Hi all—as title suggests I’m experiencing a compatibility issue between UFW and my vpn (Windscribe if it matters). My UFW defaults are set to deny incoming, allow outgoing, and routed disabled, with no exception rules configured. When I enable Windscribe (I use OpenVPN udp on port 80 if that matters) while UFW is active, Windscribe reports a network configuration error and requests sending debug logs; ignoring the error still allows the VPN to function, but I observe IPv6 and DNS leaks. Disabling UFW removes the error and the leaks. What UFW configuration is causing this behavior, and which specific rules should I add to prevent IPv6 and DNS leaks while keeping UFW enabled?
ok thank you for your time, here is the output of ip6tables -L:
```
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw6-before-logging-input  all  --  anywhere  anywhere
ufw6-before-input          all  --  anywhere  anywhere
ufw6-after-input           all  --  anywhere  anywhere
ufw6-after-logging-input   all  --  anywhere  anywhere
ufw6-reject-input          all  --  anywhere  anywhere
ufw6-track-input           all  --  anywhere  anywhere
windscribe_input           all  --  anywhere  anywhere   /* Windscribe client rule */

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw6-before-logging-forward  all  --  anywhere  anywhere
ufw6-before-forward          all  --  anywhere  anywhere
ufw6-after-forward           all  --  anywhere  anywhere
ufw6-after-logging-forward   all  --  anywhere  anywhere
ufw6-reject-forward          all  --  anywhere  anywhere
ufw6-track-forward           all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw6-before-logging-output  all  --  anywhere  anywhere
ufw6-before-output          all  --  anywhere  anywhere
ufw6-after-output           all  --  anywhere  anywhere
ufw6-after-logging-output   all  --  anywhere  anywhere
ufw6-reject-output          all  --  anywhere  anywhere
ufw6-track-output           all  --  anywhere  anywhere
windscribe_output           all  --  anywhere  anywhere   /* Windscribe client rule */

Chain ufw6-after-forward (1 references)
target     prot opt source               destination

Chain ufw6-after-input (1 references)
target     prot opt source               destination
ufw6-skip-to-policy-input  udp  --  anywhere  anywhere   udp dpt:netbios-ns
ufw6-skip-to-policy-input  udp  --  anywhere  anywhere   udp dpt:netbios-dgm
ufw6-skip-to-policy-input  tcp  --  anywhere  anywhere   tcp dpt:netbios-ssn
ufw6-skip-to-policy-input  tcp  --  anywhere  anywhere   tcp dpt:microsoft-ds
ufw6-skip-to-policy-input  udp  --  anywhere  anywhere   udp dpt:dhcpv6-client
ufw6-skip-to-policy-input  udp  --  anywhere  anywhere   udp dpt:dhcpv6-server

Chain ufw6-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw6-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw6-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw6-after-output (1 references)
target     prot opt source               destination

Chain ufw6-before-forward (1 references)
target     prot opt source               destination
DROP       all        --  anywhere  anywhere   rt type:0
ACCEPT     all        --  anywhere  anywhere   ctstate RELATED,ESTABLISHED
ACCEPT     ipv6-icmp  --  anywhere  anywhere   ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp  --  anywhere  anywhere   ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp  --  anywhere  anywhere   ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp  --  anywhere  anywhere   ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp  --  anywhere  anywhere   ipv6-icmp echo-request
ACCEPT     ipv6-icmp  --  anywhere  anywhere   ipv6-icmp echo-reply
ufw6-user-forward  all  --  anywhere  anywhere

Chain ufw6-before-input (1 references)
target     prot opt source               destination
ACCEPT     all        --  anywhere   anywhere
DROP       all        --  anywhere   anywhere   rt type:0
ACCEPT     all        --  anywhere   anywhere   ctstate RELATED,ESTABLISHED
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp echo-reply
ufw6-logging-deny  all  --  anywhere  anywhere  ctstate INVALID
DROP       all        --  anywhere   anywhere   ctstate INVALID
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp echo-request
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp router-solicitation HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp router-advertisement HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 141 HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 142 HL match HL == 255
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmp mld-listener-query
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmp mld-listener-report
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmp mld-listener-done
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 143
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 148 HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 149 HL match HL == 255
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 151 HL match HL == 1
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 152 HL match HL == 1
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 153 HL match HL == 1
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 144
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 145
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 146
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 147
ACCEPT     udp        --  fe80::/10  fe80::/10  udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT     udp        --  anywhere   ff02::fb   udp dpt:mdns
ACCEPT     udp        --  anywhere   ff02::f    udp dpt:1900
ufw6-user-input  all  --  anywhere  anywhere

Chain ufw6-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw6-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw6-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw6-before-output (1 references)
target     prot opt source               destination
ACCEPT     all        --  anywhere   anywhere
DROP       all        --  anywhere   anywhere   rt type:0
ACCEPT     all        --  anywhere   anywhere   ctstate RELATED,ESTABLISHED
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp echo-request
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp echo-reply
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp router-solicitation HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmp router-advertisement HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 141 HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 142 HL match HL == 255
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmp mld-listener-query
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmp mld-listener-report
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmp mld-listener-done
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 143
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 148 HL match HL == 255
ACCEPT     ipv6-icmp  --  anywhere   anywhere   ipv6-icmptype 149 HL match HL == 255
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 151 HL match HL == 1
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 152 HL match HL == 1
ACCEPT     ipv6-icmp  --  fe80::/10  anywhere   ipv6-icmptype 153 HL match HL == 1
ufw6-user-output  all  --  anywhere  anywhere

Chain ufw6-logging-allow (0 references)
target     prot opt source               destination

Chain ufw6-logging-deny (1 references)
target     prot opt source               destination

Chain ufw6-reject-forward (1 references)
target     prot opt source               destination

Chain ufw6-reject-input (1 references)
target     prot opt source               destination

Chain ufw6-reject-output (1 references)
target     prot opt source               destination

Chain ufw6-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere  anywhere

Chain ufw6-skip-to-policy-input (6 references)
target     prot opt source               destination
DROP       all  --  anywhere  anywhere

Chain ufw6-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere  anywhere

Chain ufw6-track-forward (1 references)
target     prot opt source               destination

Chain ufw6-track-input (1 references)
target     prot opt source               destination

Chain ufw6-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere  anywhere   ctstate NEW
ACCEPT     udp  --  anywhere  anywhere   ctstate NEW

Chain ufw6-user-forward (1 references)
target     prot opt source               destination

Chain ufw6-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere  anywhere   tcp dpt:22000   /* 'dapp_syncthing' */
ACCEPT     udp  --  anywhere  anywhere   udp dpt:22000   /* 'dapp_syncthing' */
ACCEPT     udp  --  anywhere  anywhere   udp dpt:21027   /* 'dapp_syncthing' */
ACCEPT     tcp  --  anywhere  anywhere   tcp dpt:ssh
ACCEPT     tcp  --  anywhere  anywhere   tcp dpt:10387
ACCEPT     udp  --  anywhere  anywhere   udp dpt:10387

Chain ufw6-user-limit (0 references)
target     prot opt source               destination
REJECT     all  --  anywhere  anywhere   reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere  anywhere

Chain ufw6-user-logging-forward (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere  anywhere

Chain ufw6-user-logging-input (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere  anywhere

Chain ufw6-user-logging-output (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere  anywhere

Chain ufw6-user-output (1 references)
target     prot opt source               destination

Chain windscribe_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  ip6-localhost  anywhere        /* Windscribe client rule */
DROP       all  --  anywhere       anywhere        /* Windscribe client rule */

Chain windscribe_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere       ip6-localhost   /* Windscribe client rule */
DROP       all  --  anywhere       anywhere        /* Windscribe client rule */
```
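One way to read the OUTPUT side of that listing, as an added example that is not part of the thread and is not ufw or Windscribe code, is to walk the OUTPUT chain in order for a single new outbound IPv6 UDP packet (a DNS query, say) and record which chain gives the first terminating verdict, once with the ufw6-* chains present and once with them flushed as `ufw disable` would leave them. The walker models only the matches that can apply to such a packet: it assumes the first `ACCEPT all` in ufw6-before-output is ufw's loopback rule (an assumption, because `ip6tables -L` hides the `-o` interface match), collapses the ICMPv6 accepts into one rule, and ignores the empty chains and the `rt type:0` DROP. The packet, interface name and addresses are constructed.

```python
# Added example (not from the thread, not ufw or Windscribe code): walk the
# ip6tables OUTPUT path listed above for one new outbound IPv6 UDP packet and
# report which chain gives the first terminating verdict.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str                       # verdict, or user chain to jump into
    proto: str = "all"                # "all", "tcp", "udp" or "ipv6-icmp"
    ctstate: frozenset = frozenset()  # empty = no conntrack match
    out_iface: str = ""               # "" = any; ASSUMPTION, -L hides -o
    dst: str = ""                     # "" = anywhere

    def matches(self, pkt):
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and (not self.ctstate or pkt["ctstate"] in self.ctstate)
                and (not self.out_iface or self.out_iface == pkt["out_iface"])
                and (not self.dst or self.dst == pkt["dst"]))


NEW = frozenset({"NEW"})
ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})

# The OUTPUT path from the listing, reduced to the matches that can apply to a
# unicast UDP/TCP packet. Empty chains are omitted (a jump into them simply
# returns), as is the 'rt type:0' routing-header DROP.
UFW_ON = {
    "OUTPUT": [Rule("ufw6-before-logging-output"), Rule("ufw6-before-output"),
               Rule("ufw6-after-output"), Rule("ufw6-after-logging-output"),
               Rule("ufw6-reject-output"), Rule("ufw6-track-output"),
               Rule("windscribe_output")],
    "ufw6-before-output": [
        Rule("ACCEPT", out_iface="lo"),     # ASSUMPTION: ufw's loopback rule
        Rule("ACCEPT", ctstate=ESTABLISHED),
        Rule("ACCEPT", proto="ipv6-icmp"),  # the ICMPv6 accepts, collapsed
        Rule("ufw6-user-output"),
    ],
    "ufw6-track-output": [Rule("ACCEPT", proto="tcp", ctstate=NEW),
                          Rule("ACCEPT", proto="udp", ctstate=NEW)],
    "windscribe_output": [Rule("ACCEPT", dst="::1"),    # ip6-localhost
                          Rule("DROP")],
}
POLICY = {"OUTPUT": "ACCEPT"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains, chain, pkt, path):
    """Return the first terminating verdict reached in `chain`, or None when a
    user chain falls through so the caller continues with its next rule."""
    for i, rule in enumerate(chains.get(chain, []), 1):
        if not rule.matches(pkt):
            continue
        path.append(f"{chain}[{i}] -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, path)  # jump into user chain
        if verdict is not None:
            return verdict
    if chain in POLICY:                                 # built-in chain: policy
        path.append(f"{chain} policy -> {POLICY[chain]}")
        return POLICY[chain]
    return None


def verdict_for(pkt, chains=UFW_ON):
    """Verdict plus the ordered list of rules the packet touched."""
    path = []
    return walk(chains, "OUTPUT", pkt, path), path


def without_ufw(chains):
    """The same ruleset once `ufw disable` has flushed every ufw6-* chain."""
    return {name: [r for r in rules if not r.target.startswith("ufw6-")]
            for name, rules in chains.items() if not name.startswith("ufw6-")}


# Constructed packet: a fresh DNS query leaving on a physical interface.
DNS_QUERY = {"proto": "udp", "ctstate": "NEW", "out_iface": "eth0",
             "dst": "2001:db8::53"}

if __name__ == "__main__":
    for label, chains in (("ufw enabled", UFW_ON),
                          ("ufw disabled", without_ufw(UFW_ON))):
        verdict, path = verdict_for(DNS_QUERY, chains)
        print(f"{label}: {verdict}\n  " + "\n  ".join(path))
```

With the ufw6-* chains in place the packet is accepted at the second rule of ufw6-track-output, and OUTPUT never reaches windscribe_output at all; with those chains gone the same packet falls through to the DROP in windscribe_output. That ordering is consistent with the symptom in the first post (IPv6 leaks only while ufw is enabled), and it is the first thing to check in the `ip6tables-save` output once it is available, since that form shows the interface matches this walker had to assume.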
Sorry to be a doofus, but could you paste the output of `iptables-save` and `ip6tables-save` instead? The default iptables output actually just leaves out important information like which interface the rule applies to. I think the best thing to do would be to see if you can get support from Windscribe and find out whether it's a known issue or a bug that needs fixing.
I did; they said it's just how their app is made and I should disable ufw.