Android app whitelist/blacklist feature

Samuel Holland samuel at
Tue Jul 3 20:12:10 CEST 2018

On 07/02/18 21:31, Jason A. Donenfeld wrote:
> On Tue, Jul 3, 2018 at 4:27 AM Eric Kuck <eric at> wrote:
>> I was originally thinking the new fragment would be a per-tunnel thing
>> (set when you create the tunnel or edit it), but you’re right - making it
>> a general setting likely makes a whole lot more sense. I can’t think of
>> any use-cases for different tunnels handling different apps.
> It might actually make most sense to make it a per-tunnel thing. We'd then 
> have to introduce conf key called, "ExemptedApplications=" or something. 
> Samuel - any thoughts on this?

Right, trying to make it a global setting requires either some sort of
out-of-band way to pass the information to wg-quick, or rewriting the
configuration file every time the tunnel is brought up.

Since from netd's point of view, this is a per-network setting anyway, I agree
it makes sense to configure it per-tunnel. ExemptedApplications works as a
configuration key, though I prefer ExcludedApplications--the application isn't
just not required to use the tunnel, it's not allowed to use the tunnel.

In that case, here are my UI suggestions:
- Add a button in the editor that switches to a fragment or pops up a Dialog
similar to a MultiSelectListPreference.
- For consistency, checked means excluded -- everything defaults to unchecked.
- The package names of excluded apps are put in the
com.wireguard.config.Interface, and wg-quick handles package name to uid

How does that sound?


More information about the WireGuard mailing list