Enforce internet access through Tor

Block unwanted internet access system-wide, and force other traffic through Tor. Of course, one can add exceptions to allow specific applications to access the internet directly.

Previously I achieved this through Orwall, but that is no longer maintained and has several open bugs that need awkward manual workarounds. The following approach seems to work better for me, pending clarification of this issue.

Android 8.1

AFWall+

  • Preferences > Rules/Connectivity > LAN control [check]

  • Preferences > Rules/Connectivity > VPN control [check]

  • Mode: Allow selected

  • Application rules (Y = allowed on that interface, . = blocked):

    LAN  WiFi  Data  VPN  Application                                Reason why it shouldn't go through Tor
    .    .     .     Y    Any app
    Y    Y     Y     Y    Orbot                                      Of course Orbot itself can't go through Tor
    Y    Y     Y     Y    (any other apps you want to bypass Tor)
    .    .     Y     Y    (root)                                     Mobile internet, needed before Orbot can even access the internet
    .    .     Y     Y    Phone Services, (..)                       Mobile internet, needed before Orbot can even access the internet
    .    Y     Y     Y    (gps)                                      AGPS, Orbot can't intercept this
    .    Y     Y     Y    (ntp)                                      AGPS, Orbot can't intercept this
    Y    Y     Y     Y    (tethering)                                Tethering, Orbot can't intercept this
    Y    .     .     Y    VLC                                        Chromecast, don't want to put this through Tor

Orbot

  • Menu > Apps VPN mode [toggle on]
  • Apps > select the apps you want to force through Tor, which should at the very least include:
    • microG Services Core
    • Mozilla UnifiedNlp Backend
    • Mozilla Stumbler
    • Nominatim Geocoder Backend
    • GSM Location Service
    • SatStat
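As an added example (not part of the original write-up), a small Python model of the two layers above that checks an AFWall+ table against Orbot's app list for apps that keep a direct, non-Tor path. It assumes AFWall+ "Allow selected" lets an app use an interface only where its column is Y, that an unlisted app gets the "Any app" row, and that an app selected in Orbot which AFWall+ also allows on LAN/WiFi/Data would fall back to that interface whenever the Orbot VPN is down; the table rows and app names are taken from this page.

```python
# Added example: model of the AFWall+ (interface allow-list) + Orbot (per-app VPN)
# policy described above. Assumption: 'Y' allows an interface, '.' denies it, and
# an app not listed in AFWall+ falls under the "Any app" row.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    lan: bool
    wifi: bool
    data: bool
    vpn: bool

    @property
    def direct(self) -> bool:
        """True if any non-VPN interface is allowed, i.e. a path around Tor exists."""
        return self.lan or self.wifi or self.data


def parse_rules(table: str) -> dict[str, Rule]:
    """Parse rows like 'Y . . Y VLC' (the AFWall+ table on this page) into {app: Rule}."""
    rules = {}
    for line in table.strip().splitlines():
        lan, wifi, data, vpn, app = line.split(None, 4)
        rules[app.strip()] = Rule(*(c == "Y" for c in (lan, wifi, data, vpn)))
    return rules


def classify(app: str, rules: dict[str, Rule], tor_apps: set[str]) -> str:
    """'direct' = can bypass Tor, 'tor' = VPN-only and carried by Orbot, 'blocked' = no path at all."""
    rule = rules.get(app, rules["Any app"])
    if rule.direct:
        return "direct"
    return "tor" if rule.vpn and app in tor_apps else "blocked"


def tor_fallback_leaks(rules: dict[str, Rule], tor_apps: set[str]) -> list[str]:
    """Apps selected in Orbot that AFWall+ also lets out directly: if the Orbot VPN
    drops, their traffic leaves in the clear instead of failing closed."""
    return sorted(a for a in tor_apps if rules.get(a, rules["Any app"]).direct)


# Constructed sample: a subset of the AFWall+ rows and Orbot app list from this page.
AFWALL_TABLE = """
. . . Y Any app
Y Y Y Y Orbot
. . Y Y (root)
. Y Y Y (gps)
. Y Y Y (ntp)
Y Y Y Y (tethering)
Y . . Y VLC
"""
ORBOT_APPS = {"microG Services Core", "Mozilla UnifiedNlp Backend", "SatStat"}
```

With the table as written on this page, every Orbot-selected app is VPN-only, so `tor_fallback_leaks` returns an empty list; giving one of those apps WiFi access in AFWall+ makes it show up as a fallback path.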