@dalias @leftpaddotpy who said VPN server on Android cannot filter out ads or unwanted traffic? I think iptables should be able to filter based on userid or pid. I admit it would be great for flatpaks also. Name resolution usually does not have user or pid information for each request, it would have to use Unix socket instead of IP+port domain. So it would be difficult to apply ACL on those. But having alternative DNS cache on non-default address would be simple.