Waydroid template

Does network work in the Waydroid qube itself?
Open the terminal in the Waydroid qube and run these commands to check the connectivity:

curl https://debian.org
curl https://1.1.1.1

Can you get the web pages successfully using curl?

curl https://debian.org returns nothing.
curl https://1.1.1.1 returns HTML code, which I assume confirms the qube has internet.

btw: I'm trying to figure out how to copy/paste from xterm. Right click doesn't work, Ctrl+C/Ctrl+V don't work, and I don't see any menu in the top bar (like Edit). I can copy with Ctrl+Insert and Shift+Insert, but can't get it out of the terminal. The clipboard notifies me "0 bytes were copied to the global clipboard".

Then the network works in your qube.
Open the root terminal for your Waydroid qube and post the output of these commands:

journalctl -b -u waydroid-firewall
nft list ruleset

Press and hold Ctrl + Middle mouse click → “Select to clipboard”.

Jun 08 10:12:04 testqubewaydroid systemd[1]: Starting waydroid-firewall.service...
Jun 08 10:12:04 testqubewaydroid systemd[1]: Finished waydroid-firewall.service.

table ip qubes {
	set downstream {
		type ipv4_addr
	}

	set allowed {
		type ifname . ipv4_addr
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip saddr @downstream counter packets 0 bytes 0 drop
	}

	chain antispoof {
		iifname . ip saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 meta l4proto icmp accept
		iif "lo" accept
		iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
		jump waydroid-input
	}

	chain custom-forward {
		jump waydroid-forward
	}

	chain waydroid-input {
		iifname "waydroid0" meta l4proto { tcp, udp } th dport { 53, 67 } accept
	}

	chain waydroid-forward {
		iifname "waydroid0" oifgroup 1 accept
		oifname "waydroid0" iifgroup 1 accept
	}
}
table ip6 qubes {
	set downstream {
		type ipv6_addr
	}

	set allowed {
		type ifname . ipv6_addr
	}

	chain antispoof {
		iifname . ip6 saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip6 saddr @downstream counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain _icmpv6 {
		meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
		icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
		accept
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 goto _icmpv6
		iif "lo" accept
		ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}
}
table inet lxc {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lxcbr0" udp dport { 53, 67 } accept
		iifname "lxcbr0" tcp dport { 53, 67 } accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		iifname "lxcbr0" accept
		oifname "lxcbr0" accept
	}
}
table ip lxc {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 0 bytes 0 masquerade
	}
}

Internet seems to work now. I think I copy/pasted the firewall rules for 4.1. I’m not 100% sure, because I did all the steps over again and deleted the old template.

Also, Qubes OS and Waydroid are much faster now. I updated the kernel to the newest version, disabled Optimus, enabled Turbo Boost and disabled SpeedStep.

This is a whole new experience now. I continue testing and playing with Waydroid, pretty sure I will have more questions. Thank you for now @apparatus
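The journal above only shows that waydroid-firewall.service started and finished; the actual evidence that it did its job is the `custom-input` / `custom-forward` jumps and the `waydroid-*` chains in `table ip qubes`. The following script is an added example (not from this thread, not part of the Waydroid template or Qubes) that checks a saved `nft list ruleset` dump for exactly those rules. The function names, the chain-to-rule table and the trimmed sample ruleset are my own; the sample is a constructed copy of the relevant part of the ruleset posted above.

```shell
#!/bin/sh
# Added example: verify that the Waydroid qube's nft ruleset contains the
# chains and rules waydroid-firewall.service is expected to install.
# Only "table ip qubes" is inspected, because "table ip6 qubes" carries
# chains with the same names (custom-input, custom-forward) that are empty.

# check_waydroid_ruleset RULESET_FILE
# Prints every expected rule that is missing; returns 0 if none is missing.
check_waydroid_ruleset() {
    f="$1"
    rc=0
    # Expected rules, one per line: <chain>|<string the chain body must contain>
    while IFS='|' read -r chain needle; do
        # Extract the body of "chain <name> { ... }" from "table ip qubes".
        body=$(awk -v c="$chain" '
            /^table ip qubes /           { intab = 1 }
            intab && /^[}]/              { intab = 0 }
            intab && $1 == "chain" && $2 == c { inchain = 1; next }
            inchain && /^[ \t]+[}]/      { inchain = 0 }
            inchain                      { print }
        ' "$f")
        case "$body" in
            *"$needle"*) ;;
            *) printf 'missing in chain %s: %s\n' "$chain" "$needle"; rc=1 ;;
        esac
    done <<'EOF'
custom-input|jump waydroid-input
custom-forward|jump waydroid-forward
waydroid-input|iifname "waydroid0" meta l4proto { tcp, udp } th dport { 53, 67 } accept
waydroid-forward|iifname "waydroid0" oifgroup 1 accept
waydroid-forward|oifname "waydroid0" iifgroup 1 accept
EOF
    return $rc
}

# Constructed sample: the waydroid-related part of the ruleset posted in the
# thread, written to a temp file whose path is printed.
write_sample_ruleset() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
table ip qubes {
    chain input {
        type filter hook input priority filter; policy drop;
        jump custom-input
        ct state established,related accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        jump custom-forward
        ct state established,related accept
        oifgroup 2 counter packets 0 bytes 0 drop
    }

    chain custom-input {
        jump waydroid-input
    }

    chain custom-forward {
        jump waydroid-forward
    }

    chain waydroid-input {
        iifname "waydroid0" meta l4proto { tcp, udp } th dport { 53, 67 } accept
    }

    chain waydroid-forward {
        iifname "waydroid0" oifgroup 1 accept
        oifname "waydroid0" iifgroup 1 accept
    }
}
EOF
    printf '%s\n' "$f"
}

# Live check for the Waydroid qube itself (needs root for nft; not run by
# the tests below):  sudo sh -c '. ./check-waydroid-fw.sh; live_check'
live_check() {
    f=$(mktemp)
    nft list ruleset >"$f" || return 2
    check_waydroid_ruleset "$f" && echo "waydroid-firewall rules present"
}
```

A ruleset from which the waydroid lines are absent (for instance one copied from a 4.1-era template) fails the check with five "missing" lines, one per expected rule, which is quicker to read than eyeballing the full dump.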

I noticed that internet works with the default firewall, but not with sys-whonix. How can I get Waydroid to also work with sys-whonix? Do I need to allow Tor traffic in the waydroid-firewall.service? And how do I do this?

It works for me with sys-whonix.
Check that network works in your Waydroid qube with sys-whonix net qube:

Also check this in the Waydroid:

Also note that UDP won’t work with Tor if you’re checking the connectivity in Waydroid in some app that is using UDP.

It seems I don't have a network connection at all with the sys-whonix NetVM. With the default (sys-firewall) it works. You say UDP won't work with Tor if an app is using UDP. Could you elaborate? So I assume I need to add some new rules to waydroid-firewall.service to allow UDP traffic?

Check your tor service log in sys-whonix, you can click on the sdwdate-gui icon in system tray → sys-whonix → Tor control panel → Logs tab.
Maybe you’ll need to configure the bridge if Tor is blocked by your ISP.

Tor itself only supports the TCP protocol and can't route UDP/ICMP or other protocols:
https://www.reddit.com/r/TOR/comments/7oizra/why_tor_doesnt_support_udp/