UFW compatibility issues with my VPN

UFW compatibility issues with my VPN
from aprehendedmerlin@lemmy.dbzer0.com to linux@lemmy.ml on 09 Sep 12:09
https://lemmy.dbzer0.com/post/52917015

Hi all—as title suggests I’m experiencing a compatibility issue between UFW and my vpn (Windscribe if it matters). My UFW defaults are set to deny incoming, allow outgoing, and routed disabled, with no exception rules configured. When I enable Windscribe (I use OpenVPN udp on port 80 if that matters) while UFW is active, Windscribe reports a network configuration error and requests sending debug logs; ignoring the error still allows the VPN to function, but I observe IPv6 and DNS leaks. Disabling UFW removes the error and the leaks. What UFW configuration is causing this behavior, and which specific rules should I add to prevent IPv6 and DNS leaks while keeping UFW enabled?

#linux

threaded - newest

drspod@lemmy.ml on 09 Sep 12:36 next collapse

It might help if you paste a complete dump of your firewall rules. I’m not sure if ufw uses iptables of netfilter since I haven’t used it before, but you can do:

for iptables firewalls:

iptables -L

for netfilter firewalls:

nft list ruleset

That might help debug exactly what ufw and your vpn are doing.

non_burglar@lemmy.world on 09 Sep 13:36 next collapse

Iptables (and nftables, among others) is just an implementation of netfilter kernel modules.

[deleted] on 09 Sep 15:04 collapse

drspod@lemmy.ml on 09 Sep 19:06 collapse

Thanks, looking at it now, but I should have remembered, iptables has a separate tool for ipv6 called ip6tables. Could you also paste the output of

ip6tables -L

If you put it in the comment between backticks like this:

```
<paste here>
```

then it will keep the formatting exactly as it was when you copied it, instead of munging the linebreaks.

[deleted] on 09 Sep 21:58 next collapse

aprehendedmerlin@lemmy.dbzer0.com on 09 Sep 22:39 next collapse

ok thank you for your time here is the output of ip6tables -L:

Chain INPUT (policy DROP) target prot opt source destination
ufw6-before-logging-input all -- anywhere anywhere
ufw6-before-input all -- anywhere anywhere
ufw6-after-input all -- anywhere anywhere
ufw6-after-logging-input all -- anywhere anywhere
ufw6-reject-input all -- anywhere anywhere
ufw6-track-input all -- anywhere anywhere
windscribe_input all -- anywhere anywhere /* Windscribe client rule */
Chain FORWARD (policy DROP) target prot opt source destination
ufw6-before-logging-forward all -- anywhere anywhere
ufw6-before-forward all -- anywhere anywhere
ufw6-after-forward all -- anywhere anywhere
ufw6-after-logging-forward all -- anywhere anywhere
ufw6-reject-forward all -- anywhere anywhere
ufw6-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT) target prot opt source destination
ufw6-before-logging-output all -- anywhere anywhere
ufw6-before-output all -- anywhere anywhere
ufw6-after-output all -- anywhere anywhere
ufw6-after-logging-output all -- anywhere anywhere
ufw6-reject-output all -- anywhere anywhere
ufw6-track-output all -- anywhere anywhere
windscribe_output all -- anywhere anywhere /* Windscribe client rule */
Chain ufw6-after-forward (1 references) target prot opt source destination
Chain ufw6-after-input (1 references) target prot opt source destination
ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm ufw6-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn ufw6-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:dhcpv6-client ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:dhcpv6-server
Chain ufw6-after-logging-forward (1 references) target prot opt source destination
Chain ufw6-after-logging-input (1 references) target prot opt source destination
Chain ufw6-after-logging-output (1 references) target prot opt source destination
Chain ufw6-after-output (1 references) target prot opt source destination
Chain ufw6-before-forward (1 references) target prot opt source destination
DROP all -- anywhere anywhere rt type:0 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp destination-unreachable ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp packet-too-big ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp time-exceeded ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp parameter-problem ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-reply ufw6-user-forward all -- anywhere anywhere
Chain ufw6-before-input (1 references) target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere rt type:0 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-reply ufw6-logging-deny all -- anywhere anywhere ctstate INVALID DROP all -- anywhere anywhere ctstate INVALID ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp destination-unreachable ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp packet-too-big ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp time-exceeded ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp parameter-problem ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255 ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255 ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255 ACCEPT ipv6-icm

drspod@lemmy.ml on 10 Sep 14:14 collapse

Sorry to be a doofus, but could you paste the output of iptables-save and ip6tables-save instead? The default iptables output actually just leaves out important information like which interface the rule applies to.

I think the best thing to do would be to see if you can get support from Windscribe and find out whether it’s a known issue or a bug that needs fixing.

aprehendedmerlin@lemmy.dbzer0.com on 10 Sep 20:44 collapse

I did they said it just how their app is made and I should disable ufw

aprehendedmerlin@lemmy.dbzer0.com on 09 Sep 22:46 collapse

also here is the output of iptables -L again with markdown:

Chain INPUT (policy DROP) target prot opt source destination
windscribe_input all -- anywhere anywhere /* Windscribe client rule / ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
windscribe_block all -- anywhere anywhere / Windscribe client rule */
Chain FORWARD (policy DROP) target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT) target prot opt source destination
windscribe_output all -- anywhere anywhere /* Windscribe client rule / windscribe_dnsleaks all -- anywhere anywhere / Windscribe client dns leak protection / ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
windscribe_block all -- anywhere anywhere / Windscribe client rule */
Chain ufw-after-forward (1 references) target prot opt source destination
Chain ufw-after-input (1 references) target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references) target prot opt source destination
Chain ufw-after-logging-input (1 references) target prot opt source destination
Chain ufw-after-logging-output (1 references) target prot opt source destination
Chain ufw-after-output (1 references) target prot opt source destination
Chain ufw-before-forward (1 references) target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT icmp -- anywhere anywhere icmp echo-request ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references) target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ufw-logging-deny all -- anywhere anywhere ctstate INVALID DROP all -- anywhere anywhere ctstate INVALID ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere mdns.mcast.net udp dpt:mdns ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900 ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references) target prot opt source destination

colournoun@beehaw.org on 09 Sep 14:12 collapse

A quick fix might be to disable any ipv6 addresses if you don’t specifically need them. The vpn /could/ be ipv4 only, which /could/ leave your ipv6 free to leak or make ipv6 dns requests.