Wi-Fi calling issue with AdGuard (and other VPNs) and its solution #2550

@ameshkov

To date, we've had multiple complaints about Wi-Fi calling being incompatible with AdGuard. In this issue, I'll explain what's going on and how we can solve this.

How it works

Any Wi-Fi network is considered untrusted (compared to the provider's own network) so in order to transfer voice data, your phone must establish a secure encrypted tunnel with the provider's server called ePDG [1].

The tunnel is encrypted and uses IPSec, so basically this is another VPN. ePDG server discovery is simple: all ePDG server names look like epdg.epc.mnc%MNC%.mcc%MCC%.pub.3gppnetwork.org where %MNC% is your provider's Mobile Network Code, and %MCC% is its Mobile Country Code. You can find these values for your provider here: http://www.mcc-mnc.com/. Both values are padded with zeros to the length of 3.

Why is there a problem with AdGuard (or other VPNs)

Android cannot establish a tunnel with the ePDG when this connection is routed through a VPN. Presumably, it happens due to a bug in Android's IPSec client, and we should file a bug report about it. It shows connections as 0.0.0.0->ePDG IP instead of something like 192.168.11.x->ePDG IP (the socket is not bound to a proper local interface), and that's why it can send data to the tunnel, but it cannot receive it.

Example of a temporary solution (manual)

You can figure out what your ePDG server is and exclude it from the VPN. In this case, the tunnel connection won't be routed through a VPN, and you won't run into this issue.

In some cases (see #2432) it is not enough to exclude ePDG, and it's necessary to exclude the IPv6 range as well. I don't know why yet.

For instance, for Vodafone UK, MCC is 234, and MNC is either 15 or 91. Knowing this, we can figure out what IP addresses the ePDG servers have.

We should simply look up these two domains: epdg.epc.mnc015.mcc234.pub.3gppnetwork.org and epdg.epc.mnc091.mcc234.pub.3gppnetwork.org. Only the first one of them resolves, and the IP addresses are 88.82.11.221 and 88.82.11.208.

Once you have these addresses, do the following:

  1. Open AdGuard -> Go to Settings -> Advanced -> Low-level
  2. Find pref.ipv4.routes.excluded and tap on it
  3. Add two new lines there:
    88.82.11.221/32
    88.82.11.208/32
    
  4. ePDG tunnel should now be okay, and Wi-Fi calling should work

AdGuard solution

This section is for devs.

We are yet to figure out how to discover the current operator's ePDG server automatically. Once we know it, we can simply add its IP addresses to the excluded routes. The problem here is that I don't want us to ask for Telephony permission, that'd be too much for such a simple thing.

Another possible solution would be to exclude the UID that establishes the ePDG tunnel. It seems that it's done by /system/bin/eris (uid=1000).

Android bug

I've filed a bug report to Android devs:
https://issuetracker.google.com/issues/124415915
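
The manual lookup described under "Example of a temporary solution (manual)", as an added example that is not part of the original issue or of AdGuard's code: it builds the ePDG host name from MCC and MNC, resolves it, and prints host routes for pref.ipv4.routes.excluded. The function names are hypothetical, and it assumes you run it on a machine whose resolver returns the same answers your phone would get.

```python
import ipaddress
import socket

# Host name pattern from the issue; both codes are zero-padded to 3 digits.
EPDG_TEMPLATE = "epdg.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


def epdg_fqdn(mcc, mnc):
    """Build the ePDG host name for the given MCC and MNC."""
    padded = {}
    for name, value in (("mnc", mnc), ("mcc", mcc)):
        text = str(value).strip()
        if not (text.isascii() and text.isdigit() and len(text) <= 3):
            raise ValueError(f"{name.upper()} must be 1-3 digits, got {value!r}")
        padded[name] = text.zfill(3)
    return EPDG_TEMPLATE.format(**padded)


def resolve(fqdn):
    """Return the addresses the name resolves to, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_UDP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def host_routes(addresses):
    """Split addresses into de-duplicated, sorted IPv4 /32 and IPv6 /128 routes."""
    v4, v6 = set(), set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (v4 if ip.version == 4 else v6).add(ip)
    as_cidr = lambda ips: [f"{ip}/{ip.max_prefixlen}" for ip in sorted(ips)]
    return as_cidr(v4), as_cidr(v6)


if __name__ == "__main__":
    # Vodafone UK values from the issue: MCC 234, MNC 15 or 91.
    for mnc in (15, 91):
        name = epdg_fqdn(234, mnc)
        v4, v6 = host_routes(resolve(name))
        print(name if (v4 or v6) else f"{name} does not resolve")
        for route in v4:
            print("  add to pref.ipv4.routes.excluded:", route)
        for route in v6:
            print("  IPv6 address of the ePDG:", route)
```

Operators can change the addresses behind the ePDG name, so rerun the lookup if Wi-Fi calling stops working after the exclusion was added.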
