i have been using mullvad vpn along side next-dns for a while but i started to look into firewall apps and it seems i should use rethink. 
I don’t have a clue how rethink works because i have never used/run a firewall app, so can i run them together, is it one or the other or should i stay with what i’m using right now
Most firewall apps work by dns blocking in conjunction with a vpn and usually do not allow your own vpn/dns configuration.
Interesting question, though. Maybe one here has an alternative or a work around
Am curious. 
The first question is is NextDNS capabilities enough for you? Do you only need blocking of certain domains? Or are you satisfied with using only a few popular blocklists that NextDNS offers? Take a minute to answer yourself that.
If this isn’t enough for you and you also need to restrict certain apps from accessing Internet than you do need a local firewall.
Seeing that you’re asking about RethinkDNS i am assuming that you have an Android device.
You can’t run both Mullvad app and RethinkDNS app simultaneously because Android allows only one VPN slot that both apps need to work.
However, you might be able to use only RethinkDNS with a Mullvad server Wireguard exit node and also NextDNS as, well, DNS configured inside it.
Mullvad allows you to configure this, you can download a config file of a desired server or show it as QR code on your account page at Log in | Mullvad VPN. You then need to import it into RethinkDNS by scanning the QR code or importing the config file.
DNS setup is easier. You just need your NextDNS DNS-over-HTTPS personal link like https://dns.nextdns.io/abcdef.
Please let me know if you need a more thorough guide.
I’ll try adding the mullvad config to rethink
And yes nextdns is plenty for me
I think I got it but if you could let me know how to run mullvad through rethink
Plus other good things to know about rethink I should know
So what does it mean then? If NextDNS is plenty for you then why do you need a local firewall?
I mean, don’t get me wrong, i just want you to properly understand and explain (to yourself, primarily, and to us) what it is that you need and how certain instruments can help you with that.
In meaning it works (as just a dns server)
Plus the firewall, I want to see connections and block ones happening in the background
Also I just want to run a firewall
Hi there (as stated in another reply): Since two months ago, Rethink can egress via WireGuard of any VPN provider of your choice (ex).
Not OP, but here’s a reason; DNS based content-blockers are powerless if apps implement their own DNS (WhatsApp, Instagram, Telegram are few of the popular ones that do so; and I suspect many spyware SDKs have already switched to doing so). A local (on-device) firewall can detect and block such DNS requests. With Rethink, one can prevent adhoc DNS requests with:
Prevent DNS leaks option in Configure → DNS → Advanced (enabled by default on F-Droid builds).Block when DNS is bypassed option in Configure → Firewall → Universal firewall rulesSo you DO want to control what is going on in the background, and a firewall really is what you need.
It’s a lot easier with a per app based firewall.
As good of a reason as any, no problem. As i said, the main thing is that you understand what you want and why, and you seem to do so.
Were you able to get a config file from Mullvad account page? If so, instructions under spoiler:
Get the config file on your phone, then open RethinkDNS app, press “Proxy”, then “Setup Wireguard”, then press the plus icon at the bottom and press “Import”. Find your config file, choose it and voila, you have added your Mullvad Wireguard exit node for RethinkDNS.
Now you need to choose apps that you want to tunnel, just tap on a newly added node and then press “Add / Remove Applications (0 apps)”. You can just select all, but if you have some apps that require access to your local network then you might want to exclude them. Tap “Okay” to save your apps settings.
What’s left is to toggle this profile on and you’re done.
That’s it for the VPN, now the DNS:
Open RethinkDNS app, press"DNS", then “OtherDNS” (the arrow on the right), then press “DoH” tab. Basically you can just choose whatever is already in there or in any other tab, but if you want to configure your NextDNS as your DNS then you need to have copied your NextDNS personal https link like https://dns.nextdns.io/abcdef, then you need to tap the plus icon at the bottom, paste your link in the “Resolver URL” field (don’t forget to erase the “https://” at the beginning before pasting) and choose a name for your profile, anything like “NextDNS” will suffice. Hit “Add” and checkmark your new profile if it wasn’t already checked.
Go back one screen and tap “Other DNS” (the left part of the field, to enable it). That’s it.
After that on the same screen i enable all settings except for icons in DNS logs. You also can download and set up a bunch of blocklists, but if you’re gonna be using NextDNS you’ll probably be setting up blocking in there, so you can skip local blocklists.
Keep in mind that if you’re using NextDNS profile, RethinkDNS chooses closest to you NextDNS server, not closest to your exit point.
Now is the time to set up firewall and which apps are allowed internet connection:
Return to the main screen, tap “Apps” and choose for every app if it should have access to cellular or Wi-Fi. Be free to play with the apps that you know and have installed yourself, but be very careful with system apps. There might be a whole bunch of strange and unknown names, but you never know which one is essential to have internet connection and will break some functionality if you restrict them. Toggle them a few at a time and then thoroughly test if anything broke.
Some folks can spend hours fiddling with this just ending up frustrated and not knowing what is it that broke this time.
Now if everything is set up correctly, just hit “Start” on the main screen, this will connect the app to the VPN slot, you need to agree. Don’t forget to set it as Always-on in device VPN settings. Aaaaand you’ve got yourself a VPNed firewall.
You might end up not being able to connect to the internet, and that’s another story, i’m not gonna dive into troubleshooting now. I’ll just say that the most probable culprit is either DNS or firewall rules.
Working on this, just right now. It is super complicated, but we’ll make this happen (:
(btw, appreciate the thorough reply; we do a really poor job of documenting Rethink… but we barely have any users anyway, so I guess it doesn’t matter much).
Oooooh, don’t belittle yourself, your project is bound to succeed and get popular. I believe you should work a bit on documentation, or you’re risking to end up with a smaller user base than you deserve 
I can’t donate to the project, literally not able, but i’m trying to do my part this way.
I’m having so problems with the setup i’m using but
videos from newpipe aren’t loading and I’m unable to send or receive chats from snapchat
As a temporary measure, and if you’re comfortable doing so: You can opt to not include these problematic apps in the WireGuard tunnel.
Other than that, check the Network Logs in the app. Tap on entries for Snapchat and NewPipe. In the bottomsheet that shows up; see if you find anything interesting:
If there are no entires in the Network Log, see if you find any Snapchat or NewPipe / YouTube related domains blocked appear in DNS Logs.
Otherwise, check if your underlying network has connectivity to IPv4+IPv6 (if WireGuard is setup to connect to IPv4 or IPv6). You may have to change Choose IP version in Configure → Network to Auto in that case (its IPv4-only, by default).
i just excluded both of the apps for now, ill look into why they weren’t working later👍
@Juice7in Btw, after you have configured all the apps that you want to tunnel through Wireguard proxy, every app that you install afterwards and want to tunnel you have to add manually every time.
And since you’re using Mullvad, you can add to Rethink more than one Mullvad Wireguard server, just create a config file or QR code for every desired server and repeat all importing steps (including checking all the apps for tunneling).
@ignoramous Would be nice to have a blacklist mode that would only require to exclude apps from tunneling and all newly installed apps then would automatically get tunneled. Official Wireguard app supports that. Classic whitelist mode if fine for proxy and many exit points, but gets slightly problematic if you want to tunnel everything.
As in, you had to “exclude” them from the Rethink altogether, or remove them from the WireGuard tunnel you set up?
Plan to ship this behaviour in the upcoming version or two:
I excluded them from rethink in all
I think I missed this part, what does tunneling a app do
Tunneling means making them connect to the internet via your VPN server. This step lets you choose which apps to tunnel. If you don’t choose any apps to tunnel then none of them connect to the internet via VPN server, they do it directly, basically bypassing VPN.
This means the VPN wasn’t the problem because before when I had the problem no apps were selected