tnull n00b
Joined: 18 Jul 2022 Posts: 2
Posted: Mon Jul 18, 2022 7:19 pm Post subject: [SOLVED] UFW and WireGuard not working together
Hi, I've been trying to fix this for several days. I don't think it's specific to Gentoo, but I am using Gentoo so here I am.
I'm using an external VPN service (Mullvad). When UFW is enabled, I can connect to the VPN through network manager, but I have no internet access. If I disable UFW, I also get no internet access, but if I reboot after disabling UFW it will work as expected. I've tried several combinations of rules to allow incoming / outgoing connections on the WireGuard interface to no avail.
My question is: What exactly is UFW doing that it would continue to block it even when disabled? It only works if I reboot after disabling it.
This leads me to believe that it wouldn't really matter which rules I use since UFW is clearly doing something under the hood that blocks it regardless of status.
Any insight is appreciated, thanks.
Last edited by tnull on Mon Jul 18, 2022 11:09 pm; edited 1 time in total
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5366 Location: Bavaria
Posted: Mon Jul 18, 2022 8:21 pm Post subject:
tnull,
Welcome to Gentoo Forums.
UFW is an Uncomplicated FireWall. See more in our Wiki: https://wiki.gentoo.org/wiki/Ufw
A problem with uncomplicated things is, it doesn't help if someone doesn't know what it does ... UFW is NOT your firewall; it only helps you to set some rules for your firewall. Your real firewall is in your kernel (as modules). These modules must be configured with "iptables" or "nftables". UFW uses one of these commands to send fw-rules to your kernel modules. If your UFW is using "iptables" you can list all active rules with "iptables -L" (better: "iptables -L -v -n").
In my opinion it is easier for everyone who has "specific" network "solutions" (like a VPN) to do native firewalling with "iptables" or "nftables". If you understand which ports must be allowed you can play with UFW later (or throw it away forever). Maybe you want to read an old article -> chapter II. of: https://forums.gentoo.org/viewtopic-p-8612346.html (here is a link to my German article which is updated).
Most important when doing firewalling is logging! It is very helpful to see what is blocked/forbidden - and it is necessary to recognize bad requests. If you need more help we first need a short description of your system:
1. OpenRC or systemd ? Stable or ~amd64 ?
2. Output of "dmesg".
3. How did you install and configure UFW?
tnull n00b
Joined: 18 Jul 2022 Posts: 2
Posted: Mon Jul 18, 2022 11:08 pm Post subject:
pietinger,
Thank you for the informative post. After reading through your links, I decided I would ditch ufw and just try to configure iptables myself since I have a simple use case. I went with the following basic rules to get started with:
Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
This is basically all I was doing in UFW, but here it now works as I expected it to. The difference seems to be in the stateful rule for input. The VPN / WireGuard connection works fine with that rule.
I'll continue to evolve the rules as I learn more about it, but I'll consider this as solved since in my case the uncomplicated firewall just made it more complicated!
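The ruleset tnull settled on (three default policies plus one stateful INPUT rule) and the logging pietinger recommends, as an added POSIX sh example that is not from either poster; it assumes iptables with the conntrack match, uses loopback and INVALID handling that the thread does not mention, and reads IPT so it can be dry-run with IPT=echo before touching a live host:

```sh
#!/bin/sh
# Added example, not code from the thread.  Reproduces tnull's final
# policy (INPUT DROP, FORWARD DROP, OUTPUT ACCEPT, one stateful accept)
# and adds the rate-limited logging of dropped input that pietinger
# recommends.  Run as root with "apply"; IPT=echo prints instead.
set -e
IPT="${IPT:-iptables}"   # assumed path; set IPT=echo for a dry run

fw_apply() {
  # Start from an empty filter table.
  "$IPT" -F
  "$IPT" -X
  # The three default policies from tnull's listing.
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  # Loopback is needed by most local services (assumption, not in thread).
  "$IPT" -A INPUT -i lo -j ACCEPT
  # The single stateful rule that made the WireGuard tunnel work:
  # replies to outbound traffic (including the UDP handshake the client
  # initiates) are accepted.  tnull's listing shows the older
  # "-m state --state" form; "-m conntrack --ctstate" is equivalent here.
  "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Packets conntrack cannot classify are dropped before logging.
  "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Log what the DROP policy is about to discard, rate limited so a
  # scan cannot flood the kernel log; read it with dmesg or journalctl.
  "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "IN-DROP: " --log-level 4
}

# pietinger's suggested way to inspect the live ruleset.
fw_show() {
  "$IPT" -L -v -n
}

if [ "${1:-}" = "apply" ]; then
  fw_apply
  fw_show
fi
```

With IPT=echo the script prints every iptables invocation, which is a cheap way to review the rules before they are applied.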
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5366 Location: Bavaria
Posted: Mon Jul 18, 2022 11:51 pm Post subject:
tnull,
I am glad it works for you. So, you have one rule (and 3 defaults) and this is sufficient to prevent your host from incoming traffic. Of course I must recommend to filter outgoing traffic also ... But one after another; I am sure you will get it.
Have fun with Gentoo!