2dust / v2rayNG

A V2Ray client for Android, support Xray core and v2fly core
https://1.2345345.xyz
GNU General Public License v3.0
34.78k stars 5.36k forks

Traffic pattern detection when using freedom outbound #3582

Open bakabtw opened 1 week ago

bakabtw commented 1 week ago

Expected behavior

When using direct routing rules, the destination services should not detect the use of X-RAY, since all traffic from a client to the service is going directly.

Actual behavior

Despite correct routing rules (if connected directly to the service IP, they respond with an error and show the client's IP), some services can detect that the client has an active VPN profile.

Affected websites:

Reproduction method

  1. Create a new profile (I used Vless+Reality but it doesn't really matter)
  2. Create the following rule:
            {
                "domain": [
                    "regexp:.*$"
                ],
                "outboundTag": "direct"
            }
  3. Try to open gosuslugi.ru or use the `YandexGo` app. The services will not be available.

Log information

```
09-21 10:03:59.630 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:03:59.630 I/GoLog (17324): from tcp:127.0.0.1:57086 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:03:59.790 I/GoLog (17324): Not Using Prepared: tcp,gllto1.glpals.com:80
09-21 10:03:59.791 I/GoLog (17324): from tcp:127.0.0.1:57098 accepted tcp:104.18.2.90:80 [socks -> direct]
09-21 10:03:59.792 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:03:59.792 I/GoLog (17324): from tcp:127.0.0.1:57114 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:03:59.802 I/GoLog (17324): Not Using Prepared: tcp,104.18.3.90:80
09-21 10:03:59.802 I/GoLog (17324): from tcp:127.0.0.1:57070 accepted tcp:104.18.3.90:80 [socks -> direct]
09-21 10:03:59.802 I/GoLog (17324): from tcp:127.0.0.1:57058 accepted tcp:3.219.146.176:7275 [socks -> direct]
09-21 10:03:59.802 I/GoLog (17324): Not Using Prepared: tcp,3.219.146.176:7275
09-21 10:03:59.846 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:03:59.846 I/GoLog (17324): from tcp:127.0.0.1:57118 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:03:59.903 I/GoLog (17324): from tcp:127.0.0.1:57124 accepted tcp:157.240.201.63:443 [socks -> proxy]
09-21 10:04:00.025 I/GoLog (17324): Using Prepared: 178.130.40.231
09-21 10:04:00.382 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:00.383 I/GoLog (17324): from tcp:127.0.0.1:57140 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:00.867 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:00.867 I/GoLog (17324): from tcp:127.0.0.1:57154 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:01.136 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:01.137 I/GoLog (17324): from tcp:127.0.0.1:57156 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:04:01.366 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:01.366 I/GoLog (17324): from tcp:127.0.0.1:57162 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:01.602 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:01.603 I/GoLog (17324): from tcp:127.0.0.1:57166 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:04:01.853 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:01.853 I/GoLog (17324): from tcp:127.0.0.1:57182 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:02.444 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:02.444 I/GoLog (17324): from tcp:127.0.0.1:57186 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:04:02.444 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:02.444 I/GoLog (17324): from tcp:127.0.0.1:57202 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:04:02.520 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:02.520 I/GoLog (17324): from tcp:127.0.0.1:57210 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:03.111 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:03.111 I/GoLog (17324): from tcp:127.0.0.1:57218 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:03.650 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:04:03.651 I/GoLog (17324): from tcp:127.0.0.1:57228 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:04:09.277 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:09.277 I/GoLog (17324): from tcp:127.0.0.1:48406 accepted tcp:15.197.130.39:443 [socks -> direct]
09-21 10:04:09.456 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.50:443
09-21 10:04:09.456 I/GoLog (17324): from tcp:127.0.0.1:48426 accepted tcp:149.154.167.50:443 [socks -> direct]
09-21 10:04:09.456 I/GoLog (17324): from tcp:127.0.0.1:48416 accepted tcp:149.154.167.50:443 [socks -> direct]
09-21 10:04:09.456 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.50:443
09-21 10:04:09.477 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.50:5222
09-21 10:04:09.477 I/GoLog (17324): from tcp:127.0.0.1:48434 accepted tcp:149.154.167.50:5222 [socks -> direct]
09-21 10:04:09.492 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.50:443
09-21 10:04:09.492 I/GoLog (17324): from tcp:127.0.0.1:48444 accepted tcp:149.154.167.50:443 [socks -> direct]
09-21 10:04:09.511 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.41:443
09-21 10:04:09.511 I/GoLog (17324): from tcp:127.0.0.1:48452 accepted tcp:149.154.167.41:443 [socks -> direct]
09-21 10:04:10.030 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.35:443
09-21 10:04:10.030 I/GoLog (17324): from tcp:127.0.0.1:48466 accepted tcp:149.154.167.35:443 [socks -> direct]
09-21 10:04:10.822 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.255:443
09-21 10:04:10.823 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.255:443
09-21 10:04:10.823 I/GoLog (17324): from tcp:127.0.0.1:48476 accepted tcp:149.154.167.255:443 [socks -> direct]
09-21 10:04:10.823 I/GoLog (17324): from tcp:127.0.0.1:48482 accepted tcp:149.154.167.255:443 [socks -> direct]
09-21 10:04:10.883 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.222:443
09-21 10:04:10.883 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.222:443
09-21 10:04:10.884 I/GoLog (17324): from tcp:127.0.0.1:48496 accepted tcp:149.154.167.222:443 [socks -> direct]
09-21 10:04:10.884 I/GoLog (17324): from tcp:127.0.0.1:48506 accepted tcp:149.154.167.222:443 [socks -> direct]
09-21 10:04:11.060 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.222:443
09-21 10:04:11.060 I/GoLog (17324): from tcp:127.0.0.1:48510 accepted tcp:149.154.167.222:443 [socks -> direct]
09-21 10:04:11.562 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:11.563 I/GoLog (17324): from tcp:127.0.0.1:48522 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:04:12.176 I/GoLog (17324): Not Using Prepared: tcp,91.105.192.100:443
09-21 10:04:12.176 I/GoLog (17324): from tcp:127.0.0.1:48526 accepted tcp:91.105.192.100:443 [socks -> direct]
09-21 10:04:13.901 I/GoLog (17324): Not Using Prepared: tcp,149.154.167.41:443
09-21 10:04:13.901 I/GoLog (17324): from tcp:127.0.0.1:48540 accepted tcp:149.154.167.41:443 [socks -> direct]
09-21 10:04:21.920 I/GoLog (17324): Not Using Prepared: tcp,gu-st.ru:443
09-21 10:04:21.920 I/GoLog (17324): from tcp:127.0.0.1:35112 accepted tcp:46.235.188.241:443 [socks -> direct]
09-21 10:04:21.929 I/GoLog (17324): from tcp:127.0.0.1:35120 accepted tcp:1.1.1.1:853 [socks -> proxy]
09-21 10:04:22.044 I/GoLog (17324): Using Prepared: 178.130.40.231
09-21 10:04:23.094 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 138 Err: connection timed out
09-21 10:04:23.095 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 143 Err: connection timed out
09-21 10:04:23.095 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 151 Err: connection timed out
09-21 10:04:23.095 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 144 Err: connection timed out
09-21 10:04:23.095 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 146 Err: connection timed out
```

Environment information

Android 10 on Samsung.

Additional information (optional)

bakabtw commented 1 week ago

The only workaround I found so far is to add the following domains to routing via proxy:

            {
                "domain": [
                    "domain:gosuslugi.ru",
                    "domain:gu-st.ru",
                    "domain:yandex.ru",
                    "domain:yandex.com",
                    "domain:yandex.net"
                ],
                "outboundTag": "proxy"
            }
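
When auditing a routing rule set against a log like the one in this issue, it helps to tally which destinations actually left through which outbound. The following is an added example, not code from the thread or from v2rayNG; it parses the `I/GoLog` line shapes quoted above, and the function names `parse` and `off_policy` are hypothetical. The sample lines are copied from the issue's log.

```python
import re
from collections import Counter, defaultdict

# Subset of the log quoted in the issue, one entry per line.
SAMPLE_LOG = """\
09-21 10:03:59.846 I/GoLog (17324): Not Using Prepared: tcp,www.gosuslugi.ru:443
09-21 10:03:59.846 I/GoLog (17324): from tcp:127.0.0.1:57118 accepted tcp:213.59.253.7:443 [socks -> direct]
09-21 10:03:59.903 I/GoLog (17324): from tcp:127.0.0.1:57124 accepted tcp:157.240.201.63:443 [socks -> proxy]
09-21 10:04:00.025 I/GoLog (17324): Using Prepared: 178.130.40.231
09-21 10:04:01.136 I/GoLog (17324): Not Using Prepared: tcp,tc.mobile.yandex.net:443
09-21 10:04:01.137 I/GoLog (17324): from tcp:127.0.0.1:57156 accepted tcp:3.33.253.45:443 [socks -> direct]
09-21 10:04:21.929 I/GoLog (17324): from tcp:127.0.0.1:35120 accepted tcp:1.1.1.1:853 [socks -> proxy]
09-21 10:04:23.094 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 138 Err: connection timed out
09-21 10:04:23.095 I/GoLog (17324): fdConn unix.Connect err, Close Fd: 143 Err: connection timed out
"""

PREFIX = r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} I/GoLog \(\d+\): "
# "from <net>:<src> accepted <net>:<dest>:<port> [<inbound> -> <outbound>]"
ACCEPTED = re.compile(PREFIX + r"from \w+:\S+ accepted \w+:(?P<dest>\S+):(?P<port>\d+)"
                               r" \[(?P<inb>\S+) -> (?P<out>[^\]\s]+)\]$")
# Dial lines carry host:port as logged; their exact meaning is not stated on the page.
DIALED = re.compile(PREFIX + r"Not Using Prepared: \w+,(?P<host>\S+):(?P<port>\d+)$")
CONNECT_ERR = re.compile(PREFIX + r"fdConn unix\.Connect err, .*Err: (?P<err>.+)$")

def parse(log):
    """Return (routes, dialed, errors) tallied from GoLog lines."""
    routes = defaultdict(Counter)  # outbound tag -> Counter of "ip:port"
    dialed = Counter()             # "host:port" seen on dial lines
    errors = Counter()             # connect error text -> count
    for line in log.splitlines():
        line = line.strip()
        if m := ACCEPTED.match(line):
            routes[m["out"]][f'{m["dest"]}:{m["port"]}'] += 1
        elif m := DIALED.match(line):
            dialed[f'{m["host"]}:{m["port"]}'] += 1
        elif m := CONNECT_ERR.match(line):
            errors[m["err"]] += 1
    return routes, dialed, errors

def off_policy(routes, expected="direct"):
    """Destinations that left through any outbound other than `expected`."""
    return sorted((dest, tag) for tag, dests in routes.items()
                  if tag != expected for dest in dests)

if __name__ == "__main__":
    routes, dialed, errors = parse(SAMPLE_LOG)
    print(off_policy(routes), dict(dialed), dict(errors))
```
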