Doesn't work when nftables is enabled. #80

Closed
ghost opened this issue Apr 22, 2021 · 8 comments

Comments

@ghost

ghost commented Apr 22, 2021

logs

  2021-04-22T12:42:48.155Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2021-04-22T12:42:48.155Z INFO  vopono::util       > Calling sudo for elevated privileges, current user will be used as default user
 2021-04-22T12:42:48.155Z DEBUG vopono::util       > Args: ["vopono", "-v", "exec", "chromium"]
 2021-04-22T12:42:48.288Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2021-04-22T12:42:48.292Z DEBUG vopono::util       > Existing namespaces: []
 2021-04-22T12:42:48.293Z DEBUG vopono::exec       > vopono config.toml: configuration property "custom_config" not found
 2021-04-22T12:42:48.293Z DEBUG vopono::exec       > vopono config.toml: configuration property "postup" not found
 2021-04-22T12:42:48.293Z DEBUG vopono::exec       > vopono config.toml: configuration property "predown" not found
 2021-04-22T12:42:48.293Z DEBUG vopono::exec       > vopono config.toml: configuration property "user" not found
 2021-04-22T12:42:48.293Z DEBUG vopono::exec       > vopono config.toml: enum Protocol does not have variant constructor OpenVPN
 2021-04-22T12:42:48.293Z DEBUG vopono::network_interface > ip addr
 2021-04-22T12:42:48.297Z DEBUG vopono::exec              > Interface: wlan0
 2021-04-22T12:42:48.297Z INFO  vopono::util              > Chosen config: /home/bc7/.config/vopono/proton/openvpn/netherlands-nl-free.ovpn
 2021-04-22T12:42:48.301Z DEBUG vopono::util              > Existing namespaces: []
 2021-04-22T12:42:48.301Z DEBUG vopono::util              > ip netns add vopono_proton_netherlands-nl-free
 2021-04-22T12:42:48.307Z INFO  vopono::netns             > Created new network namespace: vopono_proton_netherlands-nl-free
 2021-04-22T12:42:48.312Z DEBUG vopono::util              > Existing interfaces:
 2021-04-22T12:42:48.314Z DEBUG vopono::util              > Assigned IPs: []
 2021-04-22T12:42:48.314Z DEBUG vopono::netns             > ip netns exec vopono_proton_netherlands-nl-free ip addr add 127.0.0.1/8 dev lo
 2021-04-22T12:42:48.321Z DEBUG vopono::netns             > ip netns exec vopono_proton_netherlands-nl-free ip link set lo up
 2021-04-22T12:42:48.327Z DEBUG vopono::veth_pair         > NetworkManager detected, adding proton_nether_d to unmanaged devices
 2021-04-22T12:42:48.328Z DEBUG vopono::util              > nmcli connection reload
 2021-04-22T12:42:48.347Z DEBUG vopono::util              > ip link add proton_nether_d type veth peer name proton_nether_s
 2021-04-22T12:42:48.353Z DEBUG vopono::util              > ip link set proton_nether_d up
 2021-04-22T12:42:48.356Z DEBUG vopono::util              > ip link set proton_nether_s netns vopono_proton_netherlands-nl-free up
 2021-04-22T12:42:48.374Z DEBUG vopono::util              > ip addr add 10.200.1.1/24 dev proton_nether_d
 2021-04-22T12:42:48.380Z DEBUG vopono::netns             > ip netns exec vopono_proton_netherlands-nl-free ip addr add 10.200.1.2/24 dev proton_nether_s
 2021-04-22T12:42:48.386Z DEBUG vopono::netns             > ip netns exec vopono_proton_netherlands-nl-free ip route add default via 10.200.1.1 dev proton_nether_s
 2021-04-22T12:42:48.390Z INFO  vopono::netns             > IP address of namespace as seen from host: 10.200.1.2
 2021-04-22T12:42:48.390Z INFO  vopono::netns             > IP address of host as seen from namespace: 10.200.1.1
 2021-04-22T12:42:48.390Z DEBUG vopono::util              > nft add table inet vopono_nat
 2021-04-22T12:42:48.394Z DEBUG vopono::util              > nft add chain inet vopono_nat postrouting { type nat hook postrouting priority 100 ; }
 2021-04-22T12:42:48.396Z DEBUG vopono::util              > nft add rule inet vopono_nat postrouting oifname wlan0 ip saddr 10.200.1.0/24 counter masquerade
 2021-04-22T12:42:48.399Z DEBUG vopono::util              > nft add table inet vopono_bridge
 2021-04-22T12:42:48.400Z DEBUG vopono::util              > nft add chain inet vopono_bridge forward { type filter hook forward priority -10 ; }
 2021-04-22T12:42:48.402Z DEBUG vopono::util              > nft add rule inet vopono_bridge forward iifname proton_nether_d oifname wlan0 counter accept
 2021-04-22T12:42:48.408Z DEBUG vopono::util              > nft add rule inet vopono_bridge forward oifname proton_nether_d iifname wlan0 counter accept
 2021-04-22T12:42:48.412Z DEBUG vopono::util              > sysctl -q net.ipv4.ip_forward=1
 2021-04-22T12:42:48.413Z DEBUG vopono::vpn               > Read auth file: /home/bc7/.config/vopono/proton/openvpn/auth.txt
 2021-04-22T12:42:48.413Z DEBUG vopono::dns_config        > Setting namespace vopono_proton_netherlands-nl-free DNS server to 8.8.8.8
 2021-04-22T12:42:48.414Z INFO  vopono::openvpn           > Launching OpenVPN...
 2021-04-22T12:42:48.414Z DEBUG vopono::openvpn           > Found remotes: [Remote { host: IPv4(190.2.138.15), port: 4569, protocol: UDP }, Remote { host: IPv4(190.2.138.15), port: 5060, protocol: UDP }, Remote { host: IPv4(190.2.138.15), port: 80, protocol: UDP }, Remote { host: IPv4(190.2.138.15), port: 443, protocol: UDP }, Remote { host: IPv4(190.2.138.15), port: 1194, protocol: UDP }]
 2021-04-22T12:42:48.414Z DEBUG vopono::netns             > ip netns exec vopono_proton_netherlands-nl-free openvpn --config /home/bc7/.config/vopono/proton/openvpn/netherlands-nl-free.ovpn --machine-readable-output --log /etc/netns/vopono_proton_netherlands-nl-free/openvpn.log --auth-user-pass /home/bc7/.config/vopono/proton/openvpn/auth.txt
 2021-04-22T12:42:48.426Z DEBUG vopono::openvpn           > "1619095368.426040 40 DEPRECATED OPTION: --cipher set to \'AES-256-CBC\' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add \'AES-256-CBC\' to --data-ciphers or change --cipher \'AES-256-CBC\' to --data-ciphers-fallback \'AES-256-CBC\' to silence this warning.\n"
 2021-04-22T12:42:48.426Z DEBUG vopono::openvpn           > "1619095368.426260 40 WARNING: file \'/home/bc7/.config/vopono/proton/openvpn/auth.txt\' is group or others accessible\n"
 2021-04-22T12:42:48.426Z DEBUG vopono::openvpn           > "1619095368.426273 1 OpenVPN 2.5.1 [git:makepkg/f186691b32e68362+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 24 2021\n"
 2021-04-22T12:42:48.426Z DEBUG vopono::openvpn           > "1619095368.426288 1 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10\n"
 2021-04-22T12:42:48.427Z DEBUG vopono::openvpn           > "1619095368.427074 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash \'SHA512\' for HMAC authentication\n"
 2021-04-22T12:42:48.427Z DEBUG vopono::openvpn           > "1619095368.427107 14000002 Incoming Control Channel Authentication: Using 512 bit message hash \'SHA512\' for HMAC authentication\n"
 2021-04-22T12:42:48.427Z DEBUG vopono::openvpn           > "1619095368.427242 1 TCP/UDP: Preserving recently used remote address: [AF_INET]190.2.138.15:80\n"
 2021-04-22T12:42:48.427Z DEBUG vopono::openvpn           > "1619095368.427267 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n"
 2021-04-22T12:42:48.427Z DEBUG vopono::openvpn           > "1619095368.427274 1 UDP link local: (not bound)\n"
 2021-04-22T12:42:48.427Z DEBUG vopono::openvpn           > "1619095368.427280 1 UDP link remote: [AF_INET]190.2.138.15:80\n"

config.toml

firewall = "NfTables"
provider = "ProtonVPN"
protocol = "OpenVPN"
server = "netherlands-nl-free"
@jamesmcm (Owner)

Does it work if you use the --no-killswitch option?

@ghost (Author)

ghost commented Apr 23, 2021

no

@ghost

ghost commented May 7, 2021

@blackCauldron7 Did you ever figure this out? I'm having the same issue. I have to force kill the process. I'm using firewalld as my main firewall. Was wondering if maybe adding firewalld support directly would help resolve this, but maybe I'll see if I need to start the nftables service. From my understanding though nftables doesn't need to be running because all it does is add a generic firewall.

@ghost

ghost commented May 7, 2021

Confirmed that the iptables or nftables services have to be started. This conflicts with the firewalld service on Arch. Please add a firewalld backend.

@ghost

ghost commented May 7, 2021

Guess I was wrong... changing firewalld backend to use iptables also allows this to work.

@jamesmcm (Owner)

jamesmcm commented May 8, 2021

Thanks, I use Arch as well so I'll try to take a look.

What are your firewalld settings btw?

@ghost

ghost commented May 9, 2021

@jamesmcm Was using the default settings with the FirewallBackend=nftables in /etc/firewalld.conf which is now the default. After I changed it to FirewallBackend=iptables and specified the firewall="IpTables" in ~/.config/vopono/config.toml everything started working correctly. Was wondering if you could add a new firewall="Firewalld" backend that uses firewall-cmd and maybe rich rules or --direct, if needed. Not sure why the nftables backend isn't working. Happy to help debug.
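The following is an added diagnostic helper, not vopono's own code and not posted by anyone in this thread. It serves two passages: the reporter's `-v` log above (it pulls the `nft add ...` commands out of those debug lines and rewrites them as a single declarative ruleset, so the NAT and forward rules vopono installs can be reviewed side by side), and this comment (it reads `FirewallBackend` from firewalld's config and `firewall` from vopono's `config.toml` and reports whether that pairing is the one described here as failing or as working). The log excerpt, firewalld.conf excerpt and config.toml below are constructed from values in the issue; the script does not run `nft` or touch the system.

```python
"""Added diagnostic helper (not vopono's code): summarise the nft commands in a
vopono -v log and compare the firewalld backend with vopono's firewall setting."""
import re
import shlex

# Constructed sample: the nft-related DEBUG lines from the report, plus one
# non-nft line to show that only "nft ..." commands are picked up.
SAMPLE_LOG = """\
 2021-04-22T12:42:48.386Z DEBUG vopono::netns > ip netns exec vopono_proton_netherlands-nl-free ip route add default via 10.200.1.1 dev proton_nether_s
 2021-04-22T12:42:48.390Z DEBUG vopono::util > nft add table inet vopono_nat
 2021-04-22T12:42:48.394Z DEBUG vopono::util > nft add chain inet vopono_nat postrouting { type nat hook postrouting priority 100 ; }
 2021-04-22T12:42:48.396Z DEBUG vopono::util > nft add rule inet vopono_nat postrouting oifname wlan0 ip saddr 10.200.1.0/24 counter masquerade
 2021-04-22T12:42:48.399Z DEBUG vopono::util > nft add table inet vopono_bridge
 2021-04-22T12:42:48.400Z DEBUG vopono::util > nft add chain inet vopono_bridge forward { type filter hook forward priority -10 ; }
 2021-04-22T12:42:48.402Z DEBUG vopono::util > nft add rule inet vopono_bridge forward iifname proton_nether_d oifname wlan0 counter accept
 2021-04-22T12:42:48.408Z DEBUG vopono::util > nft add rule inet vopono_bridge forward oifname proton_nether_d iifname wlan0 counter accept
"""

# Constructed excerpt of /etc/firewalld.conf with the default reported in the issue.
SAMPLE_FIREWALLD_CONF = """# firewalld configuration (constructed excerpt)
DefaultZone=public
FirewallBackend=nftables
"""

# The reporter's ~/.config/vopono/config.toml as posted.
SAMPLE_VOPONO_TOML = """firewall = "NfTables"
provider = "ProtonVPN"
protocol = "OpenVPN"
server = "netherlands-nl-free"
"""


def extract_nft_commands(log_text):
    """Return every 'nft ...' command that vopono logged, in order."""
    return [m.strip() for m in re.findall(r"> (nft .*)$", log_text, re.M)]


def summarise_nft(commands):
    """Group 'nft add table/chain/rule' commands as {family table: {chain: {...}}}."""
    tables = {}
    for cmd in commands:
        argv = shlex.split(cmd)
        if argv[:2] != ["nft", "add"] or len(argv) < 5:
            continue
        kind, family, table = argv[2], argv[3], argv[4]
        entry = tables.setdefault(f"{family} {table}", {})
        if kind == "chain":
            # "{ type nat hook postrouting priority 100 ; }" -> the bare hook spec
            spec = " ".join(argv[6:]).strip("{} ").rstrip(" ;").strip()
            entry[argv[5]] = {"spec": spec, "rules": []}
        elif kind == "rule":
            chain = entry.setdefault(argv[5], {"spec": "", "rules": []})
            chain["rules"].append(" ".join(argv[6:]))
    return tables


def render_ruleset(tables):
    """Render the summary in 'nft -f' file syntax for review."""
    out = []
    for name, chains in tables.items():
        out.append(f"table {name} {{")
        for chain, body in chains.items():
            out.append(f"    chain {chain} {{")
            if body["spec"]:
                out.append(f"        {body['spec']};")
            out.extend(f"        {rule}" for rule in body["rules"])
            out.append("    }")
        out.append("}")
    return "\n".join(out)


def firewalld_backend(conf_text):
    """Value of FirewallBackend= in firewalld.conf, or None if absent."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "FirewallBackend":
            return value.strip()
    return None


def vopono_firewall(toml_text):
    """Value of the top-level firewall = "..." key in vopono's config.toml."""
    m = re.search(r'^\s*firewall\s*=\s*"([^"]+)"', toml_text, re.M)
    return m.group(1) if m else None


def backend_check(conf_text, toml_text):
    """Compare the two settings against the combinations reported in issue #80."""
    fb, vf = firewalld_backend(conf_text), vopono_firewall(toml_text)
    if fb == "nftables" and vf == "NfTables":
        verdict = "combination reported failing in issue #80"
    elif fb == "iptables" and vf == "IpTables":
        verdict = "combination reported working in issue #80"
    else:
        verdict = "combination not covered by issue #80"
    return fb, vf, verdict


if __name__ == "__main__":
    print(render_ruleset(summarise_nft(extract_nft_commands(SAMPLE_LOG))))
    print(backend_check(SAMPLE_FIREWALLD_CONF, SAMPLE_VOPONO_TOML))
```

To use it on a real machine, replace the constructed strings with the contents of the saved `vopono -v` output, `/etc/firewalld.conf` and `~/.config/vopono/config.toml`; the rendered ruleset can then be compared with `nft list ruleset` to see whether the `vopono_nat` and `vopono_bridge` tables actually made it into the kernel alongside firewalld's own tables.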

@jamesmcm (Owner)

This is likely the same issue as #93 - this has been addressed in PR #101 so please test it if you can.

@ghost ghost closed this as completed Aug 13, 2021