Rethink

A WireGuard client, an OpenSnitch-inspired firewall and network monitor + a pi-hole-inspired DNS over HTTPS, DNS over TLS, DNSCrypt client with blocklists.

In other words, Rethink DNS + Firewall + VPN has three primary modes, VPN, DNS, and Firewall. The VPN (proxifier) mode supports multiple WireGuard upstreams in a split-tunnel configuration. The DNS mode routes all DNS traffic generated by apps to any user-chosen DNS-over-HTTPS / DNS-over-TLS / DNSCrypt resolver, or to WireGuard-configured DNS in a split-tunnel configuration. The Firewall mode lets the user deny internet-access to entire applications based on events like screen-on / screen-off, app-foreground / app-background, unmetered-connection / metered-connection; or based on play-store defined categories like Social, Games, Utility, Productivity; or additionally, based on user-defined domain & IP denylists.

VPN / Proxifier Rethink supports forwarding TCP & UDP over SOCKS5, HTTP CONNECT, and WireGuard tunnels. Split-tunneling further helps run multiple such tunnels at the same time and lets users route different apps over different tunnels. For example, one could route Firefox over SOCKS5 connecting to Tor, Netflix over WireGuard connecting through any popular VPN provider, and Telegram or WhatsApp over censorship-resistant HTTP CONNECT endpoints at the same time.

Firewall The firewall doesn't really care about the connections per se rather what's making those connections. This is different from the traditional firewalls but in-line with Little Snitch, LuLu, Glasswire and others.

Currently, per-app connection mapping is implemented by capturing udp and tcp connections managed by firestack (written in golang) and asking ConnectivityService for the owner, an API available only on Android 10 or higher. procfs (/proc/net/tcp and /proc/net/udp) is read on-demand to track per-app connections like NetGuard or OpenSnitch do, on Android 9 and lower versions.

Network Monitor A network monitor is a per-app report-card of sorts on when connections were made, how many were made, and to where. Tracking UDP / TCP (and DNS on Android 12+) is straight-forward. DNS are trickier to track on Android 11 and below, and so a rough heuristic is used for now, which may not hold good in all cases.

DNS over HTTPS client Almost all of the network related code (firestack), including DNS over HTTPS split-tunnel, is a hard fork of Jigsaw-Code/outline-go-tun2socks written in golang. The UI is vastly different but borrows minimally from Jigsaw-Code/Intra. A split-tunnel traps requests sent to the VPN's DNS endpoint and relays it to a DNS-over-HTTPS / DNS-over-TLS / DNSCrypt / Oblivious DNS-over-HTTPS endpoint of the user's choosing, logging the end-to-end latency, time of request, the DNS request query itself, and its answer.

The Rethink DNS Resolver A malware and ad-blocking DNS over HTTPS resolver at https://sky.rethinkdns.com/rs (deployed to 300+ locations world-wide via Cloudflare Workers) is the default DNS endpoint on the app, though the user is free to change that. A configurable DNS resolver that lets users add or remove denylists and allowlists, add rewrites, analyse DNS requests is launching late 2026. Right now, a free-to-use DNS over HTTPS endpoint with custom blocklists can be setup here: rethinkdns.com/configure.

The resolver, sponsored by FLOSS/fund, is deployed to Fly.io at max.rethinkdns.com, and Deno Deploy at rdns.deno.dev too, apart from the default deployment on Cloudflare Workers. The resolver is open source software: serverless-dns.

The Rethink Proxy Network RPN is a multi-party relay, with connections hopping over serverless proxy (hosted on Cloudflare Workers) exiting through Windscribe. Users would be able to self-host the first hop or use the ones run by us. At launch in Dec 2025, this service would cost $3/month for unlimited bandwidth.

The proxy is open source software: serverless-proxy.