Can AdGuard VPN be trusted?

The irony is that VPN providers like WindScribe have physical servers in India and Russia, supposedly running them illegally without keeping any logs and I rarely see anybody questioning the reasons why the Russian and Indian governments are ok having those illegal VPN servers running inside their datacentres and not taking them down or questioning how wise that is.

1 Like

I just don’t feel that it’d be correct for me to talk about decisions of other people. Adding to what I’ve already said, it’s not related to political matters, 15 years is long enough to get tired and wanting to do something new, and crisis time is when people tend to reflect on what they’re doing.

8 Likes

@ameshkov

I am very grateful for your time and answers.

Please answer the following questions:

  1. Why is the android application not open source?
  2. Your application exposes HTTPS, how can I verify that no malicious activity is taking place? How can I make sure that the certificate is unique, and not just that there are several of them in the program, for example, which are selected at random?
  3. How can I get guarantees that no employees based in Russia have access to my information? And how can you guarantee that they won’t make malicious changes to the filters because of their political views?
  4. Why did the company officially call the war a “conflict”? Have you heard of an “okhmatdet”?
  5. You still have a page on a VK resource 100% controlled by a Russian tame oligarch 100% controlled by the regime. Where is the guarantee that the employees who run this page will not be hacked through traffic spoofing using malicious state certificates of the “NUC”?
  6. Alex-302 (one of the employees) has access to filters, for example. I am not trying to accuse the person, but having such access and knowing the dictator’s regime, there is a high probability of some attacks from the punitive regime to compromise filter users (for example, through scriptlets).

2 Likes

Why are we involving Russian citizens? I just don’t see how some of you can’t grasp the fact that all of these horrible things are being done by the government, not ordinary citizens.

2 Likes

Please stop. I am not.

I said that all citizens from there can be used by punitive regime. Not “bad citizens”. That regime doesn’t care about human lives, so knowing that I can make a guess that any of workers from there can be hacked or forced to do something malicious by regime.

4 Likes

Hi @fikko, thanks for the questions, let me please answer them one by one.

Several reasons for that.

First of all, CoreLibs (the main filtering engine of AdGuard) originally used proprietary code for some parts of network filtering (we licensed a third-party network filtering library with code). Nowadays, it’s reworked a lot, but still, open-sourcing it would violate the license, as our code would still count as a derivative of that library.

Also, right now we’re suing a company that decompiled an old version of AdGuard (prior to the introduction of CoreLibs) and built a clone app on top of it. Open-sourcing the filtering engine (even a part of it) at this point would hurt us in court.

Finally, we deal with AdGuard open-source clones on a regular basis, and it’s sad, but all those licenses are not good protection.

In the desktop apps, there’s a browser assistant extension that can be used to inspect the original website certificate. In the Android app, the original certificate can be examined in Statistics → Recent Activity.

We take all the necessary precautions to validate the server certificates in the same way the browser does. There’s a very detailed article on this in the knowledge base that also suggests several ways to check it.

You can reset the application data and generate a new certificate several hundred times. Every time it will generate a new root cert.

We have no information on the users. You can verify that by inspecting what the app sends to the servers or by examining the privacy policy which we keep up-to-date.

AdGuard filters are open source and all the changes can be examined by anyone.

We called it war on several occasions as well, we even did that in the very blog post you’re referring to.

Yes, and I have firsthand account of it, the lead of AdGuard support team lives in a building next to it.

Running a page does not require using any state certificate or even being in Russia.

Alex is not just one of the employees, he is a lead of the filters maintainers team and one of the most veteran employees (celebrated 10 years last week). Also, he lives in Odessa, Ukraine.

On a side note, I’ve never seen a punitive regime making someone compromise something. Usually, the life is simpler than that: there could be a malicious actor that takes control over accounts or there could be monetary reasons. Having the repo and all the changes public and open for review in my opinion is a good way to control that. But anyways I think we can improve it more, for instance make it mandatory for scriptlet rules to go through a pull request.

13 Likes

Thank you for your answers. It looks more clear now.

But still, your latest AdGuard (for android) promotes AdGuard VPN which lead to ban of AdGuard in my company (sorry for off topic)

It looks really illogical to use CA to filter traffic and use AdGuard VPN simultaneously as you can alter traffic remotely (purely theoretical).

Also, if you claim that you are not going to do anything with personal information, then why didn’t you add built in WireGuard client (like rethinkdns done)?

And last, you claim that your website banned in ru region. But your DNS doesn’t seem to be banned. This might be a wild guess but… DNS requests visible to authorities?

Could you please explain the reasoning that was used for that? Does your company ban everything related to VPN services?

The point of having separate apps (ad blocker and VPN) was to make it impossible for the VPN app to see decrypted traffic.

AdGuard Ad Blocker filters the traffic locally (decrypt → filter out tracking → encrypt → send further).

At the same time, AG VPN maintains the tunnel to the remote server and receives the encrypted traffic. AG VPN can be replaced by a different app that’s able to work as a local SOCKS proxy (examples: Orbot, Shadowsocks), find outbound proxy settings in AdGuard to see what I am talking about.

I am not a big fan of WireGuard, that’s why we decided to develop our own protocol. I promised to open source it and we’re working on it already. Will definitely happen later this year.

It’s partly blocked, AdGuard DNS Non-filtering IP addresses are blocked. Most of AdGuard DNS users use encrypted DNS protocols so the queries aren’t visible to anyone. Frankly, I have no idea why ad blocker and DNS are even blocked and the fact that I use it as an argument does not mean I don’t want them to be unblocked.

4 Likes

Thank you for your answers :innocent:

If I only knew… They told that it is “harmful”. But before 4.x update it wasn’t banned. I mean domain adtidy.

Thanks again! I really appreciate your input to make it clear!

1 Like

Weird stuff, maybe a false positive of some cloud AV. I don’t see any FPs on virustotal, maybe it’s already fixed?

Just out of curiosity, why are you not a big fan of Wireguard?

1 Like

It’s probably one of the best you can get in terms of performance and simplicity so for any enterprise VPN it’s great and I wouldn’t look at any alternative.

However, when we’re talking about a consumer VPN service, I don’t want my ISP or any other intermediary to know that I am using a VPN and WG design just does not consider this case. Encapsulating WG into a different proto (TLS, QUIC, whatever) is not a great solution as it leads to a serious slowdown.

5 Likes

In my country there is strong pro-Ukrainian position (I think even more than in Ukraine itself) so maybe because of that. Maybe it is because app allows connection to ADG VPN, but they were not doing anything about it when it allows to use external proxy?

No. They banned adguard main domain too.

Quote:
“Service advertise shady integration with third-party app which allows uncontrolled routing via remote server. To avoid breach access had been restricted.”

UPD: It seems to be easily bypassed using cloudflare DOH.
UPD2: Non DOH DNS also bypasses it. It seems to be blocked on DNS level

SOCKS not encrypted, right? So what the purpose to use Orbot in proxy mode if there is only IP change without encryption? Or I am misunderstanding something?

Well, if the company policy is to prevent routing via remote servers then it’s up to them.

What matters is that it’s a local SOCKS proxy, both Orbot and Shadowsocks are capable of running a proxy on localhost and AdGuard can route traffic through it. When it leaves your device, it’s going through an encrypted tunnel.

On Android building such a “chain” is basically the only way to simultaneously use a VpnService-based network filtering (like AdGuard) and a normal VPN/proxy.

@ameshkov

Hello,

Thanks a lot for your time.

I’d like to ask you if you know a serious VPN that works for Russian citizens? It seems that ProtonVPN, Mullvad, etc. are banned… and it’s difficult to find one that doesn’t collect data.

3 Likes

@ameshkov

If you still have time and energy I had two questions about Adguard VPN.

The first question refers to Adguard VPN connection logs, I understand that during the time you are connected to any VPN the user IP must be logged somewhere in the server to be able to interact, but after reading the privacy policy it is not clear to me how long for are those connection logs kept and if is there any countermeasure to stop a third party from accessing or seizing the VPN servers live with those logs.

The second question refers to AdGuard VPN End-User License Agreement, point 4.11 says that you can not use the software if the country you reside in has prohibited the use of VPN software, this rule is a little surprising for a VPN company, is this some kind of copy and paste end user agreement with a mistake or is this written as it should be for some legal reason. And 4.8 mentions that you can not use the VPN to download porn or infringe copyright. 4.9 mentions no minors can’t use the VPN, 4.10 mentions you can’t register your account with a fake name “misrepresent yourself as another person”, etc…

1 Like

As I recall express and proton worked okay for a while. Generally, there are waves of blockings, then after some time these services come back to life and then they’re blocked again. I doubt that in these circumstances there’s any consumer VPN service (including ours) that can guarantee complete stability.

2 Likes

There’s no technical need to record these logs and by Cyprus laws we don’t have to do so. Moreover, we should not record any personal information (like IP address or user ID) without reason. So if the server is seized there’s nothing on it that can be used.

That said, if the server’s traffic is under control of a third party (some govt authority?) and they see what’s going in and out, there’s a theoretical possibility that they can figure out who’s who.

I am not a lawyer but I’ll try to explain in general terms what I learned from our lawyers.

EULA is a way for a software developer to control who’s responsible for what and the user needs to accept that when they start using the software.

Having no restrictions in EULA means that the developer can take (at least partly) the responsibility for any wrongdoings that were done with the help of their software.

To put it simply, no restrictions in EULA opens an easy way to sue the developer.

Example: a person from Turkmenistan installs a VPN (as far as I know it’s illegal there), gets fined for that and then they can sue the VPN service for that even though everyone understands that installing a VPN was their choice and their responsibility.

2 Likes

Thanks for your time my friend.

I’m personally using adguard everyday but not through the app, but through DNS settings by writing dns.aguard.com

Is there any disadvantage to set Adguard like this? As I’m a GrapheneOS user, setting Adguard like this allows me to have Adguard turned on, on all my profiles (don’t need to install the app on each profile).

1 Like