ukanth / afwall

AFWall+ (Android Firewall +) - iptables based firewall for Android
GNU General Public License v3.0

AFWall+ - VPN - FritzBox -> Not working #1063

Open Isa76 opened 4 years ago

Isa76 commented 4 years ago

Hi, I use a VPN between a Fritzbox 7530, connected to a DSL account, and my Android device with LineageOS 16.

But it is only possible to connect to the internet via Firefox when I disable AFWall+.

If it is on, then no connection over the VPN is possible.

The protocol says: Root - denied. But all hooks are set by Root, the VPN hook too.

What is the problem? Here: https://forum.kuketz-blog.de/viewtopic.php?f=10&t=3555 someone has the same issue.

Thank you!

hucky58 commented 4 years ago

Same problem for me. Seems there is no DNS while AFWall is enabled. Direct IP addressing without DNS resolving works. Edit: Perhaps more a problem of the FritzBox. Tried another VPN service (but also another protocol: PPTP instead of IPsec Xauth, which is used by the FritzBox) and everything works fine out of the box with and without AFWall.

Jasper-Ben commented 4 years ago

Experiencing the same issue, also with a fritzbox and lineageOS 16 (previous phone with LOS 15 worked). My workaround: globally overwrite DNS server in settings: Network & Internet -> Private DNS -> e.g. 1dot1dot1dot1.cloudflare-dns.com

hucky58 commented 4 years ago

Experiencing the same issue, also with a fritzbox and lineageOS 16 (previous phone with LOS 15 worked). My workaround: globally overwrite DNS server in settings: Network & Internet -> Private DNS -> e.g. 1dot1dot1dot1.cloudflare-dns.com

When trying this setting the result after saving is "Connection not possible" and so it is ...

tusch001 commented 4 years ago

@hucky58: Jasper-Ben's workaround for LOS 16 works only when both ports 53 (for unencrypted normal DNS) and 853 (for DNS-over-TLS) are open. LOS 16 needs port 53 open to resolve the domain name of the DNS server (e.g. cloudflare-dns.com). App ID -12 needs to be allowed for this. Then LOS encrypts all DNS requests and sends them over port 853. In previous versions of AFWall port 853 was blocked. Don't know if this has changed. You would need to open this port in a custom script (not really recommended).

@Isa76 / @hucky58: If this is not successful: The original error still points to a problem with resolving dns. The linked blog post from Mike Kuketz blog is about blocked port 4500. The IP belongs to the ISP. Don't know much about IPsec and encryption. Those ports seem to be necessary for a kind of handshake. The Fritzbox could - hypothetically - supply the dns settings (and maybe encryption method?) with dhcp to the OS. And firefox insists on using its own security certificates. It doesn't use certificates of the OS (at least on linux). Maybe you need port 4500 open for firefox for a handshake to encrypt DNS? I can't test my hypothesis at the moment with my parents' fritzbox (corona quarantine) but for troubleshooting try the following:

  1. Try another browser that uses the system certificates or system DNS (e.g. FOSS Browser) - If this browser works, Firefox is the additional culprit. How about receiving / sending emails in a different app? Is that possible (e.g. does DNS work there)?

  2. For firefox: Allow access to that specific blocked Telekom Server / Port in a custom script. Maybe it is a legitimate need. In your custom script add:

    IPTABLES=/system/bin/iptables

    # IP of ISP may be different
    $IPTABLES -A "afwall" -d 79.214.14.183 -p udp --dport 4500 -j ACCEPT


Make sure AFWall uses the system iptables binary (settings - binaries). Otherwise adjust the path in the IPTABLES variable.

The path to your start script is set in afwall settings - custom script. I think you have to put a dot in front of the path (I do - not sure if necessary). Somewhere in Mike's security blog he explains how to set up a custom script in AFwall. 

Does Firefox resolve domain names now?

hucky58 commented 4 years ago

AFAIK it is not depending on Firefox's DNS handling. It seems AFWall is blocking the VPN initialization in some kind of blocking port or protocol ever. For me everything works fine while starting the VPN first, then adding private DNS and last starting AFWall. Of course this method is not recommended for security reasons, but for me it is the only way to enable VPN and private DNS with the Fritz router. Private DNS seems to be blocked by my (mobile) provider because this is not possible to use even when AFWall is off, only with enabled VPN ...

tusch001 commented 4 years ago

@hucky58 1. Do you get any toasts about blocked connections at all? (Blocked DNS requests are usually not reported, as I have found in older versions.)

With private DNS - Do you refer to DNS-over-TLS in Android 9+ / LOS 16+ or do you use a third party or other methods? Which OS? Default port is 853 but others are used in different settings. I had to open port 853 in a custom script because AFwall in whitelist modes blocks all non-essential ports.

edit: which provider? (Also German Telekom?)

Jasper-Ben commented 4 years ago

@tusch001 thanks for stepping in and providing more technical details! :) I didn't yet get the chance to take a closer look myself. Interestingly enough, my work-around also only works on a day-to-day basis; sometimes I initially have to disable the firewall as well. So it might be that the DNS entry is just cached for the period of time where it actually works.

Generally it seems a lot happened between LOS 15 and LOS 16 (Android 8 & 9) affecting the reliability of unblocking apps in AFWall. E.g. yesterday I also had to disable AFWall in order to connect to a Jitsi server, same with Signal desktop peering, some of which might be related to https://github.com/ukanth/afwall/issues/981, even though there wasn't always a log entry. So maybe this is all part of a bigger issue?

tusch001 commented 4 years ago

What has changed in recent months / years is the move to encrypt DNS and enhance security with vpns. Unfortunately there are huge differences in the way they are implemented in different os versions / app / vpn setups and it is just not possible for afwall to keep track of all methods without compromising security.

I wish there would be a way in AFwall settings to allow to open ports for troubleshooting.

Like in the original reference to the blog post where clearly a connection to the ISP over port 4500 was blocked.

Maybe a feature request?

Just to be clear: I still think it is a good thing that most ports are blocked in whitelist mode by default.

hucky58 commented 4 years ago

If someone is interested and able to interpret I can try to make captures of net transfer while starting the procedures.

tusch001 commented 4 years ago

I'm not sure if there is anything to see if afwall blocks something without reporting.

My way of troubleshooting would be:

1. Turn on VPN, turn on AFWall protocol + toasts, don't use private DNS, allow app ID -12 in AFWall to open port 53, make sure the VPN app has general internet access and apps are allowed to access the VPN.

2. Use a terminal app (allow in AFWall) and try the list:

3a. To test if a browser is blocked or making its own DNS: use a simple browser + unencrypted DNS (I always test 2 browsers - Firefox and FOSS Browser, maybe even curl in the terminal). This will tell if unencrypted DNS is working.

3b. If DNS is still blocked, e.g. because of ISP + VPN, I would use NAT in a custom script to send DNS requests to a different DNS server, example:

    IPTABLES=/system/bin/iptables
    ROOT_UID=0

    # choose dns server
    # digitalcourage.de
    DNS=46.182.19.48
    # dnscache.berlin.ccc.de
    #DNS=213.73.91.35
    # Cisco OpenDNS
    #DNS=208.67.222.222

    # send all dns to this server (unencrypted)
    $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination $DNS:53
    # this opens port 53 (only towards the chosen server, for root-owned sockets)
    $IPTABLES -A "afwall" -p udp --dport 53 -d $DNS -m owner --uid-owner $ROOT_UID -j ACCEPT

4. Only when unencrypted DNS is working I would turn on private DNS. Depending on the specific setup the specific port needs to be open, e.g.

    # DNS-over-TLS (Android 9+ private DNS) runs over TCP, not UDP, on port 853
    $IPTABLES -A "afwall" -p tcp --dport 853 -m owner --uid-owner $ROOT_UID -j ACCEPT

or - if you don't know the port - allow all traffic to the IP of the DNS server

    DNS=46.182.19.48
    # no -p / --dport match, so every protocol and port towards the resolver is allowed
    $IPTABLES -A "afwall" -d $DNS -m owner --uid-owner $ROOT_UID -j ACCEPT

As I have said before, you may have to additionally open port 53 (app ID -12), which defies the idea of private DNS if other apps can just use normal DNS. This is necessary when private DNS is not built into the OS and you use apps like Intra, or it is stupidly implemented (LOS 16, where you can't set the IP address, only the domain name of the server).

5. During the test look for any toasts that say something about blocked (not readily recognised) ports. They may be needed by the VPN. I would add a line for those in the custom script too. The goal is to get a working setup with AFWall and VPN and then reduce the custom script.

Good luck.
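An added example, not code from the AFWall project or from anyone in this thread, that folds steps 3b and 4 above into one custom script: plain DNS (UDP and TCP 53) is redirected to a single resolver, only that resolver is whitelisted (plus TCP 853 for DNS-over-TLS), and each rule is checked with `-C` before being appended, because AFWall re-runs the custom script every time it applies its rules and the nat table is not flushed in between. The resolver IP is the digitalcourage one quoted above and is a placeholder to replace; `dry_run_iptables` is an assumed stand-in used only when the iptables binary is missing.

```shell
#!/system/bin/sh
# Added example, not code from the AFWall project or from this thread.
# AFWall custom script: force plain DNS to one resolver and whitelist only
# that resolver's ports. Replace DNS with the resolver you trust.

IPTABLES="${IPTABLES:-/system/bin/iptables}"
DNS="${DNS:-46.182.19.48}"   # digitalcourage.de, as quoted in the thread
ROOT_UID=0

# Stand-in used when the iptables binary is not present (e.g. when checking
# the script off the device): report every rule as missing and print it.
dry_run_iptables() {
    [ "$3" = "-C" ] && return 1
    echo "$@"
}
[ -x "$IPTABLES" ] || IPTABLES=dry_run_iptables

# add_rule TABLE CHAIN RULE...: append RULE only if it is not already there.
# AFWall runs this script on every rule apply, so an unconditional -A in the
# nat table would pile up duplicate DNAT entries.
add_rule() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

apply_dns_rules() {
    # Send every plain DNS query, UDP and TCP (large answers fall back to
    # TCP), to $DNS, whatever server the app or the VPN handed out.
    add_rule nat OUTPUT -p udp --dport 53 -j DNAT --to-destination "$DNS:53"
    add_rule nat OUTPUT -p tcp --dport 53 -j DNAT --to-destination "$DNS:53"
    # Whitelist only the redirected destination for the root-owned resolver,
    # plus DNS-over-TLS (TCP 853) to the same host for Private DNS.
    add_rule filter afwall -p udp --dport 53 -d "$DNS" \
        -m owner --uid-owner "$ROOT_UID" -j ACCEPT
    add_rule filter afwall -p tcp --dport 53 -d "$DNS" \
        -m owner --uid-owner "$ROOT_UID" -j ACCEPT
    add_rule filter afwall -p tcp --dport 853 -d "$DNS" \
        -m owner --uid-owner "$ROOT_UID" -j ACCEPT
}

apply_dns_rules
```

Run off the device it prints the five rules it would add instead of applying them; on the device, point AFWall's custom script setting at this file and keep "system iptables binary" selected or adjust IPTABLES.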