iCloud Private Relay is probably incompatible with network filtering

[ameshkov]

This is expected considering how it works, but we should confirm this first. Also, it would definitely break DNS filtering as well. Some people would definitely be crazy about this and I guess the only thing we can suggest them to do is using AG for Safari instead.

Nevertheless, here's what we need to do:

1. Investigate and see if this is confirmed and it does break the filtering of Safari.
2. Check if we can handle this. Could it be that Safari traffic is routed via some local proxy?
3. If we cannot, find a way to detect that iCloud Private Relay is in use. We should notify users and explain what to do in this case.

An additional concern that we should check is intelligent tracking protection. They say that now it hides the users' IP addresses from trackers and this may mean that trackers are routed via this "private relay" automatically. We should check if this is the case.

[ZeroClover]

Apple does not seem to want Private Relay to be used alongside a VPN. macOS network extension is considered a VPN, so it will likely not solve the problem.

[ameshkov]

@ZeroClover well, that would be an okay outcome. The problem is that according to #876 it simply breaks instead of gracefully disabling private relay.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[ameshkov]

Bad bot, we need to test it one more time

[tomiams]

I don't think this issue has been resolved. I sent an email with this issue number to apple@adguard.com with the debug logs attached when I had complete loss of internet access which I am assuming is because of a conflict with private relay. Once I quit Adguard the internet access is restored.

[Chinaski1]

1. I did manage to access Private Relay and can confirm that filtering in the Safari browser stops working if AdGuard is used in Network extension mode.
2. Filtering was restored by switching AdGuard to PAC mode.
3. Switching the DNS module on and off had no effect on the behaviour described above, regardless of the configurations and servers used.
4. The collected logs will be attached to an internal task

[Quorum75]

Hi.

I was wondering, how do you test the fact that it's working or not?

On iOS I have Private Relay activated with AG in split tunnel with Windscribe. I know crazy 🙃

The IP is the one from WS and AG activity log still show a full list of requests blocked.

[ameshkov]

@Quorum75 well, it's rather simple: when iCloud Private Relay is active, the traffic in Safari won't be filtered at all. At the same time, it will be filtered in other browsers just okay. The only solution that we found is to make AG use the "default route", this would automatically disable private relay.

On iOS I have Private Relay activated with AG in split tunnel with Windscribe. I know crazy 🙃

In this configuration Private Relay does nothing, it won't work alongside any VPN.

[Quorum75]

@ameshkov OK. But why do I still have requests blocked within AG beside Private Relay?

[ameshkov]

Yes, AG should work just okay.

[Quorum75]

I forgot to mention I don't use AG Pro in extension mode, Safari protection and DNS DoQ filtering are done through AG app.

[Chinaski1]

@tomiams @ZeroClover @Quorum75

We've published a Nightly version in which should be no issues with filtering in the Safari browser when using the Private Relay feature.

Download link: agrd.io/mac_nightly

[ZeroClover]

@tomiams @ZeroClover @Quorum75

We've published a Nightly version in which should be no issues with filtering in the Safari browser when using the Private Relay feature.

Download link: agrd.io/mac_nightly

I have been using the nightly version, but the nightly version released today crashed repeatedly on my macOS 11 / 12 device, and I had to switch back to the stable version.

[ameshkov]

@ZeroClover I see no new crash reports, could you please send one?

[ameshkov]

Anyone? We're almost ready to release this version, but this info about crashes kinda changes everything. Since we cannot reproduce it, we need someone to at least share the crash info with us.

[Quorum75]

@ameshkov No issue on my side. AG MacOS 2.6.0.1027 nightly (CL-1.8.189, DNS-1.6.46) and AG FF or Safari extensions just work fine.

[dave-holland]

It seems like when AdGuard is working in Network Extension mode, iCloud Private Relay doesn't do anything. Is that the expected behavior?

[Chinaski1]

@dave-holland

AdGuard and iCloud Private Relay cannot work at the same time. iCloud Private Relay is disabled automatically when AdGuard is active.

AdGuard cannot block ads when Private Relay is tunnelling traffic, because the Private Relay does it before network connections can be filtered by AdGuard.

It is recommended to use more traditional VPNs when using AdGuard.

[iDjay]

Mail privacy protection is also not working: https://support.apple.com/en-us/HT212797

I guess I'll switch to Adguard for Safari then, it does the job for me :)

[bigplayer-ai]

I uninstalled Adguard for macOS because it is incompatible with iCloud Private Relay. I was disappointed to see this issue marked as closed on the Adguard for macOS repository, but I hope a solution will be available in the future.