evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

NordVPN not connecting when Opensnitch enabled #685

Closed cypherbits closed 2 years ago

cypherbits commented 2 years ago

NordVPN not connecting when Opensnitch enabled. Version v1.6.0-rc.1 Ubuntu 22.04 with kernel 5.15. No suspicious blocking rule. MullvadVPN worked with OpenVPN and Wireguard. NordVPN uses some sort of Wireguard (they say NordLynx).

gustavo-iniguez-goya commented 2 years ago

hi @cypherbits ,

Could you provide a little bit more information?

The v1.6.0rc1 may have some regressions, but I tested it with Mullvad and it worked fine, so maybe NordVPN does something different.

Henshall commented 2 years ago

I have the same problem. Opensnitch does not pick up nordvpn normally to intercept it (sometimes it does). When it does intercept and I allow it, it still does not allow a nordvpn connection... not sure why.

My /sys/kernel/debug/tracing/kprobe_events shows:

p:kprobes/ptcp_v4_connect tcp_v4_connect
r64:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
r64:kprobes/rtcp_v6_connect tcp_v6_connect
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg

This still happens when I have ufw disabled, as well as when I delete all of the opensnitch rules and attempt to start with a fresh set of rules.

cypherbits commented 2 years ago

Actually my problem was because I hardened my system a little, disabling debugfs. I had to enable it again for Opensnitch to work. It would be great if Opensnitch worked with this disabled, if that is possible.

gustavo-iniguez-goya commented 2 years ago

hey @Henshall ,

My /sys/kernel/debug/tracing/kprobe_events shows:

p:kprobes/ptcp_v4_connect tcp_v4_connect
r64:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
r64:kprobes/rtcp_v6_connect tcp_v6_connect
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg

What kernel and distro are you using? There's one hook missing: p:kprobes/piptunnel_xmit iptunnel_xmit

# grep tunnel /sys/kernel/debug/tracing/available_events 
kprobes:piptunnel_xmit

Could you also check [x] Debug invalid connections under Preferences->Nodes and try it again? It should prompt you to allow an "outgoing connection".
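
The check discussed in the comments above, as an added example that is not part of the original thread or the project's code: it compares a kprobe_events dump against the hook names quoted in this thread and prints the ones that are absent. The function names and the EXPECTED_HOOKS list are assumptions built from those quoted outputs; other OpenSnitch versions may register a different set.

```shell
#!/bin/sh
# Hook names copied from the kprobe_events outputs quoted in this thread
# (assumption: other OpenSnitch versions may register a different set).
EXPECTED_HOOKS="ptcp_v4_connect rtcp_v4_connect ptcp_v6_connect rtcp_v6_connect pudp_sendmsg pudpv6_sendmsg piptunnel_xmit"

# missing_hooks FILE: print every expected hook that FILE does not register.
# Returns 0 if all are present, 1 if any is missing, 2 if FILE is unreadable
# (for example when debugfs is disabled or not mounted).
missing_hooks() {
    events_file=$1
    if [ ! -r "$events_file" ]; then
        echo "cannot read $events_file (debugfs disabled?)" >&2
        return 2
    fi
    status=0
    for hook in $EXPECTED_HOOKS; do
        # Entries look like "p:kprobes/NAME SYMBOL" or "r64:kprobes/NAME SYMBOL".
        if ! grep -Eq "^[pr][0-9]*:kprobes/${hook}( |\$)" "$events_file"; then
            echo "$hook"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the six entries posted in the thread, one per line.
sample_events() {
    cat <<'EOF'
p:kprobes/ptcp_v4_connect tcp_v4_connect
r64:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
r64:kprobes/rtcp_v6_connect tcp_v6_connect
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
EOF
}

# demo: run the check over the constructed sample; prints the missing hook.
demo() {
    tmp=$(mktemp)
    sample_events > "$tmp"
    missing_hooks "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Pass a path (e.g. /sys/kernel/debug/tracing/kprobe_events, as root) to check a live system.
if [ "$#" -gt 0 ]; then missing_hooks "$1"; fi
```
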

Henshall commented 2 years ago

@gustavo-iniguez-goya

Yes! that worked right away. Thank you!!!!

Selecting 'debug invalid connections' fixed the problem right away.

In case anyone has the same problem - I have kernel version: 5.19.0-051900-generic, and I'm running Kubuntu.

Thanks!

gustavo-iniguez-goya commented 2 years ago

The remaining question is why your kernel doesn't have the iptunnel_xmit function. It hasn't been removed in the 5.19.x series: https://elixir.bootlin.com/linux/v5.19/source/include/net/ip_tunnels.h#L427

Could you execute this command and tell me if it outputs anything?

$ objdump -h /etc/opensnitchd/opensnitch.o | grep tunnel

Also get the checksum of the module: md5sum /etc/opensnitchd/opensnitch.o

btw, what opensnitch version are you using? I think you could be using an old ebpf module, but it's a little bit strange.

And what architecture is your system? x86_64, i386, arm64,...?

Henshall commented 2 years ago

hello! thanks for bearing with me regarding the reply. I appreciate your help @gustavo-iniguez-goya :)

objdump -h /etc/opensnitchd/opensnitch.o | grep tunnel ----> (shows nothing)

md5sum /etc/opensnitchd/opensnitch.o ----> 5014f8c550fb02b53c18e41c5225dc5c /etc/opensnitchd/opensnitch.o

uname -m ----> x86_64

I am using opensnitch 1.4.0 (shows in lower right corner of gui)

Basically I just got a new computer, installed Kubuntu, installed the new 5.19.0-051900-generic kernel and then replaced the graphics card/RAM/SSD with better models. I ran the dd command to clone data to the new drive exactly as it was. Other than that it's a fresh install. Thanks!

gustavo-iniguez-goya commented 2 years ago

thank you for the info @Henshall :)

----> 5014f8c550fb02b53c18e41c5225dc5c /etc/opensnitchd/opensnitch.o

That's the module from an old version, it doesn't have support for VPNs.

You can get latest module from the deb package: https://github.com/evilsocket/opensnitch/releases/download/v1.5.2/opensnitch_1.5.2-1_amd64.deb

backup your existing module:

$ sudo cp /etc/opensnitchd/opensnitch.o /etc/opensnitchd/opensnitch.o-0.1

extract and copy the new module:

$ dpkg -x opensnitch_1.5.2-1_amd64.deb latest
$ sudo service opensnitch stop
$ sudo cp latest/etc/opensnitchd/opensnitch.o /etc/opensnitchd/opensnitch.o
$ sudo service opensnitch start

Probably you'll be prompted to allow the VPN connection again.

Henshall commented 2 years ago

oh okay great - I just upgraded. Thanks!

cypherbits commented 1 year ago

Hello, upgraded from 1.6.0rc2 to rc3 and this is happening again. Same settings as OP:

gustavo-iniguez-goya commented 1 year ago

Hi @cypherbits ,

The distributed modules with v1.6.0rc3 are compiled against kernel 5.19. You need the ones compiled against 5.8, get them from here: https://github.com/evilsocket/opensnitch/suites/9801387740/artifacts/471534790

Direct link: https://github.com/evilsocket/opensnitch/suites/9801387740/artifacts/471534790

copy the modules to /usr/lib/opensnitchd/ebpf/

cypherbits commented 1 year ago

Tried that. It is not asking me anything. On the System rules you can enable the "Exclude WireGuard VPN from being intercepted" and it connects fine without asking. Disable the rule and it cannot connect but it doesn't ask.