Does the network work in the Waydroid qube itself?
Open the terminal in the Waydroid qube and run these commands to check the connectivity:
curl https://debian.org
curl https://1.1.1.1
Can you get the web pages successfully using curl?
curl https://debian.org returns nothing.
curl https://1.1.1.1 returns HTML code, which I assume confirms the qube has internet.
btw: I'm trying to figure out how to copy/paste from xterm. Right click doesn't work. Ctrl+C/Ctrl+V don't work, and I don't see any menu in the top bar (like Edit). I can copy with Ctrl+Insert and Shift+Insert, but can't get it out of the terminal. The clipboard notifies me "0 bytes were copied to the global clipboard".
Then network works in your qube.
Open the root terminal for your Waydroid qube and post the output of these commands:
journalctl -b -u waydroid-firewall
nft list ruleset
Press and hold Ctrl + Middle mouse click → "Select to clipboard".
Jun 08 10:12:04 testqubewaydroid systemd[1]: Starting waydroid-firewall.service...
Jun 08 10:12:04 testqubewaydroid systemd[1]: Finished waydroid-firewall.service.
table ip qubes {
    set downstream {
        type ipv4_addr
    }
    set allowed {
        type ifname . ipv4_addr
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifgroup 2 goto antispoof
        ip saddr @downstream counter packets 0 bytes 0 drop
    }
    chain antispoof {
        iifname . ip saddr @allowed accept
        counter packets 0 bytes 0 drop
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifgroup 2 accept
        oif "lo" accept
        masquerade
    }
    chain input {
        type filter hook input priority filter; policy drop;
        jump custom-input
        ct state invalid counter packets 0 bytes 0 drop
        iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
        ct state established,related accept
        iifgroup 2 meta l4proto icmp accept
        iif "lo" accept
        iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
        counter packets 0 bytes 0
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        jump custom-forward
        ct state invalid counter packets 0 bytes 0 drop
        ct state established,related accept
        oifgroup 2 counter packets 0 bytes 0 drop
    }
    chain custom-input {
        jump waydroid-input
    }
    chain custom-forward {
        jump waydroid-forward
    }
    chain waydroid-input {
        iifname "waydroid0" meta l4proto { tcp, udp } th dport { 53, 67 } accept
    }
    chain waydroid-forward {
        iifname "waydroid0" oifgroup 1 accept
        oifname "waydroid0" iifgroup 1 accept
    }
}
table ip6 qubes {
    set downstream {
        type ipv6_addr
    }
    set allowed {
        type ifname . ipv6_addr
    }
    chain antispoof {
        iifname . ip6 saddr @allowed accept
        counter packets 0 bytes 0 drop
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifgroup 2 goto antispoof
        ip6 saddr @downstream counter packets 0 bytes 0 drop
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifgroup 2 accept
        oif "lo" accept
        masquerade
    }
    chain _icmpv6 {
        meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
        icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
        accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        jump custom-input
        ct state invalid counter packets 0 bytes 0 drop
        ct state established,related accept
        iifgroup 2 goto _icmpv6
        iif "lo" accept
        ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
        meta l4proto ipv6-icmp accept
        counter packets 0 bytes 0
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        jump custom-forward
        ct state invalid counter packets 0 bytes 0 drop
        ct state established,related accept
        oifgroup 2 counter packets 0 bytes 0 drop
    }
    chain custom-input {
    }
    chain custom-forward {
    }
}
table inet lxc {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lxcbr0" udp dport { 53, 67 } accept
        iifname "lxcbr0" tcp dport { 53, 67 } accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "lxcbr0" accept
        oifname "lxcbr0" accept
    }
}
table ip lxc {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 0 bytes 0 masquerade
    }
}
Internet seems to work now. I think I copy/pasted the firewall rules for 4.1. I'm not 100% sure, because I did all the steps over again and deleted the old template.
Also, Qubes OS and Waydroid are much faster now. I updated the kernel to the newest version, disabled Optimus, enabled Turboboost and disabled Speedstep.
This is a whole new experience now. I continue testing and playing with Waydroid, pretty sure I will have more questions. Thank you for now @apparatus
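One way to read the `nft list ruleset` output requested in this thread, as an added example that is not part of any post: it checks that the `waydroid-input` and `waydroid-forward` chains exist in `table ip qubes` and are jumped to from `custom-input` and `custom-forward`. The function names and the `hook-*`/`rule-*` labels are made up for this example; the sample input is trimmed from the ruleset posted above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Waydroid chains are
# present in "table ip qubes" and are actually reachable via the custom-* chains.
check_waydroid_rules() {   # reads `nft list ruleset` text on stdin
    awk '
        $1 == "table" { table = $2 " " $3; chain = ""; next }
        $1 == "chain" { chain = $2; next }
        $1 == "}"     { chain = ""; next }
        table != "ip qubes" { next }
        chain == "custom-input"     && /jump waydroid-input/   { seen["hook-input"] = 1 }
        chain == "custom-forward"   && /jump waydroid-forward/ { seen["hook-forward"] = 1 }
        chain == "waydroid-input"   && /iifname "waydroid0"/ && /accept/ { seen["rule-input"] = 1 }
        chain == "waydroid-forward" && /iifname "waydroid0"/ && /accept/ { seen["rule-forward"] = 1 }
        END {
            n = split("hook-input hook-forward rule-input rule-forward", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "missing: " want[i]; bad = 1 }
            exit bad + 0
        }
    '
}

# Sample input: the Waydroid-related chains, trimmed from the posted ruleset.
sample_ruleset() {
    cat <<'EOF'
table ip qubes {
    chain custom-input {
        jump waydroid-input
    }
    chain custom-forward {
        jump waydroid-forward
    }
    chain waydroid-input {
        iifname "waydroid0" meta l4proto { tcp, udp } th dport { 53, 67 } accept
    }
    chain waydroid-forward {
        iifname "waydroid0" oifgroup 1 accept
        oifname "waydroid0" iifgroup 1 accept
    }
}
EOF
}

sample_ruleset | check_waydroid_rules && echo "waydroid hooks present"
```

On a real qube, run `nft list ruleset | check_waydroid_rules` in the root terminal; each `missing:` line names a rule that the firewall service did not install.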
I noticed that internet works with the default firewall, but not with sys-whonix. How do I get Waydroid to also work with sys-whonix? Do I need to allow TOR traffic in the waydroid-firewall.service? And how do I do this?
It works for me with sys-whonix.
Check that network works in your Waydroid qube with sys-whonix net qube:
Also check this in the Waydroid:
Also note that UDP won't work with Tor if you're checking the connectivity in Waydroid in some app that is using UDP.
It seems I don't have a network connection at all with the sys-whonix NetVM. With the default (sys-firewall) it works. You say UDP won't work with TOR if an app is using UDP. Could you elaborate? So I assume I need to add some new rules to waydroid-firewall.service, to allow UDP traffic?
Check your Tor service log in sys-whonix: you can click on the sdwdate-gui icon in the system tray → sys-whonix → Tor control panel → Logs tab.
Maybe you'll need to configure the bridge if Tor is blocked by your ISP.
Tor itself only supports the TCP protocol and can't route UDP/ICMP and other protocols:
https://www.reddit.com/r/TOR/comments/7oizra/why_tor_doesnt_support_udp/
not working with me after create script
What's not working?
upgrade command
Do you have any error output when running waydroid-upgrade?
bash: waydroid-upgrade: command not found
Did you create the waydroid-upgrade script?
There is a link in your quote with instructions on how to create it.
[quote="apparatus, post:1, topic:23356"]
cat << 'EOF' | tee /opt/bin/waydroid-upgrade >/dev/null
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid upgrade
EOF
chmod +x /opt/bin/waydroid-upgrade
[/quote]
I used this
What's the output of these commands in your Waydroid template?
cat /etc/profile.d/opt-bin.sh
echo $PATH
Did you restart the Waydroid template after setting it up before running waydroid-upgrade?
and I have another error, when starting sway on appVM based waydroid Template
Waydroid socet '/run/user/1000/wayland-0' doesn't exist; are you running Wayland compositor?
How do you start it?
on settings qube app icon is missing
so I start it with command on terminal sway