ERROR: Failed to bring up WireGuard device: permission denied in termux (non-root Android) #66

Open
opened 2025-11-19 07:13:09 -06:00 by GiteaMirror · 0 comments

Originally created by @dpurnam on GitHub (Oct 10, 2025).

Describe the Bug

I've almost given up on setting up a newt client inside the Termux app on a non-root Android phone (because newt claims to be userspace).

For now I've reverted to using a functional cloudflared tunnel, unwillingly.

I've tried using the newt binary for arm64, which had its own issues with CA cert verification for the remote (pangolin) server, DNS issues (unable to ping 127.0.0.1:53), et al.

So I switched to using termux-udocker, which got me over the issues above, except the one below.

u0_a177@localhost:~/Termux-Udocker$ ./newt.sh 
PANGOLIN_ENDPOINT=https://pangolin.example.org -e NEWT_ID=704bj4md8u65wui -e NEWT_SECRET=<Redacted> -e DNS=1.1.1.1 -e MTU=1500 -e LOG_LEVEL=DEBUG -e KEEP_INTERFACE=true

Running with image default (built-in) Entrypoint/CMD:
INFO: 2025/10/10 08:40:49 Newt version 1.5.2
DEBUG: 2025/10/10 08:40:50 Config already provided, skipping loading from file
DEBUG: 2025/10/10 08:40:50 Endpoint: https://pangolin.example.org
DEBUG: 2025/10/10 08:40:50 Log Level: DEBUG
DEBUG: 2025/10/10 08:40:50 Docker Network Validation Enabled: false
DEBUG: 2025/10/10 08:40:50 Health Check Certificate Enforcement: false
DEBUG: 2025/10/10 08:40:50 Dns: 1.1.1.1
DEBUG: 2025/10/10 08:40:50 MTU: 1500
DEBUG: 2025/10/10 08:40:50 Creating new health check monitor with certificate enforcement: false
DEBUG: 2025/10/10 08:40:50 Received token: <Redacted>
DEBUG: 2025/10/10 08:40:50 Config has not changed, skipping save
DEBUG: 2025/10/10 08:40:50 Public key: <Redacted>
INFO: 2025/10/10 08:40:50 Websocket connected
DEBUG: 2025/10/10 08:40:50 Requesting exit nodes from server
DEBUG: 2025/10/10 08:40:50 Sending message: newt/wg/register, data: map[backwardsCompatible:true newtVersion:1.5.2 publicKey:2PGpCtS6T16+iIkeOrubeiDVw9VbHl/sWerUTgjBSnU=]
DEBUG: 2025/10/10 08:40:50 Sending message: newt/ping/request, data: map[noCloud:false]
DEBUG: 2025/10/10 08:40:50 Received ping message
DEBUG: 2025/10/10 08:40:50 Only one exit node available, using it directly: pangolin.example.org
DEBUG: 2025/10/10 08:40:50 Sending message: newt/wg/register, data: map[newtVersion:1.5.2 pingResults:[{ExitNodeID:1 LatencyMs:0 Weight:1 Error: Name:Exit Node JwHxjc5q Endpoint:pangolin.example.org WasPreviouslyConnected:true}] publicKey:<Redacted>]
DEBUG: 2025/10/10 08:40:51 Received registration message
DEBUG: 2025/10/10 08:40:51 Received registration message data: map[endpoint:pangolin.example.org:51820 publicKey:JwHxjc5qHIwugLIXvyEx4MAmUYXCRgM4RgjlgpT3+z4= serverIP:100.89.128.1 targets:map[tcp:[] udp:[]] tunnelIP:100.89.128.20]
DEBUG: 2025/10/10 08:40:51 Received: {Type:newt/wg/connect Data:map[endpoint:pangolin.example.org:51820 publicKey:<Redacted> serverIP:100.89.128.1 targets:map[tcp:[] udp:[]] tunnelIP:100.89.128.20]}
INFO: 2025/10/10 08:40:51 Connecting to endpoint: pangolin.example.org
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 3 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 1 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 1 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 1 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 2 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 2 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 3 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 2 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 4 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 4 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 4 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 6 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 6 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 6 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 5 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: event worker - started
DEBUG: wireguard: 2025/10/10 08:40:51 Interface up requested
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 3 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 5 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 5 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: TUN reader - started
ERROR: wireguard: 2025/10/10 08:40:51 Unable to update bind: permission denied
DEBUG: wireguard: 2025/10/10 08:40:51 Interface state was Down, requested Up, now Down
DEBUG: wireguard: 2025/10/10 08:40:51 UAPI: Updating private key
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Created
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Adding allowedip
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Updating endpoint
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Updating persistent keepalive interval
ERROR: wireguard: 2025/10/10 08:40:51 Unable to update bind: permission denied
DEBUG: wireguard: 2025/10/10 08:40:51 Interface state was Down, requested Up, now Down
ERROR: 2025/10/10 08:40:51 Failed to bring up WireGuard device: permission denied
DEBUG: 2025/10/10 08:40:51 WireGuard device created. Lets ping the server now...
DEBUG: 2025/10/10 08:40:51 Testing initial connection with reliable ping...
DEBUG: 2025/10/10 08:40:51 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:40:56 Ping attempt 1/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:40:56 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:01 Ping attempt 2/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:41:01 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:07 Ping attempt 3/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:41:08 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:14 Ping attempt 4/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:41:14 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:22 Ping attempt 5/5 failed: failed to read ICMP packet: i/o timeout
WARN: 2025/10/10 08:41:22 Initial reliable ping failed, but continuing: all 5 ping attempts failed, last error: failed to read ICMP packet: i/o timeout

Environment

  • OS Type & Version: termux pkg (non-root Android Phone)
  • Pangolin Version: latest
  • Gerbil Version: latest
  • Traefik Version: 3.4
  • Newt Version: latest
  • Olm Version: (Not applicable)

To Reproduce

Used a very simple docker compose with udocker:

u0_a177@localhost:~/Termux-Udocker$ cat newt/docker-compose.yml 
services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    environment:
      PANGOLIN_ENDPOINT: https://pangolin.example.org
      NEWT_ID: <Redacted>
      NEWT_SECRET: <Redacted>
      DNS: 1.1.1.1
      MTU: 1500
      LOG_LEVEL: DEBUG
      KEEP_INTERFACE: true

But simple --env arguments for udocker should also be enough instead of a compose file.

Expected Behavior

A working newt client?

Reference: github-starred/newt#66