Blokada Cloud combined with Blokada 5

Hello,

I installed Blokada Cloud and it is working very well and fast in terms of blocking ads.
But what about the security when using bank apps and so on?
I always used Blokada 5 with the + account.
Is it best to use Blokada Cloud in combination with the Blokada 5 app with all blocking lists disabled?

My device: Poco F2 Pro, Android 11

Thanks for trying out Blokada Cloud already. Happy to hear it works for you.

Thanks for those questions, I’ll be updating the guide based on those.

  1. Security: Blokada Cloud is an encrypted DNS service, and it is not a VPN. It means that:
  • it’s more secure than using default DNS servers (in most cases), since those are usually unencrypted
  • it’s not a VPN, so it does not encrypt the entirety of your traffic, but only the DNS requests. This means it does not really affect your overall security either way.
  • It does not have any possibility to get access to your data, except the names of domains your device connects to. And as described in our privacy policy, this data is not stored at all (unless you activate the monitoring feature, in which case it is stored for the period of time you chose - currently only 24 hours is possible).

In theory, it could be seen as safer for the end user than the original Blokada app, as it does not establish any fake VPN on your device - and it means it has no possibility to access any of your data, outside of the DNS requests. In practice, this is also true for the Blokada app, since the way it establishes a fake VPN on the device allows access only to DNS requests (this can be confirmed in the source code).

  2. You don’t have to have the Blokada 5 app running on the device where you have configured Blokada Cloud. The features are equivalent to some extent, and not running the app will save you battery life.

You still need Blokada 5 app if:

  • You need the VPN (real VPN, i.e., to change your location and / or encrypt all your traffic for additional security). In this case, Blokada Cloud will cooperate “in the background”. However, you will not see the activity log in the app (only in the dashboard at app.blokada.org).
  • You need to have special configurations for some specific networks (like work WiFi, etc). This is not possible yet in Blokada Cloud.

In general, I recommend using either Blokada 5 or Blokada Cloud, and not trying to combine them both. If you need the real VPN, you may use the two, but it may get confusing quickly, and we are working on the new app that’s going to make it easier.

I hope it clears up your questions a bit.

5 Likes
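The answer above says an encrypted DNS resolver learns only the names of the domains a device looks up. As an added example (not part of the original post and not Blokada code), this builds a DNS query, frames it the way DNS over TLS carries it inside the TLS stream, and parses it from the resolver's side to list every field the message contains. The function names and the domain `bank.example` are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard DNS query (RFC 1035) for `name`; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN

def dot_frame(msg):
    """DNS over TLS (RFC 7858) prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def resolver_view(frame):
    """Parse a decrypted DoT frame as the resolver would and return all it holds."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            n = msg[pos]
            pos += 1
            if n == 0:
                break
            if n > 63:
                raise ValueError("compression pointer not expected in a query")
            labels.append(msg[pos:pos + n].decode("ascii"))
            pos += n
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append({"name": ".".join(labels), "type": qtype})
    # unparsed_bytes == 0 means the message carried nothing besides the question(s)
    return {"questions": questions, "unparsed_bytes": len(msg) - pos}

if __name__ == "__main__":
    # Constructed sample: the lookup a banking app might trigger.
    print(resolver_view(dot_frame(build_query("bank.example"))))
```

The request body, URL path and credentials of the later HTTPS connection never appear in this message; they travel in a separate connection to the bank's own server.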

Ok, thanks very much for the clear answer.

I will keep on using the app in combination with Blokada Cloud for a while and see how it works out.
For me it is important that when using bank apps and other financial apps, the traffic is fully encrypted.
(especially when using a mobile network or public wifi)
I will disable all the blocklists in the app and let Blokada Cloud do the adblocking.

The perfect scenario would be the integration of Blokada Cloud in the Blokada 5 app, where the vpn would be automatically activated depending on which app is being opened :slight_smile:

1 Like

Yep, I will be working on the combination app as soon as we confirm that the Cloud approach is the better one for the users. Thanks for the useful feedback!

1 Like

Thanks for all the hard work :+1:

3 Likes

Thanks for the great work.

I tested the vpn with Blokada 5.17 beta and Blokada Cloud on Android 11, phone Blloc Zero18:

  1. Blokada 5.17 beta for Android with vpn enabled, and
    it seems that Blokada+ no longer blocks the internet connection when wifi reconnects after a disconnection.

  2. Blokada 5.17 beta app with vpn enabled and all the blocklists disabled while also having the Blokada Cloud set up.
    This approach worked and the performance seems improved (but I have not yet tested the battery usage overhead),
    moreover in the app I can change the vpn location on the fly directly from the app (this can be useful in case
    of vpn server not working), I can add apps that need to bypass the vpn and
    also I can select the DoH DNS Servers (but it seems that Blokada Cloud makes this selection useless).

  3. The Wireguard app with Blokada vpn profile (generated using Blokada Dashboard), without explicitly specifying
    the private dns of Blokada Cloud.
    Also in this case the performance seems improved.
    Although this approach is recommended, I cannot change vpn location on the fly directly from Wireguard,
    this can be annoying in the case of a non-working vpn host when I need to use a different vpn host.
    But the main problem with this approach is that it is not clear how to specify apps that need
    to bypass the vpn.

So for now I think the most practical and efficient approach on my phone is the number 2 (although I can easily switch to Wireguard vpn):
Blokada 5.17 beta app with vpn enabled and all the blocklists disabled while also having the Blokada Cloud set up.

Using Blokada Dashboard I also generated a new Blokada vpn profile for my MacOS on MacBook Pro for Wireguard app,
assuming the previous profile was not based on Blokada Cloud DNS.

I also noticed that using Wireguard the names of devices are not listed in the activity log of Blokada Cloud.

Thank you

4 Likes

After writing the previous email,
I tried on my phone to switch from “Wireguard with Blokada vpn profile” to “Blokada 5.17 beta app with vpn enabled and all the blocklists disabled while also having the Blokada Cloud set up”.
I thought it was enough to swap vpn from Wireguard to Blokada
and then enable the private dns of Blokada Cloud.
So I had the following problems:
the private dns of Blokada Cloud was not working anymore,
and even using the automatic dns, Blokada 5.17 beta app with vpn enabled now blocks all connections.
Thus I uninstalled Blokada 5.17 beta app,
and decided to use the very efficient approach
based on “Wireguard with Blokada vpn profile”.
Obviously I have to explicitly disable the vpn every time an application requires it (because there is not a list of apps to bypass).

Thanks for the testing and feedback!
This sort of thing is exactly what we’re looking for when we’re in beta.

This is definitely the more powerful way to use Blokada, but also a bit “weird” since Blokada 5 has no knowledge of the Blokada Cloud yet.

There will be native app support that hooks into Blokada Cloud while still having the ability to change your VPN location. We just wanted to launch a beta as quickly as possible on the web to make sure the basic feature (blocking ads) is working as expected.

On Android and iOS you will eventually still have this possibility directly in a native app as mentioned above (while also displaying blocklists and activity in the app directly).
As a workaround if you have fewer than 5 devices, you can simply generate config files for multiple locations that you download on the same device. This way you can connect to a different configuration when you want to change the location.

Even without WireGuard, you can now also install the Apple DNS profile directly from the dashboard. It should be a bit better user experience than on Android since you don’t have to manually copy and paste into the right place. Also DoH should in theory be a little bit faster than DoT due to how HTTP/2 works. By installing this Apple specific profile you will make sure to use Blokada Cloud also when WireGuard is turned off.

This is a known limitation currently, it’s absolutely possible to make this mapping in the future and we have it on the list of things to improve :slight_smile:

2 Likes

Thank you for your reply.

After uninstalling Blokada 5.17 beta from my phone (Android 11, phone Blloc Zero18)
because of the problems described in my previous email,
I resumed the tests,
using the following links to check the dns:
Ad Blocker Test
https://ipleak.net
https://dnsleaktest.com
and the following app to check the internet connection speed:
speedtest:

  • I deactivated the Wireguard vpn and
    updated the network configuration with the private dns of Blokada Cloud:
    it worked (I checked for proper operation using the links above).

  • I reactivated the Wireguard vpn,
    without changing the network configuration, i.e., continuing to use the network configuration
    with the private dns of Blokada Cloud:
    it worked (I checked for proper operation using the links above).

  • I deactivated the Wireguard vpn,
    then, without changing the network configuration, i.e., continuing to use the network configuration with the private dns of Blokada Cloud,
    I reinstalled Blokada 5.17 beta, disabled all the blocklists in the app and generated and activated the Blokada app vpn.
    After a “failed connection error through private dns”, I have deactivated and reactivated the vpn of Blokada app and the connection has been activated.
    Now I have two vpn: one for Wireguard and one for Blokada app, with Blokada Cloud explicitly configured with private dns.

    So I was able to switch from Wireguard to Blokada app without any problems,
    simply by deactivating the vpn of one app and reactivating that of the other.
    Each time I checked for proper operation using the links above and the connection speed.
    I noticed that the connection with Wireguard was about 4 times higher than with the Blokada app.
    Moreover, with both apps, the internet connection no longer hangs when the wifi reconnects after a disconnection (at least for now).

Finally, as you suggested, I installed on MacOS 10.14.6 the Apple DNS profile of Blokada Cloud generated with the dashboard.
It works both with Wireguard enabled and disabled.

About MacOS 10.14.6, after generating with the dashboard the Wireguard profile based on Blokada Cloud and installing it on MacOS 10.14.6, it seems that the connection to internet is definitely faster
(but I have not done specific tests to verify this).
This has been confirmed after the installation of the Apple DNS profile of Blokada Cloud generated with the dashboard.

2 Likes

I noticed that if I generate a profile for Wireguard using (updating) the same vpn device listed in the dashboard
and already used for Blokada app,
then I can no longer use Blokada app with the same profile listed in the vpn device.
Although both Wireguard and Blokada are used in the same phone.
This I think is the reason for the problems I had when I tried to reuse Blokada app with vpn,
after updating the same device already listed in the dashboard
to generate the profile for Wireguard.

I noticed this because after reinstalling Blokada and restoring the account
(as described in my email of 27 September),
I ended up with two identical vpn device names listed in the dashboard both for the same phone:
one for Wireguard and the other for Blokada app.
I removed one and then Wireguard no longer worked.
I regenerated a vpn profile for Wireguard using a new vpn device in the dashboard,
and now both the apps Wireguard and Blokada work,
but I used two “vpn device” configurations for the same device (phone).

1 Like

Sounds like this test was positive overall :slight_smile: thanks.

This is a known limitation, the web interface can’t “update” an existing device. It can only replace it.
Even though the name might be the same, the config itself (and the key used for wireguard) is different.

Whenever you update/replace a device that is listed via the web interface, any existing connection for this device will be dropped.
Reconnecting the Blokada app should create a new device entry automatically, but for the WireGuard app you would need to import the new config file.

2 Likes

I just found out that it is possible to exclude/include apps from WireGuard’s vpn on android.
In the window to edit the configuration of a vpn, just click on the “all applications” button,
which is shown in one of the screenshots on the WireGuard page in the Google store.
I have successfully tested this WireGuard feature with a Blokada-Cloud-based vpn profile.

2 Likes
