Skip to content

Wireguard: support userspace mode (Rootless Android/Termux) #212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dpurnam wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Wireguard: support userspace mode (Rootless Android/Termux) #212

dpurnam wants to merge 2 commits into from

Conversation

@dpurnam
Copy link

@dpurnam dpurnam commented Dec 18, 2025
edited
Loading

Description

This PR fixes Newt running in userspace WireGuard environments
(e.g. Termux on a non-root Android).

Problem:

  • dev.Up() fails with "permission denied"
  • ICMP-based health checks always fail
  • Tunnel never becomes usable despite UDP connectivity working

Solution:

  • Introduce TRUE_USERSPACE_WG=1
  • Skip dev.Up() when running in userspace mode (for ex. rootless androids or termux)
  • Do not treat initial ICMP ping failure as fatal in userspace mode

Verified working:

  • Android (Termux, non-root)
  • Pangolin endpoint reachable
  • Sites and Resources successfully created and accessible

Reference:
#161 (comment)

Additional Comments:
sing-box WireGuard works in the same environment when system=false, which matches this change.

How to test?

export TRUE_USERSPACE_WG=1;
newt --id .... --secret ....

OR simply use an arg --true-userspace-wg with newt command

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

@dpurnam
Wireguard: support userspace mode (Rootless Android/Termux)
d8fbdfd 
Skip dev.Up() and ICMP-based health checks when running in
userspace WireGuard environments where TUN control is not
permitted (e.g. Termux on a Rootless Android).
@dpurnam
Wireguard: support userspace mode (Rootless Android/Termux)
575c99a 
Skip dev.Up() and ICMP-based health checks when running in
userspace WireGuard environments where TUN control is not
permitted (e.g. Termux on a Rootless Android).
@dpurnam dpurnam marked this pull request as draft December 18, 2025 10:14
@dpurnam dpurnam marked this pull request as ready for review December 18, 2025 10:18
@oschwartz10612
Copy link
Member

oschwartz10612 commented Dec 18, 2025

Hi! Thanks for the PR!

I am a little confused how this fixes things because dev.Up() should be occurring in the netstack network stack all in newt and not on the host. Newt should / can be run without sudo. I am kind of shocked it still works without bringing up the internal device.

Would you be able to let me know what kind of errors you were experiencing prior to this fix?

@dpurnam
Copy link
Author

dpurnam commented Dec 18, 2025
edited
Loading

Hi! Thanks for the PR!

I am a little confused how this fixes things because dev.Up() should be occurring in the netstack network stack all in newt and not on the host. Newt should / can be run without sudo. I am kind of shocked it still works without bringing up the internal device.

Would you be able to let me know what kind of errors you were experiencing prior to this fix?

#161 (comment)

and

#161 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dpurnam @oschwartz10612