Using Waydroid with UFW and Configuring UFW
What Is Waydroid and UFW
Waydroid is software that enables Android applications to run on Linux via LXC container technology.
As a result of configuring the UFW firewall on Linux, Waydroid may become unable to connect to the internet. This is normal and expected behavior. Waydroid typically sets the necessary permissions in either iptables or nftables. This allows its network interface to connect to the internet. However, manually configuring UFW disrupts Waydroid’s settings.
UFW is a high-level configuration tool for the lower-level Linux firewalls, iptables and nftables. The configurations you provide to UFW are converted to these lower-level configurations. After messing up this configuration with UFW, you will have to manually add the necessary permissions to your firewall configuration. This process requires technical knowledge and an understanding of Waydroid’s needs.
Fortunately, I spent a few hours researching and tinkering with this, and in this article, I will explain how to configure it.
Steps to Configure UFW
1) Let’s examine our network interfaces using the ip a command. Note the waydroid0 and vethXXXXXX@XXX interfaces in the output; vethXXXXXX@XXX is a virtual Ethernet cable. One end is connected to Android, the other end is connected to waydroid0. waydroid0 is the main virtual interface used by Waydroid to connect to the internet. It has its own IP range: 192.168.240.0/24. This is important because when you connect to the internet, for example, your wlp3s0 interface uses the range 192.168.0.0/24. As you can see, these two interfaces have different IP ranges. Therefore, we will need to set up NAT forwarding in the UFW configuration.
2) Enable UFW to allow packet transfer between the other interfaces on the device. To do this, open /etc/default/ufw and set DEFAULT_FORWARD_POLICY to ACCEPT.
# /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
This is the first step, allowing packet transfer between waydroid0 and wlp3s0. However, we will define how this transfer will occur with the NAT rules.
3) In order to perform NAT forwarding, we first need to enable IP forwarding. Edit the /etc/ufw/sysctl.conf file and add or uncomment the line net/ipv4/ip_forward=1 to enable IP forwarding. Next, configure NAT forwarding.
# /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
Now, let’s go to the /etc/ufw/before.rules file to configure NAT forwarding. This file is organised into tables: the commands for a table are entered between its table line (such as *filter) and the COMMIT line that closes it. For example:
*filter
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
...
COMMIT
This contains a series of commands for the filter table, and the filter table ends with COMMIT. Add a separate block for the NAT table to this file, after the filter table’s COMMIT line:
# Waydroid NAT rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.240.0/24 -j MASQUERADE
COMMIT
# End Waydroid rules
The final result should look like this:
*filter
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
...
COMMIT
# Waydroid NAT rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.240.0/24 -j MASQUERADE
COMMIT
# End Waydroid rules
Thus, through the MASQUERADE rule, UFW rewrites packets leaving the 192.168.240.0/24 range so that they carry the address of the outgoing interface, for example wlp3s0 on 192.168.0.0/24, and the replies are translated back to the Android side. NAT forwarding therefore works in both directions.
4) The next step is to enable the protocols that Waydroid requires, specifically DHCP and DNS. Since Waydroid has its own network stack, it must obtain an IP address independent from the host machine’s (Linux) network. It obtains this IP address by requesting it locally from your Linux device via the virtual network interface. On your Linux host, the Waydroid service uses dnsmasq as a DHCP server to handle this task. However, if the firewall blocks incoming traffic on waydroid0, the exchange cannot complete even when outgoing DHCP packets are allowed, and IP assignment fails.
Similarly, dnsmasq on the host system provides DNS resolution, and UFW blocks these requests as well.
To solve this problem, allow the waydroid0 interface to send and receive all packets freely. Since you are doing NAT forwarding via wlp3s0, the rules applied to wlp3s0 will also indirectly apply to waydroid0. Alternatively, if you prefer a setup that follows the principle of least privilege more closely, you can simply allow the DHCP and DNS ports.
Here are the commands:
For outgoing traffic:
sudo ufw allow out on waydroid0 to any port 67 proto tcp
sudo ufw allow out on waydroid0 to any port 67 proto udp
For incoming traffic:
sudo ufw allow in on waydroid0 to any port 67 proto tcp
sudo ufw allow in on waydroid0 to any port 67 proto udp
These commands allow DHCP traffic to pass through. UFW will apply them to both IPv4 and IPv6. DHCP actually uses UDP, not TCP. However, I included both just to be sure, since I was unsure.
For outgoing traffic:
sudo ufw allow out on waydroid0 to any port 53 proto tcp
sudo ufw allow out on waydroid0 to any port 53 proto udp
For incoming traffic:
sudo ufw allow in on waydroid0 to any port 53 proto tcp
sudo ufw allow in on waydroid0 to any port 53 proto udp
These commands allow DNS traffic to pass through. DNS uses both TCP and UDP. Be sure to configure both.
Additionally, if you encounter any issues, you can delete the rules created by these commands as follows:
sudo ufw delete allow out on waydroid0 to any port 67 proto tcp
sudo ufw delete allow out on waydroid0 to any port 67 proto udp
sudo ufw delete allow in on waydroid0 to any port 67 proto tcp
sudo ufw delete allow in on waydroid0 to any port 67 proto udp
sudo ufw delete allow out on waydroid0 to any port 53 proto tcp
sudo ufw delete allow out on waydroid0 to any port 53 proto udp
sudo ufw delete allow in on waydroid0 to any port 53 proto tcp
sudo ufw delete allow in on waydroid0 to any port 53 proto udp
After doing this, restart the Waydroid container with the command sudo systemctl restart waydroid-container. Waydroid should now be able to connect to the internet with UFW enabled.
sudo systemctl restart waydroid-container
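A small check script for steps 2 and 3, added here as an example and not part of the original article or of Waydroid. Each check takes a file path, so on a real host you point them at /etc/default/ufw, /etc/ufw/sysctl.conf and /etc/ufw/before.rules; the sample files it builds are constructed, and one of them reproduces the common mistake of placing the MASQUERADE rule inside the *filter block instead of its own *nat block.

```shell
#!/bin/sh
# Added example (not from the original article): verify the UFW settings
# from steps 2 and 3. Paths are parameters; the sample files below are
# constructed so the script runs without touching the real /etc/ufw.

# Step 2: forwarding between interfaces must be permitted by policy.
check_forward_policy() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# Step 3a: ip_forward must be set and not commented out.
check_ip_forward() {
    grep -Eq '^net/ipv4/ip_forward=1' "$1"
}

# Step 3b: the MASQUERADE rule for the Waydroid subnet ($2) must sit inside
# its own *nat block that is closed by COMMIT, not inside the *filter block.
check_nat_rules() {
    awk -v rule="-A POSTROUTING -s $2 -j MASQUERADE" '
        /^\*nat/            { in_nat = 1; have_rule = 0; next }
        in_nat && /^\*/     { in_nat = 0 }   # another table opened before COMMIT
        in_nat && index($0, rule) == 1 { have_rule = 1 }
        in_nat && /^COMMIT/ { if (have_rule) ok = 1; in_nat = 0 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample files: a correct set, plus a before.rules where the
# NAT rule was mistakenly added to the *filter block.
tmp=$(mktemp -d)
printf 'DEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$tmp/ufw"
printf 'net/ipv4/ip_forward=1\n' > "$tmp/sysctl.conf"
cat > "$tmp/before.rules" <<'EOF'
*filter
-A ufw-before-input -i lo -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.240.0/24 -j MASQUERADE
COMMIT
EOF
cat > "$tmp/broken.rules" <<'EOF'
*filter
-A POSTROUTING -s 192.168.240.0/24 -j MASQUERADE
COMMIT
EOF
check_forward_policy "$tmp/ufw"     && echo "forward policy: ok"
check_ip_forward "$tmp/sysctl.conf" && echo "ip_forward: ok"
check_nat_rules "$tmp/before.rules" 192.168.240.0/24 && echo "nat rules: ok"
check_nat_rules "$tmp/broken.rules" 192.168.240.0/24 || echo "broken.rules: NAT rule is not in a *nat block"
```

Run it as root against the real paths after editing the files; a check that prints nothing (or the broken.rules message for your before.rules) points at the step to revisit before restarting the container.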
Waydroid is an impressive tool that combines the power of Linux with the extensive app ecosystem of Android. The purpose of this guide is to help you overcome one of the most common network issues you might encounter. I hope it was helpful!