Fail closed on WireGuard startup errors

Author: kasnder

app/build.gradle

@@ -8,6 +8,7 @@ apply plugin: 'org.jetbrains.kotlin.android'
 // single `./gradlew assemble` for contributors.
 def wgbridgeSrcDir = file("$rootDir/wgbridge")
 def wgbridgeAar    = file("$buildDir/wgbridge/wgbridge.aar")
+def gomobileVersion = 'v0.0.0-20260410095206-2cfb76559b7b'
 
 // Locate the `go` binary. Android Studio launches Gradle with a sanitized
 // PATH that omits /usr/local/go/bin and Homebrew dirs, so falling back to
@@ -82,8 +83,8 @@ tasks.register('wgbridgeBind') {
             exec {
                 environment env
                 commandLine goBin, 'install',
-                        'golang.org/x/mobile/cmd/gomobile@latest',
-                        'golang.org/x/mobile/cmd/gobind@latest'
+                        "golang.org/x/mobile/cmd/gomobile@${gomobileVersion}",
+                        "golang.org/x/mobile/cmd/gobind@${gomobileVersion}"
             }
             if (!file(gomobileBin).canExecute() || !file(gobindBin).canExecute()) {
                 throw new GradleException("Installed gomobile/gobind but ${gopath}/bin still missing one of them.")

app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java

@@ -185,6 +185,7 @@ public class ServiceSinkhole extends VpnService {
     private static final int NOTIFY_UPDATE = 8;
     public static final int NOTIFY_EXTERNAL = 9;
     private static final int NOTIFY_DOH_ERROR = 11;
+    private static final int NOTIFY_WG_ERROR = 12;
 
     public static final String EXTRA_COMMAND = "Command";
     private static final String EXTRA_REASON = "Reason";
@@ -548,7 +549,8 @@ private void start() {
                 if (vpn == null)
                     throw new StartFailedException(getString((R.string.msg_start_failed)));
 
-                startNative(vpn, listAllowed, listRule);
+                if (!startNative(vpn, listAllowed, listRule))
+                    return;
 
                 // Start DoH proxy if enabled
                 net.kollnig.missioncontrol.dns.DnsProxyServer.getInstance(ServiceSinkhole.this).start();
@@ -662,7 +664,8 @@ private void reload(boolean interactive) {
             if (vpn == null)
                 throw new StartFailedException(getString((R.string.msg_start_failed)));
 
-            startNative(vpn, listAllowed, listRule);
+            if (!startNative(vpn, listAllowed, listRule))
+                return;
 
             // Update DoH proxy state based on current settings
             net.kollnig.missioncontrol.dns.DnsProxyServer.getInstance(ServiceSinkhole.this).checkAndUpdateState();
@@ -1600,7 +1603,7 @@ else if (filter)
         return builder;
     }
 
-    private void startNative(final ParcelFileDescriptor vpn, List<Rule> listAllowed, List<Rule> listRule) {
+    private boolean startNative(final ParcelFileDescriptor vpn, List<Rule> listAllowed, List<Rule> listRule) {
         SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(ServiceSinkhole.this);
         boolean log = prefs.getBoolean("log", false);
         boolean log_app = prefs.getBoolean("log_app", true);
@@ -1649,8 +1652,12 @@ private void startNative(final ParcelFileDescriptor vpn, List<Rule> listAllowed,
                     vpn,
                     () -> jni_wireguard_start(),
                     () -> { jni_wireguard_stop(); return kotlin.Unit.INSTANCE; });
-            if (!wgOk)
-                Log.w(TAG, "WireGuard egress failed to start; falling back to direct");
+            if (!wgOk) {
+                String wgError = net.kollnig.missioncontrol.wg.WgEgress.INSTANCE.getLastError();
+                Log.w(TAG, "WireGuard egress failed to start; blocking traffic: " + wgError);
+                showWireGuardErrorNotification(wgError);
+                return false;
+            }
 
             if (tunnelThread == null) {
                 Log.i(TAG, "Starting tunnel thread context=" + jni_context);
@@ -1671,6 +1678,8 @@ public void run() {
                 Log.i(TAG, "Started tunnel thread");
             }
         }
+
+        return true;
     }
 
     private void stopNative(ParcelFileDescriptor vpn) {
@@ -3404,6 +3413,35 @@ private void showDohErrorNotification() {
             NotificationManagerCompat.from(this).notify(NOTIFY_DOH_ERROR, notification.build());
     }
 
+    private void showWireGuardErrorNotification(String message) {
+        Intent main = new Intent(this, ActivitySettings.class);
+        PendingIntent pi = PendingIntentCompat.getActivity(this, NOTIFY_WG_ERROR, main,
+                PendingIntent.FLAG_UPDATE_CURRENT);
+
+        String detail = TextUtils.isEmpty(message)
+                ? getString(R.string.msg_wg_blocked)
+                : getString(R.string.msg_wg_blocked_detail, message);
+
+        NotificationCompat.Builder builder = new NotificationCompat.Builder(this, "notify");
+        builder.setSmallIcon(R.drawable.ic_error_white_24dp)
+                .setContentTitle(getString(R.string.msg_wg_blocked_title))
+                .setContentText(detail)
+                .setContentIntent(pi)
+                .setColor(getResources().getColor(R.color.colorTrackerControl))
+                .setOngoing(false)
+                .setAutoCancel(true);
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP)
+            builder.setCategory(NotificationCompat.CATEGORY_STATUS)
+                    .setVisibility(NotificationCompat.VISIBILITY_SECRET);
+
+        NotificationCompat.BigTextStyle notification = new NotificationCompat.BigTextStyle(builder);
+        notification.bigText(detail);
+
+        if (Util.canNotify(this))
+            NotificationManagerCompat.from(this).notify(NOTIFY_WG_ERROR, notification.build());
+    }
+
     private void showUpdateNotification(String name, String url) {
         if (Util.isFDroidInstall())
             return;
@@ -3433,6 +3471,7 @@ private void removeWarningNotifications() {
         NotificationManagerCompat.from(this).cancel(NOTIFY_AUTOSTART);
         NotificationManagerCompat.from(this).cancel(NOTIFY_ERROR);
         NotificationManagerCompat.from(this).cancel(NOTIFY_DOH_ERROR);
+        NotificationManagerCompat.from(this).cancel(NOTIFY_WG_ERROR);
     }
 
     private class Builder extends VpnService.Builder {

app/src/main/java/net/kollnig/missioncontrol/wg/WgEgress.kt

@@ -25,6 +25,7 @@ object WgEgress {
     private const val DEFAULT_MTU = 1420
 
     @Volatile private var tunnel: WgTunnel? = null
+    @Volatile private var lastError: String? = null
     private var currentConfig: String? = null
     private var currentTunFd: Int = -1
 
@@ -34,9 +35,8 @@ object WgEgress {
      * no-op so reload-induced restarts don't re-handshake.
      *
      * Returns true on success or already-correct state. Returns false if
-     * WG was supposed to start but failed; in that case the C side is left
-     * with `wg_enabled = 0` so traffic isn't black-holed (fail-closed
-     * applies only when WG is *running* and traffic should be protected).
+     * WG was supposed to start but failed; in that case the caller must keep
+     * the VPN from forwarding direct traffic so the user remains fail-closed.
      */
     fun startOrUpdate(
         wgEnabled: Boolean,
@@ -48,6 +48,7 @@ object WgEgress {
     ): Boolean {
         val wantRunning = wgEnabled && !configText.isNullOrEmpty()
         val desiredFd = vpnFd.fd
+        lastError = null
 
         if (!wantRunning) {
             if (tunnel != null) {
@@ -70,19 +71,22 @@ object WgEgress {
         val parsed = try {
             WgConfigParser.parse(configText!!)
         } catch (e: Exception) {
+            lastError = "Invalid WireGuard config: ${e.message}"
             Log.e(TAG, "config parse: ${e.message}")
             return false
         }
 
         val resolved = try {
             withResolvedEndpoints(parsed)
         } catch (e: Exception) {
+            lastError = "WireGuard endpoint resolution failed: ${e.message}"
             Log.e(TAG, "endpoint resolve: ${e.message}")
             return false
         }
 
         val rxFd = startSocketpair()
         if (rxFd < 0) {
+            lastError = "Could not create WireGuard packet socket"
             Log.e(TAG, "jni_wireguard_start failed")
             return false
         }
@@ -101,9 +105,13 @@ object WgEgress {
                 resolved.toUapi(), rxFd, desiredFd, mtu, protector, logger
             )
         } catch (e: Throwable) {
+            lastError = "WireGuard tunnel failed to start: ${e.message ?: e.javaClass.simpleName}"
             Log.e(TAG, "Wgbridge.startTunnel failed", e)
+            closeRawFd(rxFd)
             stopSocketpair()
             return false
+        } finally {
+            if (tunnel != null) closeRawFd(rxFd)
         }
 
         currentConfig = configText
@@ -119,6 +127,8 @@ object WgEgress {
 
     fun isRunning(): Boolean = tunnel != null
 
+    fun getLastError(): String? = lastError
+
     private fun stopInternal(stopSocketpair: () -> Unit) {
         val t = tunnel
         tunnel = null
@@ -163,4 +173,12 @@ object WgEgress {
         val ip = addr.hostAddress ?: throw IllegalStateException("getHostAddress null for $host")
         return if (addr is java.net.Inet6Address) "[$ip]:$port" else "$ip:$port"
     }
+
+    private fun closeRawFd(fd: Int) {
+        try {
+            ParcelFileDescriptor.adoptFd(fd).close()
+        } catch (e: Throwable) {
+            Log.w(TAG, "close fd $fd failed", e)
+        }
+    }
 }

app/src/main/res/values/strings.xml

@@ -182,6 +182,9 @@
     <string name="summary_wg_enabled">Hides device IP. Tunnels TCP and UDP egress. Apps will see network errors during outages — fail-closed, no fall-through to direct.</string>
     <string name="summary_wg_config">Paste a [Interface] / [Peer] config from your provider</string>
     <string name="msg_wg_config_invalid">Invalid WireGuard config: %s</string>
+    <string name="msg_wg_blocked_title">WireGuard tunnel unavailable</string>
+    <string name="msg_wg_blocked">Internet access is blocked until WireGuard starts or the WireGuard setting is disabled.</string>
+    <string name="msg_wg_blocked_detail">Internet access is blocked until WireGuard starts or the WireGuard setting is disabled. %s</string>
     <string name="summary_watchdog">Periodically check if TrackerControl is still running (enter zero to disable this option). This might result in extra battery usage.</string>
     <string name="summary_log_logcat">Research mode: identified trackers are logged to ADB and SNI extraction is enabled for better hostname detection. Retrieve logs with adb logcat using tag \'TC-Log\'.</string>
 

wgbridge/bridge.go

@@ -10,14 +10,14 @@
 // would be re-captured by NetGuard's TUN and loop forever.
 //
 // Build:
-//   gomobile bind -target=android -androidapi 23 -o ../app/libs/wgbridge.aar .
+//
+//	gomobile bind -target=android -androidapi 23 -o ../app/libs/wgbridge.aar .
 package wgbridge
 
 import (
 	"errors"
 	"fmt"
 	"os"
-	"strconv"
 	"sync"
 
 	"golang.org/x/sys/unix"
@@ -86,13 +86,7 @@ func StartTunnel(uapiConfig string, outboundRxFd int32, tunWriteFd int32, mtu in
 	}
 	t.events <- tun.EventUp
 
-	// Snapshot UDP fds before wireguard-go opens its outer sockets, so we
-	// can identify exactly the new ones afterwards and protect those — and
-	// only those. Avoids accidentally protecting unrelated sockets that
-	// belong to anyone else in the process.
-	udpBefore := snapshotUdpFds()
-
-	dev := device.NewDevice(t, conn.NewStdNetBind(), newDeviceLogger(logger))
+	dev := device.NewDevice(t, newProtectedBind(protect), newDeviceLogger(logger))
 
 	if err := dev.IpcSet(uapiConfig); err != nil {
 		dev.Close()
@@ -105,20 +99,78 @@ func StartTunnel(uapiConfig string, outboundRxFd int32, tunWriteFd int32, mtu in
 		return nil, fmt.Errorf("device up: %w", err)
 	}
 
-	// Protect each new UDP socket so its egress bypasses the VpnService TUN.
-	udpAfter := snapshotUdpFds()
-	for fd := range udpAfter {
-		if _, existed := udpBefore[fd]; existed {
-			continue
+	return &Tunnel{dev: dev, tunDev: t}, nil
+}
+
+type protectedBind struct {
+	inner   conn.Bind
+	protect Protector
+}
+
+func newProtectedBind(protect Protector) conn.Bind {
+	return &protectedBind{inner: conn.NewStdNetBind(), protect: protect}
+}
+
+func (b *protectedBind) Open(port uint16) ([]conn.ReceiveFunc, uint16, error) {
+	fns, actualPort, err := b.inner.Open(port)
+	if err != nil {
+		return nil, 0, err
+	}
+	if err := b.protectOpenSockets(); err != nil {
+		_ = b.inner.Close()
+		return nil, 0, err
+	}
+	return fns, actualPort, nil
+}
+
+func (b *protectedBind) Close() error              { return b.inner.Close() }
+func (b *protectedBind) SetMark(mark uint32) error { return b.inner.SetMark(mark) }
+func (b *protectedBind) Send(bufs [][]byte, ep conn.Endpoint) error {
+	return b.inner.Send(bufs, ep)
+}
+func (b *protectedBind) ParseEndpoint(s string) (conn.Endpoint, error) {
+	return b.inner.ParseEndpoint(s)
+}
+func (b *protectedBind) BatchSize() int { return b.inner.BatchSize() }
+
+func (b *protectedBind) protectOpenSockets() error {
+	peek, ok := b.inner.(conn.PeekLookAtSocketFd)
+	if !ok {
+		return errors.New("bind does not expose socket fds")
+	}
+
+	fds := make(map[int]struct{}, 2)
+	for _, peekFn := range []func() (int, error){peek.PeekLookAtSocketFd4, peek.PeekLookAtSocketFd6} {
+		fd, ok, err := safePeekSocketFd(peekFn)
+		if err != nil {
+			return err
 		}
-		if !protect.Protect(int32(fd)) {
-			dev.Close()
-			_ = t.Close()
-			return nil, fmt.Errorf("VpnService.protect(%d) failed", fd)
+		if ok && fd >= 0 {
+			fds[fd] = struct{}{}
 		}
 	}
+	if len(fds) == 0 {
+		return errors.New("bind opened no protectable UDP sockets")
+	}
 
-	return &Tunnel{dev: dev, tunDev: t}, nil
+	for fd := range fds {
+		if !b.protect.Protect(int32(fd)) {
+			return fmt.Errorf("VpnService.protect(%d) failed", fd)
+		}
+	}
+	return nil
+}
+
+func safePeekSocketFd(peek func() (int, error)) (fd int, ok bool, err error) {
+	defer func() {
+		if recover() != nil {
+			fd = -1
+			ok = false
+			err = nil
+		}
+	}()
+	fd, err = peek()
+	return fd, err == nil, err
 }
 
 // Stop tears down wireguard-go and closes the duplicated fds.
@@ -181,40 +233,6 @@ func (t *socketpairTun) Close() error {
 	return err2
 }
 
-// snapshotUdpFds enumerates UDP sockets in the current process by reading
-// /proc/self/fd and filtering by readlink target prefix "socket:". A
-// secondary filter (SO_TYPE == SOCK_DGRAM) further narrows it to UDP. The
-// returned set's keys are the integer fds.
-func snapshotUdpFds() map[int]struct{} {
-	out := make(map[int]struct{})
-	entries, err := os.ReadDir("/proc/self/fd")
-	if err != nil {
-		return out
-	}
-	for _, e := range entries {
-		fd, err := strconv.Atoi(e.Name())
-		if err != nil {
-			continue
-		}
-		// Skip stdio.
-		if fd < 3 {
-			continue
-		}
-		// Filter by socket type.
-		stype, err := unix.GetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_TYPE)
-		if err != nil || stype != unix.SOCK_DGRAM {
-			continue
-		}
-		// Filter by socket family.
-		family, err := unix.GetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_DOMAIN)
-		if err != nil || (family != unix.AF_INET && family != unix.AF_INET6) {
-			continue
-		}
-		out[fd] = struct{}{}
-	}
-	return out
-}
-
 func newDeviceLogger(l Logger) *device.Logger {
 	if l == nil {
 		return &device.Logger{