Most Android VPN tutorials skip straight to 'download the app and tap connect'. They don't mention that Android's VPN permission model is a security footgun, or that your 'encrypted' traffic might still leak DNS queries, or that the app you trust could be logging everything. I've watched indie developers deploy production infrastructure thinking their Android traffic was private, only to discover their VPN app was running in split-tunnel mode by accident.
Setting up a VPN on Android isn't hard. Setting it up correctly is harder than the guides admit.
Why Android VPN Setup Matters More Than You Think
Android doesn't have a native OS-level VPN like macOS or Windows. Instead, it offers a VPN permission that apps can request. This permission is broad — it lets an app intercept all network traffic — but it's also shallow. Android can't enforce that the app actually uses the VPN to route traffic. It just trusts the app.
That trust gap matters. A malicious or poorly-built VPN client can:
- Route some traffic outside the tunnel (split tunnelling gone wrong)
- Leak your real IP in WebRTC calls
- Cache DNS queries before encryption
- Persist logs to unencrypted storage
The second problem: Android's default DNS resolution. By default, your device asks your ISP's DNS resolver for every domain you visit — before the VPN tunnel is even established. The VPN app can override this, but only if it's configured to do so. Most users never check.
The Setup: System-Wide Tunnelling
I'm assuming you want your entire device traffic routed through the VPN. If you don't, stop here — split tunnelling is a separate conversation.
Step 1: Choose Your VPN Provider (or Build Your Own)
Don't pick a VPN based on marketing. Pick one based on:
- Protocol support: Does it support WireGuard, OpenVPN, or IKEv2? (Not proprietary nonsense.)
- Kill switch: Does the app block all traffic if the VPN drops?
- DNS handling: Can you force DNS through the VPN tunnel?
- Logging claims: Are they independently audited, or just making promises?
For indie developers and technical founders, I'd recommend either:
- Rolling your own with WireGuard on a VPS (DigitalOcean, Linode, Hetzner). This takes 20 minutes and costs £4–8/month.
- Using a privacy-focused provider like Mullvad or IVPN, which publish their apps open-source and don't require account creation.
Don't use free VPNs. They monetise your attention, which usually means selling your data to advertisers or tracking your behaviour.
Step 2: Install the VPN Client
For commercial providers, download the official app from Google Play. For WireGuard, use the official WireGuard app by Jason A. Donenfeld.
Once installed, the app will request the VPN permission. Android will show you a warning:
This app can monitor, modify, and intercept all network traffic
on your device, including encrypted traffic, such as usernames,
passwords, and the content of messages.
This is not a scare tactic. It's accurate. You're giving this app permission to see everything. If you don't trust it, don't install it.
Grant the permission.
Step 3: Configure DNS (Critical)
This is where most guides fail. After connecting to the VPN, open a terminal app (I use Termux) and run:
getprop net.dns1
getprop net.dns2
You should see your VPN provider's DNS servers (e.g., 10.8.0.1 for WireGuard, or 192.0.2.1 for Mullvad). If you see your ISP's resolver (e.g., 8.8.8.8 or your ISP's IP), your DNS is leaking.
To fix this in WireGuard:
- Open the WireGuard app.
- Long-press your connection, tap "Edit".
- Scroll to the "Interface" section.
- In the
Addressfield, add a line like:
DNS = 10.0.0.1, 10.0.0.2
(Replace with your VPN provider's DNS servers.)
- Save and reconnect.
For commercial apps (Mullvad, IVPN), this is usually a toggle in settings. Look for "Custom DNS" or "DNS Leak Protection".
Test again:
getprop net.dns1
Should now show the VPN's resolver.
Step 4: Enable Kill Switch
A kill switch blocks all traffic if the VPN connection drops. This prevents accidental leaks when your phone switches networks (WiFi to mobile, or between WiFi networks).
For WireGuard, the kill switch is built-in — if the tunnel is down, traffic doesn't flow. For commercial apps, look in settings for "Kill Switch" or "Block traffic when VPN is disconnected" and toggle it on.
Test it: disconnect from WiFi. Your device should lose internet connectivity until you reconnect to the VPN. If you stay connected to the internet, the kill switch isn't working.
Step 5: Verify No Leaks
Use a leak-detection tool to confirm your real IP and DNS aren't visible:
- Visit https://ipleak.net in your browser (while connected to the VPN).
- Check that your IP matches your VPN provider's IP range, not your ISP's.
- Check that all DNS servers listed are your VPN's, not your ISP's.
If you see your real IP or ISP's DNS, something is misconfigured. Go back to Step 3.
WireGuard vs. Commercial VPN Clients: The Trade-off
WireGuard is faster and simpler, but requires you to manage a server. Commercial clients are easier but less transparent. Here's how they stack up:
| Factor | WireGuard (Self-Hosted) | Mullvad / IVPN |
|---|---|---|
| Setup time | 20 minutes | 2 minutes |
| Monthly cost | £4–8 (VPS) | £4–6 (subscription) |
| Speed | Faster (lower overhead) | Slightly slower |
| Logging | None (you control it) | Minimal (audited) |
| Kill switch | Built-in | Configurable |
| DNS leak risk | Low (if configured) | Very low (built-in) |
| Transparency | Full (open-source) | High (open-source) |
For a technical founder running their own infrastructure, WireGuard wins. For everyone else, Mullvad.
What I'd Actually Do
If I were setting up a VPN on Android today:
- Deploy WireGuard on a £5/month Hetzner VPS. Takes 15 minutes with their Ansible playbooks. I control the keys, the logs, and the exit IP.
- Install the WireGuard app, import my config, and test DNS resolution before I trust it with anything.
- Enable kill switch and verify no leaks with ipleak.net.
- Rotate my VPS monthly if I'm paranoid, or annually if I'm not.
If I didn't want to manage infrastructure, I'd use Mullvad. It's open-source, doesn't require an account, and publishes independent audits. No subscription lock-in.
What I wouldn't do: download a free VPN, trust the app's default settings, or assume DNS is encrypted just because the VPN is connected. Pairing a VPN with two-factor authentication on your critical accounts is a sensible next layer — the gap between 'VPN installed' and 'VPN actually protecting you' is wider on Android than anywhere else.
Start with the leak test. Everything else follows from there.