I'm trying to switch over from iptables based FW to nftables.

I have a basic ruleset

flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
ip protocol icmp limit rate 10/second accept
ip protocol icmp drop
ip6 nexthdr icmpv6 limit rate 10/second accept
ip6 nexthdr icmpv6 drop
iif lo accept
ct state established,related accept
ct state invalid drop
tcp dport { 22 } ct state new accept
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
counter drop

but it does not allow me to initiate VPN with a vpn provider (i'm the client, so I initiate the connection).

I suspect it has something to do with virtual interface ppp0 being given an int reference by the kernel when it is created - and - we don't know what that int will be until we instantiate vpn. Thus if we tell nftables about if ppp0 it will not know what to do with it nftables is instantiated before vpn - thus ppp0 will be null.

The same behavior is observed with openvpn, where a virtual interface 'tun0' is created by the kernel.

Any guidance would be really valuable.

Thank you

what VPN type are you using? i would avoid pppd completely if i could (and by running my own VPNs i can ... no pppds in any of my 38 VPNs)

Hi

I will edit my post to include your suggestion about using OPENVPN. In brief, using openvpn under debian creates a virtual interface, tun0. The exact same behavior is observed. Syslog shows that the openvpn client receives response from the server but then cannot connect.

Disable nftables allows it to connect.