10 May 2025

GrapheneOS Network Privacy: DNS, VPN and Firewall Guide

GrapheneOS gives you powerful network privacy tools built in. Here's how to use all of them.

Maximising Network Privacy on GrapheneOS

GrapheneOS ships with more network privacy controls than any other mobile OS. Here's how to use all of them effectively.

Per-App Network Access

GrapheneOS allows you to revoke internet access from any app individually. This is one of its most powerful privacy features.

How to use it:

1. Settings → Apps → [App name] → Permissions

2. Toggle "Network" off for apps that don't need internet access

This is particularly useful for apps like offline games, note-taking apps, and utilities that have no legitimate reason to phone home. An app without network access cannot exfiltrate your data.

DNS over HTTPS (DoH)

Standard DNS queries are sent in plain text, visible to your ISP and anyone monitoring your network traffic. DNS over HTTPS encrypts these queries.

GrapheneOS has DoH built in. Go to Settings → Network & Internet → Private DNS → select "Private DNS provider hostname" and enter your preferred provider:

  • Mullvad: dns.mullvad.net (no logs, blocks trackers and ads)
  • NextDNS: your-id.dns.nextdns.io (customisable filtering)
  • Cloudflare: 1dot1dot1dot1.cloudflare-dns.com (fast, basic privacy)

We recommend Mullvad DNS for most users: it's no-logs, blocks advertising trackers at the DNS level, and is operated by a trusted privacy company.

VPN Setup

A VPN encrypts all traffic between your device and the VPN server, preventing ISP surveillance and protecting traffic on public Wi-Fi.

GrapheneOS handles VPNs properly: there are no VPN leaks, and the VPN connection is properly maintained in the background.

Recommended VPNs:

  • Mullvad: No-logs policy, regularly audited, accepts cash payments for maximum anonymity. The Mullvad VPN app is available on F-Droid.
  • ProtonVPN: Swiss-based, strong privacy policy, open source. Free tier available.

Enable always-on VPN:

Settings → Network & Internet → VPN → [your VPN] → Always-on VPN

This ensures all traffic routes through the VPN and no traffic escapes if the VPN disconnects.

MAC Address Randomisation

GrapheneOS enables MAC address randomisation per Wi-Fi network by default. This prevents Wi-Fi tracking, a technique used by retailers and public spaces to track device movement.

Verify this is enabled: Settings → Wi-Fi → [Network] → Privacy → Use randomised MAC

Sensor Access Control

GrapheneOS allows you to disable sensors (accelerometer, gyroscope, magnetometer) for all apps simultaneously.

Quick tile: Add "Sensors" to your quick settings panel. Tap to disable all sensors when not needed.

This prevents apps from using motion sensors for fingerprinting or tracking.

Combining Controls

The most effective network privacy setup combines all of the above:

  • Mullvad DNS for DNS privacy
  • Mullvad or ProtonVPN for traffic encryption
  • Per-app network access restrictions
  • MAC randomisation on all networks
  • Sensor access revoked when not needed

This combination eliminates the vast majority of network-level tracking vectors.
