http/3 traffic scanning issue with WireGuard protocol, ProtonVpn


Go to solution Solved by Marcos,

I have a problem with ProtonVPN using the WireGuard protocol. I'm on ESS Premium v17.1.9, and I can confirm that HTTP/3 traffic scanning interferes with the ProtonVPN WireGuard service, causing the 0xC00000E5 error "Access is denied", so the service can't create/launch the WireGuard tunnel.

Device SWD\WireGuard{EAB2262D-9AB1-5975-7D92-334D06F4972B} failed to start.

Driver name: oem32.inf
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Service: WireGuard
Lower filters:
Upper filters:
Problem: 0x0
Problem status: 0xC00000E5

I don't want to put my system at risk by disabling http/3 traffic scanning, what are the options in this case?

Edited by molojavy
Misspellings

  • Administrators

1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics)
2, Start capturing the network communication with Wireshark
3, Reproduce the issue
4, Stop logging and save the Wireshark log.
5, Collect logs with ESET Log Collector
6, Supply us with both ELC and Wireshark logs for perusal.


13 minutes ago, Marcos said:

1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics)
2, Start capturing the network communication with Wireshark
3, Reproduce the issue
4, Stop logging and save the Wireshark log.
5, Collect logs with ESET Log Collector
6, Supply us with both ESET Log Collector and Wireshark logs for perusal.

Sure, I can provide you with the requested logs tomorrow. I'll also provide you with a screen capture taken while reproducing the problem.


18 hours ago, Marcos said:

1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics)
2, Start capturing the network communication with Wireshark
3, Reproduce the issue
4, Stop logging and save the Wireshark log.
5, Collect logs with ESET Log Collector
6, Supply us with both ESET Log Collector and Wireshark logs for perusal.

I'm a bit confused, which network should I capture with Wireshark if the WireGuard tunnel is failing to start?


Posted (edited)
18 hours ago, Marcos said:

1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics)
2, Start capturing the network communication with Wireshark
3, Reproduce the issue
4, Stop logging and save the Wireshark log.
5, Collect logs with ESET Log Collector
6, Supply us with both ESET Log Collector and Wireshark logs for perusal.

The suggested sequence of actions cannot be executed because, if HTTP/3 traffic scanning is enabled, it prevents the WireGuard tunnel from starting and, consequently, from being captured in Wireshark. Therefore, steps 2 and 4 are impossible to complete.

Edited by molojavy

19 hours ago, Marcos said:

1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics)
2, Start capturing the network communication with Wireshark
3, Reproduce the issue
4, Stop logging and save the Wireshark log.
5, Collect logs with ESET Log Collector
6, Supply us with both ESET Log Collector and Wireshark logs for perusal.

As previously mentioned, I am unable to provide Wireshark data due to the failure of the WireGuard tunnel to start when http/3 traffic scanning is enabled.

In lieu of Wireshark logs, I am presenting logs from ESET Log Collector and a video demonstrating the involvement of the HTTP/3 traffic scanning feature in the malfunction of the WireGuard tunnel, specifically the inability to initiate the WireGuard tunnel:

Device SWD\WireGuard{EAB2262D-9AB1-5975-7D92-334D06F4972B} failed to start.

Driver name: oem32.inf
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Service: WireGuard
Lower filters:
Upper filters:
Problem: 0x0
Problem status: 0xC00000E5

essp_logs.zip


  • Administrators

Are you still having issues today? Have you recently rebooted or turned off/on the machine?


I'm still having the issue.

Yes, recently I've rebooted my machine, and I've shut it down with cmd...


  • Administrators

In that case I assume that the issue won't go away after turning off HTTP/3 network traffic filtering. Could you confirm? Did it use to work with v17.0.16?


The thing is, if I disable HTTP/3 traffic scanning, the WireGuard tunnel is working just fine, as it should.

But I don't want to lower my security standards to have it functioning.

That's why I've asked if there are any updates on this matter...

P.S. I can confirm that it stopped working on 17.1.9.0


Besides, I'm not the only person having this issue, so I was thinking that somebody is gonna give me some update after a week...


  • Administrators
22 minutes ago, molojavy said:

The thing is, if I disable HTTP/3 traffic scanning, the WireGuard tunnel is working just fine, as it should.

When did you test it? It should have no effect on the issue unless you made the test days ago.


1 minute ago, Marcos said:

When did you test it? It should have no effect on the issue unless you made the test days ago.

I've tested it a couple of minutes ago! And the issue is still present.

My English is not perfect, but if I say, that I'm still having the issue, is it so hard to understand?

And besides, why is it no problem any more?! There was no version update, there is no statement about a fix from Eset.


Posted (edited)

You've asked me to provide logs, I did it, in addition I've provided you a video.

According to the Eset Forum, the logs are downloaded 0 times.

And after I asked for an update on my matter, I get weird answers with no explanations and assumptions that I've tested this issue a long time ago.

It's very bad practice to answer your customers like that...

Edited by molojavy

  • Administrators

The logs were most likely created at the time when the issue could occur so they are not useful at this point. Hence I asked if you had been experiencing the issue recently (ie. in the last 4-5 days).

Turning on or off HTTP/3 traffic filtering has no effect on network communication currently.


11 minutes ago, Marcos said:

The logs were most likely created at the time when the issue could occur so they are not useful at this point. Hence I asked if you had been experiencing the issue recently (ie. in the last 4-5 days).

Turning on or off HTTP/3 traffic filtering has no effect on network communication currently.

I've posted the logs on the next day you asked for, it was last Tuesday, and they were useless? Weird thing...

You've asked me about today, and I gave my answer, then you wrote:

"It should have no effect on the issue unless you made the test days ago."

Still I'm not having the answer on my matter.

Should I consult myself or what?


Posted (edited)
18 minutes ago, Marcos said:

The logs were most likely created at the time when the issue could occur so they are not useful at this point. Hence I asked if you had been experiencing the issue recently (ie. in the last 4-5 days).

Turning on or off HTTP/3 traffic filtering has no effect on network communication currently.

It's affecting the WireGuard tunnel!!!! Watch the video! And I've tested it today, which means CURRENTLY.

Edited by molojavy

It appears the HTTP/3 issue is with WireGuard per your prior posting: https://forum.eset.com/topic/40688-heavy-bug-in-version-17190-internet-security/?do=findComment&comment=182878 . Based on this:

Quote

TCP Mode

WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw.

https://www.wireguard.com/known-limitations/

It appears WireGuard is exclusively UDP based as is HTTP/3 QUIC.

Edited by itman

  • Administrators

A developer would like to check a manually generated dump of ekrn.exe when HTTP/3 checking is enabled in the GUI.

Please open the advanced setup, navigate to Tools -> Diagnostics. Make sure that "full dump" is selected in the drop-down menu and click "Create". Then provide the dump created in C:\ProgramData\ESET\ESET Security\Diagnostics zipped in an archive.


11 minutes ago, Marcos said:

A developer would like to check a manually generated dump of ekrn.exe when HTTP/3 checking is enabled in the GUI.

Please open the advanced setup, navigate to Tools -> Diagnostics. Make sure that "full dump" is selected in the drop-down menu and click "Create". Then provide the dump created in C:\ProgramData\ESET\ESET Security\Diagnostics zipped in an archive.

May I provide it from Google Drive? The archive size exceeds the forum limitations.


  • Administrators
  • Solution

The system has not been restarted in the last 7 days. Restarting it should fix the issue.


4 minutes ago, Marcos said:

The system has not been restarted in the last 7 days. Restarting it should fix the issue.

That helped, thank you.

I need to dig in my system, because I've restarted the system today, but the system dump showed that it was 7 days ago...

So there is some bug on my side.

Thanks for your time and assistance.


51 minutes ago, molojavy said:

I need to dig in my system, because I've restarted the system today, but the system dump showed that it was 7 days ago...

Do you have Win10/11 fast startup enabled?


Posted (edited)
6 minutes ago, itman said:

Do you have Win10/11 fast startup enabled?

Yes, Win11 with fast startup, but I've restarted with a cmd command...

And now I'm curious, what could go wrong...

But it's another problem for another day and another forum. I assume that the kind people from Eset are tired of my incompetence😂

Edited by molojavy
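
One way to check the two things the last posts turn on, when Windows last did a full boot and whether fast startup is enabled (an added example, not part of the thread and not ESET tooling; the function name `Get-BootDiagnostics` is made up here, and the script assumes the first property of Kernel-Boot event 27 is the boot type):

```powershell
# Added example: check whether Windows really did a full boot recently.
# Get-BootDiagnostics is a hypothetical name used only in this example.
function Get-BootDiagnostics {
    param([int]$MaxEvents = 10)

    # Last full kernel boot as reported through CIM/WMI.
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime

    # Fast startup switch: HiberbootEnabled = 1 means a normal "Shut down"
    # hibernates the kernel session instead of ending it.
    $powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
                    -ErrorAction SilentlyContinue).HiberbootEnabled

    # Kernel-Boot event 27 logs the boot type of every start
    # (assumption: the first event property carries the boot type code).
    $bootTypes = @{ 0 = 'Full boot'; 1 = 'Fast startup (hybrid boot)'; 2 = 'Resume from hibernation' }
    $filter    = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 27 }
    $starts = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $code = [int]$_.Properties[0].Value
            $name = $bootTypes[$code]
            if (-not $name) { $name = "Unknown (0x{0:X})" -f $code }
            [pscustomobject]@{ Time = $_.TimeCreated; BootType = $name }
        })

    [pscustomobject]@{
        LastFullBoot       = $os.LastBootUpTime
        UptimeDays         = [math]::Round($uptime.TotalDays, 1)
        FastStartupEnabled = ($hiberboot -eq 1)
        LastStartType      = if ($starts.Count) { $starts[0].BootType } else { 'No event 27 found' }
        RecentStarts       = $starts
    }
}

$diag = Get-BootDiagnostics
$diag | Format-List LastFullBoot, UptimeDays, FastStartupEnabled, LastStartType
$diag.RecentStarts | Format-Table -AutoSize

# A long uptime together with a non-full last start means the kernel session
# (including loaded drivers) has been carried across power-offs.
if ($diag.UptimeDays -ge 1 -and $diag.LastStartType -ne 'Full boot') {
    Write-Warning "No full boot for $($diag.UptimeDays) days; use Restart or 'shutdown /r /t 0'."
}
```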