VPN Compatibility

[dhaavi]

UPDATE:

This issue is deprecated, see our new VPN Compatibility list in the docs!

---

old post:

This issue is about investigating incompatibilities with VPN Providers. The Portmaster is in principal fully compatible with VPNs as in the technology. But some VPN providers do special things that then break compatibility. This issue shall be used to discuss problems in that regard, find solutions and document them.

Here is the Wiki entry, where we will be pooling the output from here.

If you have compatibility issues with you VPN, please post here. Many VPNs will experience similar issues.

[dhaavi]

First off, Mullvad:

The Mullvad VPN App does not allow to turn off forcing their own DNS Servers. This in itself is not a problem, as the Portmaster would hijack the queries anyway and put them where you have configured them to go. What breaks their app, is that it requires the Windows DNS Client (the dnscache service) to be running - it simply fails if it's not. The Portmaster has disabled this service to gain the required system integration in order to be able to find out which process sent which DNS query - we don't like that either, but unfortunately this is the only way to gain that integration on Windows.

The workaround is to use OpenVPN directly and use their configuration tool and guide.

Full compatibility might be available in the future when this feature request for Mullvad is implemented.

[dhaavi]

Second, ProtonVPN on Windows:

Worked flawlessly. 👌

[mynamekovu]

Hey, i can't get it to work with NordVPN.

[dhaavi]

Thanks for letting us know, I will take a look in the coming weeks.

[MPeti1]

The official WireGuard client also does not work with Portmaster. It outputs this error to the log if I try to connect to a VPN server: 2020-11-25 13:52:10.950: [TUN] [tunnelname] Unable to set interface addresses, routes, dns, and/or interface settings: runNetsh run - exit status 1

The client works as expected if Portmaster is not installed. Could it be the same as with Mullvad, but because the WG client itself wants to use the dnscache service?

[dhaavi]

Yes, that seems to be case. Can you see if it works if you remove the DNS server setting from the Wireguard config?

[MPeti1]

I've tried it, but unfortunately it's not enough :/
Just to clarify, you meant the DNS field in the Interface section, right?

[dhaavi]

I've tried it, but unfortunately it's not enough :/

Ok. Will have to take a closer look, then.

Just to clarify, you meant the DNS field in the Interface section, right?

Yes.

[Kali273]

Hi, I can't run TorGuard vpn with installed portmaster..

[mynamekovu]

First off, Mullvad:

The Mullvad VPN App does not allow to turn off forcing their own DNS Servers. This in itself is not a problem, as the Portmaster would hijack the queries anyway and put them where you have configured them to go. What breaks their app, is that it requires the Windows DNS Client (the dnscache service) to be running - it simply fails if it's not. The Portmaster has disabled this service to gain the required system integration in order to be able to find out which process sent which DNS query - we don't like that either, but unfortunately this is the only way to gain that integration on Windows.

The workaround is to use OpenVPN directly and use their configuration tool and guide.

Full compatibility might be available in the future when this feature request for Mullvad is implemented.

could this work now? https://github.com/mullvad/mullvadvpn-app/issues/473#issuecomment-778127781

[dhaavi]

Hi, I can't run TorGuard vpn with installed portmaster..

Sorry, this was somehow lost. Please ping us when we don't respond.

We are currently working on a fix that will probably fix a lot of VPN clients, including TorGuard.

could this work now? mullvad/mullvadvpn-app#473 (comment)

I haven't checked yet, but I'm not so sure, because afaict the client fails at setting the DNS server, no matter what the actual server is. If you want to try, try with 127.0.0.1 and 127.0.0.17.

But, as stated above, we might have this fixed another way soon.

[northys]

I can say that wireguard used to work with portmaster like a charm since I first used portmaster. I never used DNS in [Interface] section and always had wireguard just to access servers (computers actually) behind NAT.

Today I decided to finish setup of MASQUERADE (I have no idea what am I doing) so I can tunnel everything through gateway server. TLDR I changed AllowedIPs in [Peer] section from 10.10.0.0/8 to 0.0.0.0/0.

• client connects to the server and shows like 50bytes/s traffic when running wg command
• network stopped working at all
• couldn't dig anything
• couldn't ping 8.8.8.8 / 10.10.0.1 (wg gw) / 192.168.1.1 (lan gw)

When I changed AllowedIPs to 31.0.0.0/8 which is subnet that includes address of famous Czech "what is my ip" website it worked like a charm. I don't think setting DNS in wireguard is an issue. It more likely catches some traffic between portmaster and everything else and it breaks because of this.

[dhaavi]

There might be an issue when packets are modified by masquerade. Where exactly and how are you masquerading?

[northys]

@dhaavi you need to setup masquarade on the server you are tunneling your traffic through so you can "take over" the server's IP. This is BFU description of what I tried to do.

I suppose you understand iptables more than I do so I'll just share the article I used to setup it - https://www.linuxbabe.com/ubuntu/wireguard-vpn-server-ubuntu (steps 4 and 5, I'm not using the DNS resolver from step 6 or any other, the DNS is not set on Client side)

[dhaavi]

Ok, that looks good. Interestingly, it works when you set AllowedIPs to 31.0.0.0/8. Can you share the output of route when set to 0.0.0.0/0 and ::/0? The Arch Wiki suggests 0.0.0.0/0;::/0;.

Especially the LAN should continue to work, because the local scope should take priority over the default route. The Arch Wiki mentions special handling of the default route. If you are using NetworkManager, consider using it directly to configure your wireguard.

I've seen people posting about 0.0.0.0/0 not working for them either. Not saying that the Portmaster is not at fault, but it may not be - does it also not work when you stop the Portmaster?

[northys]

Can you share the output of route when set to 0.0.0.0/0 and ::/0?

When using 10.10.0.0/24

» route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp0s20f3
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-d290f336f37a
172.25.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5b012f32b359
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3

With 0.0.0.0/0 and after adding ::/0 (pls note my network is IPv4 only):

» route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp0s20f3
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-d290f336f37a
172.25.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5b012f32b359
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3

Whe wg0 is missing so I suppose it did not even connect.

This is what I found in portmaster:

If you are using NetworkManager, consider using it directly to configure your wireguard.

I have no idea how to use network manager.

I've seen people posting about 0.0.0.0/0 not working for them either. Not saying that the Portmaster is not at fault, but it may not be - does it also not work when you stop the Portmaster?

It works on my intel nuc which I use as a home server. There is no portmaster installed and it uses kernel module. It also works on my Google Pixel 4 which uses user space implementation of wireguard.

[northys]

@dhaavi actually the wg0 iface isn't in route list even when I stop portmaster.

» route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp0s20f3
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-d290f336f37a
172.25.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5b012f32b359
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3

Here's how I checked that my current IP is same as IP of my VPN gateway.

northys at northys-fedora in ~
» dig +short myip.opendns.com @resolver1.opendns.com.
157.90.XXX.YYY
northys at northys-fedora in ~
» dig +short gw.vpn.example.com
157.90.XXX.YYY

[northys]

@dhaavi If you are using NetworkManager, consider using it directly to configure your wireguard.

I've tried to import wireguard config by stopping and disabling the wg-quick@wg0.service and importing the wg0 config using nmcli connection import type wireguard file /etc/wireguard/wg0.conf. This automatically connected but with 0.0.0.0/0 the networking didn't work as when it was set by systemd service.

[dhaavi]

As far as I understand, Network Manager has a special way for setting the default route, which might make it work. The problem seems to be that just setting 0.0.0.0/0 breaks the tunnel, because the IP of the server still needs to go through your normal gateway. Read more here: https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/#routing-all-your-traffic

---

northys at northys-fedora in ~
» dig +short myip.opendns.com @resolver1.opendns.com.
157.90.XXX.YYY
northys at northys-fedora in ~
» dig +short gw.vpn.example.com
157.90.XXX.YYY

I'm not sure if that works when the Portmaster is running, as it will intercept, resolve and cache the result. So switching between not-tunneled and tunneled might not give you the insights you need. I'm pretty sure that you know that, just checking. ;)

[northys]

The problem seems to be that just setting 0.0.0.0/0 breaks the tunnel, because the IP of the server still needs to go through your normal gateway.

That's not true. It wouldn't work without portmaster as well but it does. But it came to my mind as well before I figured out that it's portmaster that needs to be stopped for some reason.

I'm not sure if that works when the Portmaster is running, as it will intercept, resolve and cache the result.

Doesn't matter because when portmaster is running nothing else works. Not even https://www.whatismyip.com I shouldn't tell you how I got my current IP it just messed up the context.

[northys]

@ 19:50:30 I changed AllowedIPs to 0.0.0.0/0 and restarted wg @ 19:51:30 I changed AllowedIPs back to 10.10.0.0/24 and restarted wg

portmaster.service: https://bin.privacytools.io/?aa045eb190f18ce9#63NPDbvHA7oyJqHmWkFvm4udydEHx45vbhAq3kV6xeJS

@dhaavi do you see anything besides Clouflare CDN heartbeat failed?

wg-quick@wg0.service: https://bin.privacytools.io/?f6371a12de56c530#4s7oTQxpabt67eGMKP1TYNQSmryAVaVRTAYtc6sEgaN7

I see no error here. But there is interesting line wg-quick[12079]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820 with no error around it. The second run (first block @ 19:51:30) which did not add routes just cleans up the mess after first run with 0.0.0.0/0. It always fails when portmaster is running so after you change it back to 10.10.0.0/24 you have to restart it twice.

NetworkManager.service: https://bin.privacytools.io/?7398026ca8be0674#CR82o1t6ezmsTNBsx4vx1xydzWFHXUNQof7kNfyNaA2Y

To me it looks like wg-quick already manages it somehow using network manager. There is connection with UUID which is always the same and wg-quick just changes its config IMHO. But it's just my oppinion based on what I see in logs. Also it looks like every time I restarted wg-quick it produced the same logs no matter what AllowedIPs was.

[dhaavi]

Hey @northys, sorry for the delay in handling this. I had a chat with @ppacher this week and he'll look into it as soon as he can. He also uses Wireguard, but not with a 0.0.0.0/0 route, but I'm sure he will be able to help.

[northys]

I think I can setup second wg interface on my server for you to test it with 0.0.0.0/0.

[dhaavi]

As a general notice to anyone watching this thread, we recently worked around the requirement that the Portmaster needs the Windows DNS-Client service stopped, which turned out to be a problem, especially for VPN clients.

With v0.6.7, the Portmaster re-enables the DNS-Client and VPN clients previously broken could now work flawlessly! If you try it again, please report back so we can collect the information in order to tell others!

Read more about this change in this blog post.

(@northys: @ppacher will come back to you soon.)

[fatpowaranga]

Anyone have any experience using NextDNS? They seem to have a bit of a different setup from usual, but I'm also just not very experienced at configuring stuff like this.

[dhaavi]

The Portmaster would block NextDNS as a firewall bypass attempt. Both provide a very similar feature set and value and the Portmaster has lots of potential which will unravel over time.

I would not recommend using the NextDNS software and the Portmaster at the same time. If you really want to, you can configure NextDNS within the Portmaster using your assigned DoT domain, that should work fine.

[dhaavi]

As a general notice, we now have a dedicated template for reporting in/compatibilities.

We are closing this issue thread in favor of this - please open a new issue for new reports or any follow-ups.

[northys]

If you really want to, you can configure NextDNS within the Portmaster using your assigned DoT domain, that should work fine.

You cannot use portmaster with nextdns. Nextdns tells you to set nameserver which is a domain but portmaster requires to use IP as resolver. You can get also IPs from NextDNS but it decides by your public IP that its you and it wont work on public IP change so its basically useless for anything that is not desktop PC.

There was an issue from my beginings with portmaster when I was still using nextdns. From what I remember we did not figure out how to put yourprofilesubdomain.nextdns.io to nextcloud.

[northys]

@dhaavi havent you closed this issue by accident?

[davegson]

with our new contribution guide we also decided to deprecate this issue. Bundling VPN issues all into one is messy, with the new in/compatibility template we ask to talk about each issue separately which also makes it easier for us to tackle

[dhaavi]

NextDNS seems to work like a charm if configured in the Portmaster: https://github.com/safing/portmaster/issues/291

The wireguard issue previously reported here is being continued in https://github.com/safing/portmaster/issues/282 https://github.com/safing/portmaster/issues/292.

[xircon]

I am having problems with Azire, VPN works, wireguard appears to connect, but internet is unreachable.

Make a connection:

wg-quick up azirevpn-us3
[#] ip link add azirevpn-us3 type wireguard
[#] wg setconf azirevpn-us3 /dev/fd/63
[#] ip -4 address add 100.83.28.98/32 dev azirevpn-us3
[#] ip -6 address add 2a0e:1c80:14:4000::1c63/128 dev azirevpn-us3
[#] ip link set mtu 1420 up dev azirevpn-us3
[#] resolvconf -a azirevpn-us3 -m 0 -x
[#] wg set azirevpn-us3 fwmark 51820
[#] ip -6 route add ::/0 dev azirevpn-us3 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev azirevpn-us3 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

Everything looks good, but no connection.

[davegson]

hey @xircon, thanks for your report! Did you find this open wireguard issue? https://github.com/safing/portmaster/issues/292

this might shed some light into what is going on. If it continues not to work please update us over there https://github.com/safing/portmaster/issues/292

[northys]

@xircon just try to restart portmaster befote you start applying any systemd unit file patches mentioned in #292. the internet should work when you connect to wg and restart portmaster. then you can apply the patches I provided to make it restart automatically.

[northys]

@dhaavi pls update the wiki link in the description so it leads to portmaster doc web so ppl can find all the new issues easily

[dhaavi]

@dhaavi pls update the wiki link in the description so it leads to portmaster doc web so ppl can find all the new issues easily

Great suggestions! Done that.