RethinkDNS

I'm not affiliated with RethinkDNS in any way, I'm just a technologist and privacy advocate.

🔑 Key Terms

RethinkDNS Overview

• Bypass DNS and Firewall: Bypass the DNS and Firewall for this app, this only works with Rethink's DNS.

• Bypass Universal: Bypass the Universal firewall for this app.

• Exclude: The app is excluded from the dns and firewall, Rethink is unaware of this app.

• Isolate: When an app is isolated, only trusted IPs are allowed. (i.e., IPs or domains you explicitly set trust rules for).

• 🛜(Unmetered Wi-Fi): Wi-Fi settings, either blocked or allowed.

• 📶 (Metered mobile): Mobile data settings, either blocked or allowed.

The DNS mode routes all DNS traffic generated by all apps to any user chosen DNS-over-HTTPS, DNS-over-TLS, DNSCrypt, or Oblivious DNS-over-HTTPS resolver.

Firewalls like Rethink that block both UDP and TCP connections are usually sufficient because nearly all applications rely on these two protocols for their networking and communication. Almost every app communicates over TCP or UDP, so blocking these protocols effectively restricts most network traffic from and to apps, preventing them from connecting without permission.

I will share how I use RethinkDNS, obviously feel free to make changes based on your threat model and needs.

Different versions of the RethinkDNS have different features and capabilities. The best version in my opinion is the F-Droid version.

• F-Droid Download

Getting Started

DNS

Recommended Resolvers:

Throughout this article, I'll be discussing the RethinkDNS Android App. We'll later reference the DNS Blocklist configuring website, which is available at rethinkdns.com/configure.

❗ NOTE: When you switch to an encrypted DNS resolver, you are shifting your trust from your ISP's DNS servers to the third-party DNS provider you choose. Encryption protects your DNS queries from being seen or intercepted by outsiders, like your ISP or network eavesdroppers, which improves privacy. However, the DNS resolver itself still sees all your queries and could potentially log, analyze, or misuse that data.

That said, it's quite common for ISPs to engage in practices that compromise user privacy. Do some research, whats their business model, privacy policy, etc. Unfortunately, with a VPN you are also just shifting the trust. Don't blindly choose a VPN either.

• ISP data-collection

Configure -> DNS -> Other DNS:

• Choose the type of resolver you want, I use DNSCrypt. Once you click you can choose the specific resolver you want such as Quad9. You may notice that it says Failed: using fallback DNS. This is only because we haven't turned it on yet, we will recheck this once we turn it on.

• If you want a relay in a specific country, you can click the Relays tab. For DNSCrypt you are given the choice between the Netherlands, France, Sweden, Los Angeles, and Singapore. You might do this if you were trying to circumvent censorship.

Rules set the following:

• Advanced DNS filtering (experimental): Assign unique IP per DNS request.

• Prompt on blocklist updates: This is for if you use Rethink's custom blocklists.

• Prevent DNS leaks: When enabled, Rethink captures all packets on port 53 and forwards it to a user-set DNS endpoint.

Leave all the Advanced defaults unless you plan on setting up a SOCKS5 proxy, in which case you will want to enable Configure -> DNS -> Never proxy DNS.

F-Droid Specific:

• Split DNS (experimental): Forward DNS queries from proxied apps to the proxy's DNS servers.

• Treat DNS rules as firewall rules (experimental): DNS blocking will be bypassed during resolution; the decision will be made at connection time.

• Set Use fallback DNS as bypass: where it always uses your fallback DNS for bypassed apps, domains and IPs.

• You can also set Use System DNS for undelgated domains which is generally safe to enable and useful if access to local network devices or custom internal domains is needed.

Blocklists:

This is a cool feature, similar to NextDNS if I understand correctly. Since it's a system-wide DNS filter it applys to any app that is run through Rethink, not only your browser, every app.

Blocklists are available when you use Rethink's DNS.

Configure -> DNS -> Rethink DNS:

• Choose between Sky with higher uptime and a stub resolver at cloudflare.com, OR Max which is more private and has its recursive resolver at fly.io.

• Choose between the preconfigured blocklists, OR Click RDNS Plus, EDIT, ADVANCED, Search blocklists: hagezi, Multi Pro++ (HaGeZi), APPLY (RDNS PLUS)

• You can manually Check for an update to the blocklists, which you should because they are updated regularly with new identified threats. You can also enable Prompt on blocklist update.

• hagezi which version should I use?

• oisd

F-Droid & Github Versions

When on the F-Droid and GitHub versions of the Rethink, you can download blocklists from Configure -> DNS -> On-device blocklists, and have them setup for any DNS upstream.

There is a known bug where it sometimes when you click DOWNLOAD BLOCKLISTS it just keeps listening and never receives anything. The GitHub v05.5n was affected by this.

This does work on the F-Droid version.

For example, if you want to use ODoH with the HAGEZI Blocklist you could:

Go to Configure -> DNS -> Other DNS, Choose ODoH with Cloudflare. Start it.

Now in Configure -> DNS -> RULES, tap On-device blocklists, and click the disabled logo, then click DOWNLOAD BLOCKLISTS. Once the download is complete, you can select Configure and select ADVANCED and search for HAGEZI, choose MULTI PRO++ and maybe oisd small, then press APPLY (ON-DEVICE).

Now any app that doesn't bypass Rethink will use your chosen blocklists, denying access to malicious URLs.

The HAGEZI blocklists are respected for being updated frequently. There are different levels with MULTI PRO++ (HAGEZI) being the highest and 4 other lest strict levels.

Network

Settings explained:

• Loopback proxy forwarder apps: Enable when you want all of your devices proxy-related traffic to also flow through Rethinks encrypted tunnel. It ensures apps that proxy DNS/HTTP/SOCKS traffic don't leak outside the VPN.

• Do not route Private IPs: Prevents routing traffic destined for private IP address ranges (like 192.168.x.x, 10.x.x.x) through the tunnel. Instead, this traffic goes directly over the local network or system default route. Most useful when you want devices on your local network (NAS, printers, etc.) to be reachable by apps on your phone without routing the traffic through Rethinks tunnel, improving performance and reliability of local connections but possibly reducing privacy.

• Loopback (experimental): When enabled, this routes RethinkDNS's own internal traffic, such as blocklist downloads, connectivity checks, and DNS queries made by the app itself, back into the encrypted tunnel through the loopback device.

NOTE: The above settings are disabled by default because some are experimental and can easily break functionality. I have found that the settings below give the most functionality without breakage 👇️:

Configure -> Network:

• Set Use all available networks to ON. This enables Wifi and mobile data to be used at the same time by Rethink. (Optional, may use more battery)

• Set your IP version: The default is IPv4, you can choose between IPv6 (experimental) and Auto (experimental).

• Choose fallback DNS: When your user-preferred DNS is not reachable, fallback DNS will used.

  • With the F-Droid version in Configure -> DNS -> ADVANCED. You can enable Use fallback DNS as bypass, which always uses fallback DNS for bypassed apps, domains, and IPs.

• I personally disable Enable network visibility, just keep in mind that some apps may break.

  • "Shutting this off prevents apps from accessing all available networks, stopping them from bypassing Rethinks tunnel". This caused issues with the browser when turned off.(Some audio/video conference apps like Zoom and Meet require this)

Firewall

Configure -> Firewall -> Universal firewall rules and set the following to ON:

• Block all apps when device is locked

• Block when DNS is bypassed

• Block port 80 (insecure HTTP) traffic

You can get more restrictive from here, but it will take some manual intervention to get everything working correctly.

Keep your firewall rules in mind when you're configuring per app settings. If the Universal firewall blocks all apps when the device is locked, do you want this app affected by this or do you want to let it Bypass the Universal firewall?

Turn ON DNS and Firewall

Home 🏠:

• Click the big Start button on the bottom of the screen and leave it set to the default DNS and Firewall (default)

Now that we've started the DNS and Firewall, we can go back to Configure -> DNS and ensure the provider we chose started successfully. You can also experiment with different types of resolvers, make sure to wait for below the chosen resolver to say Connected.

Now, all apps on your device by default allow both Wi-Fi and mobile data access through the RethinkDNS encrypted tunnel. Try some of your most used Apps to see if they function correctly.

RethinkDNS’s firewall blocks or restricts any network traffic that isn’t explicitly allowed. Although by default all apps are allowed network access, some apps require special permissions or bypasses due to their network behavior. Many apps rely on multiple external services, backend APIs, etc. that may be blocked by the firewall.

Apps that Don't work

I will use Reddit as an example, the process is the same for any app. Reddit’s app and website rely on multiple third-party services and external domains beyond just reddit.com itself.

For apps that don't work it's important to ensure that your Android systems Private DNS is set to Automatic.

Home -> Apps:

Search for Reddit, click on it and the Firewall Rules For Reddit will pop up. Since it is already allowed Unmetered and Metered connections and still doesn't work, we can try one setting at a time until it does work and this is the same process for other Apps that aren't working.

• First, you should check your logs and see why it's being blocked. Look at the domains involved and set trust rules for said domains. (start by trusting reddit.com). Check the logs again, add any domains that were blocked related to reddit. If it is unclear why networking still isn't working, you can:

• Bypass Universal, this allows it to bypass any Universal Firewall rules you have set.

• If you're using Rethink's DNS, you can try allowing the app to Bypass DNS & Firewall. Try the app again, does it work? If not:

• You can also Isolate an App, you then have to set up trust | allow rules for domains or IPs over a period of time which can take a while. You can go to Apps and search for the app in question, click on it and at the bottom of the screen you'll see IP Logs, and Domain Logs to help with this.

• Exclude the app. This makes RethinkDNS completely unaware of the app and is often what is required for Reddit. It is my understanding that after you Exclude Reddit for example, your systems Automatic Secure DNS will pick it up.

Other Methods

Rather than watching the logs and setting trust rules over time, you could use tools like nslookup and dig to resolve said domain and reveal IP ranges used.

nslookup reddit.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   reddit.com
Address: 151.101.129.140
Name:   reddit.com
Address: 151.101.193.140
Name:   reddit.com
Address: 151.101.1.140
Name:   reddit.com
Address: 151.101.65.140
Name:   reddit.com
Address: 2a04:4e42::396
Name:   reddit.com
Address: 2a04:4e42:600::396
Name:   reddit.com
Address: 2a04:4e42:200::396
Name:   reddit.com
Address: 2a04:4e42:400::396

Resolving a domain (like reddit.com) using tools like nslookup or dig reveals multiple IPs because large services use multiple servers across CDNs and networks for redundancy and performance.

You can then run whois on one of those IPs (e.g., whois 151.101.129.140) to identify the subnet ranges owned by Reddit's CDN provider (Fastly in this case), which helps when setting up subnet range allow rules in Rethink.

whois 151.101.129.140

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


NetRange:       151.101.0.0 - 151.101.255.255
CIDR:           151.101.0.0/16
NetName:        SKYCA-3
NetHandle:      NET-151-101-0-0-1
Parent:         RIPE-ERX-151 (NET-151-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Fastly, Inc. (SKYCA-3)
RegDate:        2016-02-01
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/151.101.0.0


OrgName:        Fastly, Inc.
OrgId:          SKYCA-3
Address:        PO Box 78266
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2011-09-16
Updated:        2025-03-25
Ref:            https://rdap.arin.net/registry/entity/SKYCA-3


OrgNOCHandle: FNO19-ARIN
OrgNOCName:   Fastly Network Operations
OrgNOCPhone:  +1-415-404-9374
OrgNOCEmail:  noc@fastly.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/FNO19-ARIN

OrgTechHandle: FRA19-ARIN
OrgTechName:   Fastly RIR Administrator
OrgTechPhone:  +1-415-518-9103
OrgTechEmail:  rir-admin@fastly.com
OrgTechRef:    https://rdap.arin.net/registry/entity/FRA19-ARIN

OrgAbuseHandle: ABUSE4771-ARIN
OrgAbuseName:   Abuse Account
OrgAbusePhone:  +1-415-496-9353
OrgAbuseEmail:  abuse@fastly.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE4771-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.

Firefox Encrypted DNS through Rethink

First, make sure you can visit a few sites in Firefox. If you can, then your browser traffic should be routed through the Rethink tunnel, we will check here. If you can't, go to Home -> Apps and search for Firefox, is networking enabled?

RethinkDNS Settings

For the best experience routing your browser traffic through your custom endpoint (e.g., DNSCrypt) on both Wi-Fi and mobile data ensure the following are set:

• Do not turn on Block any app not in use in the Universal firewall. After some Log digging, I found that this causes the browser to fail more often than not.
• Configure -> Network -> Enable network visibility set to ON. I had experimented with turning this off and certain websites wouldn't load when on Wi-Fi and none would load on mobile data. Turning it back on seemed to fix both with no leaks detected.

Double check that in Rethink's Configure -> DNS -> Prevent DNS leaks is ON, as well as the Universal Firewalls Block when DNS is bypassed ON.

Firefox Settings

In Firefox, plug about:config into the URL bar and scroll down to network.ttr.mode and change its value to 3 to prevent leaking DNS queries to the System resolver. Also in about:config scroll down to media.peerconnection.enabled, double-click to set it to false to prevent WebRTC leaks.

• The trade-off is that disabling WebRTC also disables any websites or apps using WebRTC for real-time communication (like video calls or chat functions) from working correctly. Wikipedia WebRTC

In Firefox Settings -> Privacy & Security, set DNS over HTTPS to Default Protection, this enables Firefox to use RethinkDNS's DNSCrypt resolver or whatever you chose.

Checking for DNS Leaks

Go to:

https://dnsleaktest.com

Also crosscheck with:

https://ipleak.net

ipleak.net may show many more servers but as long as they are all related to your resolver (i.e., WoodyNet for Quad9) you are not leaking to your ISP or other third-parties.

For DNSCrypt with Quad9 Security, dnsleaktest found 5 servers all with the ISP WoodyNet indicating success through Quad9. Quad9 relies on Packet Clearing House, that's where the WoodyNet name comes from.

When on mobile data, when going to https://dnsleaktest.com the results may show more servers. As long as they are all the same ISP you're good.

A different solution could be to experiment with more strict RethinkDNS settings and just use the browsers built-in DNS over HTTPS on max protection. Having more strict defaults for Rethink with all of your apps and configuring your browser separate may be a better option, the choice is yours.

When hunting down a solution you can go to Configure -> Logs, then try to visit the site that wouldn't work while watching the logs. You should see Firefox pop up, click it, in the top right of the pop up should be the reason it was blocked.

• PrivacyTests.org, tests different browsers in different privacy categories.

DuckDuckGo

I also tested DuckDuckGo with its stock configuration and dnsleaktest.com showed that DDGs traffic was successfully tunneled through Rethink to Quad9s' servers.

dnsleaktest.com showed all WoodyNet ISPs indicating success.

Chromium Based Browsers (Brave)

For Brave, if you want your DNS routed through Rethink you have to turn Use secure DNS off.

I also had to set Brave to Bypass Universal

NOTE: Brave has been known to have some spyware in the past, though most of it can be opted out of.

More Fine Grained Control & Enhanced Privacy

In this section we will switch from a default allow to a default deny; blocking network access to every app. We will then go through and only enable networking for the apps that we need and trust.

https://brave-browser-apk-release.s3.brave.com/fdroid/repo

https://searx.ankha.ac/search?q=%s

Default Deny

If you read the following GrapheneOS discussion forum written by an RDNS dev:

• GrapheneOS Discussion Forum on Rethink

The post suggests you go to Home -> Apps and right under Showing all apps click on the grayed out 🛜📶 to set a rule to block both Metered and Unmetered connections to all apps by default. This will block both Wi-Fi and mobile data connections to all apps on your device.

The point here is that not every App on your device needs network access all the time or at all in some cases.

Search for the apps you use/trust and:

• start by enabling Wi-Fi 🛜 and mobile-data 📶 as well as Bypass Universal so your required apps aren't blocked right when the screen shuts off or affected by the firewall.

• Next, check your logs and see why it's being blocked. Look at the domains involved and set trust rules for said domains. If it is unclear why networking still isn't working, you can:

• If you're using Rethink's DNS, you can try allowing the app to Bypass DNS & Firewall. Try the app again, does it work? If not:

• You can also Isolate an App, you then have to set up trust | allow rules for domains or IPs over a period of time which can take a while.

• Exclude the app. This makes RethinkDNS completely unaware of the app and is often what is required for Reddit. It is my understanding that after you Exclude an App, your systems Automatic Secure DNS will pick it up.

A few apps that typically need network access on Android:

• Google Play services (com.google.android.gms): push notifications, safety checks, etc.

• Google Play Store (com.android.vending) app updates and downloads

• Android System (usually UID 1000, often android or system): Core OS connectivity checks, NTP time sync, and network management. Blocking can cause "no internet" errors.

• Android System WebView (com.google.android.webview): Renders web contents in apps.

• Download Manager (com.android.providers.downloads): Manages file downloads from apps/browser. Without it, downloads stall.

• Media Storage

• Settings

Tor

Tor itself is a network and software that anonymizes traffic by encrypting it and bouncing it though a series of volunteer-operated relays around the world before reaching the destination. Orbot uses this Tor network to encrypt and anonymize internet traffic for Android apps.

Orbot routes app traffic through Tor but doesn't provide the same kind of traffic isolation and sandboxing that Tor browser offers on desktop. Be aware of the limitations and use Tor Browser on a hardened system or specialized software such as Tails or Whonix when anonymity truly matters.

If you want to learn how Tor works, I suggest reading the following in this order:

1. PrivacyGuides In Praise of Tor

2. PrivacyGuides Tor Overview

3. EFF How to: Use Tor

Tor is at risk, and needs our help. Despite its strength and history, Tor isn't safe from the same attacks oppressive regimes and misinformed legislators direct at encryption and many other privacy-enhancing technologies.--How to Support Tor

Setting up Orbot with a TCP-only Proxy

• Helpful guide, What is Orbot?

TCP-Only Proxies forward all TCP-level connections from selected apps to Orbot.

TCP-Only Proxies work best for Apps that use multiple TCP protocols beyond just basic web browsing (HTTP/HTTPS) like messaging apps (Signal), search apps (DDG), etc. Because it proxies all TCP traffic, it can cause some apps to slow down or break if they expect direct DNS or UDP.

First install Orbot, Open Orbot -> More -> Orbot Settings and turn on Power User Mode. This is important, if you forget this Rethinks auto Orbot will not let you choose between SOCKS and HTTP proxies.

You should also check Allow Background Starts ON.

In Configure -> Proxy -> Setup Orbot:

• Click Add / Remove 0 apps, search for an app that you want to run through Orbot. For simple testing I chose DuckDuckGo with a TCP-only Proxy.

• In Home -> Apps search for Orbot and set Orbot -> Bypass Universal ON

• On the first time starting Orbot through Rethink, you'll have to click the Configure -> Proxy -> Setup Orbot -> Orbot> to Connect as well as grant initial permissions. After you start Orbot successfully, check out Rethinks Home and below the STOP button should say Protected With Tor.

Open DuckDuckGo and go to:

https://dnsleaktest.com
# CrossCheck
https://ipcheck.net

❗ You may see that ipleaktest initially shows a Tor exit relay location such as the Netherlands, once you complete a Standard Test, it still shows WoodyNet ISPs. Since I configured Rethink to use DNSCrypt with Quad9 this is completely expected. This confirms that my DNS traffic is not leaking to my ISP and is properly anonymized through Tor and Quad9. As long as you don't see your actual ISP's servers in the results, your setup is working as intended.

Now you can add more apps that would benefit from anonymity such as FairEmail, RSS feeds, and crypto wallets. I believe for Signal, it requires that you to set up the SOCKS5 proxy to work correctly which is pretty straightforward.

Look into an RSS Feed, they give you complete control of the content you consume, no algorithm involved!

This can also be useful on public Wi-Fi or other insecure networks.

• You can also open Orbot and Choose How to Connect, if you want to hide Tor use.

• If you live in an area where Tor use isn't discriminated against, consider Activating your Orbot Kindness tab so others that are in oppressive regimes can use your device as a bridge. This is a great way to give back!

Setting up a SOCKS5 Proxy

If you have Orbot set up through auto mode, you'll have to disable it.

Open Orbot -> More: Near the bottom of the screen you'll see HTTP: 8118, and SOCKS: 9050, these are the Port numbers. We will compare these to Rethinks defaults. (They match).

Back in Rethink, Configure -> Proxy -> Setup SOCKS5 Proxy.

In the App dropdown choose Orbot.

• Hostname: 127.0.0.1

• Port Number: 9050

• Leave the rest of the defaults and Hit Set

• Go Home, below the STOP button you should see Protected With SOCKS Proxy. Now all of your devices traffic that doesn't bypass Rethink is routed through the SOCKS5 proxy.

• In Configure -> DNS and turn Never proxy DNS ON

• Open your browser and visit https://dnsleaktest.com, your public IP should no longer be your ISPs.

• SOCKS5 alone doesn't encrypt the traffic; it only proxies or routes it. Orbot uses SOCKS5 to let apps route traffic into the Tor network. Once inside the Tor network, the traffic is encrypted in layers.

• There is a misconception that Orbot is a "free VPN". It’s actually part of an anonymity network designed to hide your identity by sending your traffic through multiple servers. And the SOCKS5 proxy that Orbot uses isn’t a VPN either, it simply directs certain app traffic through a proxy server without creating a full encrypted tunnel from your device like a VPN does.

WireGuard/VPN

Keep your goals in mind before paying for a VPN, some allow you to pay with cash anonymously such as Mullvad VPN and a few others. Remember that you are transferring trust, from your ISP to the VPN provider.

Configure -> Proxy -> Setup WireGuard -> +:

With the WireGuard protocol, the provider usually gives you either a QR Code, or a configuration file (e.g., .conf file) which is a plaintext file that contains what is needed. You download that file and Click IMPORT which brings up your phones filesystem.

Alternatively, the CREATE option for advanced users who are setting up their own WireGuard network, typically if you host your own VPN server.

After this is setup you should always verify that your traffic is encrypted (hidden IP) and your DNS queries are protected (no leaks).

You could:

1. First check what your IP address is before enabling WireGuard at whatismyipaddress.com or ipleak.net, take note of your Public IP, ISP, and City/Country this is your real info that the VPN needs to hide.

2. Connect to your Wireguard/VPN server. Choose the server location you want and go back to check again.

3. Check for leaks, go to dnsleaktest.com and run a Standard test. If you don't see your Public IP listed anywhere, you don't have a leak.

Fixing DNS Leaks:

• Use WireGuard in Simple mode.

• Or, use Configure -> DNS -> Split DNS with WireGuard in Advanved + Lockdown mode (if running on Android 12+)

To ensure your DNS requests go through your VPN, check Configure -> Logs -> DNS. Tap on the entries that appear there, which should bring up a bottomsheet with more info about the request and how it was handled. Requests handled by WireGuard are shown with sub-text "resolved x min ago by wg..." --celzero

Proton VPN

This works for ProtonVPN Free as well.

Written by celzero Here

1. On your Android, visit https://account.protonvpn.com/downloads

2. Scroll to WireGuard

• Give it a name

• Select Android

• Enable VPN options as needed.

• Press Create or tap on Download.

3. Open Rethink, goto Configure -> Proxy -> Setup WireGuard

• Tap on the "+" button

• Choose Import

• Select the downloaded configuration file

4. If the import is successful, you should see a new profile prefixed wg added to the list.

5. Tap on that wg entry.

• In the new screen that opens up, tap on Add / Remove applications.

• Select apps that should be part of this particular WireGuard profile.

• Go back.

6. Enable / disable that wg profile as desirable.

• On my phone, when I saved the VPN profile, it automatically added .txt to the end of the file causing the import to fail. I was able to open my phones documents and long hold the file to rename it, afterwards I was able import it.

SIMPLE

When you enable: Configure -> Proxy -> Setup WireGuard - SIMPLE

All connections from all apps, including DNS, will be routed to a single, active WireGuard VPN. Other active WireGuard VPNs, if any, will be stopped.

If you tap SIMPLE, you can see the name of your VPN, check your Logs, and see your Peer connection.(your device that participates in the VPN network)

ADVANCED

Same as above but tap ADVANCED before enabling the toggle. This lets you choose which apps will be routed through the VPN while the rest are routed as usual.

This Mode also lets you enable:

• Lockdown: Selected apps will only be routed through this WireGuard VPN, regardless of whether the VPN is active or disabled.

• Always-on: All connections and apps not routed by other WireGuard VPNs will be routed by this one.

• Mobile only: Use this WireGuard exclusively over mobile data.

After you configure your Advanced settings as needed, enable the toggle.

Always make sure to watch your Logs as well as test with something like <dnsleaktest.com>, you shouldn't see your actual Public IP anywhere. It's advisable to check for WebRTC Leaks as well if you have that enabled.

Troubleshooting VPN issues

There are a few Proxy settings in Configure -> Network -> PROXY, where you can:

• Enable Do not randomize WireGuard listen port: Keep WireGuard listen ports fixed (no randomization) in Advanced mode.

• Enable Endpoint-Independent mapping: When enabled, UDP sockets maintain a fixed address and port for all destinations.

Check your Logs

In Configure -> Proxy -> Setup WireGuard, click on your VPN which will give you access to the LOGS.

Click the top entry, it will bring up the IP address and domain and show your rules the app. You can click the dropdown menu's to set new Universal Firewall rules, as well as block/trust rules for IPs and domains.

Logs

On-device logging is on by default. You can find it in Configure -> Settings. From there, you can set the log level and choose a notification action.

If anyone else uses your phone, it's probably a good idea to enable app lock.

Go to Configure -> Logs, and try to access the app that's not working. You should see said app at the top of the Network Logs, click it. In the top right of the tab, you'll see the reason why it's not working such as: App Blocked, or DNS Bypass.

This DNS Bypass means that the App in question is trying to bypass the Rethink Tunnel and being actively blocked. You can search for said app and try setting IP or Port Trust rules.

You can also go to Home -> Apps and search for the App you need, click on it and at the bottom of the screen you will see IP Logs, and Domain Logs.

Once you click on the log of the app in question, you'll be given 3 drop down options. If you set an app to Bypass DNS and Firewall settings, you will see that in the first dropdown box.

The next drop down is Block,trust this IP for this app where you can set a rule to Block or Trust.

Resources