ProtonVPN WireGuard "Connect timeout" caused by OpenSnitch NFQUEUE — Complete Diagnosis & Fix
Summary
When
running ProSnitch alongside ProtonVPN on Linux, WireGuard connections
fail with a "Connect timeout" error after ~10 seconds, and then it tries again, and again... The root cause is
OpenSnitch's NFQUEUE rule in the nftables mangle OUTPUT
chain, which intercepts WireGuard's kernel-generated UDP packets but
cannot identify an owning process. The queue stalls, exceeding
ProtonVPN's local agent timeout. OpenVPN is unaffected because it runs
as a userspace binary (/usr/sbin/openvpn) that OpenSnitch can identify.
This was diagnosed and resolved on Linux Mint with ProtonVPN v4.14.1 and OpenSnitch v1.7.x using iptables-nft.
Diagnosis
Symptom
ProtonVPN launched from terminal shows:
INFO | VPN server REACHABLE.
INFO | Waiting for agent status from node-XXX.protonvpn.net...
INFO | Connect timeout
INFO | CONN:STATE_CHANGED | Error
WARNING | Reached connection error state: Timeout
The tunnel comes up and the server is reachable, but the local agent times out after 10 seconds.
Confirmation Tests
Test 1 — Stop OpenSnitch, test WireGuard:
sudo systemctl stop opensnitch
protonvpn-app # connect with WireGuard — succeeds
sudo systemctl start opensnitch
If WireGuard connects without OpenSnitch running, OpenSnitch is confirmed as the cause.
Test 2 — Check OpenSnitch daemon log for queue errors:
sudo tail -50 /var/log/opensnitchd.log | grep -i "queue\|stuck\|timeout"
WAR queue stuck, closing by timeout
WAR Queue.destroy(), nfq_close() not closed: -1
ERR Connection to the UI service lost.
Test 3 — Check nftables mangle OUTPUT chain:
sudo nft -a list chain ip mangle OUTPUT
Look for a rule containing queue num 0 bypass — this is the rule intercepting WireGuard's UDP traffic.
Root Cause
WireGuard
operates entirely in the Linux kernel. Encrypted UDP packets are
generated by the kernel, not by any userspace process. OpenSnitch
intercepts outbound packets via an NFQUEUE rule in the nftables mangle OUTPUT
chain and attempts to match them to a process. When no process is found
(because WireGuard packets are kernel-generated), the queue stalls.
OpenSnitch's processing timeout (often 30 seconds) exceeds ProtonVPN's
local agent timeout (10 seconds), causing the connection to fail.
This
is related to issue #454 but extends the diagnosis: the problem is not
limited to DNS interception — it affects the entire NFQUEUE in the
mangle table, which intercepts all new outbound connections.
Fix
Temporary Fix (test first)
Insert a rule that allows all UDP traffic to bypass the NFQUEUE:
sudo nft insert rule ip mangle OUTPUT ip protocol udp counter accept
If it connects, proceed to the permanent fix.
Permanent Fix
Create a systemd override so the rule is inserted after OpenSnitch finishes setting up its nftables chains:
sudo mkdir -p /etc/systemd/system/opensnitch.service.d/
sudo nano /etc/systemd/system/opensnitch.service.d/override.conf
[Service]
ExecStartPost=/bin/bash -c "sleep 2 && /usr/sbin/nft insert rule ip mangle OUTPUT ip protocol udp counter accept"
sudo systemctl daemon-reload
sudo systemctl restart opensnitch
sudo nft -a list chain ip mangle OUTPUT
The UDP accept rule should appear as the first rule in the chain.
Reboot to confirm the fix survives a full restart.
If the Fix Stops Working After Reboot
The sleep 2 may not be long enough. Increase it:
sudo nano /etc/systemd/system/opensnitch.service.d/override.conf
Change sleep 2 to sleep 5.
Security Impact
This fix allows all UDP traffic to bypass OpenSnitch's NFQUEUE filtering. Impact assessment:
- TCP filtering remains fully intact — browsers, mail clients, and most applications use TCP and are still monitored
- WireGuard's tunnel traffic is kernel-generated and cannot be matched
to a process, so OpenSnitch provides no useful filtering for it
- DNS queries (UDP port 53) bypass the NFQUEUE, but OpenSnitch's separate DNS interception (if enabled) continues to work
For a more restrictive bypass limited to ProtonVPN's WireGuard ports only:
[Service]
ExecStartPost=/bin/bash -c "sleep 2 && /usr/sbin/nft insert rule ip mangle OUTPUT ip protocol udp dport { 443, 88, 1224, 51820, 500, 4500 } counter accept"
Undo
sudo rm /etc/systemd/system/opensnitch.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl restart opensnitch
Environment
- Linux Mint (kernel with WireGuard built-in)
- ProtonVPN v4.14.1 (
proton-vpn-gtk-app)
- OpenSnitch v1.7.x (
opensnitch.service, iptables-nft backend)
- WireGuard protocol selected in ProtonVPN settings
- IPv6 disabled (not required for this fix, but noted for completeness)
Quick Reference
Action | Command
-- | --
Stop OpenSnitch | sudo systemctl stop opensnitch
Start OpenSnitch | sudo systemctl start opensnitch
Restart OpenSnitch | sudo systemctl restart opensnitch
Check mangle rules | sudo nft -a list chain ip mangle OUTPUT
Insert fix manually (temp) | sudo nft insert rule ip mangle OUTPUT ip protocol udp counter accept
View OpenSnitch log | sudo tail -50 /var/log/opensnitchd.log
Edit the override file | sudo nano /etc/systemd/system/opensnitch.service.d/override.conf
Remove the fix | sudo rm /etc/systemd/system/opensnitch.service.d/override.conf
Diagnosed and resolved through systematic isolation testing. Key
discovery: OpenSnitch's NFQUEUE in the nftables mangle table intercepts
WireGuard's kernel-generated UDP packets but cannot identify an owning
process, causing the queue to stall and exceed ProtonVPN's local agent
timeout.
ProtonVPN WireGuard "Connect timeout" caused by OpenSnitch NFQUEUE — Complete Diagnosis & Fix
Summary
When running ProSnitch alongside ProtonVPN on Linux, WireGuard connections fail with a "Connect timeout" error after ~10 seconds, and then it tries again, and again... The root cause is OpenSnitch's NFQUEUE rule in the nftables
mangle OUTPUTchain, which intercepts WireGuard's kernel-generated UDP packets but cannot identify an owning process. The queue stalls, exceeding ProtonVPN's local agent timeout. OpenVPN is unaffected because it runs as a userspace binary (/usr/sbin/openvpn) that OpenSnitch can identify.This was diagnosed and resolved on Linux Mint with ProtonVPN v4.14.1 and OpenSnitch v1.7.x using iptables-nft.
Diagnosis
Symptom
ProtonVPN launched from terminal shows:
The tunnel comes up and the server is reachable, but the local agent times out after 10 seconds.
Confirmation Tests
Test 1 — Stop OpenSnitch, test WireGuard:
If WireGuard connects without OpenSnitch running, OpenSnitch is confirmed as the cause.
Test 2 — Check OpenSnitch daemon log for queue errors:
Look for:
Test 3 — Check nftables mangle OUTPUT chain:
Look for a rule containing
queue num 0 bypass— this is the rule intercepting WireGuard's UDP traffic.Root Cause
WireGuard operates entirely in the Linux kernel. Encrypted UDP packets are generated by the kernel, not by any userspace process. OpenSnitch intercepts outbound packets via an NFQUEUE rule in the nftables
mangle OUTPUTchain and attempts to match them to a process. When no process is found (because WireGuard packets are kernel-generated), the queue stalls. OpenSnitch's processing timeout (often 30 seconds) exceeds ProtonVPN's local agent timeout (10 seconds), causing the connection to fail.This is related to issue #454 but extends the diagnosis: the problem is not limited to DNS interception — it affects the entire NFQUEUE in the mangle table, which intercepts all new outbound connections.
Fix
Temporary Fix (test first)
Insert a rule that allows all UDP traffic to bypass the NFQUEUE:
Test WireGuard:
If it connects, proceed to the permanent fix.
Permanent Fix
Create a systemd override so the rule is inserted after OpenSnitch finishes setting up its nftables chains:
Paste:
Save and exit, then:
Verify:
The UDP accept rule should appear as the first rule in the chain.
Reboot to confirm the fix survives a full restart.
If the Fix Stops Working After Reboot
The
sleep 2may not be long enough. Increase it:Change
sleep 2tosleep 5.Security Impact
This fix allows all UDP traffic to bypass OpenSnitch's NFQUEUE filtering. Impact assessment:
For a more restrictive bypass limited to ProtonVPN's WireGuard ports only:
Undo
Environment
proton-vpn-gtk-app)opensnitch.service, iptables-nft backend)Quick Reference
Diagnosed and resolved through systematic isolation testing. Key discovery: OpenSnitch's NFQUEUE in the nftables mangle table intercepts WireGuard's kernel-generated UDP packets but cannot identify an owning process, causing the queue to stall and exceed ProtonVPN's local agent timeout.