Stopping Leaks with DroidWall when using DroidVPN

Posted on April 10, 2012 @ 3:45 am

As soon as we connect to a WiFi/3G network apps that are set to sync may try to connect to the internet. To keep from having to know in detail what every app is trying to do we will use firewall rules to only allow traffic over the VPN tunnel. That will keep the apps at bay as we connect to DroidVPN server. Normally on a Linux machine we would want to use iptables to create the following rules:

iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -p udp --dport XXXXX -j ACCEPT
iptables -A OUTPUT -j DROP

The first rule allows all traffic leaving on the tun0 interface. The second allows all traffic destined for the UDP port that you set DroidVPN to use (you can also check the logs to see which UDP port DroidVPN used to connect). The third drops all other packets. To achieve this on Android we will use an app called DroidWall. Based on iptables, it offers app-based matching as well as custom rules.

After installing the app launch it and tap Mode: at the top. Select White list (allow selected).

Press Menu >> More >> Set custom script and enter the following rules replacing XXXXX with the port number used by DroidVPN:

$IPTABLES -A "droidwall" -o tun0 -j RETURN
$IPTABLES -A "droidwall" -p udp --dport XXXXX -j RETURN
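The following script is an added example and is not part of the original post or of DroidWall or DroidVPN. It generates the same VPN-only egress rule set shown above in either form (the plain-Linux OUTPUT chain rules, or the two DroidWall custom-script lines that hand matching packets back with RETURN while the whitelist mode supplies the final drop), validates the port before anything is executed, and includes a check that a saved `iptables -S OUTPUT` listing really ends in an unconditional DROP. The interface name `tun0`, the port `1194`, the `DRY_RUN` variable and the function names are assumptions for illustration; replace the port with whatever DroidVPN is configured to use.

```shell
#!/bin/sh
# Added example (not from the original post): build, preview or apply the
# VPN-only egress rules, for a Linux host or for DroidWall's custom script.
# Assumed names: tun0, DRY_RUN, and the function names below.

IPTABLES="${IPTABLES:-iptables}"   # DroidWall sets $IPTABLES itself

# valid_port PORT -> success only if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules MODE IFACE PORT -> one rule per line on stdout
#   linux     : OUTPUT chain, terminated by an explicit DROP
#   droidwall : "droidwall" chain; RETURN passes the packet back to
#               DroidWall's own logic, and whitelist mode drops the rest,
#               so no DROP line is emitted here
build_rules() {
    mode=$1; iface=$2; port=$3
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    case "$mode" in
        linux)
            printf '%s\n' "$IPTABLES -A OUTPUT -o $iface -j ACCEPT"
            printf '%s\n' "$IPTABLES -A OUTPUT -p udp --dport $port -j ACCEPT"
            printf '%s\n' "$IPTABLES -A OUTPUT -j DROP"
            ;;
        droidwall)
            printf '%s\n' "\$IPTABLES -A \"droidwall\" -o $iface -j RETURN"
            printf '%s\n' "\$IPTABLES -A \"droidwall\" -p udp --dport $port -j RETURN"
            ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# apply_rules MODE IFACE PORT -> executes each rule in order, or only
# echoes it prefixed with "+ " when DRY_RUN is set (preview before root)
apply_rules() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '+ %s\n' "$rule"
        else
            eval "$rule" || return 1
        fi
    done
}

# has_default_drop -> reads an `iptables -S OUTPUT` listing on stdin and
# succeeds only if the last OUTPUT rule is an unconditional DROP, i.e. no
# path off the tunnel remains open after the ACCEPT lines
has_default_drop() {
    last=""
    while IFS= read -r line; do
        case "$line" in
            "-A OUTPUT"*) last=$line ;;
        esac
    done
    [ "$last" = "-A OUTPUT -j DROP" ]
}

# usage: DRY_RUN=1 sh vpn_only.sh linux tun0 1194
if [ "$#" -eq 3 ]; then
    apply_rules "$@"
fi
```

Run it with `DRY_RUN=1` first to see exactly what would be added; the live mode needs root and a working `iptables`. One property of this rule set worth knowing that the post does not discuss: a name lookup for the VPN server on the underlying interface (UDP 53) is dropped just like any other traffic, so if the VPN client connects by hostname rather than IP address, the tunnel cannot come up until that lookup is permitted as well.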

To enable or disable the firewall open the DroidWall app and press Menu >> firewall enable/disable. Enable it before connecting to a WiFi/3G network.

Note on WiFi Networks that require you to interact with a Terms of Service

Some WiFi networks require you to interact with a Terms of Service page before you can access the internet. If this is the case you will need to use DroidWall and allow only the Browser access through the firewall. Put a check by Browser in DroidWall and press Menu >> Apply rules. This will let you surf to a page, get redirected to the ToS page, accept the terms and be forwarded on. After this you can disable the Browser in DroidWall by removing the check mark and pressing Menu >> Apply rules. Keep in mind that the website you try to access, which triggers the redirect and forward, will be visible to the network. So pick something that doesn't use identifying cookies and is meaningless.
