Wiki Documentation DnsCrypt & VPN using Root POSSIBLE
I wish to offer a recommendation for an additional heading in the Wiki documentation: https://github.com/Gedsh/InviZible/wiki/Using-InviZible-alongside-with-VPN
It is conveniently possible to configure InviZible to run DnsCrypt through a VPN in Root Mode using a proxy server app to link the two together.
I so enthusiastically stumbled upon InviZible (r4sas & Gedsh posted on a dnscrypt-proxy thread - thank you so much!!). I am setting up a download and sharing server on an old Android device, and require a VPN; and I also wish to have a custom DNS solution in tandem. InviZible offers a convenient solution (much more convenient than anything else I have found) - - - > and the procedure has yet to be documented!!
Following is a draft start for additional instructions
Using InviZible alongside with VPN
For InviZible in Root mode (DNS tunneled through VPN)
InviZible may be configured in such a manner so as to direct DnsCrypt traffic through your preferred VPN app. As a bonus, devices on your LAN will additionally be able to access this VPN + DnsCrypt service. To do so, you will need:
- [ ] a VPN app such as WireGuard, OpenVPN, or a specific VPN vendor App, with firewall functionality**;
- [ ] a proxy app, such as Every Proxy, which enables your VPN connection to be shared internally via http, https, socks4, socks5 (and additionally externally to other connected devices on your LAN)***;
- [ ] the glorious InviZible App.
** there will be some conflicts between the VPN App firewall and the InviZible App firewall - you must work through these, with recommendations provided here (some trial and error may be pursuant)
*** Every Proxy (as of 15.2.3) works with Android 7.0+ (Nougat); version 8.1 works with Android 6.0 (Marshmallow), and is available online - search for it
Configuring the Apps to cooperate towards the common task
VPN App
In the VPN App detailed firewall rules, exclude (disable/bypass) the InviZible Pro App - such that it is not interfered with by the VPN App. Secondly, include (select) the proxy App, such that it is routed via the VPN App. Additionally include (select) all other system and otherwise apps which you wish to have access to the VPN App, and exclude (disable) all apps which you intend to access the internet directly.
Proxy App
Turn on (enable) the SOCKS server and configure it with a custom port number (a non default port, so that it doesn't interfere with any other system or network process). As indicated above, make sure that the Proxy App has access to your VPN App via the VPN App firewall rules.
At this stage, devices on your LAN should be able to access this VPN by directing browser (and other application / system wide) traffic to the IP address and port number of your device via the established SOCKS server, using the default VPN service DNS configuration. Next, the InviZible DnsCrypt functionality needs to be routed through this newly established SOCKS proxy, using (as was originally intended) its external Tor proxy connection option.
InviZible App
In the InviZible settings DnsCrypt menu:
- enable 'Force TCP' (Always use TCP to connect to upstream servers)****
- enable 'Outbound proxy' (SOCKS proxy)
- specify the correct custom 'Proxy port' number (as you established in the proxy App) to route all TCP connections to a local Tor inbound Socks5 proxy (Tor doesn't support UDP, so set Force TCP to true as well);
**** if you don't force TCP then some InviZible DnsCrypt traffic will bypass your VPN and enter the internet directly (the king will exit the castle)
And also while you're at it:
- select 'Ignore System DNS'
- unselect 'HTTP3' (as this uses UDP);
And lastly:
- in the separate Fast Settings menu, consider selecting 'Prevent DNS leaks' (if you wish to).
Now, in the separate Firewall menu, enable the firewall and start with the following recommended configuration (hopefully not causing too much of a headache):
- Your VPN App should have access to Wifi
- Your proxy App should have access to LAN + VPN +(Wifi)*****
- Your browser App may have access to VPN and/or (Wifi)*****
***** when both Wifi and VPN are selected, then the VPN has priority of connection and the Wifi is a fallback; should you wish to implement a MacGyver kill switch to dissuade the naked king from walking out the castle, then make sure Wifi is NOT selected for the proxy App, and so when your excellencies' VPN guardsman is out on break, the sole gate in your highnesses' castle is out of service and out of touch!
Hopefully a little humor isn't unbecoming. The above configuration seems to work on a device running Android Marshmallow 6.0 as determined using trial and error. Try it for yourself and let me know! Automatic App startup on boot to enable this configuration seems to work, although there may be leaks in the process.
A browser on a separate computer connecting to my device via SOCKS proxy is successfully connected to DnsCrypt and the VPN as confirmed by websites testing for ip address location and DNS leaks. Same holds true for the browser on my device, and associated apps.
I am not by any means qualified in matters pertaining to computers. Pursue the above at your own discretion.
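An added example, not part of the original post and not InviZible's own code: a small checker for the leak conditions the guide names (no SOCKS outbound proxy, Force TCP off, HTTP3 on, system DNS not ignored). It assumes the DnsCrypt menu options correspond to the upstream dnscrypt-proxy.toml keys `proxy`, `force_tcp`, `http3` and `ignore_system_dns`; the sample configs and port 1081 are constructed.

```python
import re

# Constructed samples. Port 1081 is a made-up stand-in for the custom SOCKS
# port chosen in the proxy app; key names are assumed to be dnscrypt-proxy.toml's.
GUIDE_CONFIG = """
force_tcp = true
proxy = 'socks5://127.0.0.1:1081'
http3 = false
ignore_system_dns = true
"""
LEAKY_CONFIG = """
force_tcp = false   # UDP queries cannot use the SOCKS proxy
proxy = 'socks5://127.0.0.1:1081'
http3 = true
"""

def parse_top_level(text):
    """Minimal reader for top-level `key = value` lines (not a full TOML parser)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # first table header ends the top level
            break
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(\S.*)$", line)
        if not m:
            continue                      # blank line or comment
        key, raw = m.groups()
        if raw[0] in "'\"":               # quoted string: keep text between the quotes
            settings[key] = raw[1:].split(raw[0], 1)[0]
        else:                             # bare value: drop trailing comment
            raw = raw.split("#", 1)[0].strip()
            settings[key] = {"true": True, "false": False}.get(raw, raw)
    return settings

def vpn_bypass_findings(text, socks_port):
    """Return the settings that would let DNS traffic skip the SOCKS proxy."""
    cfg, findings = parse_top_level(text), []
    m = re.fullmatch(r"socks5://(127\.0\.0\.1|localhost):(\d+)", str(cfg.get("proxy", "")))
    if not m or int(m.group(2)) != socks_port:
        findings.append("proxy")              # no local SOCKS5 proxy, or wrong port
    if cfg.get("force_tcp") is not True:
        findings.append("force_tcp")          # UDP queries are not proxied
    if cfg.get("http3") is True:
        findings.append("http3")              # HTTP/3 runs over UDP
    if cfg.get("ignore_system_dns") is not True:
        findings.append("ignore_system_dns")  # initial lookups may use system DNS
    return findings

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(name, vpn_bypass_findings(text, 1081) or "no bypass settings found")
```

A clean result only covers the DnsCrypt settings; the per-app VPN and firewall rules from the guide still decide whether the proxy app itself can reach the network outside the VPN.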
Thanks for your guide and kind words! But it's too complicated for the average user. I have no idea how this guide could be transformed so that it would be understandable for the majority of users. InviZible has a very wide range of capabilities, and the most advanced of them are not documented because an expert wouldn't need it and it's useless for the average user.
I'm more or less an average user. Lots of people use VPNs, and it's not such an ambitious thing to attempt to use DnsCrypt through the VPN (at least the concept). I spent so much time searching the internet attempting to find a solution for this, without any guidance. Perhaps you may place a link somewhere to this (if that helps to index it). It's through sheer luck and persistent search and trial and error that this solution came together for me. Thank you so much for your hard work developing and maintaining this app!
I suspect that there's growing opportunity for repurposing of old Android devices. Your app offers much in terms of potential, as a home portal of sorts for LAN devices to access DNS, VPN, TOR, I2P via a straightforward local proxy (without having to install all that software on each device - as browsers and operating systems have built in ability to access internet via socks and http(s) proxy - - > which is easy for the average user to use). In theory it's also easy for an average user to purchase a USB to ethernet adapter for their unused phone, install this app, configure it as per a guide, and connect it to their router.
Perhaps a basic home router could be instructed to aim its DNS inquiries back to an Android device running DnsCrypt on the local LAN, in order to pass around DnsCrypt functionality to all devices accessing the internet via that router, without having to purchase and configure a custom router and special router software. I have yet to look into this, however it seems that your app may offer some potential here, or could be expanded to enable this functionality. I am doing my best to search for solutions.
I'd love it if someone else were to figure this out and write down the solution for me to follow :)