Block Ads in Apps on Android

My setup does far more than just blocking ads, and works transparent as long as the client is connected through WireGuard (which works seamlessly over LTE and public WiFi).

That being said, I really like how Blokada and DNS66 are available in F-Droid [1] [2], and require minimal technical knowledge to set up. The more [ad blocking], the merrier.

As a backup measure I use Firefox with uBlock. The only machine I don't use uBlock is on Kali because I want to see the website exactly as it is being served.

[1] https://f-droid.org/packages/org.blokada.alarm/

[2] https://f-droid.org/en/packages/org.jak_linux.dns66/

I have a WireGuard VPN at home and experimented with always-on, on my Android phone. Unfortunately, my provider (EE, UK) throttles UDP traffic something rotten, and my normally great experience with 50/50Mb+ is severly limited to between 0 and 10 Mb making my phone almost unusable by normal standards.

Does your LTE provider not throttle this way, or have you found a way around this?

That being said, have you attempted to discuss the issue with them? Have you considered a non-default UDP port? Also, did you compare the usage with OpenVPN? I ran OpenVPN before, the roaming, network speed, and latency is quite terrible.

Interesting. I've not noticed performance issues beyond those expected due to signal quality when using work's VPN over a tethered phone using EE. That VPN is using OpenVPN with a UDP transport. Then again it doesn't get used for anything with high throughput so perhaps they only throttle when it looks like bulk transfers are happening or the effect of the throttle just isn't apparent for my interactive use-cases.

> or have you found a way around this?

If they are throttling UDP for your use case then you could try a TCP based VPN (OpenVPN supports this), though there are potential issues with layering TCP inside TCP particularly on high-latency connections so this is not usually recommended. Might be worth a try to compare/contrast though.

I have a play with mine both ways when I finally get round to adding it to my current phone (mainly to use the network level ad-blocker running at home) and see if I can see a measurable difference with each variant.

Could you explain this a little further - is the Pihole also running on the Synology? Or is secondary DNS the Synology?

Yes

> Or is secondary DNS the Synology?

To be precise,

In LAN, the Synology NAS is the primary DNS (running PiHole on Docker), and the router the secondary. This is to reduce the load on the router. They're both using Quad9's servers on port 853 and using DNSSEC.

In WAN, which is only possible via WireGuard, the router is also the primary and only DNS. This is because I don't think it makes sense to add redundancy and additional latency here. If I'd need additional redundancy here, I'd also need an additional endpoint.

All outgoing DNS traffic going to port 53 (such as Google's) gets not coming from the Synology NAS gets forwarded to the router. Which is very little in my use case.

Also, how has your experience with wire guard been? I've been using my vpn's default client on all my individual devices out of convenience but after looking at the wire guard website I can see the appeal.

My experience with WireGuard has been fantastic. The configuration is straightforward (way less complex than OpenVPN), wg-quick(8) is ace, the macOS and Android UIs work very well. The performance is great (both throughput and latency, even of the userspace ports). You only need very minimal, basic knowledge about networking and public key cryptography.

I got some minor complaints. For example the VPN is gone on Android when the app gets updated, and there's no official Windows client (though I don't use Windows right now). The EdgeOS port is sometimes out-of-date but its made by a 3rd party. And, compared to ZeroTier (where I was coming from) I miss out on a nice website configuration, but I get back a CLI one.

It starts to be really easy to setup all of this so that it just works.

I think the trick to bypass this kind of nonsense is to use port 443/1194/53 so QoS + firewall rules will still allow the VPN to pass through.

Haven't tested it yet, but in my experience non-default ports only make the problem worse. Most filtering/QoS services are pretty dumb and will just match source and destination ports; most firewalls will just plain ignore everything targeted at port 443 because the moment you start messing with HTTPS, you're in for a world of pain. Because WireGuard uses UDP, it's possible to listen on port 443 even if you're already hosting an HTTPS website. Sadly, you won't be able to use QUIC or HTTP3 if you do, but I don't think that's much of an issue these days.

Our solution is simple, we've got two SSIDs, one w/ PH, one without. They route to separate VLANs and each VLAN uses a different gateway+DHCP with pihole or standard DNS. Fixing a website that doesn't work is simple as hopping over on another SSID.

We're using UniFi gear for the wifi, they support 4 SSIDs(8 if you split 2.4/5Ghz) per access point and USG made it trivial to setup multiple gateways(now on pfSense but that's a whole nother discussion).

Should still be possible. Xs4all had port 80 set up so that if you'd SSH to it, you'd get connected to their shell while with a browser (the normal modus operandi) you'd end up on their website. It worked very well in some of the more oppressive regimes where traffic to port 22 was blocked.

I also don't serve HTTP(S) content on my home connection. I only host WireGuard, that's part of the point.

FWIW I've been running pihole for almost a year, aside from the issue with Burrow and some social media redirect links used to track(that I want to block) I've not had any other false positives.

On almost any machine you could have save for ios.

I haven't contacted EE about it or tested other VPNs yet. I want to run WireGuard for various reasons so switching to OpenVPN might confirm they issue but not solve my problems (I don't run the VPN for the reasons in the OP)

To copy and paste another reply I just made:

"I ran some tests with the guys in WireGuard IRC which seemed to confirm that the issue is specifically EE limiting UDP whether by QoS or otherwise."

I'll give OpenVPN a go over TCP once I have a chance to set it up and I might even consider contacting EE for info.

I would mind the fact that it limits my throughout to, at best 12Mb down, but when on WG it typically approaches 0 making my device unusable and I've already ruled out the rest of my network.

I've got nothing against browser blockers, I just prefer something that works in a unified way as a network policy.

For example, I don't think changing networks is a pain in the neck. It's just 3 clicks on my android phone or 2 on Windows 10. This is compared to 3 clicks to turn off a browser based ad blocker.

It takes 3 clicks to disable adblocking for a particular site once ever. Click icon at top of window, click disable, click reload. This takes aprox 2 seconds once ever for each site. If you regularly use 7 sites that are annoying in this fashion you have invested 14 seconds.

By contrast lets discuss switching networks one of which uses dns to filter out ads. If you use one of these 7 sites 3 times per week you will incur a 6 second cost not just to click but to actually authenticate and start receiving data from the new net. That is 468 times in 3 years. This means that while I spent 14 seconds you spent 47 minutes.

This is on top of the 60 minutes you spent figuring out the complex solution that only works on your local network buying hardware, configuring hardware.

On net you will ultimately invest over 400x the time for a worse solution.

Using a solution that relies on a custom vpn is stupid in that it prevents you from using an actual vpn to increase your privacy.

Using custom dns even if there is an easy escape hatch to disable/enable it relatively quickly is STILL a global solution which implicitly requires turning it on and off manually and incurring a small time cost per operation.

In conclusion addressing ads via dns/routers wherein you intend to view some content that requires selectively disabling said feature is a complex and grossly ineffective solution. To avoid ads in apps don't install apps with ads. Browser addons remain the obvious choice. If your mobile platform doesn't allow someone to release such software for your platform use a different mobile platform. Namely ditch IOS for this and other reasons.

Solve fewer non problems.

I've had one false positive across a year of using pi-hole, so this is a non-issue.

If you want to use an adblocker by all means go ahead, just don't go dumping all over everyone else because your usage doesn't line up with other people's.

[1] https://mox.turris.cz/en/overview/

Per browser/adblocker.

> If your mobile platform doesn't allow someone to release such software for your platform use a different mobile platform.

This isn't a feasible solution. Why not use DNS-based adblocking instead? It works for my Android TV...

If you run the server side of the VPN as well as the client, you can test that possibility by trying other known ports (1194 that OpenVPN usually lives on, 433 if that isn't already directed elsewhere on the target address, ...).

https://hacks.mozilla.org/2018/11/firefox-sync-privacy/