jamesmcm / vopono

Run applications through VPN tunnels with temporary network namespaces
GNU General Public License v3.0
791 stars 44 forks

Need help to establish connection #147

Open kinoegit opened 2 years ago

kinoegit commented 2 years ago

Installation via yay build and Mullvad setup worked fine, but apps cannot connect to the internet. The default Mullvad VPN via the mullvad-app works well.

Operating System: Arch Linux
KDE Plasma Version: 5.24.4
KDE Frameworks Version: 5.92.0
Qt Version: 5.15.3
Kernel Version: 5.17.1-arch1-1 (64-bit)
NetworkManager

nftables not installed, ufw active

config.toml

firewall = "IpTables"
provider = "Mullvad"
protocol = "Wireguard"
server = "germany-de24"

Sorry for any German output:

vopono exec falkon

2022-04-12T10:24:56.212Z WARN  vopono > Could not parse PULSE_SERVER from pactl info output: Err(Could not parse pactl output!:
Server-Zeichenkette: /run/user/1000/pulse/native
Bibliotheks-Protokollversion: 35
Server-Protokollversion: 35
ist lokal: ja
Client-Index: 87
Tile-Größe: 65472
Name des Benutzers: xxxx
Rechnername: xxxx
Name des Servers: pulseaudio
Version des Servers: 15.0
Standard-Abtastwert-Angabe: s16le 2ch 44100Hz
Standard-Kanal-Zuordnung: front-left,front-right
Standard-Ziel: alsa_output.pci-0000_00_1f.3.analog-stereo
Standard-Quelle: alsa_output.pci-0000_00_1f.3.analog-stereo.monitor
Cookie: e802:77b7
)
 2022-04-12T10:24:56.212Z INFO  vopono::util > Calling sudo for elevated privileges, current user will be used as default user
...(sudo)
 2022-04-12T10:25:01.008Z WARN  vopono > Could not parse PULSE_SERVER from pactl info output: Err(Could not parse pactl output!:
)
 2022-04-12T10:25:01.012Z INFO  vopono::util > Chosen config: /home/kinoe/.config/vopono/mv/wireguard/germany-de24.conf
 2022-04-12T10:25:01.014Z INFO  vopono::netns > Created new network namespace: vopono_mv_germany-de24
STATE          CONNECTIVITY  WIFI-HW    WIFI       WWAN-HW    WWAN      
verbunden  vollständig         aktiviert      aktiviert   aktiviert         aktiviert 

 2022-04-12T10:25:01.104Z INFO  vopono::netns > IP address of namespace as seen from host: 10.200.1.2
 2022-04-12T10:25:01.104Z INFO  vopono::netns > IP address of host as seen from namespace: 10.200.1.1
 2022-04-12T10:25:01.170Z INFO  vopono::exec  > Application falkon launched in network namespace vopono_mv_germany-de24 with pid 118681
...(app=falkon output)

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
...
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether cc:f9:e4:35:5e:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.22/24 brd 192.168.178.255 scope global dynamic noprefixroute wlan0
       valid_lft 860185sec preferred_lft 860185sec
    inet6 2001:1a81:422a:1c00:dc46:6dfd:fd6b:9094/64 scope global dynamic noprefixroute 
       valid_lft 585sec preferred_lft 585sec
    inet6 fe80::75d1:67a8:d672:f220/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
...
8: wg-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.115.93.225/32 scope global wg-mullvad
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::34:5de0/128 scope global 
       valid_lft forever preferred_lft forever

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
...
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether cc:f9:e4:35:5e:58 brd ff:ff:ff:ff:ff:ff
...
8: wg-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none

ping 10.200.1.2

54 Pakete übertragen, 0 empfangen, 100% packet loss, time 53697ms

sudo iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_PRT  all  --  anywhere             anywhere            
MASQUERADE  all  --  10.200.1.0/24        anywhere            

Chain LIBVIRT_PRT (1 references)
target     prot opt source               destination         
RETURN     all  --  192.168.122.0/24     base-address.mcast.net/24 
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
RETURN     all  --  10.0.2.0/24          base-address.mcast.net/24 
RETURN     all  --  10.0.2.0/24          255.255.255.255     
MASQUERADE  tcp  --  10.0.2.0/24         !10.0.2.0/24          masq ports: 1024-65535
MASQUERADE  udp  --  10.0.2.0/24         !10.0.2.0/24          masq ports: 1024-65535
MASQUERADE  all  --  10.0.2.0/24         !10.0.2.0/24 

sudo ip netns exec vopono_mv_germany-de24 ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: mv_germany-de: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.66.143.155/32 scope global mv_germany-de
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::3:8f9a/128 scope global 
       valid_lft forever preferred_lft forever
15: mv_germany-de_s@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether be:9f:b2:ad:42:75 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.1.2/24 scope global mv_germany-de_s
       valid_lft forever preferred_lft forever
    inet6 fe80::bc9f:b2ff:fead:4275/64 scope link 
       valid_lft forever preferred_lft forever

sudo ip netns exec vopono_mv_germany-de24 ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: mv_germany-de: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none 
15: mv_germany-de_s@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether be:9f:b2:ad:42:75 brd ff:ff:ff:ff:ff:ff link-netnsid 0

sudo ip netns exec vopono_mv_germany-de24 iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             mark match ! 0xca6c ADDRTYPE match dst-type !LOCAL reject-with icmp-port-unreachable

sudo ip netns exec vopono_mv_germany-de24 ping 10.200.1.1

PING 10.200.1.1 (10.200.1.1) 56(84) Bytes an Daten.
Von 10.200.1.2 icmp_seq=1 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=2 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=3 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=4 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=5 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=6 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=7 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=8 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=9 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=10 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
^C
--- 10.200.1.1 ping-Statistik ---
10 Pakete übertragen, 0 empfangen, +10 Fehler, 100% packet loss, time 9130ms

sudo ip netns exec vopono_mv_germany-de24 ping 8.8.8.8

^CPING 8.8.8.8 (8.8.8.8) 56(84) Bytes an Daten.
--- 8.8.8.8 ping-Statistik ---
18 Pakete übertragen, 0 empfangen, 100% packet loss, time 17219ms
jamesmcm commented 2 years ago

Can you try it with ufw disabled? And also using --no-killswitch?

I can't see anything unusual in the iptables rules at least.

kinoegit commented 2 years ago

Thank you for answering that fast. I did try it with --no-killswitch and ufw disabled, unfortunately to no avail: no connection! Maybe the issue is caused by some process outside vopono. What other installation or config could interfere with vopono? Should I adjust iptables/ufw manually during the setup of vopono?

kinoegit commented 2 years ago

No idea?

Jayrgo commented 1 year ago

I think I have the same issue

$ ./vopono -v exec --protocol wireguard --custom * -k "sudo ping -c 1 -W 5 9.9.9.9"

 2023-04-19T16:03:25.668Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:25.674Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/***/pulse/native
 2023-04-19T16:03:25.674Z INFO  vopono_core::util             > Calling sudo for elevated privileges, current user will be used as default user
 2023-04-19T16:03:25.674Z DEBUG vopono_core::util             > Args: ["./vopono", "-v", "exec", "--protocol", "wireguard", "--custom", "***", "-k", "sudo ping -c 1 -W 5 9.9.9.9"]
 2023-04-19T16:03:25.868Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:25.874Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/***/pulse/native
 2023-04-19T16:03:25.874Z DEBUG vopono_core::util             > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:25.875Z DEBUG vopono_core::util             > Existing namespaces: []
 2023-04-19T16:03:25.875Z DEBUG vopono_core::util             > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:25.875Z DEBUG vopono_core::util             > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:25.875Z DEBUG vopono::exec                  > vopono config.toml: configuration property "firewall" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "custom_netns_name" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "open_hosts" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "allow_host_access" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "postup" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "predown" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "user" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "group" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "working-directory" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "dns" not found
 2023-04-19T16:03:25.876Z DEBUG vopono::exec                  > vopono config.toml: configuration property "interface" not found
 2023-04-19T16:03:25.876Z DEBUG vopono_core::network::network_interface > ip addr
 2023-04-19T16:03:25.877Z DEBUG vopono::exec                            > Interface: eth0
 2023-04-19T16:03:25.878Z DEBUG vopono_core::util                       > Existing namespaces: []
 2023-04-19T16:03:25.878Z DEBUG vopono_core::util                       > ip netns add vo_c_Lx2XkPk
 2023-04-19T16:03:25.880Z INFO  vopono_core::network::netns             > Created new network namespace: vo_c_Lx2XkPk
 2023-04-19T16:03:25.881Z DEBUG vopono_core::util                       > Existing interfaces: 
 2023-04-19T16:03:25.884Z DEBUG vopono_core::util                       > Assigned IPs: []
 2023-04-19T16:03:25.884Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip addr add 127.0.0.1/8 dev lo
 2023-04-19T16:03:25.886Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip link set lo up
STATE      CONNECTIVITY  WIFI-HW  WIFI       WWAN-HW  WWAN      
verbunden  vollständig   missing  aktiviert  missing  aktiviert 
 2023-04-19T16:03:25.903Z DEBUG vopono_core::network::veth_pair         > Detected NetworkManager running
 2023-04-19T16:03:25.903Z DEBUG vopono_core::network::veth_pair         > NetworkManager detected, adding vo_c_Lx2XkPk_d to unmanaged devices
 2023-04-19T16:03:25.903Z DEBUG vopono_core::network::veth_pair         > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
 2023-04-19T16:03:25.903Z DEBUG vopono_core::util                       > nmcli connection reload
 2023-04-19T16:03:25.916Z DEBUG vopono_core::network::veth_pair         > firewalld not detected running
 2023-04-19T16:03:25.916Z DEBUG vopono_core::util                       > ip link add vo_c_Lx2XkPk_d type veth peer name vo_c_Lx2XkPk_s
 2023-04-19T16:03:25.918Z DEBUG vopono_core::util                       > ip link set vo_c_Lx2XkPk_d up
 2023-04-19T16:03:25.919Z DEBUG vopono_core::util                       > ip link set vo_c_Lx2XkPk_s netns vo_c_Lx2XkPk up
 2023-04-19T16:03:25.956Z DEBUG vopono_core::util                       > ip addr add 10.200.1.1/24 dev vo_c_Lx2XkPk_d
 2023-04-19T16:03:25.957Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip addr add 10.200.1.2/24 dev vo_c_Lx2XkPk_s
 2023-04-19T16:03:25.959Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip route add default via 10.200.1.1 dev vo_c_Lx2XkPk_s
 2023-04-19T16:03:25.962Z INFO  vopono_core::network::netns             > IP address of namespace as seen from host: 10.200.1.2
 2023-04-19T16:03:25.962Z INFO  vopono_core::network::netns             > IP address of host as seen from namespace: 10.200.1.1
 2023-04-19T16:03:25.962Z DEBUG vopono_core::util                       > nft add table inet vopono_nat
 2023-04-19T16:03:25.965Z DEBUG vopono_core::util                       > nft add chain inet vopono_nat postrouting { type nat hook postrouting priority 100 ; }
 2023-04-19T16:03:25.967Z DEBUG vopono_core::util                       > nft add rule inet vopono_nat postrouting oifname eth0 ip saddr 10.200.1.0/24 counter masquerade
 2023-04-19T16:03:25.970Z DEBUG vopono_core::util                       > nft add table inet vopono_bridge
 2023-04-19T16:03:25.973Z DEBUG vopono_core::util                       > nft add chain inet vopono_bridge forward { type filter hook forward priority -10 ; }
 2023-04-19T16:03:25.975Z DEBUG vopono_core::util                       > nft add rule inet vopono_bridge forward iifname vo_c_Lx2XkPk_d oifname eth0 counter accept
 2023-04-19T16:03:25.978Z DEBUG vopono_core::util                       > nft add rule inet vopono_bridge forward oifname vo_c_Lx2XkPk_d iifname eth0 counter accept
 2023-04-19T16:03:25.981Z DEBUG vopono_core::util                       > sysctl -q net.ipv4.ip_forward=1
 2023-04-19T16:03:25.984Z DEBUG vopono_core::network::wireguard         > Deserializing: 10.2.0.1 to Vec<IpAddr>
 2023-04-19T16:03:25.984Z DEBUG vopono_core::network::wireguard         > TOML config: WireguardConfig { interface: WireguardInterface { private_key: "***", address: [10.2.0.2/32], dns: Some([10.2.0.1]) }, peer: WireguardPeer { public_key: "***", allowed_ips: [0.0.0.0/0], endpoint: ***:***, keepalive: None } }
 2023-04-19T16:03:25.984Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip link add vo_c_Lx2XkPk type wireguard
 2023-04-19T16:03:25.987Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk wg setconf vo_c_Lx2XkPk /tmp/vopono_nft.conf
 2023-04-19T16:03:25.988Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -4 address add 10.2.0.2/32 dev vo_c_Lx2XkPk
 2023-04-19T16:03:25.990Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip link set mtu 1420 up dev vo_c_Lx2XkPk
 2023-04-19T16:03:25.993Z DEBUG vopono_core::network::dns_config        > Setting namespace vo_c_Lx2XkPk DNS server to 10.2.0.1
 2023-04-19T16:03:25.997Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk wg set vo_c_Lx2XkPk fwmark 51820
 2023-04-19T16:03:25.999Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -4 route add 0.0.0.0/0 dev vo_c_Lx2XkPk table 51820
 2023-04-19T16:03:26.001Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -4 rule add not fwmark 51820 table 51820
 2023-04-19T16:03:26.003Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -4 rule add table main suppress_prefixlength 0
 2023-04-19T16:03:26.005Z DEBUG vopono_core::util                       > sysctl -q net.ipv4.conf.all.src_valid_mark=1
 2023-04-19T16:03:26.006Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -6 route add ::/0 dev vo_c_Lx2XkPk table 51820
RTNETLINK answers: Operation not supported
 2023-04-19T16:03:26.008Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -6 rule add not fwmark 51820 table 51820
Error: Rule family not supported.
 2023-04-19T16:03:26.010Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -6 rule add table main suppress_prefixlength 0
Error: Rule family not supported.
 2023-04-19T16:03:26.012Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk nft -f /tmp/vopono_nft.sh
 2023-04-19T16:03:26.015Z DEBUG vopono_core::network::wireguard         > Setting Wireguard killswitch....
 2023-04-19T16:03:26.015Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk nft add table inet vo_c_Lx2XkPk
 2023-04-19T16:03:26.017Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk nft add chain inet vo_c_Lx2XkPk output { type filter hook output priority -500 ; policy accept; }
 2023-04-19T16:03:26.020Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk nft add rule inet vo_c_Lx2XkPk output oifname != vo_c_Lx2XkPk mark != 51820 fib daddr type != local counter reject
 2023-04-19T16:03:26.023Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:26.023Z DEBUG vopono_core::network::netns             > Writing lockfile: /home/***/.config/vopono/locks/vo_c_Lx2XkPk
 2023-04-19T16:03:26.023Z DEBUG vopono_core::network::netns             > Lockfile written: /home/***/.config/vopono/locks/vo_c_Lx2XkPk/9793
 2023-04-19T16:03:26.023Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:03:26.070Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk sudo --preserve-env --user mario sudo ping -c 1 -W 5 9.9.9.9
 2023-04-19T16:03:26.070Z INFO  vopono::exec                            > Application sudo ping -c 1 -W 5 9.9.9.9 launched in network namespace vo_c_Lx2XkPk with pid 9923
PING 9.9.9.9 (9.9.9.9) 56(84) Bytes an Daten.

--- 9.9.9.9 ping-Statistik ---
1 Pakete übertragen, 0 empfangen, 100% packet loss, time 0ms

 2023-04-19T16:03:31.423Z INFO  vopono::exec                            > Keep-alive flag active - will leave network namespace alive until ctrl+C received
^C 2023-04-19T16:06:19.844Z INFO  vopono::exec                            > SIGINT received, terminating...
thread '<unnamed>' panicked at 'internal error: entered unreachable code: Because of the blocking has_signals method the poll_signal method never returns Poll::Pending but blocks until a signal arrived', /home/***/.cargo/registry/src/github.com-1ecc6299db9ec823/signal-hook-0.3.15/src/iterator/mod.rs:308:36
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Any { .. }', src/exec.rs:639:19
 2023-04-19T16:06:19.844Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:06:19.844Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:06:19.845Z INFO  vopono_core::network::netns             > Shutting down vopono namespace - as there are no processes left running inside
 2023-04-19T16:06:19.845Z DEBUG vopono_core::util                       > ip link delete vo_c_Lx2XkPk_d
 2023-04-19T16:06:19.869Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:06:19.869Z DEBUG vopono_core::util                       > nmcli connection reload
 2023-04-19T16:06:19.881Z DEBUG vopono_core::util                       > ip netns exec vo_c_Lx2XkPk ip link del vo_c_Lx2XkPk
 2023-04-19T16:06:20.046Z DEBUG vopono_core::util                       > ip netns exec vo_c_Lx2XkPk nft delete table inet vo_c_Lx2XkPk
 2023-04-19T16:06:20.049Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:06:20.049Z DEBUG vopono_core::network::host_masquerade   > Remaining namespaces: Ok({})
 2023-04-19T16:06:20.049Z DEBUG vopono_core::util                       > nft delete table inet vopono_nat
 2023-04-19T16:06:20.073Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/***/.config
 2023-04-19T16:06:20.073Z DEBUG vopono_core::network::host_masquerade   > Remaining namespaces: Ok({})
 2023-04-19T16:06:20.073Z DEBUG vopono_core::util                       > nft delete table inet vopono_bridge
 2023-04-19T16:06:20.099Z DEBUG vopono_core::util                       > ip netns delete vo_c_Lx2XkPk

$ ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether *** brd ff:ff:ff:ff:ff:ff
    inet ***/*** brd *** scope global dynamic noprefixroute eth0
       valid_lft 171862sec preferred_lft 171862sec
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether *** brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
15: vo_c_Lx2XkPk_d@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ae:60:f7:69:57:df brd ff:ff:ff:ff:ff:ff link-netns vo_c_Lx2XkPk
    inet 10.200.1.1/24 scope global vo_c_Lx2XkPk_d
       valid_lft forever preferred_lft forever

$ ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether *** brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether *** brd ff:ff:ff:ff:ff:ff
15: vo_c_Lx2XkPk_d@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether ae:60:f7:69:57:df brd ff:ff:ff:ff:ff:ff link-netns vo_c_Lx2XkPk

$ ping -c 3 10.200.1.2

PING 10.200.1.2 (10.200.1.2) 56(84) Bytes an Daten.

--- 10.200.1.2 ping-Statistik ---
3 Pakete übertragen, 0 empfangen, 100% packet loss, time 2019ms

$ sudo nft list tables

table inet filter
table ip nat
table ip filter
table inet vopono_nat
table inet vopono_bridge

$ sudo nft list table nat

table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
        }
}

$ sudo iptables-legacy -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

$ sudo ip netns exec vo_c_Lx2XkPk ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: vo_c_Lx2XkPk: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.2.0.2/32 scope global vo_c_Lx2XkPk
       valid_lft forever preferred_lft forever
14: vo_c_Lx2XkPk_s@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 62:fc:49:bc:bd:be brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.1.2/24 scope global vo_c_Lx2XkPk_s
       valid_lft forever preferred_lft forever

$ sudo ip netns exec vo_c_Lx2XkPk ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: vo_c_Lx2XkPk: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none 
14: vo_c_Lx2XkPk_s@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 62:fc:49:bc:bd:be brd ff:ff:ff:ff:ff:ff link-netnsid 0

$ sudo ip netns exec vo_c_Lx2XkPk nft list tables

table inet vo_c_Lx2XkPk

$ sudo ip netns exec vo_c_Lx2XkPk nft list table inet vo_c_Lx2XkPk

table inet vo_c_Lx2XkPk {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "vo_c_Lx2XkPk" ip daddr 10.2.0.2 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }

        chain output {
                type filter hook output priority -500; policy accept;
                oifname != "vo_c_Lx2XkPk" meta mark != 0x0000ca6c fib daddr type != local counter packets 5 bytes 420 reject
        }
}

$ sudo ip netns exec vo_c_Lx2XkPk iptables-legacy -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ sudo ip netns exec vo_c_Lx2XkPk ping -c 3 10.200.1.1

PING 10.200.1.1 (10.200.1.1) 56(84) Bytes an Daten.
Von 10.200.1.2 icmp_seq=1 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=2 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt
Von 10.200.1.2 icmp_seq=3 Zielport nicht erreichbar
ping: sendmsg: Die Operation ist nicht erlaubt

--- 10.200.1.1 ping-Statistik ---
3 Pakete übertragen, 0 empfangen, +3 Fehler, 100% packet loss, time 2037ms

$ sudo ip netns exec vo_c_Lx2XkPk ping -c 3 9.9.9.9

PING 9.9.9.9 (9.9.9.9) 56(84) Bytes an Daten.

--- 9.9.9.9 ping-Statistik ---
3 Pakete übertragen, 0 empfangen, 100% packet loss, time 2014ms

$ sudo ip netns exec vo_c_Lx2XkPk wg

interface: vo_c_Lx2XkPk
  public key: ***
  private key: (hidden)
  listening port: ***
  fwmark: 0xca6c

peer: ***
  endpoint: ***:***
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 3.61 KiB sent
jamesmcm commented 1 year ago

It looks like the issue there is:

 2023-04-19T16:03:26.006Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -6 route add ::/0 dev vo_c_Lx2XkPk table 51820
RTNETLINK answers: Operation not supported
 2023-04-19T16:03:26.008Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -6 rule add not fwmark 51820 table 51820
Error: Rule family not supported.
 2023-04-19T16:03:26.010Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_Lx2XkPk ip -6 rule add table main suppress_prefixlength 0
Error: Rule family not supported.

Does it work if you try without ipv6? Try with the --disable-ipv6 flag

Jayrgo commented 1 year ago

I tried and it doesn't work, only the errors are gone. The ipv6 errors are because I disabled it.

jamesmcm commented 1 year ago

Maybe try with iptables instead of nftables, and without the killswitch:

$ vopono exec -v --disable-killswitch --firewall IpTables ...

And check there's no ufw, or other iptables rules interfering, etc.

Jayrgo commented 1 year ago

It was a wrong configuration of nftables. All forwarded packets dropped: type filter hook forward priority filter; policy drop;

I added two rules and it works now:

nft add rule inet <table> <chain> iifname "eth0" ip daddr 10.200.1.2 accept
nft add rule inet <table> <chain> oifname "eth0" ip saddr 10.200.1.2 accept
jamesmcm commented 1 year ago

Thanks, do you know what created the default drop rule and in which table?

As if it's a common configuration we could try to detect it and set / unset it when we set the firewall rules.

Jayrgo commented 1 year ago

I created the rule. It was from an example for workstations.

punishedJib commented 7 months ago

Hi, on Arch nftables comes by default with a simple firewall configuration in /etc/nftables.conf: https://wiki.archlinux.org/title/Nftables#Simple_firewall Adding what was already said in the thread to the forward chain like this:

chain forward {
    type filter hook forward priority filter; policy drop;
    iifname "enp9s0" ip daddr 10.200.1.2 accept
    oifname "enp9s0" ip saddr 10.200.1.2 accept
}

solves the issue.

Edit: These rules won't let you use multiple vopono instances; I managed to get them working using a mask like this:

chain forward {
    type filter hook forward priority filter; policy drop;
    iifname "enp9s0" ip daddr 10.200.0.2/16 accept
    oifname "enp9s0" ip saddr 10.200.0.2/16 accept
}
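An added diagnostic for the root cause found in this thread (an example script, not vopono's own code and not posted by anyone above): it parses an `nft list ruleset` dump, reports whether a forward chain with `policy drop` explicitly accepts traffic to and from the 10.200.x.x veth range vopono uses, and prints the two accept rules in the form Jayrgo and punishedJib used. The interface name enp9s0, the table and chain names, and the three sample rulesets are constructed assumptions.

```shell
#!/bin/sh
# Added example, not vopono's code: check an `nft list ruleset` dump for the
# failure mode in this thread (a forward chain with policy drop and no accept
# rules for the vopono veth subnet) and emit the rules that unblock it.

# Constructed sample 1: Arch "simple firewall" style ruleset with the broken
# forward chain from the thread (everything forwarded is dropped).
SAMPLE_BROKEN='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}'

# Constructed sample 2: the same chain after adding the two accept rules
# (a /16 so that several vopono namespaces work, as in the last comment).
SAMPLE_FIXED='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "enp9s0" ip daddr 10.200.0.0/16 accept
        oifname "enp9s0" ip saddr 10.200.0.0/16 accept
    }
}'

# Constructed sample 3: a forward chain that never drops; vopono's own
# vopono_bridge accept rules are sufficient here.
SAMPLE_NO_DROP='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}'

# forward_chain_verdict RULESET [PREFIX]
# Prints "no-drop-policy", "allowed" or "blocked". The chain counts as
# "allowed" only if it has explicit accept rules for traffic to (daddr) and
# from (saddr) addresses starting with PREFIX (default 10.200., vopono's
# veth range). Other accept rules (e.g. ct state) are ignored, so the check
# may still say "blocked" when a broader accept rule already covers the subnet.
forward_chain_verdict() {
    prefix="${2:-10.200.}"
    printf '%s\n' "$1" | awk -v pfx="$prefix" '
        /^[ \t]*chain / { in_chain = 1; is_fwd = 0; next }
        in_chain && /type filter hook forward/ {
            is_fwd = 1
            if ($0 ~ /policy drop/) drop_fwd = 1
            next
        }
        in_chain && is_fwd && /accept/ && index($0, pfx) > 0 {
            if ($0 ~ /daddr/) to_ns = 1
            if ($0 ~ /saddr/) from_ns = 1
        }
        /^[ \t]*}/ { in_chain = 0; is_fwd = 0 }
        END {
            if (!drop_fwd)             print "no-drop-policy"
            else if (to_ns && from_ns) print "allowed"
            else                       print "blocked"
        }'
}

# forward_fix_commands TABLE CHAIN UPLINK SUBNET
# Prints (does not run) the two nft commands from the thread, parameterised.
forward_fix_commands() {
    printf 'nft add rule inet %s %s iifname "%s" ip daddr %s accept\n' "$1" "$2" "$3" "$4"
    printf 'nft add rule inet %s %s oifname "%s" ip saddr %s accept\n' "$1" "$2" "$3" "$4"
}

# Stand-alone use: `sh check.sh` reports on the constructed sample,
# `sh check.sh --live` reads the real ruleset (needs root).
if [ "${1:-}" = "--live" ]; then
    ruleset=$(nft list ruleset)
else
    ruleset=$SAMPLE_BROKEN
fi
verdict=$(forward_chain_verdict "$ruleset")
echo "forward chain verdict: $verdict"
if [ "$verdict" = "blocked" ]; then
    echo "rules to add (adjust table, chain and uplink interface to your setup):"
    forward_fix_commands filter forward enp9s0 10.200.0.0/16
fi
```

The `--live` mode only reads the ruleset; the printed rules are meant to be reviewed and then added to /etc/nftables.conf so they survive a reload.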