Waydroid template

I have a question: can the installation of Waydroid and the configuration of the firewall kill my sys-vpn? Because after the installation of Waydroid I cannot connect to the VPN provider anymore.

Which firewall did you configure?
If you changed the firewall for your Waydroid qube, then it couldn’t affect other qubes.

I’m having the same issue. I have internet access on sys-vpn. When I type ping 9.9.9.9 in the terminal in the Waydroid app VM, I’m getting pings.

But on sway, when I click the WiFi toggle it doesn’t connect. The internet is not working in the Android VM.

I tried nft list ruleset but I wasn’t able to copy the result from xterm.

I noticed an update for the Waydroid template. Maybe something broke?

It’s not connected using WiFi so WiFi toggle does nothing.

How are you testing this?

You can Ctrl + Middle Mouse Click → Select to Clipboard in XTerm and then the text selected with mouse will be copied in clipboard.

If Waydroid says that there is update available then the internet is working in Waydroid.

Ohh haha! Seems I forgot how to use Waydroid lol. I couldn’t get my VPN to work - that’s how I figured the internet stopped working…

In fact I just needed to update the VPN certificate.

All working now.

Sorry!

First of all, thanks for this really nice guide. I have been trying to find something like this for a while now.

I’ve tried several times to walk through this, and I always end up with the same result.

Everything is working just fine, BUT only the qube itself is able to access the internet; the Waydroid application is not.

I’m getting a headache soon :sweat_smile:

Please help me.

Best regards

Do you have Qubes OS 4.1 or Qubes OS 4.2?
How are you checking that Waydroid has no network access?

Newest 4.2.1.
I’ve tried through playstore and browser. I’ve installed Firefox with install-app script and that didn’t get access to internet.

Go to Settings → System → Waydroid Updater → press refresh button.
Do you see any change?
Do you see the “Unknown” text to the right of the System/Vendor image lines or the versions with date?

Yes. Both are marked as “Unknown”.

What’s the output of these commands in the waydroid qube’s root terminal?

systemctl status waydroid-firewall.service
nft list ruleset

From AppVM or dom0 terminal?
Do you also know a safe way to copy/paste text from the terminal? :sweat_smile:

Sorry, you already answered my first question

Run this command in a dom0 terminal to start your Waydroid qube’s root terminal:

qvm-run -u root YourWaydroidQubeName xterm &

Run command there and you can copy the output from xterm terminal by selecting Ctrl + Middle Mouse Click → Select to clipboard, then you can select text in the terminal and it’ll be copied to the clipboard.

When I press Ctrl + middle mouse, a menu appears and disappears shortly after.

Press and hold Ctrl + Middle mouse button and select the option by releasing them when the mouse pointer is selecting the option.

Finally I succeeded :sweat_smile:

I truly appreciate your help, thanks!


root@d12m-waydroid:~# systemctl status waydroid-firewall.service
○ waydroid-firewall.service
Loaded: loaded (/etc/systemd/system/waydroid-firewall.service; enabled; preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Sun 2024-04-21 07:21:28 EDT; 3h 9min ago
└─ ConditionPathExists=!/run/qubes/this-is-templatevm was not met

Apr 21 07:21:28 d12m-waydroid systemd[1]: waydroid-firewall.service was skipped because of an unmet condition check (ConditionPathExists=!/run/qubes/this-is-templatevm).
root@d12m-waydroid:~#


root@d12m-waydroid:~# nft list ruleset
table ip qubes {
    set downstream {
            type ipv4_addr
    }

    set allowed {
            type ifname . ipv4_addr
    }

    chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iifgroup 2 goto antispoof
            ip saddr @downstream counter packets 0 bytes 0 drop
    }

    chain antispoof {
            iifname . ip saddr @allowed accept
            counter packets 0 bytes 0 drop
    }

    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifgroup 2 accept
            oif "lo" accept
            masquerade
    }

    chain input {
            type filter hook input priority filter; policy drop;
            jump custom-input
            ct state invalid counter packets 0 bytes 0 drop
            iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
            ct state established,related accept
            iifgroup 2 meta l4proto icmp accept
            iif "lo" accept
            iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
            counter packets 0 bytes 0
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            jump custom-forward
            ct state invalid counter packets 0 bytes 0 drop
            ct state established,related accept
            oifgroup 2 counter packets 0 bytes 0 drop
    }

    chain custom-input {
    }

    chain custom-forward {
    }

}
table ip6 qubes {
    set downstream {
            type ipv6_addr
    }

    set allowed {
            type ifname . ipv6_addr
    }

    chain antispoof {
            iifname . ip6 saddr @allowed accept
            counter packets 0 bytes 0 drop
    }

    chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iifgroup 2 goto antispoof
            ip6 saddr @downstream counter packets 0 bytes 0 drop
    }

    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifgroup 2 accept
            oif "lo" accept
            masquerade
    }

    chain _icmpv6 {
            meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
            icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
            accept
    }

    chain input {
            type filter hook input priority filter; policy drop;
            jump custom-input
            ct state invalid counter packets 0 bytes 0 drop
            ct state established,related accept
            iifgroup 2 goto _icmpv6
            iif "lo" accept
            ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
            meta l4proto ipv6-icmp accept
            counter packets 0 bytes 0
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            jump custom-forward
            ct state invalid counter packets 0 bytes 0 drop
            ct state established,related accept
            oifgroup 2 counter packets 0 bytes 0 drop
    }

    chain custom-input {
    }

    chain custom-forward {
    }

}
table inet lxc {
    chain input {
            type filter hook input priority filter; policy accept;
            iifname "lxcbr0" udp dport { 53, 67 } accept
            iifname "lxcbr0" tcp dport { 53, 67 } accept
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            iifname "lxcbr0" accept
            oifname "lxcbr0" accept
    }

}
table ip lxc {
    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 0 bytes 0 masquerade
    }
}
root@d12m-waydroid:~#

Run the commands in your Waydroid AppVM based on d12m-waydroid template, not in template itself.

× waydroid-firewall.service
Loaded: loaded (/etc/systemd/system/waydroid-firewall.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Sun 2024-04-21 03:12:36 EDT; 7h ago
Process: 662 ExecStart=/usr/bin/bash -c if (nft create chain ip qubes waydroid-input) &>/dev/null; then nft add rule ip qubes custom-input jump waydroid-input; fi (code=>
Process: 676 ExecStart=/usr/bin/bash =c if (nft create chani ip qubes waydroid-forward) &>/dev/null; then nft add rule ip qubes custom-forward jump waydroid-forward; fi >
Main PID: 676 (code=exited, status=127)
CPU: 13ms

Apr 21 03:12:36 Waydroid systemd[1]: Starting waydroid-firewall.service...
Apr 21 03:12:36 Waydroid bash[676]: /usr/bin/bash: =c: No such file or directory
Apr 21 03:12:36 Waydroid systemd[1]: waydroid-firewall.service: Main process exited, code=exited, status=127/n/a
Apr 21 03:12:36 Waydroid systemd[1]: waydroid-firewall.service: Failed with result 'exit-code'.
Apr 21 03:12:36 Waydroid systemd[1]: Failed to start waydroid-firewall.service.


~
~
root@Waydroid:~# nft list ruleset
table ip qubes {
    set downstream {
            type ipv4_addr
    }

    set allowed {
            type ifname . ipv4_addr
    }

    chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iifgroup 2 goto antispoof
            ip saddr @downstream counter packets 0 bytes 0 drop
    }

    chain antispoof {
            iifname . ip saddr @allowed accept
            counter packets 0 bytes 0 drop
    }

    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifgroup 2 accept
            oif "lo" accept
            masquerade
    }

    chain input {
            type filter hook input priority filter; policy drop;
            jump custom-input
            ct state invalid counter packets 0 bytes 0 drop
            iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
            ct state established,related accept
            iifgroup 2 meta l4proto icmp accept
            iif "lo" accept
            iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
            counter packets 27 bytes 9180
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            jump custom-forward
            ct state invalid counter packets 0 bytes 0 drop
            ct state established,related accept
            oifgroup 2 counter packets 0 bytes 0 drop
    }

    chain custom-input {
            jump waydroid-input
    }

    chain custom-forward {
    }

    chain waydroid-input {
    }

}
table ip6 qubes {
    set downstream {
            type ipv6_addr
    }

    set allowed {
            type ifname . ipv6_addr
    }

    chain antispoof {
            iifname . ip6 saddr @allowed accept
            counter packets 0 bytes 0 drop
    }

    chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iifgroup 2 goto antispoof
            ip6 saddr @downstream counter packets 0 bytes 0 drop
    }

    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifgroup 2 accept
            oif "lo" accept
            masquerade
    }

    chain _icmpv6 {
            meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
            icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
            accept
    }

    chain input {
            type filter hook input priority filter; policy drop;
            jump custom-input
            ct state invalid counter packets 0 bytes 0 drop
            ct state established,related accept
            iifgroup 2 goto _icmpv6
            iif "lo" accept
            ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
            meta l4proto ipv6-icmp accept
            counter packets 0 bytes 0
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            jump custom-forward
            ct state invalid counter packets 0 bytes 0 drop
            ct state established,related accept
            oifgroup 2 counter packets 0 bytes 0 drop
    }

    chain custom-input {
    }

    chain custom-forward {
    }

}
table inet lxc {
    chain input {
            type filter hook input priority filter; policy accept;
            iifname "lxcbr0" udp dport { 53, 67 } accept
            iifname "lxcbr0" tcp dport { 53, 67 } accept
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            iifname "lxcbr0" accept
            oifname "lxcbr0" accept
    }

}
table ip lxc {
    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 0 bytes 0 masquerade
    }
}
root@Waydroid:~#

What’s the output of this command in your Waydroid AppVM?

systemctl cat waydroid-firewall.service

There seems to be a misspelling: /usr/bin/bash =c instead of /usr/bin/bash -c in /etc/systemd/system/waydroid-firewall.service.

If there is indeed an error then rerun the “Configure firewall for Waydroid” step in d12m-waydroid to fix the file:
Waydroid template

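The AppVM ruleset posted above shows what a half-applied unit looks like: waydroid-input exists and is hooked from custom-input, while the second ExecStart failed, so nothing was created for waydroid-forward. As an added example (not part of the thread or the guide's own scripts), this check reads `nft list ruleset` text and reports which of the two hooks is missing. The function names are hypothetical and the sample ruleset is constructed, trimmed from the output in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Waydroid guide.

# Print the rules of chain $3 in table "$1 $2" from `nft list ruleset` text
# on stdin. Exit status 1 if that chain does not exist in that table.
nft_chain_rules() {
    awk -v want_tbl="$1 $2" -v want_chain="$3" '
        $1 == "table" { tbl = $2 " " $3; chain = ""; next }
        $1 == "chain" { chain = $2
                        if (tbl == want_tbl && chain == want_chain) found = 1
                        next }
        $1 == "}"     { chain = ""; next }   # closes a chain, set or table
        tbl == want_tbl && chain == want_chain && NF { sub(/^[ \t]+/, ""); print }
        END { exit(found ? 0 : 1) }
    '
}

# Read a ruleset on stdin and report every missing piece of the two hooks the
# unit's ExecStart lines create. Exit status 0 only when both are intact.
# The body runs in a subshell so its variables do not leak to the caller.
waydroid_hooks_missing() (
    ruleset=$(cat); problems=0
    for hook in input forward; do
        if ! printf '%s\n' "$ruleset" |
                nft_chain_rules ip qubes "waydroid-$hook" >/dev/null; then
            echo "missing chain: ip qubes waydroid-$hook"; problems=1
        fi
        if ! printf '%s\n' "$ruleset" | nft_chain_rules ip qubes "custom-$hook" |
                grep -qx "jump waydroid-$hook"; then
            echo "missing rule: custom-$hook -> jump waydroid-$hook"; problems=1
        fi
    done
    exit "$problems"
)

# Constructed sample, trimmed from the AppVM ruleset posted in the thread.
SAMPLE='table ip qubes {
    chain custom-input {
            jump waydroid-input
    }
    chain custom-forward {
    }
    chain waydroid-input {
    }
}'

printf '%s\n' "$SAMPLE" | waydroid_hooks_missing || echo "firewall hooks incomplete"
```

In the Waydroid qube's root terminal the live ruleset can be piped in instead of the sample: `nft list ruleset | waydroid_hooks_missing`.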