Afwall blocking VPN over cellular connections in Android 10 #1021

Closed
cb474 opened this issue Sep 18, 2019 · 8 comments

cb474 commented Sep 18, 2019

I recently upgraded to Android 10 and am now finding that Afwall blocks my vpn app from connecting to the remote vpn servers, but only over cellular data connections. It works fine over wifi.

Even if I enable every app and service listed in Afwall, the vpn app is still blocked over cellular data. Only if I disable the firewall or select the "any app" setting (-10) does it work.

In the Afwall log (and with the toasts when I try to use the vpn app) I see that an app with the ID (1029) is being blocked. But there is no app with that UID listed in Afwall to enable. The UID of my vpn is (10209).

Curiously, if I set the log to the old view method it identifies the app being blocked as (-1), but in the new view it remains (1029).

I'm using Afwall 3.1.0 (donate), but I tried the 3.2.0 beta and had the identical issue. This is on a Pixel 2. Stock Android. Rooted with Magisk.

@ukanth ukanth added the Review label Sep 18, 2019
ukanth (Owner) commented Sep 18, 2019

Seems like there is a new system port which needs to be opened for Android 10.

```c
#define AID_CLAT 1029
```

Try adding the following custom rules and see if it works:

```sh
$IPTABLES -A afwall-wifi-lan -m owner --uid-owner 1029 -j RETURN
$IPTABLES -A afwall-wifi-wan -m owner --uid-owner 1029 -j RETURN
$IPTABLES -A afwall-3g-home -m owner --uid-owner 1029 -j RETURN
```

cb474 (Author) commented Sep 18, 2019

Thanks for the quick reply.

How do I add custom rules?

(Also, something else curious I noticed in the log is that the Linux kernel (-11) is getting blocked, but I have it enabled in my rules.)

ukanth (Owner) commented Sep 18, 2019

You can add it in the "set custom script" option under the menu. Just copy and paste the above lines (each line).

The other one is a bug (kernel -11); will try to fix it.

cb474 (Author) commented Sep 18, 2019

That worked! Thanks so much for the quick response.

Will the rules persist after a reboot and when switching between wifi and cellular? Or do I have to apply them manually every time the rules are reapplied?

Also, will bug fixes show up in the Play Store donate version? Or will I have to use the beta? I noticed when I tried the beta that it wouldn't let me import my preferences (only rules), because it said that was a donate option. But I already purchased the donate option. And when you hit the button to get the donate options in the beta version, you just get sent to the stable (3.1.0) donate version in the Play Store. So it seems there's no way to get the beta to have the features of the donate version.


oushidian commented Sep 20, 2019

Thank you! I've been dealing with this issue for the past 6 months (Pixel 3, Android 9&10).

TLDR: The custom script worked for me. NOTE, add each line one at a time (cut/paste), then hit enter, add next line, etc.

More details: when I first got my Pixel 3 I was in Canada and everything worked fine on Google Fi. When I returned to the States it worked on wifi and randomly didn't work on cell (sometimes it would block everything and sometimes nothing, probably because Google Fi switches between Verizon/Sprint/T-Mobile). I kept messing with settings, Magisk, etc. but nothing worked. So when Android 10 came out I decided to wipe and try again. Now it stops working when VPN is on (the original post). This is a success to me because it consistently doesn't work rather than acting random.

So I signed up for the beta AFWall yesterday and nothing changed. I think it's a DNS issue since my VPN (WireGuard btw) automatically changes the DNS, so I start searching on that and eventually find this post. Success!

Edit: I just found the WireGuard post but I've never had that problem. I just enabled VPN in the rules and it worked; I never had to add "tun" to the name.

cb474 (Author) commented Sep 22, 2019

@oushidian When I applied the rules, I copied them all together, pasted all three lines together into the custom script option, and applied them all together. But I made sure there were line breaks between the lines (that is, not all strung together as one long line). I wasn't sure what ukanth means above by "each line." Anyway, that worked for me.

When I tried applying one line and then the next, it seemed like AFwall was completely rewriting all of the rules, plus the custom script, each time. So I assumed that meant it was completely overwriting the existing rules, which would therefore overwrite the line from the custom script applied the previous time. This would leave, I assume, only the last custom script line actually applied. Anyway. I'm not sure what the correct way is, but what I did has worked for me so far.

oushidian commented

Sorry for the confusion, yes, all three lines must be in the custom script box with NEWLINES in between them. I found it easier to paste them one at a time then hit ENTER rather than paste all three then try to scroll around to enter the breaks.

ukanth (Owner) commented Oct 13, 2019

Added clat to apps. 3.2.0 final will have the fix.
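
The diagnosis in this thread, as an added example (not AFWall code and not written by any participant): it tallies blocked UIDs from firewall log lines and flags those below Android's app UID range, such as 1029, which never show up in an app list. The log lines are constructed, and the `{AFL}` prefix, the field layout and the function names are assumptions.

```python
import re
from collections import Counter

AID_APP_START = 10000  # first UID Android assigns to installed apps
# Partial table of system AIDs from AOSP's android_filesystem_config.h;
# 1029 (clat) is the value quoted in this thread.
SYSTEM_AIDS = {0: "root", 1000: "system", 1016: "vpn", 1029: "clat", 2000: "shell"}

# Constructed sample lines. The "{AFL}" prefix and fields are assumed to follow
# the usual iptables LOG output with UID logging enabled; adjust for your device.
SAMPLE_LOG = """\
[ 812.101] {AFL}IN= OUT=rmnet_data0 SRC=10.20.30.40 DST=198.51.100.7 LEN=120 PROTO=UDP SPT=40001 DPT=51820 UID=1029 GID=1029
[ 812.350] {AFL}IN= OUT=rmnet_data0 SRC=10.20.30.40 DST=198.51.100.7 LEN=120 PROTO=UDP SPT=40001 DPT=51820 UID=1029 GID=1029
[ 813.004] {AFL}IN= OUT=wlan0 SRC=192.168.1.5 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51000 DPT=443 UID=10150 GID=10150
[ 813.900] unrelated kernel message
"""

LINE_RE = re.compile(r"\{AFL\}.*?\bOUT=(?P<out>\S*).*?\bUID=(?P<uid>\d+)")

def blocked_uids(log_text):
    """Count blocked packets per (uid, outgoing interface)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(int(m.group("uid")), m.group("out"))] += 1
    return counts

def unlisted_blocks(log_text, allowed_uids):
    """Return blocked UIDs that have no allow rule, labelled by kind."""
    report = []
    for (uid, iface), n in sorted(blocked_uids(log_text).items()):
        if uid in allowed_uids:
            continue
        if uid >= AID_APP_START:
            kind = "app"
        else:
            # Below AID_APP_START: a system account, not an installed app.
            kind = "system:" + SYSTEM_AIDS.get(uid, "unknown")
        report.append((uid, kind, iface, n))
    return report

if __name__ == "__main__":
    # 10209 is the VPN app UID from the report: it is allowed, yet 1029 is blocked.
    for row in unlisted_blocks(SAMPLE_LOG, allowed_uids={10209}):
        print(row)
```

A `system:` entry on a cellular interface is the case reported here: the traffic is owned by a system account, so enabling the VPN app's own UID does not cover it.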
