Socks5 mode every some minutes drops active network connections outside the dedicated port and clears dns cache.

[deNoor]

Prerequisites

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Issue Details

• AdGuard VPN version:
  • v1.2 (release)
• VPN mode:
  • SOCKS5
• VPN settings:
  • All ON:
    • Kill switch
    • Auto Update
    • Launch at Startup
    • Auto-connect on launch
    • DNS servers (system default)
    • QUIC mode
    • Subnet exclusions (app default)
• Operating system and version:
  • Windows 10
• Other network-level software:
  • Windows Defender
  • Cloudflare WARP in DNS only mode.

Expected Behavior

VPN is listening for SOCKS5 port without interfering with any other application.

Actual Behavior

After update to 1.2 I have brief disconnects from local network with all active connections dropped. The dropped connections are not redirected to proxy (e.g. Remote Desktop connections to other PCs in local network, internet radio, direct file transfer, voice chat session) and are not expected to experience any impact from Adguard VPN.
Adguard service log contains entries "Start uninstalling driver via 'C:\Program Files (x86)\AdGuardVpn\Adguard.Vpn.Tools.exe' tool" lines at the time of disconnects.
Log entry are repeated often:
23.03.2022 23:18:44
23.03.2022 23:18:55
23.03.2022 23:19:05
23.03.2022 23:44:03
24.03.2022 02:01:56
24.03.2022 02:02:21
24.03.2022 02:27:19

The result says:
"Uninstalling driver has been completed successfully with the result:
[...]
Executing Adguard.Core.Tools with the args /drv_uninstall has been completed
"
But it will repeat the procedure again soon.

More details

I also tried to execute manually
"C:\Program Files (x86)\AdGuardVpn\Adguard.Vpn.Tools.exe" /drv_uninstall waitForExit=True timeout=120000 elevate=True
and got disconnected from one of two active Remote Desktop sessions. I don't think it's a coincidence, but not every execution causes disconnects and not all connections are dropped which makes me not 100% sure and took 4 days to investigate. :)
Before update to 1.2 my RD sessions where reliably active for week+ in wired local network (from restart to restart). I'll continue testing with AG VPN service uninstalled to make sure it causes the issue.

Questions

1. What are these driver uninstallation attempts? I can see them at v1.1.1 startup too.
2. The service also executes ipconfig /flushdns after driver uninstallation attempt which is not acceptable for me. I don't want random dns flushes and any influence from Adguard VPN on local DNS cache. How can I disable these?
3. SOCKS5 mode is expected to do anything else like plain dns queries (53) interception, filtering, any behavior like unexpected non-redirected connections drop if Kill Switch option is active? Doesn't it just deal with explicitly redirected data to a specified port ignoring non-redirected connections? Can AG in socks5 be configured to not touch anything outside this port?

[deNoor]

Well, deleting AG VPN fixed the issue. I'm back to stable network including local: for 9 hours not a single connection has been terminated unexpectedly.
Also tried v1.1.1 — works fine. Loop performs location ping and saving VPN account data without interrupting connections or clearing dns.

Not sure why AG VPN v1.2 sabotages network.

[adbuker]

@deNoor, thank you for reply and sorry for the delay with the answer. Could you please update to the 1.2.2 version we released on March 31 and try to repro the issue again?

[deNoor]

v1.2.2 settings:
socks5 mode
general exclusion mode
kill switch off
DNS: quic://[...].d.adguard-dns.com
Use QUIC on

Cloudflare WARP is present and active in dns only mode.

I used 1.2.2 for 3 days, but with Adguard.Vpn.Tools.exe renamed to prevent it being called from AG service. (Log says 'completed successfully' + 'cannot execute due to absence of the file' :D).
The service still executes uninstall + flushdns on every reconnect to server and initial startup. It's doing fine without Tools.exe though. I didn't have network interruptions with this setup.

I also tried to call tools.exe uninstall + flushdns on my own (scripted) every minute for some hours and I got no network interruptions.

I had some issues with "connection_reset" errors while trying to access some pages in Chrome (api.veryawesomeprivacy.org as described in this issue) only with Adguard DNS. Those issues were fixed by stopping Adguard VPN service, but didn't happen again after PC reboot with VPN service active. So I'm not sure about impact from AG VPN client.

I'll try using v1.2.2 in normal way, with Tools.exe available for service to call.

[deNoor]

Also C:\Windows\System32\drivers\adgvpnnetworkwfpdrv.sys is always running which makes Adguard.Vpn.Tools.exe /drv_uninstall by the service even more confusing.
Even if I unload the driver to make .sys file easily deletable, the tool still doesn't delete it.

[deNoor]

I got no connection dropped for 15 hours with v1.2.2. Tools.exe was available (not renamed) and adgvpnnetworkwfpdrv.sys was running.

But if I start switching VPN servers (locations) on my own or something else (server side disconnect) causes server switch I still get all active connections interrupted. I mean all connections, even those NOT redirected to local socks5 proxy.
Unloaded adgvpnnetworkwfpdrv.sys and renamed Tools.exe does not protect from interrupts.

[adbuker]

@deNoor, hello!
Let's divide all the problems you faced into the separate "threads" in order to avoid the mess

1. "connection reset' with AdGuard DNS.
   Could you please enable trace logs, repro the issue (it's better to avoid any actions which don't related to the issue for the purposes of logs' "cleanless" ) and then stop the AdGuard VPN via tray menu
2. Driver isn't uninstalled even after invoking Adguard.Vpn.Tools.exe /drv_uninstall command
   Could you please start the AdGuardVPN (after the stopping on the previous step), switch the location (which in turn leads to invoking the driver uninstall command), wait approximately for a minute and and then stop the AdGuard VPN via tray menu. Then please check whether the file C:\Windows\System32\drivers\adgvpnnetworkwfpdrv.sys exists, and what the result of the command sc query adgvpnnetworkwfpdrv, launched in command line, is.

After the steps described above please grab the logs from %programdata%/adguardvpn/logs and send them to the devteam@adguard.com with the reference to this github issue in the message title. We'll drill into them and find the clue.

3. Interrupting connections once switching locations
   Unfortunately, AdGuardVPN cannot determine which applications exactly redirects their own connections to the local socks5 proxy by design. In other words it's impossible to differ application which is tuned to redirect connections, but doesn't make any connection and application which isn't tuned to redirect connections at all. In that meaning, we interrupt all the connections for all applications except "split-tunneling" list in both modes - driver and the socks one. So to solve your problem with the interrupted connections you can add such application to the "split tunneling" list (settings->split tunneling).

I hope I answered your questions, if not - feel free to bother me.

[deNoor]

1. Connection reset.

Can't reproduce anymore. :) Not sure if I updated from 1.1.1 to 1.2.2 without reboot or some other actions caused guaranteed "connection reset". When the issue was fixed for me by stopping AG VPN client I also deleted it and rebooted to verify. I haven't faced this issue since reinstallation of AG VPN client v1.2.2. It seems we should treat it as non-reproducible for now.
(By Adguard DNS I meant server addresses being set in home router or chrome DoH settings, without AG filtering application for windows installed. So no way to enable debug logs in AG filtering app. :P).

2. Driver is not uninstalled.

• Prerequisites:
  Driver will not be installed if AG VPN app was switched to socks5 mode before the first connection in regular VPN mode. To get the driver after fresh installation of AG VPN client a user should connect to any location at least once with default settings (which are regular VPN mode).
• Now adgvpnnetworkwfpdrv.sys is copied to system32, registered with "System Start" start type and started. This makes the driver always running and not deletable without stopping it first. Switching to socks5 mode does not delete the driver. AG VPN deletes it only as a part of full app uninstallation process.
• Before start: the driver is running, AgVPN service is stopped, AgUI process does not exist. All previous logs are deleted.
• Logged actions: AgVPN client start by clicking shortcut in Start Menu, location switch, AgVPN client exit from UI tray menu.
• Results:
  adgvpnnetworkwfpdrv.sys is still in C:\Windows\System32\drivers
  adgvpnnetworkwfpdrv.sys is still registered in windows registry
  adgvpnnetworkwfpdrv.sys is still running
  (logs sent via email)
  sc query adgvpnnetworkwfpdrv

SERVICE_NAME: adgvpnnetworkwfpdrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

3. Interrupting all connections in socks5 mode.

I'm not sure why you even need to actively detect all applications and guess which one was set to communicate to local port and which one ignores it on purpose. A user is responsible to connect (and reconnect) its apps to local port where socks5 proxy is listening. Why AgVPN client in socks5 mode even cares about something outside the dedicated port?
I expected that AgVPN process passively listens for connections on the specified port, packs them into VPN tunnel and sends to the selected location server. On location switch client drops only the active connections flying to the previous location and starts sending to a new location.
I don't see a reason to drop even local connection to the socks5 port, only [Ag process - Ag remote server] connections look eligible for interrupt. Can AgVPN interrupt connection only established by its own process?

I don't think that you need to forcibly flush dns also. :) Or at least please provide an option to disable any DNS intervention from AG VPN client (like it was before v1.2?).

If split-tunneling is the only reasonable option, could you implement split-tunneling option to exclude all applications globally then? Because it would be really hard to add every process. :D At the moment only an app picked from the predefined list can be added, so windows Remote Desktop (mstsc.exe) cannot be added.
Will socks5 mode work for those apps which are set to bypass vpn in split tunneling?
What if I use a separate app to intercept other apps connections and redirect to AG socks5 proxy? Will it break all your attempts to track whether an app originally initiated a connection is added to split tunneling list?

[deNoor]

Just tested. Unfortunately, an app added to "split-tunneling" is NOT protected from connection interruption on location switch in socks5 mode. (The app used direct connection and was not redirected to local socks5 proxy obviously.)
I got it on video if needed. ;)

How to test:

• switch to socks5 mode
• add Google Chrome to split tunneling.
• open endless network stream in Chrome. E.g. http://79.120.39.202:8002/darkelectro which is single endless audio/aac stream (warning, loud music).
• switch location and see the connection interrupted. Several location switches might be required.

Without AgVPN client intervention this stream never ends on stable connection (at least for many hours).

Also checked that in v1.2.2 an app added to "split-tunneling" can be redirected to local socks5 proxy without any issues. So if split tunnelling with option "All Apps to bypass vpn" actually will stop dropping active connections in the future releases this can be a working solution for me.

[adbuker]

First of all, thanks for the detailed answer. Yes indeed we should enhance behavior for the socks5 mode (in part of dropping connections) and for flushing DNS cache. This feature will be released further

[adbuker]

Just tested. Unfortunately, an app added to "split-tunneling" is NOT protected from connection interruption on location switch in socks5 mode. (The app used direct connection and was not redirected to local socks5 proxy obviously.) I got it on video if needed. ;)

How to test:

• switch to socks5 mode
• add Google Chrome to split tunneling.
• open endless network stream in Chrome. E.g. http://79.120.39.202:8002/darkelectro which is single endless audio/aac stream (warning, loud music).
• switch location and see the connection interrupted. Several location switches might be required.

Without AgVPN client intervention this stream never ends on stable connection (at least for many hours).

Also checked that in v1.2.2 an app added to "split-tunneling" can be redirected to local socks5 proxy without any issues. So if split tunnelling with option "All Apps to bypass vpn" actually will stop dropping active connections in the future releases this can be a working solution for me.

thanks, seems to be a bug, we'll check