Netguard porting for SFOS, proposal and opportunity


Sailfish OS is oriented towards privacy but there is not a way to block and inspect the data traffic as supposed a GNU/Linux system is capable to do. In fact, the interest in the topic exists and some people also tried to workaround to this lack.


NetGuard seems an appropriate solution and with its pro version is also capable of advanced features like configurable firewalling and traffic inspection plus it does this task without the need of being root, in Android.

It does not work on Sailfish OS but its code is public and maintained because the last commit is 2 days old, in the moment I am writing.

Usability, capabilities and source code are three requirement not easy to find togheter and for this reason I got interested in this Android app.

This app is very good rated by users with more than 5 million downloads.

Finally, it is immediately available also on a market supported by Sailfish OS, even if this is market is not presented in the Jolla Market.


My proposal is to make a port for Sailfish OS. Unfortunately, I am a total newbie about Android system and therefore it is out my knowledge to establish the difficult of this aim. A quick investigation brings me to consider it a challenging task and this will clearly explain why no one have tried before.

The main reason because NetGuard cannot work with Sailfish OS is about the interaction with the system which is expect to happen trought the Android Framework and its libraries. Instead, Sailfish OS would use iptables which by itself it is not aware about Android applications.

A quick look at its code:

Confirmed me that NetGuard is not just a GUI on top of a network appliance like iptables but the graphic user interface and the business logic are fused togheter in such a way separate them to let the GUI working on two different platforms is not a viable approach.


Considering the main feature of allowing and denying the internet connection to the Android apps, this can be achieved creating a local VPN - technically speaking two different VPNs: one for the WLAN and another one for the mobile networking - and discerning those app that can see the VPN as default route from those are forbiden to make traffic on it. Iptable and tcpdump will complete the almost all the others features or even better than that.

The main problem could be for the native layer to deal with Android apps because there is Alien Dalvik in the between of them. Moreover, Alien Dalvik is an indipendent project / software respect SFOS and for this reason we cannot suppose that some peculiar features will remain stable for a long time.

Also this approach does not seem viable under my point of view which is biased by a specific ignorance about Android and Alien Dalvik internal functioning.


The main question remains: how much GApps and Alien Dalvik can simulate an Android system in front of an app like NetGuard? Enough to fulfil the basic features, almost all the feature and does not crash / freeze for those are left behind?

The GApps ARM64 super is about 1Gb compressed by zip. The burden in term of foot print is quite important. On the other hand, GApps would allow many many other Andorid apps to work smoothly. Therefore, I have considered the aroma flavour (about 1.4Gb zip compressed) because it offer also a GUI to deal with Android apps.


GApps is not easy to install on Sailfish OS but it seems a much more viable approach for porting NetGuard on SFOS than others. Benefits of a stable and reliable GApps deployment on SFOS will be much greater than simply make the NetGuard available on SFOS smartphones.

The main question at this point changes and became: which obstacles and shortcomings have prevented GApps to find its way into Sailfish OS?


I’ve wanted netguard for a long time. There is a linux tool I keep wondering about trying to get running called opensnitch, it more or less is the same thing, but for linux.

i figure if we can get the backend of that running we can then just build a native GUI for it.

Just thought I’d mention how I’ve been thinking about it.

native apps could be denied internet via firejail profiles they already have.

for android apps we need a homegrown solution

1 Like

One of the things netguard on android allows is denying based on if it’s running on mobile data vs wifi. This is something I often use for downloading offline maps, podcasts, etc. where I don’t won’t to accidentally use my mobile data.

Firejail doesn’t have fine grain control which would allow for that, it also isn’t easy to toggle internet on and off for apps which need it occasionally but not usually.

1 Like

Possibly, SailJail has fixed such lack of granularity.

Please, let us know about.