VPN doesn't work with opensnitchd most of the time [wireguard, iptables] #454
Comments
|
@gustavo-iniguez-goya Could help me please? Answerting first three questions. |
|
Hi @chicagoo17 ! First things firsts, could you tell us the opensnitch version and GNU/Linux distribution you're using?
You can set log level to DEBUG (GUI -> Preferences -> Nodes) and monitor the log file
To intercept DNS responses, so we can keep a cache of known IP-host list. If a new process tries to establish a connection to an IP and it's in the cache, we display the host instead of the IP (which is anyway shown on the popups).
Yes, you can delete the rule, it won't affect the interception of outbound connections. But we check every 30s if that rule is added, and if it's not present we add it again (it's pretty common to disable fw rules once you get access to a system).
Actually, this is the first time I see this problem, so I can't tell you for now.
It seems that the daemon cannot connect to the GUI. Could you verify that the file |
|
I have the same problem with the latest release candidate. Fedora 34, which uses nftables & firewalld frontend. Default action on GUI is allow, default action in nodes is deny. I can't connect to my VPN with the firewall enabled. Had to downgrade to 1.3.6. Edit: By checking "Intercept Unknown Connections", I am able to allow the wireguard vpn connection with opensnitch. |
|
@pizzadude could you post the output of |
|
Attached is output of "nft list ruleset". Without applying the workaround, latest opensnitch does not detect the VPN at all, and silently blocks it. It could be the fact that there is no process ID for wireguard, as it uses a kernel module. I worked around this issue by checking "Intercept Unknown Connections" in opensnitch, and allowing the wireguard port 51820 in opensnitch. |
|
mm. I think that this issue is caused by 1) 21c6a91 and 2) da23c82, mainly by 1). If the daemon and GUI default action is deny, then I think this is the correct behaviour. By the way, I don't see our rules in the nft output. There should be 2 tables called opensnitch-filter and opensnitch-mangle for ip and ip6. |
|
For some reason, opensnitch rules are not added. Maybe it's because Fedora uses firewalld on top? |
|
They should coexist I guess. I haven't tested it with firewalld. With iptables everyone added the rules to the hardcoded tables nat, mangle, etc. But with nftables you can name the tables as you wish, what makes me wonder what table has priority if different firewalls create same chains (like opensnitch -> { mangle, nat, ...} and firewalld -> { mangle, nat, ... }) . Maybe it's checked in alphabetical order. "Convention is though to use the iptables names by default", I'll change the tables for the next release, but I don't think firewalld is following that "convention". Anyway, if the daemon is intercepting connections then our rules are added. |
|
Opensnitch seems to be working, despite the VPN problem and the ICMP (can't ping) problem, even though the rules didn't show up. Testing with "curl https://google.com" shows that opensnitch is intercepting connections fine. |
|
I also have the iptables command. If I do " sudo iptables --list-rules " I found a rule: "-A INPUT -p udp -m udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass" is that the opensnitch rule? |
|
mm, yes, could you post the output of |
|
I figured out why the rules were showing up in iptables, and not nftables. I had iptables-legacy installed. I uninstalled iptables-legacy, and the iptables command now points to "/usr/sbin/iptables-nft". Now the opensnitch rules show up in nftables. I still have the same issues though, but at least that mystery is solved. |
|
aah ok, I was also mixing up different issues. |
|
Confirmed that we don't intercept the process name that establishes the wireguard tunnel (nor even by using ebpf): At least we're able to intercept the ougoing connection. @chicagoo17 see if activating the option "Unknown connections" you're prompted to allow the outgoing connection (Preferences -> Nodes) |
|
I'm having issues with Wireguard too, Opensnitch just blocks it without prompting for user action, I'm using the VPN provider custom app, OpenVPN works fine with Opensnitch but Wireguard does not.
|
|
Hi @jdk32f2 , did you enable [x] Debug invalid connections, under Preferences -> Nodes? It should prompt you to allow an outgoing connection. If not, post your WireGuard configuration. By the way, using eBPF or proc monitor method? |
|
Hi, that worked, I got a prompt to the server IP and I allowed it, I'm using eBPF. I didn't realize the name was changed I was looking for "Unknown connections" based on your old comment and couldn't find it. So I'm assuming it is safe now to disable the debug invalid connections option, since I see the IPs got whitelisted. So why does this happen with Wireguard and not Openvpn? Also off-topic but my opensnitch logs are being blasted nonstop with |
The problem is that WireGuard connections are initiated from kernel-space, so there's no really a process that's initiating it (I haven't analyzed this but I guess that user-space tools will tell the kernel module to open the connection). OpenVPN on the other hand doesn't have a kernel module, so the connections are initiated from user-space.
That log indicates that the IP is not an IP of the system (as seen by |
|
I've added the solution of this issue to the FAQs https://github.com/evilsocket/opensnitch/wiki/FAQs |
|
Hi, the issue with this is that it makes it very difficult to create proper rules. For example, you need to whitelist every single IP of the VPN provider that you're connecting to since you cannot just whitelist the application (because opensnitch can not determine it). If there is no way to fix this in a way that would make it possible for OpenSnitch to determine the actual process, it would be helpful to implement a "Comment" field so that you have at least an overview as to what IP belongs to what application. When the popup opens that asks you to Allow/Disallow the connection, there should be a "Comment" field. That field should afterwards be visible in the rules list. |
Yeah, for now there's no fix for this scenario. Adding a Description/Comment field to the rules was also suggested by NRGLine4Sec on another issue, and I think that it'd be useful. But I think that the pop-up dialog is already quite complex, so I'd prefer to leave it as it's now. |
|
By the way, I'm playing with a kernel module to initiate connections from kernel space, and at least in this scenario, we're able to intercept the process: |
Interesting, did you modify something in opensnitch and it was able to intercept this module, or is this working on the current version of opensnitch? |
So, with that kernel module it would be possible to determine the actual process for wireguard connections? |
It's working with latest RC. If you use the "proc" monitor method you'll see the "unknown process" pop-up, but if you use "ebpf" then we're able get the process in this particular case.
No, no. I meant that we're able to intercept connections initiated from kernel space, including the name of the process that initiated them (it wasn't obvious if we were able to do this, or if the "unknown connections" + eBPF were always kernel connections). Anyway, I think I've got something interesting. I've realized that the WireGuard lkm uses I've modified the script udplife.bt to intercept those functions, and now when setting up a WireGuard tunnel it intercepts the PID and COMM of the process that initiates the tunnel. hooking
All other procfs fields are empty (cmdline, environ, fd/*, etc) I can also see that there's a process with the following however I've been unable yet to relate it with any connection. @themighty1 what do you think, could we add these functions to the ebpf module? udp_socket_create4(), udp_socket_create6(). |
|
@gustavo-iniguez-goya , hi, I don't think, I'll have the time to work on this but generally, I think it is a direction worth researching. |
|
There's some progress on this:
|
|
Sorry, I noticed that I forgot to update my |
|
I guess I should put a note somewhere :) |
|
I seem to be running into a similar issue. It started happening recently, possibly after an update to Fedora 36. After enabling "Debug invalid connections" I also see the KIPI Plugins pop-up whenever I try to connect with Mullvad.
I have tried completely removing opensnitch (checked no The last print-out of my logs show the following when the connection starts with mullvad Then whenever I click always allow for this executable I see the error with the rule: When I allow just for the port, instead of the executable then I see: @gustavo-iniguez-goya I can share my mullvad key if you want to try and reproduce it. |
|
I forgot to mention the system details, but I'm running the latest releases of everything:
|
|
|
Brilliant, that worked for me. Thank you @pizzadude! |
|
🚀 @pizzadude I'll buy 1 month of mullvad to see if I can reproduce this behaviour and try to fix it. |
|
@pizzadude @chriscz what options do you have configured under Mullvad -> Advanced? and what tunnel protocol options (ipv4/ipv6, udp/tcp, port, etc)? |
|
@gustavo-iniguez-goya Also Mullvad uses UDP by default. Also, it should be worth noting that this only started happening after the kernel update in Fedora 36 to kernel version 5.19.x In kernel 5.18.x and below I could just allow it via an opensnitch regular rule. |
|
ok, that's good to know. I'll try to reproduce it with kernel the 5.19 |
|
ok, reproduced with kernel 5.19. I'll investigate why these connections are not intercepted. [update] nice, the iptunnel_xmit hook is working (so we don't have to update the ebpf module): If you select Advanced -> Tunnel protocol -> openvpn, does it connect to their servers? |
|
OpenVPN works fine, I get an opensnitch popup asking me to allow it and it works. |
|
ok, this problem can solved by recompiling the eBPF module against latest sources of your kernel, in this case 5.19. Following these steps https://github.com/evilsocket/opensnitch/blob/master/ebpf_prog/README but changing 5.8 by 5.19 |
|
Recompiling the eBPF module against kernel 5.19.x fixed it, no need for my workaround anymore. Thanks! |
|
Hi, I'm jumping on this thread since I just discovered I'm facing the same issue with wireguard (custom hosted server) and kernel 5.19 I did try to compile as instructed buth then I'm getting this error when trying to start opensnitchd kernel is 5.19.0-76051900-generic I did not try to completely reboot, only tried a systemctl stop then start (either with systemctl or sudo opensnitchd with suggested options) Any idea what may be failing ? |
|
what opensnitch version are you using @squalou ? v1.5.2? |
|
didn't check, apparently it's labeled 1.5.0.rc1 in the UI I could probably build 1.5.2 locally if it is required edit : I probably instaled it manually from a .deb somehow edit 2 Still the same error after compile / cp to /etc But, the workaround with Don't bother, I bet there will be a working fix one day, until then the workaround seems fine |
|
I think that the segfault is caused for using v1.6.0 ebpf module with daemon v1.5.0, could you confirm that you compiled the ebpf module from v1.5.0 branch? https://github.com/evilsocket/opensnitch/tree/1.5.0/ebpf_prog Or post the full stacktrace. I'm trying to make it work for > 5.19 and <= 5.18, but no luck for now. |
|
You're right : I did use Thank you again ! (for this answer and for the work on opensnitch in general) And good luck... (maybe the best approach would be to set 5.19 as a prerequisite to version 1.6.0) |
|
no problem @squalou :) The problem is something expected: we're reading sk_buff struct to extract tunnels parameters (vpn, nfs, smb, etc), but it's not a stable interface, so it may change from kernel to kernel, leading to these kind of errors. If I'm not wrong, the (correct) way of solving this problem is by updating the ebpf module to be bpf CO:RE compatible. I've tried it but still it doesn't work, but probably I'm doing something wrong. Other options:
|
Build eBPF modules whenever a change to the modules is pushed. It'll fail if there're some warnings. The action compiles *and publishes* the modules for several branches and kernels. Hopefully this will help to automate this process and be more transparent. It'll also help on issues like this one: #454
|
hey folks, @pizzadude I've created a github action to compile the modules manually, or whenever a change to the modules is pushed. I've reproduced the scenario where the VPN connections weren't intercepted, then downloaded the compiled module for 1.6.0rc2 + kernel 5.19, replaced it with the one installed, restart the daemon and the VPN connections were intercepted again. The artifacts are at the bottom of the page: |
|
Nice. |
|
hey all, I've changed the way we compile the ebpf modules: #942 Could you test the precompiled binaries (or compile them by yourself) and let me know if they work on your systems? As far as I can tell, they work fine intercepting VPNs/cifs/nfs/ksmbd/etc. Thank you! |
|
I compiled using the new method earlier and it works fine. |
|
thank you! |
|
hello, i would like to know if there are any issues when using a kernel with lockdown=confidentiality enabled (which in effect disables bpf). I noticed that my wireguard tunnel gets blocked and no popup shows for the connection. |
|
Yes @schiavonedimitri , opensnitch needs ebpf to intercept the VPN outgoing connection. Another option would be to add a nftables rule to exclude outgoing traffic to the VPN port (Firewall -> Allow service (out)). |
Hi there, only started my journey in linux and maybe just don't understand something.
My wireguard vpn doesn't work sometimes (sometimes if I turn on vpn after opensnitchd it works, around 30% cases) when opensnitchd runs.
That seems to be because of an iptables rule:
-A INPUT -p udp -m udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
If I delete this rule everything works fine, but I didn't manage to fully understand what it does.
If it matters, my wireguard .conf uses "DNS = 10.0.0.1" (and IPv6 address).
I don't quite understand where to see logs of wireguard or opensnitch for this (I couldn't find this) so just asking.
Questions:
1. What is the purpose of this iptables rule above?
2. Is it safe for my safety and privacy to delete this rule?
3. Do I need to configure my vpn to bypass this?
4. By the way what do these lines mean? It's from /var/log/opensnitchd.log
Error while pinging UI service: rpc error: code = DeadlineExceeded desc = context deadline exceeded, state: READY
[date and time] ERR getting notifications: rpc error: code = Unavailable desc = transport is closing
[date and time]] WAR Error while pinging UI service: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /tmp/osui.sock: connect: connection refused", state: TRANSIENT_FAILURE
The text was updated successfully, but these errors were encountered: