Make AdGuard's VPN connection shared with ChromeOS

[Eugene-Savenko]

AdGuard local VPN not functioning properly on Chromebook; with ChromeOS m76 (released this past week) the local VPN of AdGuard stopped being shared with ChromeOS. The VPN used by an OpenVPN client is shared with ChromeOS just fine. The AdGuard VPN only works within the Android environment while previously it could be shared systemwide and block ads on both Android and ChromeOS.

Added by @ameshkov:

Investigation results and the temporary solution: https://github.com/AdguardTeam/AdguardForAndroid/issues/3008#issuecomment-568906177

Possible solution: do not exclude system apps (uid=1000) on ChromeOS

In any case, the filtering will be limited as all ChromeOS apps will look like "system apps" to AdGuard, therefore it won't be able to filter HTTPS there.

Original issue details

Issue Details

• AdGuard version: 3.2.130
• Filtering mode: VPN
• Operating system and version: ChromeOS m76
• Root access: n/a

Expected Behavior

AdGuard should work for both Android and ChromeOS apps

Actual Behavior

AdGuard VPN works only for Android environment installed into ChromeOS

Additional Information

Logs here: 2288209

[Skawtnyc]

Some extra information that may help. The Adguard local VPN worked fine with ChromeOS when the Android implementation was Nougat (7.1.1). However, recent updates of ChromeOS have updated the version of Android to Pie (9.0). This may have affected the way the Adguard local VPN is recognized by the system. It functions within the Android environment, but the ability of ChromeOS to direct all network traffic over the ARC VPN does not see it as a viable VPN. If I install OpenVPN for Android, the VPN connection provided by it IS seen by ChromeOS and used properly,

[ameshkov]

Well, we really need to get a ChromeOS device here to test this.

[Skawtnyc]

Any recent Chromebook will do, as long as Android Pie is running on it. Here's the release table to help: https://cros-updates-serving.appspot.com/

I also have an Acer Chromebook Tab 10 which is the same build as my Asus tablet (scarlet) I'd be willing to donate. It's not in great shape (Acer quality) but it still works and I can get it updated to the latest stable version of the OS for you.

[ameshkov]

@TheHasagi was able to set up it on some old laptop.

@TheHasagi any news on the issue? Were you able to reproduce it?

[TheHasagi]

@Skawtnyc

Can you tell me exactly with what version you can share the VPN and with what version you can not?

[Skawtnyc]

The VPN was shareable with ChromeOS 75, but stopped being shareable with 76. The reason for this is very likely because 75 contained Android 7.1.1 (Nougat) and 76 jumped to Android 9.0 (Pie).

[ameshkov]

@Skawtnyc could you please try updating AdGuard to the latest stable build? (v3.2)

Unlike the previous version, it now targets SDK level 29 (Pie). I wonder if it helps.

[Skawtnyc]

I updated to 3.2.135, but it's still not sharing the VPN.

[ameshkov]

Could you please show a few screesnots of how it is, and how it is supposed to work?

I'll try to inspect ChromeOS code, maybe I'll understand what's the reason

[Skawtnyc]

I also did a full uninstall of the app and installed the new apk from scratch so it would recreate the local VPN. Still no good. Something about the VPN itself isn't being shared if other VPN clients work, and the AdGuard VPN still works for Android apps.

[ameshkov]

Actually, I have another idea which we could test. I'll try to prepare a test build for you later today

[Skawtnyc]

As you can see from the first image in attaching, there is a tiny key to the left of the wifi signal in the lower right corner. Also, the VPN icon is lit. In the second image, you can see that the VPN shows a live connection to OpenVPN. This is the OpenVPN client for Android functioning as expected.

[Skawtnyc]

I'll be happy to test whatever you have for me. Thanks!

[ameshkov]

@Skawtnyc could you please try this build? https://uploads.adguard.com/up04_ao69r_adguard-3.2.136-nightly.apk

[Skawtnyc]

Sorry, unfortunately no change from the previous build. It works for Android, but not ChromeOS.

[Skawtnyc]

Just checking in to see if there has been any progress. I'm still happy to test anything you want. The VPN still works fine in Android under ChromeOS v77/78, but still isn't shared.

[ameshkov]

Waiting for a test Pixelbook.

Unfortunately, there's no other way to test this issue on our side, side-loading is problematic on other devices.

[Skawtnyc]

I can test this on both a Scarlet device (Acer Chromebook Tab) and a Pixel Slate, so I can cover both 32-bit ARM and 64-bit Intel.

-- Scott

On Wed, Oct 23, 2019, 7:49 AM Andrey Meshkov [email protected] wrote:

Waiting for a test Pixelbook.

Unfortunately, there's no other way to test this issue on our side, side-loading is problematic on other devices.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/AdguardForAndroid/issues/3008?email_source=notifications&email_token=AKLJLYB7JUCBQZ7WIQ3XJ4LQQA22VA5CNFSM4IMRSY7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECBDVPY#issuecomment-545405631, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKLJLYCY535ECDXU5BQOCQ3QQA22VANCNFSM4IMRSY7A .

[Skawtnyc]

Oh, and according to Google Android will be switching to no-developer mode sideloading with v80 of ChromeOS.

-- Scott

On Wed, Oct 23, 2019, 10:02 PM Scott Raymond [email protected] wrote:

I can test this on both a Scarlet device (Acer Chromebook Tab) and a Pixel Slate, so I can cover both 32-bit ARM and 64-bit Intel.

-- Scott

On Wed, Oct 23, 2019, 7:49 AM Andrey Meshkov [email protected] wrote:

Waiting for a test Pixelbook.

Unfortunately, there's no other way to test this issue on our side, side-loading is problematic on other devices.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/AdguardForAndroid/issues/3008?email_source=notifications&email_token=AKLJLYB7JUCBQZ7WIQ3XJ4LQQA22VA5CNFSM4IMRSY7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECBDVPY#issuecomment-545405631, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKLJLYCY535ECDXU5BQOCQ3QQA22VANCNFSM4IMRSY7A .

[ameshkov]

@Skawtnyc the problem here is that we cannot install ChromeOS on a simple laptop, the only option is "ChromiumOS" which does not seem to support Android apps good enough.

So what we need is a cheap ChromeOS device to test & debug.

[Skawtnyc]

I can give you my old Acer Chromebook Tab 10 for free if you cover the shipping.

-- Scott

On Thu, Oct 24, 2019, 7:50 AM Andrey Meshkov [email protected] wrote:

@Skawtnyc https://github.com/Skawtnyc the problem here is that we cannot install ChromeOS on a simple laptop, the only option is "ChromiumOS" which does not seem to support Android apps good enough.

So what we need is a cheap ChromeOS device to test & debug.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/AdguardForAndroid/issues/3008?email_source=notifications&email_token=AKLJLYDJRQZADAHSLQZ7EGDQQGDZPA5CNFSM4IMRSY7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECEX5GQ#issuecomment-545881754, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKLJLYAVA7FXXZYLOYU7MO3QQGDZPANCNFSM4IMRSY7A .

[artemiv4nov]

@Skawtnyc can you test the build above on your Chromebook? Please:

1. Turn on "Record everything" in "Settings" -> "Advanced" -> "Logging level"
2. Reproduce the bug (remember the exact time, please)
3. Send logs to [email protected], additionally writing the bug playback exact time

[Skawtnyc]

There was no file linked in your message.

[artemiv4nov]

@Skawtnyc try the latest nightly build, please.

[Eugene-Savenko]

This one: https://agrd.io/android_nightly

[Skawtnyc]

Using Nightly build 3.3.18, I followed the directions below, from 10:34-10:35am EDT (New York time). I performed a simple test to see if the VPN was shared with ChromeOS by visiting websites known to have ads. I do not believe that the VPN is being shared nor is it communicating with ChromeOS. The log file is attached.

-- Scott

On Sun, Oct 27, 2019, 4:56 AM Artem Ivanov [email protected] wrote:

@Skawtnyc https://github.com/Skawtnyc can you test the build above on your Chromebook? Please:

1. Turn on "Record everything" in "Settings" -> "Advanced" -> "Logging level"
2. Reproduce the bug (remember the exact time, please)
3. Send logs to [email protected], additionally writing the bug playback exact time

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/AdguardForAndroid/issues/3008?email_source=notifications&email_token=AKLJLYBQLOHO7B4ER5QGJ2DQQVJR5A5CNFSM4IMRSY7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECKZOVI#issuecomment-546674517, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKLJLYGPPUXSR53UQR7CVEDQQVJR5ANCNFSM4IMRSY7A .

[admitrevskiy]

Intermediate result of studying the issue:

• AG is recognized as VPN in Android OS. You can see it in Android Preferences (Settings -> Google Play Store -> Manage Android Preferences -> Network & Internet -> VPN)
• Chrome OS does not recognize AG as a VPN because we exclude the system UID (1000) from VPN due to this issue
• You can discard this logic by editing pref.excluded.uids in Low-level settings (Settings -> Advanced -> Low-level) but it looks like it breaks the system DNS. You still can use AG DNS to make DNS queries.
• In any case TCP traffic from Chrome OS apps passes by Adguard since it looks like them work in another namespace and we can not find valid connection info in proc/net/tcp(6)

The good news is that Android Apps are still work in Android namespace so we can perform filtering for them and you can use any Android browser for now.

We're looking for a solution

[Skawtnyc]

That's great news. The hardest part is always finding the cause of the problem. Until a solution is found, I'll use Adguard for Android under ChromeOS, and set my wifi networking entries to use Adguard DNS along with Ublock Origin (for element blocking).

[Skawtnyc]

I just tested the low-level setting on my Asus tablet which has developer mode enabled (required for sideloading Adguard). The VPN activated right away, and as expected DNS stopped functioning. I tried enabling DNS filtering in Adguard, thinking that might be a workaround, but it didn't function.

Is it possible to proxy DNS requests to your DNS server while the VPN is active? That might be a viable workaround when the low-level setting is active. Maybe make the process a ChromeOS specific setting where it toggles the low-level setting and DNS proxying at the same time.

[ameshkov]

Is it possible to proxy DNS requests to your DNS server while the VPN is active?

Yeah, it should be possible. I'd suggest trying the latest beta version of AdGuard, though. It intercepts all DNS requests and not only those which originate from root as we were doing in v3.2