jamesmcm / vopono

Run applications through VPN tunnels with temporary network namespaces
GNU General Public License v3.0

How to make Vopono work with UFW (iptables) firewall? #223

Closed adamnejm closed 1 year ago

adamnejm commented 1 year ago

The application works great with the UFW (iptables backend) firewall completely disabled:

  1. ufw disable
  2. systemctl disable ufw.service
  3. The iptables and ip6tables services are already disabled, as UFW requires
  4. Reboot (doesn't work unless I do)

However, when I turn UFW on it doesn't work, even if the default policies are Allow for both Incoming and Outgoing connections. I do not have any custom rules added.
I was using the latest stable release 0.10.6 during the tests (also tried latest master build, but it made no difference).
The sync was done with all the default settings for Mullvad.

What I tried so far:

  1. Switching from NetworkManager to systemd-networkd and systemd-resolved
  2. Switching from iptables to nftables (UFW can handle this backend too)

Below are the tests from the User Guide's Troubleshooting section, performed after launching the Alacritty terminal emulator with the following command (with the exception of the simple curl test):

```sh
vopono --verbose exec --no-killswitch --disable-ipv6 --firewall iptables --provider mullvad --server germany alacritty
```

UFW disabled (working)

Simple curl test

```sh
vopono --verbose exec --no-killswitch --disable-ipv6 --firewall iptables --provider mullvad --server germany "curl ifconfig.co/country"
```

```sh
2023-06-04T00:00:33.287Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:33.291Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
2023-06-04T00:00:33.291Z INFO vopono_core::util > Calling sudo for elevated privileges, current user will be used as default user
2023-06-04T00:00:33.291Z DEBUG vopono_core::util > Args: ["vopono", "--verbose", "exec", "--no-killswitch", "--disable-ipv6", "--firewall", "IpTables", "--provider", "Mullvad", "--server", "germany", "curl ifconfig.co/country"]
[sudo] password for name:
2023-06-04T00:00:35.391Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.395Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
2023-06-04T00:00:35.395Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.395Z DEBUG vopono_core::util > Existing namespaces: []
2023-06-04T00:00:35.395Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.395Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "custom_config" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "custom_netns_name" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "open_hosts" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "allow_host_access" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "postup" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "predown" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "user" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "group" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "working-directory" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "dns" not found
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "protocol" not found
2023-06-04T00:00:35.395Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.395Z DEBUG vopono::exec > vopono config.toml: configuration property "interface" not found
2023-06-04T00:00:35.395Z DEBUG vopono_core::network::network_interface > ip addr
2023-06-04T00:00:35.396Z DEBUG vopono::exec > Interface: enp5s0
2023-06-04T00:00:35.396Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.397Z INFO vopono_core::util > Chosen config: /home/name/.config/vopono/mv/wireguard/germany-defra001.conf
2023-06-04T00:00:35.397Z DEBUG vopono_core::util > Existing namespaces: []
2023-06-04T00:00:35.397Z DEBUG vopono_core::util > ip netns add vo_mv_germany
2023-06-04T00:00:35.398Z INFO vopono_core::network::netns > Created new network namespace: vo_mv_germany
2023-06-04T00:00:35.399Z DEBUG vopono_core::util > Existing interfaces:
2023-06-04T00:00:35.399Z DEBUG vopono_core::util > Assigned IPs: []
2023-06-04T00:00:35.399Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip addr add 127.0.0.1/8 dev lo
2023-06-04T00:00:35.400Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip link set lo up
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          missing  enabled  missing  enabled
2023-06-04T00:00:35.408Z DEBUG vopono_core::network::veth_pair > Detected NetworkManager running
2023-06-04T00:00:35.408Z DEBUG vopono_core::network::veth_pair > NetworkManager detected, adding vo_mv_germany_d to unmanaged devices
2023-06-04T00:00:35.408Z DEBUG vopono_core::network::veth_pair > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
2023-06-04T00:00:35.408Z DEBUG vopono_core::util > nmcli connection reload
2023-06-04T00:00:35.412Z DEBUG vopono_core::network::veth_pair > firewalld not detected running
2023-06-04T00:00:35.412Z DEBUG vopono_core::util > ip link add vo_mv_germany_d type veth peer name vo_mv_germany_s
2023-06-04T00:00:35.413Z DEBUG vopono_core::util > ip link set vo_mv_germany_d up
2023-06-04T00:00:35.414Z DEBUG vopono_core::util > ip link set vo_mv_germany_s netns vo_mv_germany up
2023-06-04T00:00:35.459Z DEBUG vopono_core::util > ip addr add 10.200.1.1/24 dev vo_mv_germany_d
2023-06-04T00:00:35.460Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip addr add 10.200.1.2/24 dev vo_mv_germany_s
2023-06-04T00:00:35.461Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip route add default via 10.200.1.1 dev vo_mv_germany_s
2023-06-04T00:00:35.462Z INFO vopono_core::network::netns > IP address of namespace as seen from host: 10.200.1.2
2023-06-04T00:00:35.462Z INFO vopono_core::network::netns > IP address of host as seen from namespace: 10.200.1.1
2023-06-04T00:00:35.462Z DEBUG vopono_core::util > iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o enp5s0 -j MASQUERADE
2023-06-04T00:00:35.463Z DEBUG vopono_core::util > iptables -I FORWARD -i vo_mv_germany_d -o enp5s0 -j ACCEPT
2023-06-04T00:00:35.464Z DEBUG vopono_core::util > iptables -I FORWARD -o vo_mv_germany_d -i enp5s0 -j ACCEPT
2023-06-04T00:00:35.464Z DEBUG vopono_core::util > sysctl -q net.ipv4.ip_forward=1
2023-06-04T00:00:35.475Z DEBUG vopono_core::network::wireguard > Deserializing: 193.138.218.74 to Vec
2023-06-04T00:00:35.475Z DEBUG vopono_core::network::wireguard > TOML config: WireguardConfig { interface: WireguardInterface { private_key: "YJD2JTrmMdGaig2wfYNGs3LmNP0d6gmMMrEpxl4D7kM=", address: [10.67.57.40/32, fc00:bbbb:bbbb:bb01::4:3927/128], dns: Some([193.138.218.74]) }, peer: WireguardPeer { public_key: "HQHCrq4J6bSpdW1fI5hR/bvcrYa6HgGgwaa5ZY749ik=", allowed_ips: [0.0.0.0/0, ::/0], endpoint: 185.213.155.73:51820, keepalive: None } }
2023-06-04T00:00:35.475Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip link add vo_mv_germany type wireguard
2023-06-04T00:00:35.477Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany wg setconf vo_mv_germany /tmp/vopono_nft.conf
2023-06-04T00:00:35.478Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 address add 10.67.57.40/32 dev vo_mv_germany
2023-06-04T00:00:35.479Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -6 address add fc00:bbbb:bbbb:bb01::4:3927/128 dev vo_mv_germany
2023-06-04T00:00:35.480Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip link set mtu 1420 up dev vo_mv_germany
2023-06-04T00:00:35.481Z DEBUG vopono_core::network::dns_config > Setting namespace vo_mv_germany DNS server to 193.138.218.74
2023-06-04T00:00:35.482Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany wg set vo_mv_germany fwmark 51820
2023-06-04T00:00:35.483Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 route add 0.0.0.0/0 dev vo_mv_germany table 51820
2023-06-04T00:00:35.484Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 rule add not fwmark 51820 table 51820
2023-06-04T00:00:35.485Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 rule add table main suppress_prefixlength 0
2023-06-04T00:00:35.486Z DEBUG vopono_core::util > sysctl -q net.ipv4.conf.all.src_valid_mark=1
2023-06-04T00:00:35.486Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -P INPUT DROP
2023-06-04T00:00:35.488Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -I INPUT -j DROP
2023-06-04T00:00:35.489Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -P FORWARD DROP
2023-06-04T00:00:35.490Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -I FORWARD -j DROP
2023-06-04T00:00:35.491Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -P OUTPUT DROP
2023-06-04T00:00:35.492Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -I OUTPUT -j DROP
2023-06-04T00:00:35.493Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany iptables -t raw -A PREROUTING ! -i vo_mv_germany -d 10.67.57.40/32 -m addrtype ! --src-type LOCAL -j DROP
2023-06-04T00:00:35.494Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -t raw -A PREROUTING ! -i vo_mv_germany -d fc00:bbbb:bbbb:bb01::4:3927/128 -m addrtype ! --src-type LOCAL -j DROP
2023-06-04T00:00:35.495Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 51820
2023-06-04T00:00:35.496Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany iptables -t mangle -A PREROUTING -p udp -j CONNMARK --save-mark
2023-06-04T00:00:35.497Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.497Z DEBUG vopono_core::network::netns > Writing lockfile: /home/name/.config/vopono/locks/vo_mv_germany
2023-06-04T00:00:35.497Z DEBUG vopono_core::network::netns > Lockfile written: /home/name/.config/vopono/locks/vo_mv_germany/5441
2023-06-04T00:00:35.497Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.507Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany sudo --preserve-env --user name curl ifconfig.co/country
2023-06-04T00:00:35.507Z INFO vopono::exec > Application curl ifconfig.co/country launched in network namespace vo_mv_germany with pid 5550
Germany
2023-06-04T00:00:35.688Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.688Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.688Z INFO vopono_core::network::netns > Shutting down vopono namespace - as there are no processes left running inside
2023-06-04T00:00:35.688Z DEBUG vopono_core::util > ip link delete vo_mv_germany_d
2023-06-04T00:00:35.745Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.745Z DEBUG vopono_core::util > nmcli connection reload
2023-06-04T00:00:35.749Z DEBUG vopono_core::util > ip netns exec vo_mv_germany ip link del vo_mv_germany
2023-06-04T00:00:35.955Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.955Z DEBUG vopono_core::network::host_masquerade > Remaining namespaces: Ok({})
2023-06-04T00:00:35.955Z DEBUG vopono_core::util > iptables -t nat -D POSTROUTING -s 10.200.1.0/24 -o enp5s0 -j MASQUERADE
2023-06-04T00:00:35.956Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:00:35.956Z DEBUG vopono_core::network::host_masquerade > Remaining namespaces: Ok({})
2023-06-04T00:00:35.956Z DEBUG vopono_core::util > iptables -D FORWARD -o vo_mv_germany_d -i enp5s0 -j ACCEPT
2023-06-04T00:00:35.956Z DEBUG vopono_core::util > iptables -D FORWARD -i vo_mv_germany_d -o enp5s0 -j ACCEPT
2023-06-04T00:00:35.957Z DEBUG vopono_core::util > ip netns delete vo_mv_germany
```

Host machine

ip addr

```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 2c:f0:5d:a9:10:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global dynamic noprefixroute enp5s0
       valid_lft 84048sec preferred_lft 84048sec
    inet6 fe80::617f:b9fe:731b:e2cf/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp42s0: mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 2c:f0:5d:a9:10:22 brd ff:ff:ff:ff:ff:ff
21: vo_mv_germany_d@if20: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:a3:59:a6:c1:d1 brd ff:ff:ff:ff:ff:ff link-netns vo_mv_germany
    inet 10.200.1.1/24 scope global vo_mv_germany_d
       valid_lft forever preferred_lft forever
    inet6 fe80::fca3:59ff:fea6:c1d1/64 scope link
       valid_lft forever preferred_lft forever
```

ip link

```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp5s0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 2c:f0:5d:a9:10:23 brd ff:ff:ff:ff:ff:ff
3: enp42s0: mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 2c:f0:5d:a9:10:22 brd ff:ff:ff:ff:ff:ff
21: vo_mv_germany_d@if20: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether fe:a3:59:a6:c1:d1 brd ff:ff:ff:ff:ff:ff link-netns vo_mv_germany
```

sudo iptables -t nat -L

```sh
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.200.1.0/24        anywhere
```

ping 10.200.1.1

```sh
PING 10.200.1.1 (10.200.1.1) 56(84) bytes of data.
64 bytes from 10.200.1.1: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 10.200.1.1: icmp_seq=2 ttl=64 time=0.012 ms
64 bytes from 10.200.1.1: icmp_seq=3 ttl=64 time=0.018 ms
64 bytes from 10.200.1.1: icmp_seq=4 ttl=64 time=0.013 ms
64 bytes from 10.200.1.1: icmp_seq=5 ttl=64 time=0.011 ms
^C
--- 10.200.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4042ms
rtt min/avg/max/mdev = 0.011/0.015/0.021/0.003 ms
```

ping 10.200.1.2

```sh
PING 10.200.1.2 (10.200.1.2) 56(84) bytes of data.
64 bytes from 10.200.1.2: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 10.200.1.2: icmp_seq=2 ttl=64 time=0.013 ms
64 bytes from 10.200.1.2: icmp_seq=3 ttl=64 time=0.016 ms
64 bytes from 10.200.1.2: icmp_seq=4 ttl=64 time=0.012 ms
64 bytes from 10.200.1.2: icmp_seq=5 ttl=64 time=0.022 ms
^C
--- 10.200.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4053ms
rtt min/avg/max/mdev = 0.012/0.017/0.022/0.004 ms
```

Namespace

sudo ip netns exec vo_mv_germany ip addr

```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: vo_mv_germany: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.67.57.40/32 scope global vo_mv_germany
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::4:3927/128 scope global
       valid_lft forever preferred_lft forever
20: vo_mv_germany_s@if21: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 5a:48:80:56:66:e3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.1.2/24 scope global vo_mv_germany_s
       valid_lft forever preferred_lft forever
    inet6 fe80::5848:80ff:fe56:66e3/64 scope link
       valid_lft forever preferred_lft forever
```

sudo ip netns exec vo_mv_germany ip link

```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: vo_mv_germany: mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
20: vo_mv_germany_s@if21: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 5a:48:80:56:66:e3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
```

sudo ip netns exec vo_mv_germany iptables -L

```sh
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

sudo ip netns exec vo_mv_germany ping 10.200.1.1

```sh
PING 10.200.1.1 (10.200.1.1) 56(84) bytes of data.
64 bytes from 10.200.1.1: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 10.200.1.1: icmp_seq=2 ttl=64 time=0.014 ms
64 bytes from 10.200.1.1: icmp_seq=3 ttl=64 time=0.047 ms
64 bytes from 10.200.1.1: icmp_seq=4 ttl=64 time=0.015 ms
64 bytes from 10.200.1.1: icmp_seq=5 ttl=64 time=0.018 ms
^C
--- 10.200.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4067ms
rtt min/avg/max/mdev = 0.014/0.024/0.047/0.012 ms
```

sudo ip netns exec vo_mv_germany ping 10.200.1.2

```sh
PING 10.200.1.2 (10.200.1.2) 56(84) bytes of data.
64 bytes from 10.200.1.2: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 10.200.1.2: icmp_seq=2 ttl=64 time=0.015 ms
64 bytes from 10.200.1.2: icmp_seq=3 ttl=64 time=0.012 ms
64 bytes from 10.200.1.2: icmp_seq=4 ttl=64 time=0.016 ms
64 bytes from 10.200.1.2: icmp_seq=5 ttl=64 time=0.013 ms
^C
--- 10.200.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4060ms
rtt min/avg/max/mdev = 0.012/0.014/0.018/0.002 ms
```

sudo ip netns exec vo_mv_germany ping 8.8.8.8

```sh
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=62.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=31.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=31.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=31.1 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=31.1 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 31.051/37.402/62.327/12.462 ms
```

UFW enabled (not working)

Simple curl test

```sh
vopono --verbose exec --no-killswitch --disable-ipv6 --firewall iptables --provider mullvad --server germany "curl ifconfig.co/country"
```

```sh
2023-06-04T00:18:15.526Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:15.596Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
2023-06-04T00:18:15.596Z INFO vopono_core::util > Calling sudo for elevated privileges, current user will be used as default user
2023-06-04T00:18:15.596Z DEBUG vopono_core::util > Args: ["vopono", "--verbose", "exec", "--no-killswitch", "--disable-ipv6", "--firewall", "iptables", "--provider", "mullvad", "--server", "germany", "curl ifconfig.co/country"]
[sudo] password for name:
2023-06-04T00:18:18.519Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.523Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
2023-06-04T00:18:18.523Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.537Z DEBUG vopono_core::util > Existing namespaces: []
2023-06-04T00:18:18.537Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.537Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "custom_config" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "custom_netns_name" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "open_hosts" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "allow_host_access" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "postup" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "predown" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "user" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "group" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "working-directory" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "dns" not found
2023-06-04T00:18:18.537Z DEBUG vopono::exec > vopono config.toml: configuration property "protocol" not found
2023-06-04T00:18:18.537Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.538Z DEBUG vopono::exec > vopono config.toml: configuration property "interface" not found
2023-06-04T00:18:18.538Z DEBUG vopono_core::network::network_interface > ip addr
2023-06-04T00:18:18.539Z DEBUG vopono::exec > Interface: enp5s0
2023-06-04T00:18:18.539Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.541Z INFO vopono_core::util > Chosen config: /home/name/.config/vopono/mv/wireguard/germany-defra106.conf
2023-06-04T00:18:18.541Z DEBUG vopono_core::util > Existing namespaces: []
2023-06-04T00:18:18.541Z DEBUG vopono_core::util > ip netns add vo_mv_germany
2023-06-04T00:18:18.542Z INFO vopono_core::network::netns > Created new network namespace: vo_mv_germany
2023-06-04T00:18:18.543Z DEBUG vopono_core::util > Existing interfaces:
2023-06-04T00:18:18.543Z DEBUG vopono_core::util > Assigned IPs: []
2023-06-04T00:18:18.543Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip addr add 127.0.0.1/8 dev lo
2023-06-04T00:18:18.545Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip link set lo up
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          missing  enabled  missing  enabled
2023-06-04T00:18:18.556Z DEBUG vopono_core::network::veth_pair > Detected NetworkManager running
2023-06-04T00:18:18.556Z DEBUG vopono_core::network::veth_pair > NetworkManager detected, adding vo_mv_germany_d to unmanaged devices
2023-06-04T00:18:18.556Z DEBUG vopono_core::network::veth_pair > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
2023-06-04T00:18:18.556Z DEBUG vopono_core::util > nmcli connection reload
2023-06-04T00:18:18.560Z DEBUG vopono_core::network::veth_pair > firewalld not detected running
2023-06-04T00:18:18.560Z DEBUG vopono_core::util > ip link add vo_mv_germany_d type veth peer name vo_mv_germany_s
2023-06-04T00:18:18.565Z DEBUG vopono_core::util > ip link set vo_mv_germany_d up
2023-06-04T00:18:18.566Z DEBUG vopono_core::util > ip link set vo_mv_germany_s netns vo_mv_germany up
2023-06-04T00:18:18.652Z DEBUG vopono_core::util > ip addr add 10.200.1.1/24 dev vo_mv_germany_d
2023-06-04T00:18:18.653Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip addr add 10.200.1.2/24 dev vo_mv_germany_s
2023-06-04T00:18:18.654Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip route add default via 10.200.1.1 dev vo_mv_germany_s
2023-06-04T00:18:18.655Z INFO vopono_core::network::netns > IP address of namespace as seen from host: 10.200.1.2
2023-06-04T00:18:18.655Z INFO vopono_core::network::netns > IP address of host as seen from namespace: 10.200.1.1
2023-06-04T00:18:18.655Z DEBUG vopono_core::util > iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o enp5s0 -j MASQUERADE
2023-06-04T00:18:18.662Z DEBUG vopono_core::util > iptables -I FORWARD -i vo_mv_germany_d -o enp5s0 -j ACCEPT
2023-06-04T00:18:18.662Z DEBUG vopono_core::util > iptables -I FORWARD -o vo_mv_germany_d -i enp5s0 -j ACCEPT
2023-06-04T00:18:18.663Z DEBUG vopono_core::util > sysctl -q net.ipv4.ip_forward=1
2023-06-04T00:18:18.665Z DEBUG vopono_core::network::wireguard > Deserializing: 193.138.218.74 to Vec
2023-06-04T00:18:18.665Z DEBUG vopono_core::network::wireguard > TOML config: WireguardConfig { interface: WireguardInterface { private_key: "YJD2JTrmMdGaig2wfYNGs3LmNP0d6gmMMrEpxl4D7kM=", address: [10.67.57.40/32, fc00:bbbb:bbbb:bb01::4:3927/128], dns: Some([193.138.218.74]) }, peer: WireguardPeer { public_key: "9ldhvN7r4xGZkGehbsNfYb5tpyTJ5KBb5B3TbxCwklw=", allowed_ips: [0.0.0.0/0, ::/0], endpoint: 146.70.117.34:51820, keepalive: None } }
2023-06-04T00:18:18.665Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip link add vo_mv_germany type wireguard
2023-06-04T00:18:18.688Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany wg setconf vo_mv_germany /tmp/vopono_nft.conf
2023-06-04T00:18:18.690Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 address add 10.67.57.40/32 dev vo_mv_germany
2023-06-04T00:18:18.691Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -6 address add fc00:bbbb:bbbb:bb01::4:3927/128 dev vo_mv_germany
2023-06-04T00:18:18.692Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip link set mtu 1420 up dev vo_mv_germany
2023-06-04T00:18:18.694Z DEBUG vopono_core::network::dns_config > Setting namespace vo_mv_germany DNS server to 193.138.218.74
2023-06-04T00:18:18.694Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany wg set vo_mv_germany fwmark 51820
2023-06-04T00:18:18.695Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 route add 0.0.0.0/0 dev vo_mv_germany table 51820
2023-06-04T00:18:18.696Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 rule add not fwmark 51820 table 51820
2023-06-04T00:18:18.697Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip -4 rule add table main suppress_prefixlength 0
2023-06-04T00:18:18.698Z DEBUG vopono_core::util > sysctl -q net.ipv4.conf.all.src_valid_mark=1
2023-06-04T00:18:18.699Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -P INPUT DROP
2023-06-04T00:18:18.700Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -I INPUT -j DROP
2023-06-04T00:18:18.701Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -P FORWARD DROP
2023-06-04T00:18:18.702Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -I FORWARD -j DROP
2023-06-04T00:18:18.703Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -P OUTPUT DROP
2023-06-04T00:18:18.704Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -I OUTPUT -j DROP
2023-06-04T00:18:18.705Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany iptables -t raw -A PREROUTING ! -i vo_mv_germany -d 10.67.57.40/32 -m addrtype ! --src-type LOCAL -j DROP
2023-06-04T00:18:18.709Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany ip6tables -t raw -A PREROUTING ! -i vo_mv_germany -d fc00:bbbb:bbbb:bb01::4:3927/128 -m addrtype ! --src-type LOCAL -j DROP
2023-06-04T00:18:18.713Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 51820
2023-06-04T00:18:18.720Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany iptables -t mangle -A PREROUTING -p udp -j CONNMARK --save-mark
2023-06-04T00:18:18.724Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.724Z DEBUG vopono_core::network::netns > Writing lockfile: /home/name/.config/vopono/locks/vo_mv_germany
2023-06-04T00:18:18.724Z DEBUG vopono_core::network::netns > Lockfile written: /home/name/.config/vopono/locks/vo_mv_germany/1906
2023-06-04T00:18:18.724Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:18.733Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_germany sudo --preserve-env --user name curl ifconfig.co/country
2023-06-04T00:18:18.733Z INFO vopono::exec > Application curl ifconfig.co/country launched in network namespace vo_mv_germany with pid 2018
curl: (6) Could not resolve host: ifconfig.co
2023-06-04T00:18:28.767Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:28.767Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:28.767Z INFO vopono_core::network::netns > Shutting down vopono namespace - as there are no processes left running inside
2023-06-04T00:18:28.767Z DEBUG vopono_core::util > ip link delete vo_mv_germany_d
2023-06-04T00:18:28.802Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:28.802Z DEBUG vopono_core::util > nmcli connection reload
2023-06-04T00:18:28.806Z DEBUG vopono_core::util > ip netns exec vo_mv_germany ip link del vo_mv_germany
2023-06-04T00:18:29.045Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:29.045Z DEBUG vopono_core::network::host_masquerade > Remaining namespaces: Ok({})
2023-06-04T00:18:29.045Z DEBUG vopono_core::util > iptables -t nat -D POSTROUTING -s 10.200.1.0/24 -o enp5s0 -j MASQUERADE
2023-06-04T00:18:29.046Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/name/.config
2023-06-04T00:18:29.046Z DEBUG vopono_core::network::host_masquerade > Remaining namespaces: Ok({})
2023-06-04T00:18:29.046Z DEBUG vopono_core::util > iptables -D FORWARD -o vo_mv_germany_d -i enp5s0 -j ACCEPT
2023-06-04T00:18:29.046Z DEBUG vopono_core::util > iptables -D FORWARD -i vo_mv_germany_d -o enp5s0 -j ACCEPT
2023-06-04T00:18:29.047Z DEBUG vopono_core::util > ip netns delete vo_mv_germany
```

Host machine

ip addr

```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 2c:f0:5d:a9:10:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global dynamic noprefixroute enp5s0
       valid_lft 86186sec preferred_lft 86186sec
    inet6 fe80::617f:b9fe:731b:e2cf/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp42s0: mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 2c:f0:5d:a9:10:22 brd ff:ff:ff:ff:ff:ff
7: vo_mv_germany_d@if6: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:a3:59:a6:c1:d1 brd ff:ff:ff:ff:ff:ff link-netns vo_mv_germany
    inet 10.200.1.1/24 scope global vo_mv_germany_d
       valid_lft forever preferred_lft forever
    inet6 fe80::fca3:59ff:fea6:c1d1/64 scope link
       valid_lft forever preferred_lft forever
```

ip link

```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp5s0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 2c:f0:5d:a9:10:23 brd ff:ff:ff:ff:ff:ff
3: enp42s0: mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 2c:f0:5d:a9:10:22 brd ff:ff:ff:ff:ff:ff
7: vo_mv_germany_d@if6: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether fe:a3:59:a6:c1:d1 brd ff:ff:ff:ff:ff:ff link-netns vo_mv_germany
```

sudo iptables -t nat -L

```sh
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.200.1.0/24        anywhere
```

ping 10.200.1.1

```sh
PING 10.200.1.1 (10.200.1.1) 56(84) bytes of data.
64 bytes from 10.200.1.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 10.200.1.1: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 10.200.1.1: icmp_seq=3 ttl=64 time=0.016 ms
64 bytes from 10.200.1.1: icmp_seq=4 ttl=64 time=0.035 ms
64 bytes from 10.200.1.1: icmp_seq=5 ttl=64 time=0.018 ms
^C
--- 10.200.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4062ms
rtt min/avg/max/mdev = 0.016/0.024/0.035/0.007 ms
```

ping 10.200.1.2

```sh
PING 10.200.1.2 (10.200.1.2) 56(84) bytes of data.
64 bytes from 10.200.1.2: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 10.200.1.2: icmp_seq=2 ttl=64 time=0.016 ms
64 bytes from 10.200.1.2: icmp_seq=3 ttl=64 time=0.020 ms
64 bytes from 10.200.1.2: icmp_seq=4 ttl=64 time=0.018 ms
64 bytes from 10.200.1.2: icmp_seq=5 ttl=64 time=0.015 ms
^C
--- 10.200.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4042ms
rtt min/avg/max/mdev = 0.015/0.023/0.050/0.013 ms
```

Namespace

sudo ip netns exec vo_mv_germany ip addr
```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: vo_mv_germany: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.67.57.40/32 scope global vo_mv_germany
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::4:3927/128 scope global
       valid_lft forever preferred_lft forever
6: vo_mv_germany_s@if7: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 5a:48:80:56:66:e3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.1.2/24 scope global vo_mv_germany_s
       valid_lft forever preferred_lft forever
    inet6 fe80::5848:80ff:fe56:66e3/64 scope link
       valid_lft forever preferred_lft forever
```
sudo ip netns exec vo_mv_germany ip link
```sh
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: vo_mv_germany: mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
6: vo_mv_germany_s@if7: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 5a:48:80:56:66:e3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
```
sudo ip netns exec vo_mv_germany iptables -L
```sh
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
sudo ip netns exec vo_mv_germany ping 10.200.1.1
```sh
PING 10.200.1.1 (10.200.1.1) 56(84) bytes of data.
64 bytes from 10.200.1.1: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from 10.200.1.1: icmp_seq=2 ttl=64 time=0.021 ms
64 bytes from 10.200.1.1: icmp_seq=3 ttl=64 time=0.043 ms
64 bytes from 10.200.1.1: icmp_seq=4 ttl=64 time=0.017 ms
64 bytes from 10.200.1.1: icmp_seq=5 ttl=64 time=0.026 ms
^C
--- 10.200.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4063ms
rtt min/avg/max/mdev = 0.017/0.028/0.043/0.009 ms
```
sudo ip netns exec vo_mv_germany ping 10.200.1.2
```sh
PING 10.200.1.2 (10.200.1.2) 56(84) bytes of data.
64 bytes from 10.200.1.2: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 10.200.1.2: icmp_seq=2 ttl=64 time=0.011 ms
64 bytes from 10.200.1.2: icmp_seq=3 ttl=64 time=0.019 ms
64 bytes from 10.200.1.2: icmp_seq=4 ttl=64 time=0.011 ms
64 bytes from 10.200.1.2: icmp_seq=5 ttl=64 time=0.017 ms
^C
--- 10.200.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4045ms
rtt min/avg/max/mdev = 0.011/0.016/0.023/0.004 ms
```
sudo ip netns exec vo_mv_germany ping 8.8.8.8
```sh
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4044ms
```
jamesmcm commented 1 year ago

If you want to use ufw I think the only option is to port the current nftables / iptables rules to ufw commands directly.

I'm not sure if it supports everything we need though. It looks like it might be possible - https://gist.github.com/kimus/9315140

But definitely the easier option is just to use nftables or iptables directly.

Btw you might be able to use `systemctl stop ufw.service` to disable it temporarily and without rebooting.

adamnejm commented 1 year ago

I'm differently-abled when it comes to networking and such, sorry for that.
I thought UFW (and GUFW by extension) was a user front-end that simply converted rules 1:1 into iptables, but looks like it's doing more than that.

Per your instructions I have switched to using iptables and it works fine.
It would be nice if I could keep being a noob and use UFW, but looks like I'll have to learn iptables :<

Thank you for the quick response and resolution of my issue!


PS. The ufw.service is a one-shot service that just activates UFW on boot, so it wasn't the root cause for rebooting. I don't know what required that.

ClumsyAdmin commented 1 year ago

Just wanted to note here, I had to add `-A ufw-before-forward -i vo_mv+ -o enp35s0 -j ACCEPT` in my `/etc/ufw/before.rules` to make it work (as ufw defaults to blocking all forwarding). I believe `mv` is my provider (mullvad), so you may have to change that to whatever interface is being created for your provider, and make sure to change your outbound nic to your corresponding outbound nic as well.