afwall not blocking when wireguard active #819

Open
jancm opened this issue Apr 8, 2018 · 2 comments
@jancm

jancm commented Apr 8, 2018

I'm running wireguard as a VPN. It works fine (one exception, which I'll get to). Afwall works fine when wireguard isn't active. When it is active afwall doesn't block anything. Wireguard activates at boot, with a script in /sbin/.core/img/.core/service.d
It activates before afwall. If afwall is active, or if it was active and I disable it, bring down wireguard, then try to bring it back up, I get an error "RTNETLINK answers: Out of memory".
I have an attachment if I can figure out how to attach it :) It contains ifconfig, rule dump, afwall settings.
Looks like I need desktop view.
Attachment: afwall.zip

@siliconninja

I know this issue is about 1 year old, but I found a fix. I did some searching in the repo and I found that AfWall uses specific interface names (prefixes) for the VPNs.

public static final String ITFS_VPN[] = {"tun+", "ppp+", "tap+"};

So for example, if you use OpenVPN for Android, the interface name would be tun0 or tun1. If you use the WireGuard app, the interface name would be whatever the "name" of the configuration is. For example, if you called it my-vpn in the WireGuard app, then tapping the "my-vpn" entry shows "Interface", then "Name", with "my-vpn" under it. tun+ means that anything with the prefix "tun" would be recognized as a VPN by AfWall, and the firewall rules would then be applied to that interface.
To check your interface name, open Termux, type ifconfig, then look at the entry with your configuration's name; for example "my-vpn" would be displayed as my-vpn: followed by its flags, IP address, etc. When I set the interface name to something like tunmy-vpn or tun-my-vpn, the firewall works properly.

Here is the fix (you have to first turn on the separate VPN setting in 3 dots>AfWall preferences>Rules/Connectivity>VPN control):
My test was to temporarily block Termux with the VPN setting blacklisted, then with a specific WireGuard configuration: I would first turn WireGuard off, rename the config to have a prefix of tun before the actual config name, turn on WireGuard again with that specific config, then run apt update in Termux. I was trying to see if the app could go past the firewall by accessing the internet, by blocking a specific app and connecting to it. You can turn off the Termux block once you've checked that it works. You can use any app; I just used Termux to test internet connectivity. If you have other connection types (such as Wi-Fi, etc.) allowed but VPN blocked, it will block all internet in the app when connected to the VPN, but allow it through the others (but if the VPN is on, you won't be able to access the internet through the app at all; it won't fall back to another interface).
I have tried this and it works for all of my Wireguard VPN configs.
I hope this helps you.

@oushidian

Just to add some info, I've been using WireGuard + AFWall for over a year on three different phones and all I had to do was add VPN to the rules. Almost all of the apps I want to have access have only VPN checked and it's just worked.
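
The two comments above describe the same mechanism from opposite sides: AfWall attaches its per-app rules to interfaces selected by iptables wildcard patterns (the `ITFS_VPN` list quoted from the source), so a WireGuard interface named after its config ("my-vpn") matches no pattern and its traffic is never filtered, while a name with a "tun" prefix lands in the VPN chain and the per-app VPN checkbox takes effect. The following Python model, added here as an example and not code from the AfWall project, emulates the `+` wildcard semantics of iptables `-i`/`-o` matching, classifies interface names, applies a toy per-app policy, and scans ifconfig-style output for interfaces no chain would cover. The VPN prefix list is the one quoted in this thread; the Wi-Fi and mobile-data prefixes, the `AppPolicy` type, and the sample ifconfig text are constructed assumptions for illustration only.

```python
import re
from dataclasses import dataclass

# AfWall's VPN interface prefixes as quoted in this thread (iptables wildcard
# syntax: a trailing '+' matches any interface name beginning with the text
# before it). The Wi-Fi and mobile-data prefixes below are constructed for
# this example and are NOT claimed to be the project's own lists.
ITFS_VPN = ["tun+", "ppp+", "tap+"]
ITFS_WIFI = ["wlan+"]     # assumption, for illustration only
ITFS_DATA = ["rmnet+"]    # assumption, for illustration only

CHAINS = (("vpn", ITFS_VPN), ("wifi", ITFS_WIFI), ("data", ITFS_DATA))


def iface_matches(pattern: str, ifname: str) -> bool:
    """Emulate iptables -i/-o matching: 'tun+' matches 'tun0' and 'tun-my-vpn',
    but not 'my-vpn'; a pattern without '+' must match the name exactly."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


def classify_iface(ifname: str):
    """Return which per-interface chain ('vpn', 'wifi', 'data') would see
    traffic on this interface, or None if no chain covers it."""
    for kind, patterns in CHAINS:
        if any(iface_matches(p, ifname) for p in patterns):
            return kind
    return None


@dataclass(frozen=True)
class AppPolicy:
    """Toy per-app setting: which interface kinds the app is allowed to use
    (the equivalent of the Wi-Fi / data / VPN checkboxes)."""
    name: str
    allowed: frozenset


def decide(policy: AppPolicy, ifname: str) -> str:
    """Verdict for a packet from `policy.name` leaving via `ifname`.

    Models the fail-open behaviour described in the thread: traffic on an
    interface that matches none of the prefix lists is never inspected by
    any chain, so it is accepted regardless of the app's settings."""
    kind = classify_iface(ifname)
    if kind is None:
        return "ACCEPT"  # unfiltered: no chain is attached to this interface
    return "ACCEPT" if kind in policy.allowed else "DROP"


IFACE_LINE = re.compile(r"^(\S+?):\s")


def uncovered_interfaces(ifconfig_text: str) -> list:
    """Parse interface names from ifconfig-style output (lines such as
    'my-vpn: flags=...') and return those that no chain would cover.
    Loopback is skipped because it carries no traffic the firewall scopes."""
    names = [m.group(1) for line in ifconfig_text.splitlines()
             if (m := IFACE_LINE.match(line))]
    return [n for n in names if n != "lo" and classify_iface(n) is None]


# Constructed sample, shaped like the ifconfig output the thread refers to.
SAMPLE_IFCONFIG = """\
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0
my-vpn: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.2  netmask 255.255.255.255
"""

if __name__ == "__main__":
    # siliconninja's test: Termux with VPN blacklisted, Wi-Fi/data allowed.
    termux = AppPolicy("termux", frozenset({"wifi", "data"}))
    # oushidian's setup: an app with only the VPN box checked.
    vpn_only = AppPolicy("vpn-only-app", frozenset({"vpn"}))
    for app in (termux, vpn_only):
        for iface in ("my-vpn", "tun-my-vpn", "wlan0"):
            print(f"{app.name:13} via {iface:11} "
                  f"[{classify_iface(iface)!s:5}] -> {decide(app, iface)}")
    print("interfaces no chain covers:", uncovered_interfaces(SAMPLE_IFCONFIG))
```

Running it shows the thread's two observations side by side: with the interface named "my-vpn", both apps get ACCEPT because nothing is attached to that interface at all, which is why the reporter saw nothing being blocked; once the name starts with "tun", the VPN chain applies, Termux is dropped on the VPN while the VPN-only app is dropped on wlan0 and allowed on the tunnel. The `uncovered_interfaces` check is the quick audit to run against real `ifconfig` output after bringing a tunnel up: any non-loopback name it returns is traffic the firewall is not seeing.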

@ukanth ukanth added the Review label Mar 6, 2021