Is this possible on any modern day phone or tablet? Selfhosting as made me very privacy-consciouss and am concerned about my iphone.
Yes. Firewalls.
With an iPhone, however, you are screwed. Apple won’t let you do what you are looking for.
VPN would still work for iPhone I imagine. Small whitelist of DNS would do 90%+ of the job.
Apple bypasses VPNs for certain system services, or at least has in the past
Also falls back to hardcoded IPs when DNS fails
I killed off ads in the News app by blocking
doh.apple.com. I find it kind of funny that it looks up its DoH server IP using the existing DNS server and that simply returning NXDOMAIN cuts it off.Not sure if they use it for much more than that though (doesn’t seem like it).
True, somewhat… but on the iPhone, many functions that seem like basic things are tied to Apple’s services and cannot easily replaced by selfhosted services. This phone would not work properly anymore.
other than texting and calling idk what else I would use that isnt selfhosted :)
In the other reply, you said something about GPS.
Well, location services aren’t really GPS anymore.
The phone looks at all of it’s radio environment (cell and WiFi and whatnot) and from that it calculates it’s location. GPS may help a little, too, but it’s not important.
It needs Apple’s own databases to do that: collections of all antennas in the world, and their known locations.
Texting uses http over the data channel for MMS.
You can enforce an always-on VPN (for at least ipsec) via an MDM profile. This kind of features isn’t found in the casual user setup options, but there’s plenty of knobs to tune in the enterprise profile configurator.
And yes, you can easily install that profile on your phone after.
Except, apple is bypassing VPN for their own tracking:
https://appleinsider.com/articles/22/10/12/most-apple-apps-on-ios-16-bypass-vpn-connections
https://www.reddit.com/r/apple/comments/yfhmfw/ios_161_allows_certain_apps_to_bypass_vpn/?rdt=60650
On all networks, or just when on your home network?
This is a good question. On your home network, that’s pretty easy. On other networks, setting up a VPN that tunnels to your network seems like it should work.
Oh true! What an obvious answer. I could run it to my home adguard via tailscale. What about gps though…
GPS is kind of a tossup since your cellular provider can just as easily triangulate your position with their towers, and there is no escaping that outside of putting your phone in a faraday cage.
Good point. Wish there was a way to have a device that could only access my selfhosted applications then totally block all other tracking. I did the vpn route just now. Thanks for that tip!
Cell tracking is external to the phone. It’s done by the towers - they know signal strength, and by using known tables of that data, cell providers know pretty accurately where your phone is.
To block this you’d need a device that lacks any cellular technology whatsoever. Wifi only.
And that has the same issues, especially with companies like Comcast/Xfiniti using their cable modems to track all the devices around them, even if you don’t connect to them.
If route all data through VPN and drop the unwanted packages in the firewall at home, you achieve this. But apple is a bitch and ignore VPN (and even DNS) for own domains.
I guess foreign wifi or data. I have a router with adguard at home and work.
Take a look at “Rethink: DNS + firewall + VPN”. It is available through FDroid
Guarantee? You’d have to open it up and disable the cellular radio. The OS can override any settings you make.
More than just the cellular radio.
https://www.theregister.com/2023/04/27/qualcomm_covert_operating_system_claim/
I think this was built into the SOC itself, or the GPS module, but it runs 100% independently of your OS, even on custom firmware.
Maybe I’m being stupid but a trivial way to ensure this is just don’t connect it to the Internet in any way. No SIM card. Cut it off from the Internet after setup, and only connect to a LAN with your chosen services all physically isolated from any internet machines.
Remove the SIM card to ensure it doesn’t communicate with a cellular carrier. Then go into the settings for your specific WiFi network, configure IP address manually, and remove the entry for “Router” to prevent it from talking to the Internet
One thing I want to bring up just so you’re conscious of it is WiFi calling.
I currently use Tailscale and a sophisticated setup to route traffic via commercial VPNs. I also do a ton of DNS ad/tracking blocking which Tailscale wasn’t really designed for (and requires a rat’s nest of routing,
iptablesand the like).I’ve noticed I never receive incoming calls now even while attempting to send traffic to my carrier’s WiFi calling server (it’s just another traditional VPN server at a technical level) through the nearest Tailscale exit node.
All this is to say, if you want WiFi calling to work you should consider this. I believe it’s the same for Android and iPhone.
As for the traditional VPN bit I kind of discovered this a few years ago when using one of those mobile cellular gateways you can plug into your LAN (I lived in a dead zone). When looking up my current carrier’s WiFi calling server (a different carrier) I realized the port matches the same VPN thing they were doing on the cellular gateway, so I think it’s fairly common for wireless carriers to just use a VPN to get you into their backend.
I have an iPhone and a gl.inet gl-e750 portable cell router, and my SIM card stays in the router. I don’t actually restrict my phone the way you’re talking about, but this gives me vpn to my home network without needing the vpn running on each client device. And if I wanted to block connections to big tech company services, I could do that.
deleted by creator
