TrustTunnel: AdGuard VPN protocol goes open-source(adguard-vpn.com)

79 pointsby kumrayu10 hours ago10 comments

mrbluecoat2 hours ago
Very cool! Thanks for supporting open source (unlike a half-hearted attempt, like ExpressVPN's Lightway). Quick question: the website animated gif has no arrows from the website to the VPN server. Am I missing something?
Update: just followed the quickstart and worked great; speed is virtually line speed - impressive!
stefanha4 hours ago
Link to the protocol specification: https://github.com/TrustTunnel/TrustTunnel/blob/master/PROTO...
It's a thin HTTP/2 and HTTP/3 tunneling protocol for TCP, UDP, and ICMP traffic.
It should be easy to write an independent implementation based on this specification provided you already have an HTTP/2 or HTTP/3 library. Pretty neat!
almaight10 minutes ago
Does it support the mwss protocol?
reader927418 minutes ago
How does this compare to Obscura
- mrbluecoat9 minutes ago
  Obscura is WireGuard-over-QUIC, not a new protocol.
  https://obscura.net/#faq-technical
11 minutes ago
undefined
ameshkov5 hours ago
Hi, I’m one of the people working on this.
One clarification that may not be obvious: open-sourcing this isn’t primarily about signaling or auditability. If that were the goal, a standalone protocol spec or a minimal reference repo would have been enough.
Instead, we’re deliberately shipping full client and server implementations because the end goal is for this to become an independent, vendor-neutral project, not something tied to AdGuard.
We want it to be usable by any VPN or proxy stack and, over time, to serve as a common baseline for stealthy transports — similar to the role xray/vless play today.
Happy to answer questions or clarify design choices.
- rfv67233 hours ago
  Does your team have Chinese memebers?
  GFW has been able to filter SNI to block https traffic for a few years now.
  - gruezan hour ago
    >GFW has been able to filter SNI to block https traffic for a few years now.
    SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (eg. shadowsocks).
    rfv6723an hour ago
    > because any commercial VPN is going to be blocked by IP, no need for SNI.
    Proxy server can hide behind CDN like Cloudflare via websocket tunnel.
    This is why GFW develops SNI filter, Cloudflare is too big to block.
    gruez6 minutes ago
    >Proxy server can hide behind CDN like Cloudflare via websocket tunnel.
    cloudflare doesn't support domain fronting so any SNI spoofing won't work.
- vitorsr5 hours ago
  Thanks for all impressive work on AdGuard.
  Any particular reason to adopt Rust for this project instead of Go as many of your other products?
  Because I think since you have quite extensive Go codebase I would imagine you had to rewrite possibly a significant amount of code.
  - rcoder3 hours ago
    Likewise interested in the authoritative answer, but: if I needed to write a decent chunk of code that had to run as close to wire/CPU limits as possible and run across popular mobile and desktop platforms I would 100% reach for Rust.
    Go has a lot of strengths, but embedding performance-critical code as a shared library in a mobile app isn't among them.
denkmoon4 hours ago
What makes this worth using over something like vless? Work blocked my gatcha game so I've had to set up a xray/vless/xhttp/tls proxy and it works flawlessly. Gets through the corp firewall unscathed at full bandwidth and no appreciable increase in latency.
- subscribed3 hours ago
  Could you please drop names/links to the magic sauce if there's anything more than the names mentioned?
  I need to open ssh myself and for now I decided on tunnelling over http/3 terminated somewhere in aws/gcp/cf, but maybe your method is better.
  - dfadsadsfan hour ago
    Just use Amnezia VPN - it can masquerade as https.
zx80805 hours ago
I'm surprised that the browser extension to block ads has a proprietary vpn-like protocol. WTF?
- ameshkov5 hours ago
  One interesting thing I’ve noticed is that AdGuard means different things in different parts of the world. In some places, people know us primarily as an ad blocker, in others we’re best known for our DNS service and in some regions AdGuard is associated almost exclusively with our VPN. The reality is that AdGuard makes several different products, not just one.
  - 0x1ch3 hours ago
    I'm an American. I knew about the VPN service, but mostly associate your brand with the DNS services and lists you provide (thank you!).
- jabroni_salad5 hours ago
  One of my first experiences with adguard was using it to block ads on an unrooted phone. It pipes your connection through a local vpn to do it.
huflungdung3 hours ago
[dead]
sillyfluke7 hours ago
It would be also nice if they could hold their implicit promise of having the AdGuard extension working on Safari iOS, it's broken for me even when I reinstal it. Anyone else have the same problem?
- ameshkov5 hours ago
  This is not a common issue tbh. What sometimes may happen is that after an iOS update the content blockers in Safari becomes corrupted and the only thing that fixes it is not just a reinstall, but uninstall + reboot + reinstall after that. If even this doesn’t help please contact me at “am at adguard.com”, I will try to help.
  - sillyfluke5 hours ago
    Thanks for the suggestion! I'll definitely try the uninstall-reboot-reinstall flow. I was about to switch browsers on all the elderly devices.