When using NetGuard firewall app, I can't access any Internet at all

DnniRY

I have smart light bulbs that connect via WiFi (not Bluetooth). I have to use this app called "Wiz Connected" to control them. It needs local network access.

However, I don't see any reason why this app should need to connect to the Cloud (public Internet). As I understand, GrapheneOS does not allow me to allow local network access (local IP addresses) but block public Internet access.

But I think that Netguard has this functionality (it has the options for it), so I installed it via F-Droid. It sets up a VPN.

The problem that I have is that when I have Netguard installed and set as VPN, I cannot access any Internet whatsoever, regardless of how I configure Netguard (the first thing I tried was to whitelist everything but explicitly deny the light bulb app; then later I tried to allow everything through, to no avail). For example, when I navigate to google.com in the browser, I get an error about being unable to find the IP address for google.com. But I never blocked anything besides the light bulb app. Everything goes back to normal when I "forget" the VPN in the system settings and disable the Netguard app.

I first tried it with the network permission for Netguard denied. I wasn't sure if VPN-type firewall requires network permission since the filtering works locally on the phone. Then I also tried it with the permission allowed. So I tried it both ways. (I also gave Netguard unrestricted battery usage, as advised by the app.)

I don't understand why it doesn't work. If GrapheneOS supports VPN, then it should work in theory? It is baffling.

Has anyone else been able to get NetGuard working? Or another VPN-type firewall app? Or is there another solution for "allow local network access but block public Internet access" for an app?

GrapheneOS

DnniRY NetGuard doesn't support Android's leak blocking so it can't be used without having leaks. It's a NetGuard issue and isn't GrapheneOS specific. They document the limitation.

RethinkDNS is compatible with leak blocking and all around better, although it's still far from perfect. RethinkDNS supports using a WireGuard VPN or multiple chained WireGuard VPNs instead of having to choose between the filtering or a VPN. NetGuard tries to support forwarding via SOCKS but it's problematic since it lacks authentication for where it's forwarding and not much supports it in practice.

Onlyfun

DnniRY i got netguard working as expected, as well as rethink dns. for use case you described you need to turn on subnet routing in netguard settings network. and i think GrapheneOS is right about the leaks with netguard, lan devices are reachable even with block connections without vpn on.

regarding offline smart light, checkout pautix. i haven't seen them sell bulbs,but they sell bad ass led strips, with a controller that works with app banlanx(aurora store), allows offline operation via bluetooth. and maybe via wifi, not sure currently trying to setup.

https://www.amazon.com/gp/aw/d/B0D7ZTYTFH?psc=1&ref=ppx_pop_mob_b_asin_title

DnniRY

GrapheneOS

Thanks for the explanation. It ended up being a moot issue because the Wiz Connected doesn't work without public Internet for some reason (I had temporarily blocked it on my router, which rendered the app non-functional). But I'll keep RethinkDNS in mind in case I need that functionality in the future for another app.

Count123

GrapheneOS

I use Netguard 2.332 (F-Droid version) on GOS in the owner profile and in the private space. In both cases "block connections without vpn" is active. I am experiencing no issues. According to this thread my netguard/vpn settings should block all internet traffic. Could you please help me to understand this?

DeletedUser87

DnniRY it's not "some reason". From the search results:

Smart lighting set up on your Wi-Fi network. Our plug-and-play WiZ lights connect to the cloud to provide the best ambience to see, read and live.

I'm afraid you bought cloud controlled lights. It may be possible to have an offline solution via HomeAssistant (would need some research on that), but I generally recommend researching smart home gadgets before buying. Everything in my home can be used offline.

DnniRY

DeletedUser87

Actually the reason I bought them (Phillips wiz lights) is because I learned from the Internet that you can control them from a Linux computer over local network by sending UDP packets. For example, you can type:

echo '{"id":1,"method":"setPilot","params":{"temp":3100,"dimming":100}}' | nc -u -w 1 LOCAL_IP_ADDR_OF_YOUR_LIGHT 38899 | jq

to set the color temp. to 3100 and the brightness to 100%. You can do this after un-installing the app and blocking the bulbs from the Internet using your router. I plan to make some bash scripts to control them.

However, it is true that in order to get the lights into your local network, you have to use the proprietary app. At least, I was never able to find a FOSS solution for the initial setup, which is too bad.

DeletedUser87

DnniRY that would be (don't know about UDP packets) possible for Hue as well. I run my whole lighting via Hue Bridge, internet access cut off. Integrates beautifully in Home Assistant and doesn't need anything special to be controlled via the GNOME extension "Hue Lights". It would only need an active account if you wanted to control it via their own app.