Skip to content

VPN not working with OpenSnitch #1629

Description

@Alan-Jay

ProtonVPN WireGuard "Connect timeout" caused by OpenSnitch NFQUEUE — Complete Diagnosis & Fix

Summary

When running ProSnitch alongside ProtonVPN on Linux, WireGuard connections fail with a "Connect timeout" error after ~10 seconds, and then it tries again, and again... The root cause is OpenSnitch's NFQUEUE rule in the nftables mangle OUTPUT chain, which intercepts WireGuard's kernel-generated UDP packets but cannot identify an owning process. The queue stalls, exceeding ProtonVPN's local agent timeout. OpenVPN is unaffected because it runs as a userspace binary (/usr/sbin/openvpn) that OpenSnitch can identify.

This was diagnosed and resolved on Linux Mint with ProtonVPN v4.14.1 and OpenSnitch v1.7.x using iptables-nft.


Diagnosis

Symptom

ProtonVPN launched from terminal shows:

INFO | VPN server REACHABLE.
INFO | Waiting for agent status from node-XXX.protonvpn.net...
INFO | Connect timeout
INFO | CONN:STATE_CHANGED | Error
WARNING | Reached connection error state: Timeout

The tunnel comes up and the server is reachable, but the local agent times out after 10 seconds.

Confirmation Tests

Test 1 — Stop OpenSnitch, test WireGuard:

sudo systemctl stop opensnitch protonvpn-app # connect with WireGuard — succeeds sudo systemctl start opensnitch

If WireGuard connects without OpenSnitch running, OpenSnitch is confirmed as the cause.

Test 2 — Check OpenSnitch daemon log for queue errors:

sudo tail -50 /var/log/opensnitchd.log | grep -i "queue\|stuck\|timeout"

Look for:

WAR  queue stuck, closing by timeout
WAR  Queue.destroy(), nfq_close() not closed: -1
ERR  Connection to the UI service lost.

Test 3 — Check nftables mangle OUTPUT chain:

sudo nft -a list chain ip mangle OUTPUT

Look for a rule containing queue num 0 bypass — this is the rule intercepting WireGuard's UDP traffic.


Root Cause

WireGuard operates entirely in the Linux kernel. Encrypted UDP packets are generated by the kernel, not by any userspace process. OpenSnitch intercepts outbound packets via an NFQUEUE rule in the nftables mangle OUTPUT chain and attempts to match them to a process. When no process is found (because WireGuard packets are kernel-generated), the queue stalls. OpenSnitch's processing timeout (often 30 seconds) exceeds ProtonVPN's local agent timeout (10 seconds), causing the connection to fail.

This is related to issue #454 but extends the diagnosis: the problem is not limited to DNS interception — it affects the entire NFQUEUE in the mangle table, which intercepts all new outbound connections.


Fix

Temporary Fix (test first)

Insert a rule that allows all UDP traffic to bypass the NFQUEUE:

sudo nft insert rule ip mangle OUTPUT ip protocol udp counter accept

Test WireGuard:

protonvpn-app

If it connects, proceed to the permanent fix.

Permanent Fix

Create a systemd override so the rule is inserted after OpenSnitch finishes setting up its nftables chains:

sudo mkdir -p /etc/systemd/system/opensnitch.service.d/ sudo nano /etc/systemd/system/opensnitch.service.d/override.conf

Paste:

[Service] ExecStartPost=/bin/bash -c "sleep 2 && /usr/sbin/nft insert rule ip mangle OUTPUT ip protocol udp counter accept"

Save and exit, then:

sudo systemctl daemon-reload sudo systemctl restart opensnitch

Verify:

sudo nft -a list chain ip mangle OUTPUT

The UDP accept rule should appear as the first rule in the chain.

Reboot to confirm the fix survives a full restart.

If the Fix Stops Working After Reboot

The sleep 2 may not be long enough. Increase it:

sudo nano /etc/systemd/system/opensnitch.service.d/override.conf

Change sleep 2 to sleep 5.


Security Impact

This fix allows all UDP traffic to bypass OpenSnitch's NFQUEUE filtering. Impact assessment:

  • TCP filtering remains fully intact — browsers, mail clients, and most applications use TCP and are still monitored
  • WireGuard's tunnel traffic is kernel-generated and cannot be matched to a process, so OpenSnitch provides no useful filtering for it
  • DNS queries (UDP port 53) bypass the NFQUEUE, but OpenSnitch's separate DNS interception (if enabled) continues to work

For a more restrictive bypass limited to ProtonVPN's WireGuard ports only:

[Service] ExecStartPost=/bin/bash -c "sleep 2 && /usr/sbin/nft insert rule ip mangle OUTPUT ip protocol udp dport { 443, 88, 1224, 51820, 500, 4500 } counter accept"

Undo

sudo rm /etc/systemd/system/opensnitch.service.d/override.conf sudo systemctl daemon-reload sudo systemctl restart opensnitch

Environment

  • Linux Mint (kernel with WireGuard built-in)
  • ProtonVPN v4.14.1 (proton-vpn-gtk-app)
  • OpenSnitch v1.7.x (opensnitch.service, iptables-nft backend)
  • WireGuard protocol selected in ProtonVPN settings
  • IPv6 disabled (not required for this fix, but noted for completeness)

Quick Reference

Action | Command -- | -- Stop OpenSnitch | sudo systemctl stop opensnitch Start OpenSnitch | sudo systemctl start opensnitch Restart OpenSnitch | sudo systemctl restart opensnitch Check mangle rules | sudo nft -a list chain ip mangle OUTPUT Insert fix manually (temp) | sudo nft insert rule ip mangle OUTPUT ip protocol udp counter accept View OpenSnitch log | sudo tail -50 /var/log/opensnitchd.log Edit the override file | sudo nano /etc/systemd/system/opensnitch.service.d/override.conf Remove the fix | sudo rm /etc/systemd/system/opensnitch.service.d/override.conf

Diagnosed and resolved through systematic isolation testing. Key discovery: OpenSnitch's NFQUEUE in the nftables mangle table intercepts WireGuard's kernel-generated UDP packets but cannot identify an owning process, causing the queue to stall and exceed ProtonVPN's local agent timeout.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions