AdguardForAndroid icon indicating copy to clipboard operation
AdguardForAndroid copied to clipboard
verified publisher icon AdguardTeam

Support "Allow apps to bypass VPN" functionality

Open WorldOfEphemeral opened this issue 7 months ago • 6 comments

Issue Details

Current Behavior:​​

  • AdGuard’s VPN routing is solely controlled by app package names.

  • No option exists for apps to dynamically bypass the VPN, even if they support it (e.g., for latency-sensitive or battery-critical traffic).

Problems This Solves:​

  1. Google FCM Push Notifications:​​ Bypassing the VPN for FCM reduces battery drain and improves reliability while retaining ad/tracking filtering for other traffic.

  2. ​​Game Streaming/P2P Apps:​​ Enables stable low-latency connections without requiring users to disable the VPN entirely.

Documentation References

Proposed solution

​​Implementation:

  • Call VpnService.Builder.allowBypass() when establishing the VPN interface.

User Control:

  • Add a toggle in AdGuard’s settings (e.g., "Allow apps to bypass VPN").
  • Default: ​​Disabled​​ (maintains current behavior unless explicitly enabled).

​​Backward Compatibility:

  • No impact on existing per-app routing rules (package-name-based filtering remains intact).

Alternative solution

No response

WorldOfEphemeral avatar May 21 '25 01:05 WorldOfEphemeral

Google FCM Push Notifications ​​Game Streaming/P2P Apps

Is there any confirmation that these actually bypass VPN when it's possible? As far as I understand this needs to be supported by the app.

Second question: how can we be sure that Google does not use it for ads & tracking servers?

ameshkov avatar May 23 '25 14:05 ameshkov

Google FCM Push Notifications ​​Game Streaming/P2P Apps

Is there any confirmation that these actually bypass VPN when it's possible? As far as I understand this needs to be supported by the app.

Second question: how can we be sure that Google does not use it for ads & tracking servers?

@ameshkov

The first question:

If the VPN supports bypassing, the FCM status will indicate that it is bypassable. Reference URL: VPN interactions and bypassability of FCM Screenshot example of FCM status:

The second question:

Based on real-world observation, only FCM appears to make use of the VPN bypass capability at this time. I have not seen evidence that Google uses this mechanism for ads or tracking-related traffic. To give users control and maintain privacy, I recommend adding a setting in AdGuard (e.g., "Allow apps to bypass VPN"). This toggle should be disabled by default, ensuring no change to existing behavior unless explicitly enabled by the user.

I sincerely appreciate your work on AdGuard and hope you will consider supporting this feature in a future update. Thank you!

WorldOfEphemeral avatar May 23 '25 14:05 WorldOfEphemeral

Tbh, if that's true that FCM is the only service that uses it, I would even think about making it a default true setting, but we should be ready to very quickly change it to false if anyone starts abusing it.

ameshkov avatar May 23 '25 14:05 ameshkov

Tbh, if that's true that FCM is the only service that uses it, I would even think about making it a default true setting, but we should be ready to very quickly change it to false if anyone starts abusing it.

While it's true that if the VPN interface allows bypassing, any app theoretically could bypass it, in practice I haven't observed abuse by ad or logging-related traffic so far. For reference, AdAway currently enables allowBypass() by default to improve compatibility: AdAway VPN Bypass Default Enable So yes, adding a toggle with default ON is reasonable.

WorldOfEphemeral avatar May 23 '25 15:05 WorldOfEphemeral

Makes sense, thank you for your help! We'll implement it in one of the future versions.

ameshkov avatar May 23 '25 15:05 ameshkov

I think I really need this Feature, because I use "Block connections without VPN" and I need all the apps to go through the AdGuard "local VPN"; but not get filtered or "touched" by AdGuard itself: is this a solution for my situation? When I exclude a app, port or IP address through lower level settings, the app's connection is not possible: it loses the ability to connect to the internet. Except the setting "bypass QUIC": this fixes most of my apps problems without needing to disable AdGuard or the local VPN "Block connections without VPN".

Note: without "Block connections without VPN", while AdGuard is restarting protection for some reason, all ads pop up in apps and browsers for a while (and this scares me and my mom when they have loud noises or music); and sometimes they stay connected after the protection comes back up, mostly because the protection prevents ads with DNS filtering and maybe the apps and browsers have DNS cache enabled or something like that. Not being negative or anything, but at this point I would disable AdGuard, enable the private DNS with HaGeZi normal filtering and use Brave Browser and Firefox Mobile (with extensions) to have a ad-free phone. But logically I'd miss a lot of features AdGuard has: I'm just saying there are some other solutions and workarounds, but I'd prefer to use AdGuard always.

Arthur-Kenichi-Condino avatar Oct 04 '25 22:10 Arthur-Kenichi-Condino