrypted tunnel and bypass every damn rule you set up front.

I discovered this only now… after years of using this strategy on my phone, convinced I was using a nice privacy-aware tactic, I was shocked by this. You can try it yourself. Turn the VPN and the firewall ON and OFF in various combinations and see that the firewall restrictions are applied only if you don't use any VPN.

For me, what matters most is not IP leaking but the sensitive information your apps leak, which maybe you don't want to go outside your phone.

Question: Could there be a valid solution to use your paid VPN service and still successfully apply firewall rules?

If not, that's the end of the VPN world for me. No freaking point in masking your IP but then letting every app send all your internal information to external servers. I would then switch to Tor only or some other network.

Yes, that's how VPNs work. It's pretty basic IT security knowledge; no one is trying to trick you. You need to have the firewall set up so it controls traffic in/out of the VPN. Since it essentially creates a direct connection between your device and the VPN server, your endpoint is no longer the device itself, it's the VPN server.

In AFWall+ you have a column for VPN. If you enable WiFi/Mobile data for your VPN app and then enable VPN traffic for the apps you use, apps without a check mark won't connect to the internet. This works in whitelist mode.
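To make the mechanism in the two replies above concrete, here is an added example (not code from the thread or from the AFWall+ project). It models, in a few lines of Python, how a per-app Android firewall built on iptables decides about an outgoing packet: each rule matches on the outgoing interface (iptables `-o`, where a trailing `+` is a prefix wildcard such as `wlan+`, `rmnet+`, `tun+`) and on the owning app's UID (iptables `-m owner --uid-owner`), first match wins, and anything no rule matches falls through to the chain's policy. The rule shape, chain name `afwall`, ACCEPT default policy and all UIDs and interface names are assumptions for illustration. The first rule set only covers WiFi/mobile, so an app's packets that leave through the VPN's `tun0` interface never hit a rule; the second adds the "VPN column" rules and closes that gap.

```python
# Added example (not from the thread): model of interface + UID scoped
# iptables rules, as used by per-app Android firewalls, and of the gap an
# active VPN tunnel opens when the tun+ interface carries no rules.
# Chain name, policy, UIDs and interface names are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    out_iface: str        # iptables "-o" pattern; trailing "+" = prefix wildcard
    uid: Optional[int]    # iptables "--uid-owner"; None means any UID
    target: str           # "ACCEPT" or "REJECT"

    def as_iptables(self, chain: str = "afwall") -> str:
        """Render the rule roughly as the iptables command it models."""
        owner = f" -m owner --uid-owner {self.uid}" if self.uid is not None else ""
        return f"-A {chain} -o {self.out_iface}{owner} -j {self.target}"


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables interface match: 'wlan+' matches wlan0, wlan1, ...; no '+' is exact."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def verdict(rules, uid: int, out_iface: str, policy: str = "ACCEPT") -> str:
    """First-match evaluation of the rule list for one outgoing packet."""
    for r in rules:
        if iface_matches(r.out_iface, out_iface) and r.uid in (None, uid):
            return r.target
    return policy  # nothing matched: the chain policy decides


def whitelist_rules(allowed: dict) -> list:
    """Whitelist mode: per interface pattern, ACCEPT the listed UIDs, then
    REJECT everyone else on that interface. An interface pattern that is not
    listed gets no rule at all, so traffic on it falls through to the policy."""
    rules = []
    for pattern, uids in allowed.items():
        rules.extend(Rule(pattern, uid, "ACCEPT") for uid in sorted(uids))
        rules.append(Rule(pattern, None, "REJECT"))
    return rules


VPN_APP = 10100    # the VPN client (hypothetical UID)
BROWSER = 10200    # an app the user wants online through the VPN (hypothetical UID)
NOSY_APP = 10300   # an app the user wants kept offline (hypothetical UID)

# Setup 1: only the VPN app is allowed on WiFi/mobile; the VPN column (tun+)
# is left untouched. This is the situation described in the original post.
NO_VPN_COLUMN = whitelist_rules({
    "wlan+": {VPN_APP},
    "rmnet+": {VPN_APP},
})

# Setup 2: the same, plus the VPN column enabled for the browser only.
WITH_VPN_COLUMN = whitelist_rules({
    "wlan+": {VPN_APP},
    "rmnet+": {VPN_APP},
    "tun+": {BROWSER},
})


def scenario(rules) -> dict:
    """Verdicts for the interesting packets under a given rule set."""
    return {
        "nosy_app_on_wifi": verdict(rules, NOSY_APP, "wlan0"),
        "nosy_app_via_vpn": verdict(rules, NOSY_APP, "tun0"),
        "browser_via_vpn": verdict(rules, BROWSER, "tun0"),
        "vpn_app_on_wifi": verdict(rules, VPN_APP, "wlan0"),
    }


if __name__ == "__main__":
    for name, rules in (("without VPN column", NO_VPN_COLUMN),
                        ("with VPN column", WITH_VPN_COLUMN)):
        print(f"== {name} ==")
        for r in rules:
            print("  " + r.as_iptables())
        for packet, result in scenario(rules).items():
            print(f"  {packet:<18} {result}")
```

Running it prints both rule sets and their verdicts: without the `tun+` rules the "nosy" app is REJECTed on `wlan0` but ACCEPTed on `tun0`, because its packets now leave through the VPN interface and only the VPN app's encrypted packets ever touch `wlan0`, where the firewall is looking. With the VPN column enabled for just the browser, the same app is REJECTed on `tun0` as well, while the browser still gets through the tunnel and the VPN app keeps its WiFi access.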

Firewalls don't work to keep software running on your computer from getting out to the net. There's always a way around it, besides a VM with no network connection.

Inter-process communication allows apps to work around restrictions on all platforms besides iOS. It's possible there's a way around it on iOS too. I couldn't figure it out, but it's been a year or two since I tried.

It worked that way. I just wish that by default the firewall would not let all the apps use the VPN if I don't specify so.

AfWall can do both whitelists and blacklists. So use whitelists and only allow the apps you want to have access. That is what I do. Also, it is easier to manage.