Virtual private network with firewall
Frequently Asked Questions
Which Android versions are supported?
Android version 5.1 Lollipop or later is required.
The Android VPN service of earlier versions lacks functionality that VPN/Sentry requires.
The supported architectures are ARM v7a
What encryption is being used?
The tunnel uses the TLS cipher suite DHE-RSA-AES128-SHA256 (ephemeral Diffie-Hellman key exchange with RSA authentication, AES-128 in CBC mode and HMAC-SHA256), implemented with the latest version of OpenSSL.
The server certificate is pinned to the certificate authority that issued it, so a certificate issued by any other CA is rejected, even if the device trusts that CA.
Where are the servers located?
For now in France only.
Depending on the interest in VPN/Sentry, servers might be added in Canada and Singapore.
The servers are hosted by OVH and have an internet connection of 100 Mbps.
Bandwidth is available on a fair-use basis; see the terms of service for details.
How much battery will be used?
The extra battery needed to forward the internet traffic to and from the servers, instead of directly to and from the internet,
is small compared to the battery needed for the internet traffic itself.
Note that Android attributes the power used for internet traffic to VPN/Sentry instead of to the apps that generate it,
because all internet traffic is handled by VPN/Sentry instead of directly by the apps.
So, although it will look like VPN/Sentry is using a lot of battery power,
the total power usage will not be significantly different from before.
Which port will be used?
VPN/Sentry establishes a TCP tunnel connection to the server on port 443 using TLSv1.2.
Using TCP and port 443 (the port HTTPS uses) minimizes problems with restrictive firewalls.
Carrying TCP inside a TCP tunnel can make both layers retransmit at the same time when packets are lost (the "TCP over TCP" problem); special measures are in place to prevent this.
Which IP protocols are supported?
All IPv4 and IPv6 protocols are supported.
How about my privacy?
Will you open source the app?
In practice there are almost no contributions to the source code (other than translations).
On the other hand, the software would be cloned, too often compromising people's security by adding malware.
Most people will have to trust the server anyway, so there is little benefit in open sourcing the app.
Why do some apps share the same rules and conditions?
These apps have different package names,
but share the same unique app identifier (uid), which you can see in the app details.
Android identifies the owner of network traffic by uid, so VPN/Sentry sees the traffic of these apps as one group,
and they therefore share the same rules and conditions.
This is rarely the case for installed apps, but more common for system apps and components.
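Apps that declare the same `android:sharedUserId` and are signed with the same key are assigned one uid, which is why the grouping above happens. To find such groups on your own device you can list packages with their uids; the following is an added example, not part of VPN/Sentry, that groups the output of `adb shell pm list packages -U`. The line format `package:<name> uid:<uid>` and the sample output are assumed and constructed here; check both against your device.

```python
import re
from collections import defaultdict

# Constructed sample of `adb shell pm list packages -U` output (assumed line format).
SAMPLE_OUTPUT = """\
package:com.android.settings uid:1000
package:com.android.keychain uid:1000
package:com.example.mail uid:10123
package:com.android.providers.settings uid:1000
package:com.example.game uid:10124
package:com.example.game.plugin uid:10124
"""

FIRST_APPLICATION_UID = 10000  # android.os.Process.FIRST_APPLICATION_UID; lower uids are system uids
LINE_RE = re.compile(r"^package:(\S+)\s+uid:(\d+)$")


def group_by_uid(pm_output):
    """Map each uid to the sorted list of package names that run under it."""
    groups = defaultdict(list)
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            groups[int(match.group(2))].append(match.group(1))
    return {uid: sorted(pkgs) for uid, pkgs in groups.items()}


def shared_uids(pm_output):
    """Only the uids used by more than one package: a VPN-based firewall sees
    the traffic of these packages as one uid, so they get one set of rules."""
    return {uid: pkgs for uid, pkgs in group_by_uid(pm_output).items() if len(pkgs) > 1}


def is_system_uid(uid):
    return uid < FIRST_APPLICATION_UID


if __name__ == "__main__":
    for uid, pkgs in sorted(shared_uids(SAMPLE_OUTPUT).items()):
        kind = "system" if is_system_uid(uid) else "app"
        print(f"uid {uid} ({kind}) is shared by: {', '.join(pkgs)}")
```

Run it against real output with `adb shell pm list packages -U | python3 group_uids.py`-style piping after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; the shared system uid 1000 (`android.uid.system`) is the typical case the FAQ refers to.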
Why is sometimes an IP address shown?
Sometimes VPN/Sentry shows an IP address instead of a domain name.
This can be caused by:
- Apps connecting directly to an IP address instead of resolving a domain name to an IP address first
- The domain name having been resolved before VPN/Sentry was started, so the DNS response was never seen
- A restart of the server, which loses the transient DNS response cache
As soon as a domain name for the IP address becomes available, the address will be updated.
Is the shown domain name always correct?
VPN/Sentry uses a heuristic to determine which DNS request belongs to which app,
which results in the correct domain name being shown in almost all cases.
Showing the correct domain name cannot be guaranteed in every case,
but the shown domain name will always be one that resolved to the underlying IP address(es).
Note that one domain name can have multiple IP addresses associated with it
and that one IP address can be used for multiple domain names.
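The mechanism behind the two answers above ("Why is sometimes an IP address shown?" and "Is the shown domain name always correct?"), as an added Python example that is not VPN/Sentry's own code: a parser for DNS responses as they pass through a tunnel (RFC 1035 wire format, including name compression) and a transient IP-to-name cache built from them. The sample response is constructed in the code; the addresses come from the documentation ranges 192.0.2.0/24 and 2001:db8::/32. It shows why a direct-to-IP connection, an answer that expired, or a cleared cache (a server restart) all fall back to the bare IP, and why one IP can carry several names.

```python
import socket
import struct
import time

A, AAAA = 1, 28  # DNS record types


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed sample packet: a DNS response whose answer owner names are a
    compression pointer (0xC00C) back to the question name, as real resolvers emit it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A, 1)
    body = b""
    for rtype, ttl, ip in answers:
        rdata = socket.inet_pton(socket.AF_INET6 if rtype == AAAA else socket.AF_INET, ip)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + body


def _read_name(pkt, off, max_jumps=16):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            jumps += 1
            if jumps > max_jumps:             # refuse pointer loops in hostile packets
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(pkt):
    """Return (queried name, ip, ttl) for every A/AAAA record in a DNS response.
    Records are attributed to the name the app asked for, so a CNAME chain still
    yields the domain the user recognises rather than the CDN's canonical name."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        return []                             # a query, not a response
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(pkt, off)
        qname = qname or name
        off += 4                              # skip qtype and qclass
    records = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == A and rdlen == 4:
            records.append((qname, socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == AAAA and rdlen == 16:
            records.append((qname, socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return records


class ReverseDnsCache:
    """Transient IP -> domain name(s) cache fed from DNS responses seen in the tunnel."""

    def __init__(self):
        self._by_ip = {}                      # ip -> {name: expiry time}

    def learn(self, pkt, now=None):
        now = time.time() if now is None else now
        for name, ip, ttl in parse_answers(pkt):
            self._by_ip.setdefault(ip, {})[name] = now + ttl

    def names_for(self, ip, now=None):
        """Domain name(s) known for ip, or the bare IP when nothing live is known."""
        now = time.time() if now is None else now
        live = sorted(n for n, exp in self._by_ip.get(ip, {}).items() if exp > now)
        return live or [ip]

    def clear(self):
        """What a server restart does: every learned mapping is gone."""
        self._by_ip.clear()


if __name__ == "__main__":
    cache = ReverseDnsCache()
    cache.learn(build_response("www.example.com", [(A, 300, "192.0.2.10"), (A, 300, "192.0.2.11")]))
    print(cache.names_for("192.0.2.10"))     # ['www.example.com']
    print(cache.names_for("192.0.2.99"))     # ['192.0.2.99']: the app connected to a bare IP
```

The pointer-hop limit in `_read_name` matters for anything that parses DNS from untrusted peers: a forged response with a pointer that points at itself would otherwise spin the parser forever.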
Why can't I start VPN/Sentry using the switch in the action bar?
If starting VPN/Sentry with the switch in the action bar doesn't work,
make sure no other VPN is selected as always-on VPN in the Android VPN settings.
Why can't I select OK to approve the VPN connection request?
Another (possibly invisible) application may be drawing a window on top of the VPN connection request dialog.
Android ignores touches on the OK button of this dialog while it is obscured, to prevent an overlay from tricking you into approving a VPN ("tapjacking").
Known screen-dimming applications that can cause this are Lux Brightness, Night Mode and Twilight.
To avoid this problem, at least temporarily close all applications and/or services that may be running in the background.
Which DNS servers are being used?
All DNS requests are routed into the VPN and are handled by the VPN servers themselves.
The local BIND9 DNS servers are configured as caching, recursive DNS servers (no forwarding to other DNS servers)
with DNSSEC validation enabled.
This means you won't need DNSCrypt or a similar solution to protect the DNS traffic between your device and the resolver: the queries already travel inside the encrypted tunnel.
Note that DNSSEC validation guarantees the authenticity of the answers, not the confidentiality of the resolver's own queries to the authoritative servers, which are sent in the clear as with any resolver.
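What such a resolver looks like in BIND9 terms, as an added configuration example that is not VPN/Sentry's server configuration: recursion restricted to the tunnel's client range (10.8.0.0/16 and 10.8.0.1 are assumed addresses), no `forwarders` statement, and validation against the built-in root trust anchor.

```conf
options {
    directory "/var/cache/bind";
    listen-on { 10.8.0.1; };            // the resolver address inside the tunnel (assumed)
    listen-on-v6 { none; };
    recursion yes;
    allow-recursion { 10.8.0.0/16; };   // VPN clients only; never an open resolver
    allow-query { 10.8.0.0/16; };
    // No "forwarders" statement: answers are fetched from the authoritative servers,
    // so no third-party resolver sees the queries.
    dnssec-validation auto;             // validate using the built-in root trust anchor
    minimal-responses yes;
};
```

To check from a connected client: `delv @10.8.0.1 example.com A` prints `; fully validated` for a signed zone, and `dig @10.8.0.1 +dnssec example.com` shows the `ad` flag in the response header; a resolver that forwards to an upstream without validating will not set it.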
Where does local traffic go to?
Local traffic goes where it should go: to the LAN.
Addresses in these ranges are considered to be local:
Only global unicast IPv6 addresses (2000::/3) are routed into the VPN; all other IPv6 traffic is considered local.
Be aware that apps cannot reach local DNS servers, because Android doesn't allow selective routing of DNS traffic.
If an app needs this, you can enable the option 'Exclude from VPN' for that app.
How is VPN/Sentry different from NetGuard?
VPN/Sentry sends the traffic of all your apps encrypted to one or more servers,
which take care of the filtering (allowing/blocking traffic per app and/or address).
NetGuard doesn't encrypt your traffic and filters on the device.
If you trust the servers (they see all of your traffic, as your ISP does without a VPN),
VPN/Sentry provides more privacy, because your internet traffic is mixed with that of other people
and your local network and ISP see only an encrypted tunnel to the server,
and it uses less battery power than NetGuard, because the servers do the filtering instead of your device.
Other differences are:
- VPN/Sentry supports rule/condition profiles
- VPN/Sentry supports global rules
- VPN/Sentry supports wildcard rules
- VPN/Sentry supports the conditions 'allow when screen on' and 'block when roaming' for address rules
- VPN/Sentry supports all IP protocols,
including IPsec (needed for IP/Wi-Fi calling),
while NetGuard can only support TCP, UDP and ICMP
- VPN/Sentry supports IP fragmentation
- VPN/Sentry blocks domain names per connection, so you can see which domain names an app accessed and even allow them individually
- VPN/Sentry keeps the hosts file updated automatically
- VPN/Sentry does not restart the VPN service on state changes to reduce battery usage and to prevent leaks
- VPN/Sentry has no PCAP export
- VPN/Sentry has no bells and whistles (even no settings) and is therefore simpler to use
- VPN/Sentry can be downloaded via the Google Play store only
How is the European "Roam like at home" handled?
If both the SIM-card country and the network country are one of
the "Roam like at home" countries,
then VPN/Sentry automatically considers the connection as not roaming.
Can I use another VPN app while using VPN/Sentry?
If the VPN app is using the Android VPN service, then no, because VPN/Sentry needs to use this service.
Android allows only one application at a time to use this service.
Will there be an iOS/Windows/Linux client/app?
Maybe if there is a lot of interest in VPN/Sentry for Android.
Can I enable the Always-On VPN setting 'Block connections without VPN'?
Unfortunately not, because enabling this setting blocks access to the VPN server too.
I am considering this as a bug in Android.
Can you please add ... ?
You might have a great idea, so you can always suggest new features,
but in general I like to keep VPN/Sentry as simple as possible.
So, don't be disappointed if I say "no". What I won't add in any case is:
- Any setting, unless absolutely necessary
- Other themes/colors
- Showing data usage / network speed
- Showing the last access time, because this would affect battery usage negatively
- Showing if there are global rules in the app details, because this would result in lags
- An option to batch enable the app setting 'Bypass VPN' (see here for why)
- Looking up IP addresses and domain names, because this would depend on third party services and is hardly being used in practice
- Widgets/shortcuts/automation to change the active profile, because this can't be done in a secure way
- Importing a part of exported settings
Is the VPN/Sentry app compatible with other VPN providers?
Both the VPN/Sentry app and the VPN server software were developed from scratch
to make it possible to filter traffic on the VPN server.
Other VPN providers do not offer server-side filtering (a firewall) and are therefore not compatible with VPN/Sentry.
In which order are rules applied?
The general rule is that more specific rules are applied before less specific rules, so that a specific rule can be an exception to a general one.
This means that rules are applied in this order, and the first matching rule decides:
- App address rules
- Global address rules
- Wildcard app address rules
- Wildcard global address rules
- Hosts file address rules
- App main rules
- Profile default rules
UDP and TCP DNS traffic is always allowed by a system rule, to prevent accidentally blocking all internet traffic.
tl;dr: mostly this results in what you expect to happen.
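The precedence above, written out as an added Python example that is not VPN/Sentry's own rule engine: each level is consulted in the documented order and the first level with a matching rule decides, with the DNS system rule checked first. The rule set in `example_ruleset()` is constructed so that every level overrides the next one. Assumptions, beyond the order itself: hosts file entries are block-only, wildcard rules use `*` glob matching (so `*.example.org` does not match `example.org` itself), and conditions such as 'block when roaming' are left out.

```python
from fnmatch import fnmatchcase

ALLOW, BLOCK = "allow", "block"
DNS_PORT = 53


class Ruleset:
    """Evaluates the rule levels in the documented order; the first level holding a
    matching rule decides, which is what lets a specific rule be an exception."""

    def __init__(self, profile_default=ALLOW):
        self.app_address = {}        # (app, host) -> action
        self.global_address = {}     # host -> action
        self.app_wildcard = []       # (app, pattern, action)
        self.global_wildcard = []    # (pattern, action)
        self.hosts_file = set()      # host names from a hosts file (assumed block-only)
        self.app_main = {}           # app -> action
        self.profile_default = profile_default

    def decide(self, app, host, port, proto):
        """Return (action, the level that decided)."""
        # System rule first: DNS is always allowed, otherwise one broad block rule
        # would silently cut off all internet traffic.
        if port == DNS_PORT and proto in ("udp", "tcp"):
            return ALLOW, "system DNS rule"
        if (app, host) in self.app_address:
            return self.app_address[(app, host)], "app address rule"
        if host in self.global_address:
            return self.global_address[host], "global address rule"
        for rule_app, pattern, action in self.app_wildcard:
            if rule_app == app and fnmatchcase(host, pattern):
                return action, "wildcard app address rule " + pattern
        for pattern, action in self.global_wildcard:
            if fnmatchcase(host, pattern):
                return action, "wildcard global address rule " + pattern
        if host in self.hosts_file:
            return BLOCK, "hosts file address rule"
        if app in self.app_main:
            return self.app_main[app], "app main rule"
        return self.profile_default, "profile default rule"


def example_ruleset():
    """Constructed rules in which each level is an exception to the next."""
    rs = Ruleset(profile_default=ALLOW)
    rs.hosts_file.add("ads.example.net")                      # blocked for everyone...
    rs.app_address[("browser", "ads.example.net")] = ALLOW    # ...except in the browser
    rs.global_wildcard.append(("*.example.org", BLOCK))        # block the whole domain...
    rs.global_address["login.example.org"] = ALLOW             # ...but keep the login host...
    rs.app_wildcard.append(("mail", "*.example.org", ALLOW))   # ...and all of it for mail
    rs.app_main["game"] = BLOCK                                # the game stays offline...
    rs.app_address[("game", "scores.example.com")] = ALLOW     # ...except its score server
    return rs


if __name__ == "__main__":
    rs = example_ruleset()
    requests = [
        ("browser", "ads.example.net", 443, "tcp"),
        ("mail", "ads.example.net", 443, "tcp"),
        ("mail", "imap.example.org", 993, "tcp"),
        ("browser", "cdn.example.org", 443, "tcp"),
        ("game", "scores.example.com", 443, "tcp"),
        ("game", "resolver.example", 53, "udp"),
    ]
    for req in requests:
        print(req, "->", rs.decide(*req))
```

Note what the DNS system rule implies for a firewall of this kind: blocking a domain name does not stop the name from being resolved, only the connection that follows, which is exactly why the FAQ can show the names an app tried to reach even when they are blocked.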
Can VPN/Sentry block incoming connections?
By default Android doesn't accept incoming connections, for security reasons,
so this question is relevant only if you have root permissions and have installed server software on your device.
The server software is responsible for handling incoming connections securely (authentication, authorization, etc.),
which means you should only install server software you trust; VPN/Sentry cannot really play a role in this.
Moreover, Android doesn't route incoming traffic into the Android VPN service, so technically VPN/Sentry cannot play a role in this anyway.
Note that Android, to be precise Google Play services, receives push messages over an outgoing connection that it establishes to the Google servers, so no incoming connection is needed for that.
tl;dr: no, and there is no need for it.
Which permissions does VPN/Sentry require and why?
All of these are "normal" permissions, which Android grants automatically at install time.
- INTERNET: to forward internet traffic to the VPN servers
- ACCESS_NETWORK_STATE: to monitor internet connectivity to be able to reconnect automatically and to apply the right rules
- RECEIVE_BOOT_COMPLETED: to start VPN/Sentry on device start
- BILLING: to offer a subscription for unlimited data usage
Why do Google, Facebook, etc require me to login again?
When you use VPN/Sentry, your traffic enters the internet from a different place,
because it is the VPN server, not your device, that connects to the internet.
Google, Facebook, etc. detect a login from an unusual location and ask you to log in again to make sure it is you.
Mostly you only need to do this once; there is nothing to worry about.
Can I use Wi-Fi/USB tethering and Wi-Fi direct?
Yes, you can, but tethered traffic cannot be filtered by VPN/Sentry due to limitations of the Android VPN service.
Can I use a secondary user/work profile?
Yes, you can, but some older Android versions have bugs that prevent the Android VPN service from working properly in a secondary profile.
Unfortunately it is not possible to work around these bugs.
What happens after the free data allowance has been used up?
After the free daily data allowance has been used up, the VPN server terminates the connection,
but the local Android VPN service is kept running.
This means that internet traffic goes nowhere (so nothing leaks) and appears to be blocked.
A status bar notification will indicate that there is no connection with the VPN server,
and another that the daily usage limit has been reached.
A warning notification is shown first, once more than 70 % of the daily limit has been used.
Is the free data usage limit guaranteed?
No, the free data usage limit may change anytime without prior notice.
The free data usage limit is meant only to evaluate VPN/Sentry.
For permanent usage of VPN/Sentry you should subscribe to the unlimited data usage plan.
Is the unlimited data usage subscription valid for multiple devices?
Yes, the unlimited data usage subscription is valid for all devices logged into the same Google account.
Can I share a subscription with family members?
The Google Play Family library doesn't allow sharing of in-app purchases and subscriptions, so no.
Can I get a refund?
You can always ask, but you'll need a really good reason.
Saying that VPN/Sentry doesn't work or doesn't please you isn't a good reason in any case,
since you had the opportunity to test VPN/Sentry for free first.
How secure is VPN/Sentry?
In general, VPN apps are often not as secure as one might expect; see the referenced article.
VPN/Sentry does not fail on any of the points in that article:
- Encryption: VPN/Sentry properly encrypts all traffic; see "What encryption is being used?" for details
- IPv6 traffic: VPN/Sentry routes all traffic into the VPN, including IPv6 traffic and DNS requests, so neither leaks around the tunnel
- Malicious code: VPN/Sentry does not and will not contain malicious code
VPN/Sentry was developed from scratch, because no existing VPN solution offered a firewall.
VPN/Sentry uses only OpenSSL for its cryptography, to minimize the risk that something is wrong.
If you are in doubt, you are free to test VPN/Sentry and to publish the results.
There are various tools available for this (use your favorite search engine).
Why can't I login to a Wi-Fi hotspot?
Logging in to a Wi-Fi hotspot (captive portal) in the web browser generally works without any problem.
However, some hotspots use a remote address for the login page,
and remote addresses are blocked until the connection to the VPN server has been established.
This is a chicken-and-egg problem, because connecting to a remote address is possible only after logging in to the Wi-Fi hotspot.
Unfortunately this cannot be fixed without disabling the VPN.
For support you can use this contact form.
Copyright © 2017-2018 M. Bokhorst