AdGuard's anti-DPI protection breaks domain name exclusions

[ammnt]

Hello,

macOS 12.3, AdGuard VPN 1.2.1.192 release - exclusions only work when added as IP: https://www.youtube.com/watch?v=l79DouWbtfQ&hd=1

The verbose logs is here: adguard_logs_20220330060357.zip

Thank you.

[maxikuzmin]

Thank you! This issue is in progress and will be fixed in future updates

[sxgunchenko]

@ammnt are you able to reproduce it (a) with the latest nightly and (b) in other browser?

[ammnt]

@ammnt are you able to reproduce it (a) with the latest nightly and (b) in other browser?

Yes, it looks like routing only works with IP in exclusions.

[sxgunchenko]

Could you please reproduce it again with curl and send the logs?

Run the following command in Terminal: curl -I https://www.tko-inform.ru

In case it reproduces, the terminal will hang for some time and then report an error. Otherwise, it will print HTTP/1.1 200 OK....

One more question: do you have the AdGuard adblocker or another app which can affect the network traffic? If so, could you please turn them off and check again?

[ammnt]

@sxgunchenko & @harry-b, so what I have now:

1. Curl connects successfully after adding a domain to exclusions:

2. Browsers still do not connect after that, and even after curl has successfully connected and received a response.

3. Even the browser I didn't use during this session.

4. Now the VPN application is stuck when you try to open this site in browsers after adding to the exceptions. This problem is both on the latest stable version and on nightly.

5. The logs before stuck is here: adguard_logs_20220505063919.zip

and after that:

report.txt adguard_logs_20220505064204.zip

Yes, I also have AdGuard for Mac 2.8.1.1140 release (CL-1.9.62, DNS-1.7.22). Please take a look.

Thank you.

[sxgunchenko]

I also have AdGuard for Mac

So, does turning it off fix the site?

Thanks for the stuck report, I'll take a look.

[ammnt]

@sxgunchenko, yes. It works when AdGuard adblocker is stopped, turned off and this domain (not IP) added in exclusions list of AdGuard VPN. No need to add this domain as IP in this case. Please check and confirm. Thank you.

[sxgunchenko]

Should be fixed in the first nightly with VpnLibs 0.10

[ammnt]

@sxgunchenko and @ameshkov, unfortunately it is not fixed now. I still have this error after last update of AG VPN for Mac.

[sxgunchenko]

@ammnt Do you mean v2.0.1.291? If so, could you please reproduce it with the debug logging level and send the logs?

[ammnt]

@ammnt Do you mean v2.0.1.291? If so, could you please reproduce it with the debug logging level and send the logs?

I mean 2.0.0.279 - the last stable version. But verbose logs has been sent right now anyway😀Please take a look!

[cryptopatik22]

@sxgunchenko the user provided us with the logs. Here they are: adguard_logs_20221228043305.zip

[cryptopatik22]

Also, here is a video with the issue replication: https://youtu.be/SlSe_AU3bxA

[sxgunchenko]

I mean 2.0.0.279 - the last stable version

Ok, that one is also suitable. I'll take a look, thank you.

[sxgunchenko]

It seems like the VPN cannot find the domain name in your traffic, that's why excluding the domain does not work. The strange thing is that the issue does not reproduce on my side.

@ammnt to get to the bottom of the issue, could you please do the following: 1) turn off AdGuard VPN app and turn on AdGuard app (since it does not reproduce without the running adblocker) 2) set up Wireshark to capture TLS traffic (like here) or alternatively tcpdump (by running the following command in terminal tcpdump -ni "$(route -n get default | grep interface | awk '{print $2}')" "tcp port 443" -w <path/to/file> replacing <path/to/file> to the desired path (e.g. ~/mydump.pcap)) 3) visit myip.ru just like you did before 4) stop capturing (in case of tcpdump, just terminate it) and send the dump to the devteam

[ammnt]

@sxgunchenko, I sent the dumps yesterday. Please confirm🙂Thank you!

[sxgunchenko]

Yup, I have already looked at them. Unfortunately, I don't see any reason why VpnLibs can't find the domain name in your traffic. It seems like some additional logging is needed. It will come in one of the following updates.

A few more questions: 1) Does it reproduce on any site or just on some sites? 2) Is Stealthmode enabled in AdGuard? If so, could you please disable it and check again?

[ammnt]

Yup, I have already looked at them. Unfortunately, I don't see any reason why VpnLibs can't find the domain name in your traffic. It seems like some additional logging is needed. It will come in one of the following updates.

A few more questions:

1. Does it reproduce on any site or just on some sites?
2. Is Stealthmode enabled in AdGuard? If so, could you please disable it and check again?

1. I think this can be reproduced on some site and not is 100 % cases
2. I found what the problem was and sent you the logs just now. You was right - protect DPI option breaks VPN exclusion function🥳

[ammnt]

Any news? I have some problems with VPN connection now if the Anti-DPI is enabled🤔