Per-App Network and Tracker Firewall for Android That Doesn't Eat the Single VPN Slot

android app venture scale •• multiple requests

Privacy-conscious users want NetGuard-style per-app firewall behavior on Android but cannot use it because it monopolizes the OS-level VPN slot, which they need for actual VPN use (Mullvad, ProtonVPN, etc.). The demand is for a firewall that operates via a different mechanism — Shizuku ADB, eBPF on rooted devices, or always-on local socket policies — so users can run a VPN and a per-app firewall simultaneously. April 2026 has multiple HN/Reddit threads asking for exactly this.

builder note

Rethink DNS is your real competitor; the wedge is 'WireGuard + per-UID firewall in one slot, with on-device DNS rewriting that catches IP-direct traffic.' Don't try to be open source first — privacy-pro users will pay $30 once for this if it just works.

landscape (4 existing solutions)

The category is constrained by Android's single-VPN-slot architecture. Solving it cleanly requires either a Shizuku/ADB-driven UID firewall, a rooted eBPF approach, or a clever VPN-chaining trick — and no one ships a polished, paid version for normies.

NetGuard: Uses Android VPN service; can't run alongside another VPN, which is the whole point for privacy users.
TrackerControl: Same VPN-slot constraint; tracker-focused, not full firewall semantics.
AFWall+: Requires root; abandoned-ish maintenance and breaks on newer Android versions.
Rethink DNS + Firewall: Closest thing — combines DNS + firewall + WireGuard — but DNS-based blocking still misses IP-direct traffic and conflicts in some carrier IPsec scenarios.

sources (2)

hn https://news.ycombinator.com/item?id=41931035 "NetGuard – rootless Android outbound per-app OSS firewall, like LittleSnitch" 2026-04-21
other https://discuss.privacyguides.net/t/what-is-the-best-firewal... "What is the best firewall app for android (without losing my VPN)" 2026-04-12
privacy, firewall, android, vpn, shizuku