Adguard conflicts with Windscribe

[ghost]

Issue Details

• AdGuard version:
  • 3.6.7
  • 4.0 nightly 32
• Filtering mode:
  • HTTP Proxy (Auto)
  • HTTP Proxy (Manual)
• Device:
  • Xiaomi Mi 9T (davinci)
  • Pixel 6 Pro (raven)
• Operating system and version:
  • MIUI 12/Android 11
  • ArrowOS/Android 12
  • Android 12 (on pixel 6)
  • Android 12.1 (on pixel 6)
• Root access:
  • Yes

Expected Behavior

Adguard in HTTP-proxy mode will work correctly with any VPN-applications on the Android system if you have root.

Actual Behavior

If Adguard is active and the HTTP-proxy filtering mode is used (manual or automatic, any port number), Windscribe cannot establish a connection to servers using the wireguard protocol. However, if you disable Adguard, connect to a Windscribe server and then re-enable Adguard, the existing connection will not be broken and both applications will work as expected. Also, if you use the IKEv2 protocol to connect, the connection will be successful even with filtering enabled.

Additional Information

This issue can also be reproduced on a free Windscribe account, which should be enough for Adguard developers to confirm the problem.

[ghost]

By the way, I tried to disable Windscribe filtering in the Adguard firewall settings, but it didn't seem to make any difference.

[ghost]

And no, this is not aggressive advertising of Windscribe for Adguard employees :rofl:

[Chinaski1]

Hello there!

Sorry for the late reply. Please enable AdGuard in HTTP auto-proxy mode and collect the log files

Here's what we need you to do:

1. Collect the debug log as it's explained here;
2. Remember the exact time when the issue was reproduced. We will need it to find the corresponding records in the log file;
3. Send archive to devteam@adguard.com. Mention the Github issue number and the exact time when the issue was reproduced.

[ameshkov]

@sfionov could it be an issue with proxying UDP?

[ameshkov]

@FireFlashie quick question: have you disabled filtering of the Windscribe app in the Apps Management settings?

[ameshkov]

@FireFlashie note that in the root+proxy mode we forcibly block all UDP traffic to port 443 (to prevent QUIC).

Could it be that Windscribe tries to use that port?

[ghost]

@ameshkov Yes, I disabled the "Adguard protection" slider for Windscribe in the settings. Those logs I sent were with the checkbox turned off. It doesn't look like it affects anything in HTTP-proxy mode. Windscribe uses port 443 by default for Wireguard, but in that log I sent on the email request, I also tried to use another port, 1194.

[ameshkov]

Tbh, I have no idea at this point, if AdGuard protection is disabled for Windscribe, AG shouldn't mess with it at all.

Just in case, please do adb shell to your device and show us the output of iptables-save so that we could check what exact iptables rules are applied.

[ghost]

So, after further tests, it became clear that the first attempt to connect with Windscribe is always on port 443. Which, as mentioned above, is blocked by Adguard for some reason. If Windscribe manages to establish the first connection to the servers before the AdGuard local proxy starts, then Windscribe works later on without any problems.

[ameshkov]

The reason for this behaviour in proxy mode is that AdGuard wants to prevent QUIC traffic which it cannot filter at this moment. I am not entirely sure we'll ever be able to do that in proxy mode (in VPN mode we will, though). So the only option is fully prevent UDP to port 443.

[maxikuzmin]

@FireFlashie is there anything else we can do to help?

[maxikuzmin]

@FireFlashie ping