AdguardTeam / AdguardForAndroid

Open bug tracker for Android version of AdGuard.
https://adguard.com/

Apps are still getting routed through AdGuard in automatic proxy mode despite being excluded #5392

Closed resiehnnes closed 3 weeks ago

resiehnnes commented 1 month ago

Please answer the following questions for yourself before submitting an issue

AdGuard version

4.6 Nightly 12

Environment

HTTPS filtering

Root access

Integration with AdGuard VPN

Routing mode

Automatic proxy

Ad Blocking

AdGuard Base filter, AdGuard Mobile Ads filter

Privacy

AdGuard Tracking Protection filter, AdGuard URL Tracking filter

Social

AdGuard Social Media filter

Annoyances

AdGuard Annoyances filter, AdGuard Cookie Notices filter, AdGuard Popups filter, AdGuard Mobile App Banners filter, AdGuard Other Annoyances filter, AdGuard Widgets filter

Security

Online Malicious URL Blocklist

Language-specific

No response

Other

No response

Which DNS server do you use?

Custom DNS

DNS protocol

DNS-over-HTTPS

Custom DNS

https://dns.decloudus.com/dns-query

What Stealth Mode options do you have enabled?

Block trackers, Remove tracking parameters from URLs, Hide your search queries, Ask websites not to track you, Self-destruction of third-party cookies, Self-destruction of first-party cookies, Block ETag and If-None-Match headers, Block the third-party Authorization header, Disable WebRTC, Block Push API, Block Location API, Hide your Referrer from third-parties, Hide your User Agent, Hide your IP address, Remove X-client-Data header from HTTP request, Protect against DPI

Issue Details

Steps to reproduce:

  1. Enable Automatic proxy as routing mode in Settings -> Filtering -> Network
  2. Exclude desired app from AdGuard routing in App management
  3. Check if it still gets blocked by your custom DNS provider

Expected Behavior

No response

Actual Behavior

I am using AdGuard + Mullvad VPN app + DeCloudUs DNS as Custom DNS in AdGuard settings. The latter is meant to block lots of Google-related domains, but I do have certain apps which I would like to keep excluded from AdGuard. For instance, I use Aurora Store (FOSS alternative to Google Play Store), which obviously does connect to certain Google domains to work properly, but despite being excluded from AdGuard filtering it still gets blocked and refuses to work. I tested a few other apps and got the same problem. I also tried to add the com.aurora.store package name to the Excluded apps list in Low-level settings, without success.

Is it a bug, misunderstanding or are there some workarounds which I can't figure out?

Additional Information

Going back to Local VPN routing mode and excluding app from AdGuard filtering works as intended.

maxikuzmin commented 1 month ago

@resiehnnes I checked this on my device but the problem is not recurring. Could you please repeat the steps and take a screenshot of Recent activity? Did I understand correctly that this is recurring for you with all apps?

Could you please record debug logs?

Settings -> General -> Advanced -> Logging level -> Debug

Settings -> General -> Advanced -> Export logs and system info

Mention the 5392 number in the subject.

Specify the exact time when the issue occurred.

resiehnnes commented 1 month ago

@maxikuzmin I made a video with all the steps shown and described below:

Notes: AdGuard was closed (protection - disabled, debug - enabled). Mullvad was running, VPN - enabled.

  1. Opening AdGuard
  2. Show that Automatic proxy is enabled
  3. Show selected DNS server (https://dns.decloudus.com/dns-query)
  4. Show excluded app (com.aurora.store) from AdGuard filtering
  5. Show Recent Activity
  6. Enable AdGuard protection
  7. Opening Mullvad and showing it is connected and running
  8. Opening Aurora Store and showing it is failing to establish connection.
  9. Opening AdGuard and showing Recent Activity where you can see it shows Aurora Store is present in the log (where it shouldn't)

✅ Debug logs are sent

https://github.com/user-attachments/assets/06a6102a-0736-4a57-bedd-d0e2971b02f3

> Did I understand correctly that this is recurring for you with all apps?

I have two apps which are always excluded from AdGuard filtering to not get blocked by custom DNS, and both have the same problem.

resiehnnes commented 1 month ago

@maxikuzmin Any progress on this issue? Can you reproduce it on your device?

maxikuzmin commented 1 month ago

@resiehnnes thank you, I got your logs. We need some time to review.

maxikuzmin commented 1 month ago

@resiehnnes I tried repeating the steps following your instructions, but I don't have any requests in Recent activity from Aurora Store. Could you open the request and show me what is inside the request? You can attach a screenshot here or send it by email as well.

resiehnnes commented 1 month ago

@maxikuzmin I sent an email with screenshots.

> I tried repeating steps following your instructions, but I don't have any requests in Recent activity from Aurora store.

So it means Aurora Store bypasses AdGuard's filtering (properly excluded) and loads just fine on your device? I just realized that any app which is excluded from AdGuard's filtering is still being routed through AdGuard. I guess we can leave Aurora Store and Custom DNS aside then and focus on this:

"Automatic Proxy" mode breaks "Route traffic through AdGuard", meaning that apps which are excluded from AdGuard's filtering are still being routed through AdGuard.

maxikuzmin commented 4 weeks ago

@resiehnnes is the problem recurring if you're not connected to a location in the VPN app?

resiehnnes commented 4 weeks ago

@maxikuzmin Yes, the problem is still there even when I am not connected to the VPN and just keep AdGuard in "Automatic Proxy" mode.

maxikuzmin commented 3 weeks ago

@resiehnnes I apologize for this long discussion. I found out the information regarding this topic: In AdGuard in Automatic proxy mode, there is no option to exclude DNS filtering. So this is normal behavior even if you disable Route traffic.

In VPN mode, applications are excluded from Local VPN by system means, and the system resolver knows which applications are allowed in VPN and which are not, and lets them either into Local VPN or past it. DNS queries technically always come from the system resolver, not the application. In root proxy mode there is no such exclusion mechanism, and it is only possible to exclude traffic from applications, not their DNS requests (because AdGuard always sees them as requests from the system).

Perhaps it would be better to write about it under Automatic proxy mode in yellow text; we will do it in the next updates. Thank you!
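
The limitation explained in the comment above, as an added illustration that is not part of the thread or AdGuard's code: an exclusion that matches on the socket owner's UID never matches DNS lookups, because those sockets belong to the system resolver rather than the excluded app. The UIDs, addresses and socket rows are constructed, and owner-UID matching is an assumed model of how root proxy mode tells apps apart.

```python
# Added illustration; every value below is constructed, not captured from a device.
EXCLUDED_UIDS = {10234}   # constructed UID standing in for com.aurora.store
RESOLVER_UID = 1051       # assumption: UID that owns the system resolver's sockets

# Constructed rows in the column layout of /proc/net/udp and /proc/net/tcp.
# Remote addresses are documentation ranges; ports are hex (0035 = 53, 01BB = 443).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:C350 350200C0:0035 01 00000000:00000000 00:00000000 00000000  1051        0 40001
   1: 0F02000A:D2F1 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 40002
   2: 0F02000A:E001 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10301        0 40003
"""

def parse_sockets(text):
    """Return (remote_port, owner_uid) for each socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue                      # not a socket row
        remote_port = int(fields[2].rsplit(":", 1)[1], 16)
        rows.append((remote_port, int(fields[7])))
    return rows

def classify(rows, excluded_uids):
    """Apply a per-app exclusion using the only identity visible here: the socket owner."""
    result = []
    for remote_port, uid in rows:
        if uid in excluded_uids:
            verdict = "bypass"            # the app's own connection: exclusion matches
        elif remote_port == 53:
            verdict = "dns-filtered"      # lookup made for the app, but owned by the resolver
        else:
            verdict = "proxied"
        result.append((uid, remote_port, verdict))
    return result

def report():
    return classify(parse_sockets(SAMPLE), EXCLUDED_UIDS)

if __name__ == "__main__":
    for uid, port, verdict in report():
        print(f"uid={uid:<6} remote_port={port:<4} {verdict}")
```

Row 0 is the lookup performed on behalf of the excluded app: its owner is the resolver's UID, so the exclusion for UID 10234 cannot apply to it even though row 1, the app's own HTTPS connection, bypasses filtering.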

resiehnnes commented 3 weeks ago

@maxikuzmin OK, I see. Thanks for the explanation, and no worries. A warning to a user would be a nice addition; it could also be added to your "Help" page to clarify this moment.

maxikuzmin commented 3 weeks ago

@resiehnnes thanks for your observation. I think it will be useful for other users.