vopono on Ubuntu 25.04 doesn't work, no network inside the netns.
When vopono runs the command ip netns exec vo_mv_sg wg setconf vo_mv_sg /tmp/vopono_nft.conf
there is a "fopen: Permission denied" error.
Here's full debug log:
vopono -v exec --dns "1.1.1.1" --open-hosts 192.168.50.1,10.200.1.1 --provider mullvad --server sg "bash"
2025-06-13T07:35:05.521Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:05.521Z DEBUG vopono_core::util > Cleaning dead lock files...
2025-06-13T07:35:06.532Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
2025-06-13T07:35:06.532Z INFO vopono_core::util > Calling sudo for elevated privileges, current user will be used as default user
2025-06-13T07:35:06.532Z DEBUG vopono_core::util > Args: ["vopono", "-v", "exec", "--dns", "1.1.1.1", "--open-hosts", "192.168.50.1,10.200.1.1", "--provider", "mullvad", "--server", "sg", "bash"]
2025-06-13T07:35:06.670Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:06.670Z DEBUG vopono_core::util > Cleaning dead lock files...
2025-06-13T07:35:07.680Z DEBUG vopono_core::util::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
2025-06-13T07:35:07.680Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:07.683Z DEBUG vopono_core::util > Existing namespaces: []
2025-06-13T07:35:07.683Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:07.683Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "custom" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "custom-netns-name" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "hosts" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "open-ports" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "forward" not found
[src/args_config.rs:132:9] &command.postup = None
[src/args_config.rs:135:9] &postup = Some(
"/home/user1/Dotfiles/vopono/postup.sh",
)
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "predown" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "group" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "working-directory" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "user" not found
2025-06-13T07:35:07.683Z DEBUG vopono::args_config > configuration property "port-forwarding-callback" not found
2025-06-13T07:35:07.683Z DEBUG vopono_core::network::network_interface > ip addr
2025-06-13T07:35:07.685Z DEBUG vopono::args_config > Interface: wlp3s0
2025-06-13T07:35:07.685Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:07.688Z DEBUG vopono_core::util > Existing namespaces: []
2025-06-13T07:35:07.688Z DEBUG vopono_core::util > ip netns add vo_mv_sg
2025-06-13T07:35:07.690Z INFO vopono_core::network::netns > Created new network namespace: vo_mv_sg
2025-06-13T07:35:07.692Z DEBUG vopono_core::util > Existing interfaces:
2025-06-13T07:35:07.693Z DEBUG vopono_core::util > Assigned IPs: []
2025-06-13T07:35:07.693Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip addr add 127.0.0.1/8 dev lo
2025-06-13T07:35:07.696Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip link set lo up
STATE CONNECTIVITY WIFI-HW WIFI WWAN-HW WWAN METERED
已連線 已滿 已啟用 已啟用 missing 已啟用 不(猜到)
2025-06-13T07:35:07.745Z DEBUG vopono_core::network::veth_pair > Detected NetworkManager running
2025-06-13T07:35:07.745Z DEBUG vopono_core::network::veth_pair > NetworkManager detected, adding vo_mv_sg_d to unmanaged devices
2025-06-13T07:35:07.745Z DEBUG vopono_core::network::veth_pair > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
2025-06-13T07:35:07.754Z DEBUG vopono_core::util > nmcli connection reload
2025-06-13T07:35:08.458Z DEBUG vopono_core::network::veth_pair > firewalld not detected running
2025-06-13T07:35:08.458Z DEBUG vopono_core::util > ip link add vo_mv_sg_d type veth peer name vo_mv_sg_s
2025-06-13T07:35:08.461Z DEBUG vopono_core::util > ip link set vo_mv_sg_d up
2025-06-13T07:35:08.463Z DEBUG vopono_core::util > ip link set vo_mv_sg_s netns vo_mv_sg up
2025-06-13T07:35:08.482Z DEBUG vopono_core::util > ip addr add 10.200.1.1/24 dev vo_mv_sg_d
2025-06-13T07:35:08.484Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip addr add 10.200.1.2/24 dev vo_mv_sg_s
2025-06-13T07:35:08.495Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip route add default via 10.200.1.1 dev vo_mv_sg_s
2025-06-13T07:35:08.502Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip route add 192.168.50.1 via 10.200.1.1 dev vo_mv_sg_s
2025-06-13T07:35:08.506Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip route add 10.200.1.1 via 10.200.1.1 dev vo_mv_sg_s
2025-06-13T07:35:08.510Z INFO vopono_core::network::netns > IP address of namespace as seen from host: 10.200.1.2
2025-06-13T07:35:08.510Z INFO vopono_core::network::netns > IP address of host as seen from namespace: 10.200.1.1
2025-06-13T07:35:08.510Z DEBUG vopono_core::util > nft add table inet vopono_nat
2025-06-13T07:35:08.512Z DEBUG vopono_core::util > nft add chain inet vopono_nat postrouting { type nat hook postrouting priority 100 ; }
2025-06-13T07:35:08.517Z DEBUG vopono_core::util > nft add rule inet vopono_nat postrouting oifname wlp3s0 ip saddr 10.200.1.0/24 counter masquerade
2025-06-13T07:35:08.522Z DEBUG vopono_core::util > nft add table inet vopono_bridge
2025-06-13T07:35:08.526Z DEBUG vopono_core::util > nft add chain inet vopono_bridge forward { type filter hook forward priority -10 ; }
2025-06-13T07:35:08.531Z DEBUG vopono_core::util > nft add rule inet vopono_bridge forward iifname vo_mv_sg_d oifname wlp3s0 counter accept
2025-06-13T07:35:08.536Z DEBUG vopono_core::util > nft add rule inet vopono_bridge forward oifname vo_mv_sg_d iifname wlp3s0 counter accept
2025-06-13T07:35:08.542Z DEBUG vopono_core::util > sysctl -q net.ipv4.ip_forward=1
2025-06-13T07:35:08.543Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:08.546Z INFO vopono_core::util > Chosen config: /home/user1/.config/vopono/mv/wireguard/singapore-sgsin101.conf
2025-06-13T07:35:08.547Z DEBUG vopono_core::network::wireguard > Deserializing: 193.138.218.74 to Vec<IpAddr>
2025-06-13T07:35:08.547Z DEBUG vopono_core::network::wireguard > TOML config: WireguardConfig { interface: WireguardInterface { private_key: "XXXXXXXXXXXXXXXXXX", address: [10.66.226.80/32, fc00:bbbb:bbbb:bb01::3:e24f/128], dns: Some([193.138.218.74]) }, peer: WireguardPeer { public_key: "XXXXXXXXXXXXXXXXXX", allowed_ips: [0.0.0.0/0, ::/0], endpoint: 146.70.199.194:51820, keepalive: None } }
2025-06-13T07:35:08.547Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip link add vo_mv_sg type wireguard
2025-06-13T07:35:08.551Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg wg setconf vo_mv_sg /tmp/vopono_nft.conf
fopen: Permission denied
2025-06-13T07:35:08.554Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -4 address add 10.66.226.80/32 dev vo_mv_sg
2025-06-13T07:35:08.558Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -6 address add fc00:bbbb:bbbb:bb01::3:e24f/128 dev vo_mv_sg
2025-06-13T07:35:08.561Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip link set mtu 1420 up dev vo_mv_sg
2025-06-13T07:35:08.565Z DEBUG vopono_core::network::dns_config > Setting namespace vo_mv_sg DNS server to 1.1.1.1
2025-06-13T07:35:08.573Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg wg set vo_mv_sg fwmark 51820
2025-06-13T07:35:08.576Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -4 route add 0.0.0.0/0 dev vo_mv_sg table 51820
2025-06-13T07:35:08.580Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -4 rule add not fwmark 51820 table 51820
2025-06-13T07:35:08.583Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -4 rule add table main suppress_prefixlength 0
2025-06-13T07:35:08.586Z DEBUG vopono_core::util > sysctl -q net.ipv4.conf.all.src_valid_mark=1
2025-06-13T07:35:08.587Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -6 route add ::/0 dev vo_mv_sg table 51820
2025-06-13T07:35:08.590Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -6 rule add not fwmark 51820 table 51820
2025-06-13T07:35:08.593Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg ip -6 rule add table main suppress_prefixlength 0
2025-06-13T07:35:08.596Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg nft -f /tmp/vopono_nft.sh
2025-06-13T07:35:08.601Z DEBUG vopono_core::network::wireguard > Setting Wireguard killswitch....
2025-06-13T07:35:08.601Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg nft add table inet vo_mv_sg
2025-06-13T07:35:08.606Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg nft add chain inet vo_mv_sg output { type filter hook output priority -500 ; policy accept; }
2025-06-13T07:35:08.611Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg nft add rule inet vo_mv_sg output oifname != vo_mv_sg mark != 51820 fib daddr type != local counter reject
2025-06-13T07:35:08.615Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg nft insert rule inet vo_mv_sg output ip daddr 192.168.50.1 counter accept
2025-06-13T07:35:08.619Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg nft insert rule inet vo_mv_sg output ip daddr 10.200.1.1 counter accept
2025-06-13T07:35:08.625Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:08.625Z DEBUG vopono_core::network::netns > Writing lockfile: /home/user1/.config/vopono/locks/vo_mv_sg
2025-06-13T07:35:08.625Z DEBUG vopono_core::network::netns > Lockfile written: /home/user1/.config/vopono/locks/vo_mv_sg/56501
2025-06-13T07:35:08.625Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/user1/.config
2025-06-13T07:35:08.692Z DEBUG vopono_core::network::netns > ip netns exec vo_mv_sg sudo --preserve-env --user user1 bash
2025-06-13T07:35:08.692Z INFO vopono::exec > Application bash launched in network namespace vo_mv_sg with pid 56782
After a bit of debugging, I realized that the permission denied is caused by AppArmor. Apparently Ubuntu 25.04 introduced new AppArmor rules for wg and wg-quick. Here is another report of the same issue.
The following workaround works:
# ln -s /etc/apparmor.d/wg /etc/apparmor.d/disable/
# apparmor_parser -R /etc/apparmor.d/wg
# systemctl reload apparmor
I have only tested vopono 0.10.10 because 0.10.12 is affected by issue #313.
I don't think vopono can fix this issue on its own, but still reporting here for other people's reference. Maybe also add a note in the documentation.
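A quick way to confirm that a "Permission denied" inside the namespace comes from an AppArmor profile rather than from file ownership or mode bits is to look for `apparmor="DENIED"` audit events naming the `wg` profile. The snippet below is an added example, not code from vopono or the reporter; it filters such events out of kernel log lines and prints the denied operation and path. The log lines it runs against are constructed to resemble the audit format, so field order and values on a real Ubuntu 25.04 host will differ.

```shell
#!/bin/sh
# Added example (not part of vopono): attribute a "Permission denied" to an
# AppArmor profile by extracting DENIED audit events for that profile.

# Constructed sample log lines in the kernel audit format. Only the first
# line is a denial for the wg profile; the others are there to show that
# ALLOWED events and other profiles are filtered out.
SAMPLE_LOG='audit: type=1400 audit(1749800108.551:123): apparmor="DENIED" operation="open" class="file" profile="wg" name="/tmp/vopono_nft.conf" pid=56700 comm="wg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1749800108.560:124): apparmor="ALLOWED" operation="open" class="file" profile="wg" name="/etc/wireguard/wg0.conf" pid=56701 comm="wg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1749800109.000:125): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# apparmor_denials PROFILE
# Reads log lines on stdin and prints "<operation> <path>" for every
# apparmor="DENIED" event whose profile is exactly PROFILE.
apparmor_denials() {
    profile="$1"
    grep 'apparmor="DENIED"' | grep "profile=\"$profile\"" |
    sed -n 's/.*operation="\([^"]*\)".*name="\([^"]*\)".*/\1 \2/p'
}

# Run against the constructed sample; on a live host feed it the real log
# instead, e.g.:  journalctl -k | apparmor_denials wg   or   dmesg | apparmor_denials wg
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials wg
```

Seeing `open /tmp/vopono_nft.conf` attributed to the `wg` profile confirms the cause shown in the debug log above; an empty result points back at ordinary filesystem permissions. Checking the denial this way first also lets you choose between disabling the profile, as in the workaround, and a narrower change that keeps the profile and only permits the path wg actually needs.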