AFWall+ (Android Firewall+) is an open-source, iptables-based firewall for Android. It requires a rooted Android 5+ device and can be retrieved from F-Droid, GitHub, or Google Play Store.
AFWall+ 3.0.0 introduced support for Tor. In this tutorial, we show you how you can configure your device to use this feature.
Always stay in the loop!
Subscribe to our RSS/Atom feeds.
AFWall+ 3.0.0 allows you to redirect all of your device’s network traffic through Tor using Orbot. The VPN mode of Orbot isn’t required anymore. The advantage is that you can use Tor and a VPN connection at the same time. Previously, this wasn’t possible since Android only allows one active VPN connection at a time.
Unfortunately, using Tor via AFWall+ isn’t as intuitive as usual. If you don’t use Orbot so far, stay calm since we introduce this app now.
Installation and preparation
If you want a permanent Tor connection, you can enable Orbot at startup. After enabling it, restart your Android device. Keep in mind that background connections quickly drain your device’s battery.
Afterward, download and install “AFWall+” (F-Droid) or “AFWall+ (Android Firewall +)” (Google Play Store). Alternatively, you can get the apk files on GitHub.
Moreover, we recommend “OpenVPN for Android” to manage your VPN connection. This app is available on F-Droid or Google Play Store, too.
There are two different possibilities to configure VPN and Tor:
- Configuration 1: The Tor connection is tunneled through your VPN connection. The VPN server must support tunneling.
- Configuration 2: You use Tor and VPN simultaneously. For instance, if you’re connected with your home network and your VPN server doesn’t support tunneling through your traffic.
Open AFWall+ and its menu (three dots in the top right corner). Select preferences. Enable controls for VPN and Tor (see screenshot below).
Go back to the main menu (as shown in the screenshot below).
In the main menu of AFWall+, you can manage permissions of your apps:
- Configuration 1, as mentioned above: Check WiFi, mobile data, and VPN. Since an active VPN connection drains your battery faster, you probably only enable it if necessary. If you always use a VPN, it is sufficient only to check VPN (uncheck all other checkboxes).
- Configuration 2, as mentioned above: Check WiFi and mobile data. It is necessary to configure OpenVPN for Android, too. We will show you the required steps below.
Apps with built-in Tor support
Some apps come with built-in Tor support, e.g., F-Droid, dandelion*, Tusky, and Tor Browser. Only check the “Tor” checkbox.
Apps without built-in Tor support
Other apps may not have native support for Tor; however, you can tunnel their traffic through Tor. Check the “Tor” checkbox and either “WiFi” or “mobile data.” If the smartphone is connected with WiFi resp. your mobile data connection, all network traffic of these apps is tunneled through Tor.
Configure remaining apps as needed. For instance, if an app should only be allowed to connect to the internet via a VPN, only check the “VPN” checkbox.
Don’t forget to enable “OpenVPN for Android” rules.
OpenVPN for Android
Open OpenVPN for Android on your device. You can import configuration files using the “+” button. Normally, OpenVPN tunnels all network traffic through Android’s single VPN slot. If you want to run a VPN and Tor at the same time, you must change the configuration:
- Switch to edit mode by selecting the pencil icon.
- Select “allowed apps” and enable “VPN is used only for selected apps.”
- Check all apps that should be allowed to connect to the internet via VPN.
This complicated setup can quickly lead to misconfiguration. If you observe strange behavior of apps that use your internet connection, you should use AFWall+’s logging capabilities. AFWall+ can show a notification when it denies apps to connect to the internet. This notification contains the name of the app and the IP address of the remote device. Using these notifications is helpful for troubleshooting.
To enable these notifications, go to preferences in AFWall+ and then to menu preferences log. Enable “Turn on log service” as well as “Enable show toasts.”
Follow us on Mastodon:
- AFWall+ on GitHubexternal link
- AFWall+ Wikiexternal link
- F-Droidexternal link
- GuardianProject's F-Droid repositoryexternal link
- Orbotexternal link