Preventing VPN leaks on Android

If you connect to the internet through a public WiFi hotspot, or at school or at work, the metadata and contents of your online communications can be intercepted and viewed (or altered) by the network operator or another malicious party on the network. If you connect from an Australian residential address or personal mobile device, the Australian Government will be storing your metadata from 13 Oct 2015. One of the ways to protect your privacy is to send all of your internet traffic through a Virtual Private Network.

TorGuard (not to be confused with Tor, which is unrelated) is one of many paid VPN service providers who claim to protect your privacy for a small fee. I don’t know if it’s the best option – it’s just the one I chose to use. You can find a list of other providers here: Which VPN Services Take Your Anonymity Seriously?

The first step is to sign up for a TorGuard VPN service (use voucher code TGLifetime50 to get half off a 1 year subscription) and then download the TorGuard app. Choose a country and enter your VPN username and password.


Status: Connected


Now verify that your internet traffic is going through the VPN by opening a browser and visiting IPLeak.


Unfortunately there is nothing stopping your apps from accessing the internet directly when your VPN is not connected. A lot of personal data can leak out when you join a new network but have not yet connected the VPN. You can stop these leaks by installing a firewall and configuring it to block access to the internet except through the VPN.

For this to work you will need root access on your Android device. If you don’t know what that means, or if you cannot root your device, you will not be able to use a firewall.

Download AFWall+ (also available from F-Droid). In the AFWall+ settings you will need to enable VPN Control.


The 4 columns of tick boxes in the next screenshot control which types of network each app is allowed to use:

  • Internet over WiFi
  • Internet over Cellular
  • Internet over Roaming Cellular
  • Internet over VPN


You must allow TorGuard to access the internet over WiFi and Cellular, otherwise you will not be able to connect to your VPN! I have allowed certain other apps to connect over WiFi and Cellular because I know they already use encryption and do not leak sensitive metadata (RedPhone, TextSecure, ChatSecure, K-9 Mail). For everything else, only tick the box to enable internet over VPN. Remember to enable the firewall when you are done. You can test this by attempting to load a web page while your VPN is disconnected – it should fail to load until after you connect to the VPN.
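The rule layout described above can be checked mechanically before you rely on it. The following is an added example, not part of the original post and not AFWall+ code: it models the four columns as a default-deny allow-list per app and reports any app that can still reach the network outside the tunnel. The rule table, the "Browser" and "Weather widget" entries and the function names are constructed for illustration.

```python
# Added example: models the four tick-box columns as a per-app allow-list
# and audits it for leak paths. The rule table below is constructed.
NETWORKS = ("wifi", "cellular", "roaming", "vpn")
DIRECT = ("wifi", "cellular", "roaming")  # paths that bypass the tunnel


def is_allowed(rules, app, network):
    """Default-deny: traffic passes only if the app's box for that network is ticked."""
    return network in rules.get(app, set())


def audit(rules, vpn_client, trusted_direct):
    """Return findings for a rule table.

    vpn_client     -- app that builds the tunnel; needs WiFi and Cellular
    trusted_direct -- apps deliberately allowed outside the tunnel
    """
    findings = []
    for net in ("wifi", "cellular"):
        if not is_allowed(rules, vpn_client, net):
            findings.append(f"{vpn_client}: blocked on {net}, tunnel cannot connect")
    for app in sorted(rules):
        for net in sorted(rules[app] - set(NETWORKS)):
            findings.append(f"{app}: unknown network type {net!r}")
        if app == vpn_client or app in trusted_direct:
            continue
        for net in DIRECT:
            if net in rules[app]:
                findings.append(f"{app}: allowed on {net}, traffic can bypass the VPN")
    return findings


# Constructed rule table mirroring the layout in the post.
RULES = {
    "TorGuard": {"wifi", "cellular"},
    "TextSecure": {"wifi", "cellular", "vpn"},
    "K-9 Mail": {"wifi", "cellular", "vpn"},
    "Browser": {"vpn"},
    "Weather widget": {"wifi", "vpn"},  # mistake: WiFi box left ticked
}
TRUSTED = {"TextSecure", "K-9 Mail"}

if __name__ == "__main__":
    for finding in audit(RULES, "TorGuard", TRUSTED):
        print(finding)
    # The manual test from the post: with the VPN down, only direct networks exist.
    print("Browser over WiFi with VPN down:", is_allowed(RULES, "Browser", "wifi"))
```

An app missing from the table is treated as fully blocked, which matches the goal of allowing nothing except through the VPN.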