Tor VPN doesn't work with Private DNS enabled

Hi!

Android 16.

Tor VPN (beta) connection cannot be established with the manual DNS function enabled (server is dns.adguard-dns.com).

When DNS is set to Off, then the connection can be established right away.

Can it be made so one could use Tor VPN with Adguard DNS server?

Thanks.

Hello, there’s already an open issue on the Tor Project’s GitLab about this:

1 Like

Is this the issue you’re having ?

1 Like

I guess so, but my OS is NothingOS, not GrapheneOS. The issue is dated 2024, and still not solved, which is sad…

Is your expected result that it would just connect with your DNS server, so the "excluded apps" get routed via the DNS server (and some Tor connections for bootstrapping, such as bridges); or that it would filter out domains inside your Tor traffic (ads, etc.)?

If the last one, then that obviously worsens your privacy and anonymity… :thinking:

1 Like

It would be perfect if AdGuard DNS could work alongside the Tor VPN connection, so that ads are removed just like in regular web surfing without a VPN connection.

But I’d be fine even if DNS is disabled during Tor VPN connection, but, like, automatically, you know?

For now, each time I need to use Tor VPN, I have to go to Android settings, turn off Private DNS and then establish the connection; only to turn it back on manually once I finish surfing using the VPN.

Sorry if it sounds too simple, I’m a regular user.

1 Like

It’s recommended to disable the Private DNS feature (this feature name really should be changed to “Encrypted DNS” or just “DNS-over-TLS” so as not to give users a false sense of privacy) of Android if you need to use Tor VPN (or Orbot). The Private DNS setting is enforced for connections both outside the VPN tunnel and inside the VPN tunnel, so even if you’re able to get Tor VPN working with Private DNS, you would let this one DNS resolver know every website you visited via Tor, which largely defeats the purpose of Tor.

It is recommended against using non-Tor DNS resolvers for an extended period. Although it is technically possible to completely replace DNS resolution (not using Tor for DNS resolution at all), this is discouraged. Doing so would grant too much power to a single DNS server. Using a permanent DNS server is discouraged for the same reason that using a permanent Tor exit relay is discouraged.

Added:
Google’s own documentation:

Caution: Android 9 only! These Private DNS settings have no effect when you use a VPN like Nexus/Pixel Wi-Fi Assistant or Google Fi Enhanced Network VPNs, or third-party VPN or DNS changer apps. Those features and apps override Private DNS and do not send DNS-over-TLS queries to Google Public DNS. Most DNS changers send cleartext queries (a few like Intra use other secure DNS protocols) and VPN apps may not secure queries beyond the VPN server. This is fixed in Android 10.

The emphasis means that Private DNS settings on Android 9 only work when not using a VPN. This has been changed (“fixed”) since Android 10.

2 Likes

Thank you for all the info!

Up to the extent of my understanding, I can’t use Private DNS with Tor VPN, because this threatens security and privacy while Tor VPN is built to provide it.

As a regular user, I have the AdGuard Private DNS server enabled by default to block out ads while web surfing (I don’t really care if the server gets to see what sites I visit); and I occasionally use a VPN to access restricted sites. The need to go to settings and manually turn off Private DNS before establishing the Tor VPN connection (and turn it back on later) really makes Tor VPN a suboptimal solution in my scenario.

Thanks again!
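One way to take the manual toggling out of the loop, as an added example that is not part of any post in this thread and not Tor Project code: a POSIX shell wrapper, run from a computer with `adb`, that records the current Private DNS state, switches it off for the Tor VPN session, and puts it back exactly as it was afterwards. It assumes USB debugging is enabled and `adb` is on the path, and that Android keeps Private DNS in the `global` settings namespace under `private_dns_mode` (`off`, `opportunistic` or `hostname`) and `private_dns_specifier` (the DoT hostname). The `run_adb`, `tor_session` and other function names are this example's own.

```shell
#!/bin/sh
# Added example: save/disable/restore Android Private DNS over adb around a
# Tor VPN session. Assumed settings keys: private_dns_mode, private_dns_specifier
# (namespace "global"). `settings get` prints "null" for a key that was never set.

run_adb() {
    adb "$@"
}

get_setting() {
    # $1 = key; strip the CR that `adb shell` adds on some hosts
    run_adb shell settings get global "$1" | tr -d '\r'
}

put_setting() {
    run_adb shell settings put global "$1" "$2"
}

delete_setting() {
    run_adb shell settings delete global "$1"
}

# Print the current state as "<mode> <specifier>" on one line (specifier may be empty).
save_private_dns() {
    mode=$(get_setting private_dns_mode)
    spec=$(get_setting private_dns_specifier)
    [ "$spec" = "null" ] && spec=""
    printf '%s %s\n' "$mode" "$spec"
}

# Turn Private DNS off; the specifier is left untouched so it can be restored later.
disable_private_dns() {
    put_setting private_dns_mode off
}

# Restore from a line produced by save_private_dns. Returns 1 on an unusable state
# (hostname mode without a hostname would leave the device with no resolver).
restore_private_dns() {
    saved=$1
    mode=${saved%% *}
    spec=${saved#* }
    case "$mode" in
        null)
            # key was unset before: delete it instead of guessing a default
            delete_setting private_dns_mode ;;
        hostname)
            [ -n "$spec" ] || { echo "refusing: hostname mode without specifier" >&2; return 1; }
            put_setting private_dns_specifier "$spec"
            put_setting private_dns_mode hostname ;;
        off|opportunistic)
            put_setting private_dns_mode "$mode" ;;
        *)
            echo "unknown private_dns_mode: $mode" >&2; return 1 ;;
    esac
}

# Interactive wrapper: disable, let the user connect Tor VPN, restore only after
# the user confirms the VPN is disconnected (restoring while the tunnel is up
# would send tunnel DNS to the DoT resolver, which is the leak described above).
tor_session() {
    state=$(save_private_dns) || return 1
    disable_private_dns
    printf 'Private DNS is off. Connect Tor VPN now; press Enter once it is disconnected again... '
    read -r _
    restore_private_dns "$state"
}
```

Run it as `sh tor_session.sh` and call `tor_session` (or source the file and call the functions individually). Restoring from the saved line rather than from a hard-coded hostname means the script works unchanged whichever DoT server the device was using, and the `null` branch avoids inventing a default for a key the device never had.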

You can try using Orbot. Maybe things are different there. For now it’s a more-developed app than Tor VPN. Tor VPN is in Beta right now and is not really intended for actual use. (especially since it uses Tor-Arti)

If you want to block ads in a browser, then you can do so in the Firefox Android browser by installing a few extensions like Ghostery, uBlock Origin, Privacy Badger.

If you want to block ads system-wide, then you can use a firewall app such as Rethink. There you can download blocklists and configure a proxy to use for proxied apps. (such as running Orbot in proxy mode so apps could use it through Rethink - and the ads would get blocked.)

It technically could and should work, but it seems like it’s not working and it’s not recommended anyway.