RC11 can't connect to VPN anymore on arch #47
Comments
Check if you have an error similar to this one in dmesg or journalctl: https://bugzilla.netfilter.org/show_bug.cgi?id=1440 By the way, what kind of VPN is it (openvpn, pptp, l2tp, ipsec)?
Ok, I will check. It is openvpn. I didn't add any hardening parameters, I just use the clear kernel from AUR.
Another Arch user said a few days ago that a similar problem was fixed just by updating the kernel: safing/portmaster#82 (comment). Maybe not the same problem, but just in case..
Hey @Ph0rk0z, I've got a new feature ready to prioritize certain rules that wouldn't be intercepted. Very simple, a conf file where you can allow or deny connections/protocols/etc:
I think it would be sufficient to work around this problem, but I don't know if you had in mind using more complex rules. It'll also be configurable from the GUI.
In some scenarios (#47) it may be useful to have a set of rules handled by OpenSnitch, although you can accomplish it with other software (ufw, ...). These rules will sit just above the default interception, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example):

```json
{
  "PriorityRules": {
    "out": {
      "allow": [ ],
      "deny": [
        "-m conntrack --ctstate INVALID",
        "-p tcp ! --syn -m conntrack --ctstate NEW"
      ]
    }
  }
}
```

The structure must exist even if you haven't defined any rule, for example:

```json
{
  "PriorityRules": {
    "out": {
      "allow": [ ],
      "deny": [ ]
    }
  }
}
```

Added this feature to this branch: https://github.com/gustavo-iniguez-goya/opensnitch/tree/priority-rules I'd be grateful if you can test it.
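As an added example (not OpenSnitch's own code), a small Go loader for the fw.json layout described in the comment above that enforces its one stated requirement: `PriorityRules.out` with both lists must be present even when empty, so a file of a different shape is rejected up front instead of silently yielding no rules. The struct names and the reject-on-missing-key behaviour are assumptions for illustration, not the daemon's implementation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Layout of /etc/opensnitchd/fw.json as described in the comment above.
// Pointer fields distinguish "key missing" from "key present but empty".
type outRules struct {
	Allow []string `json:"allow"`
	Deny  []string `json:"deny"`
}
type priorityRules struct {
	Out *outRules `json:"out"`
}
type FwConfig struct {
	PriorityRules *priorityRules `json:"PriorityRules"`
}

// SampleFwJSON is a constructed sample mirroring the rules shown in the thread.
const SampleFwJSON = `{"PriorityRules":{"out":{"allow":[],
  "deny":["-m conntrack --ctstate INVALID","-p tcp ! --syn -m conntrack --ctstate NEW"]}}}`

// ParseFwConfig decodes fw.json and enforces the requirement stated above:
// PriorityRules.out with both lists must exist even when no rule is defined.
func ParseFwConfig(data []byte) (*FwConfig, error) {
	var cfg FwConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("fw.json: invalid JSON: %w", err)
	}
	if cfg.PriorityRules == nil || cfg.PriorityRules.Out == nil {
		return nil, errors.New("fw.json: PriorityRules.out is missing; the structure must exist even if empty")
	}
	if cfg.PriorityRules.Out.Allow == nil || cfg.PriorityRules.Out.Deny == nil {
		return nil, errors.New("fw.json: both allow and deny must be present (use [] for no rules)")
	}
	return &cfg, nil
}

func main() {
	cfg, err := ParseFwConfig([]byte(SampleFwJSON))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("loaded %d allow and %d deny priority rules\n",
		len(cfg.PriorityRules.Out.Allow), len(cfg.PriorityRules.Out.Deny))
}
```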
I tried the branch and updated to 5.7.10.. no change. It just silently fails to connect.
And do you see the ICMP rule added? If so, does ping work now?
I'll have to check on Arch. Today I tried to upgrade to Ubuntu 20 on another machine. On the first boot it blocked everything, on the second boot it blocked nothing, and disable/enable didn't have any effect. The config wouldn't change even though I set it from the GUI and the service was running. I manually changed the daemon file and restarted to get it working. Seems using ftrace was causing issues, but forcing it to proc works for now. I also deleted the rules and re-installed the debs. I looked in the log but only saw the GUI disconnecting. I'll try it out some more, especially since I have another machine to update this week.
I checked the branch. The priority rules chain is there, but no rules are added and so ping doesn't work.
I've just checked the branch, compiled it, and it has worked for me, with this /etc/opensnitchd/fw.json:
Can you post yours, or check if the above JSON is different from yours?
Ooops. I used your earlier example:
So how do I exempt openvpn?
See if, with the ICMP rule added now, you can connect to the VPN. Also check that you can ping any host (ping 9.9.9.9). The ICMP rule should appear in the mangle table:
By the way, silly question: can you connect to the VPN with Default Action Allow?
Yeah, the ping worked after I corrected fw.json. The VPN did not. With default allow, or pausing the daemon through the GUI, it of course connects.
Did this get merged with the latest protocol based filtering? I added the file on my Ubuntu machine and it didn't work, so maybe not? Also saw the "client.disconnected" bug when updating. Rules could not be added and I pulled my hair out until I ended up deleting the remnants in the python folder.
No @Ph0rk0z, as it didn't solve the issue with the VPNs I didn't merge it, sorry :( On the other hand, after analyzing some VPNs I don't see an easy way of allowing only "VPN traffic", it's a bit tricky. The easiest way of solving this would be to revert the inner workings to the behavior of the original fork, but still, I think some VPNs won't work if the Deny action is configured. In future releases we can allow filtering by protocol.
Yes please, it's still useful to have ping work. I notice there is a startup data leak too. Qomui gets off a few pings while the desktop loads. Ntpdate works during kernel boot, but I don't think this one is fixable.
Ok! I want to release a new version with all the latest changes. I'll add it for the next one.
I've just tested this problem, and the openvpn tunnel has been established with no problem (Default Action: deny, openvpn binary detected fine). Using this conf: https://openvpn.net/community-resources/static-key-mini-howto/
Could you post the details of your VPN: dev (tun/tap), compression, etc.? I think we haven't talked about it before.
Ok, branch merged. I've changed the struct and the file name to configure the rules, see here: Now you can define any type of rule in the file. In order to bypass the interception and allow ICMP, add the rule to the mangle table, chain OUTPUT. Some day there will be a dialog to configure the system rules from the GUI. It should be easy, but it takes time.
Maybe similar to the ping problem? Either way, I can no longer establish a connection via Qomui when the firewall is enabled.
It started happening after the latest upgrades, including kernel 5.7. I have to pause the FW, connect, and then unpause. Ubuntu being frozen in place doesn't have this problem, but I worry for v20.
Nothing shows under blocked connections either.