ERROR: Failed to bring up WireGuard device: permission denied in termux (non-root Android) #161

@dpurnam

Describe the Bug

I've almost given up on setting up a newt client inside the Termux app on a non-root Android phone (because newt claims to be userspace).

For now I've reverted to using a functional cloudflared tunnel, unwillingly.

I've tried using the newt binary for arm64, which had its own issues with CA cert verification for the remote (Pangolin) server, DNS issues (unable to ping 127.0.0.1:53), etc.

So I switched to using termux-udocker, which got me past the issues above, except the one below.

u0_a177@localhost:~/Termux-Udocker$ ./newt.sh 
PANGOLIN_ENDPOINT=https://pangolin.example.org -e NEWT_ID=704bj4md8u65wui -e NEWT_SECRET=<Redacted> -e DNS=1.1.1.1 -e MTU=1500 -e LOG_LEVEL=DEBUG -e KEEP_INTERFACE=true

Running with image default (built-in) Entrypoint/CMD:
INFO: 2025/10/10 08:40:49 Newt version 1.5.2
DEBUG: 2025/10/10 08:40:50 Config already provided, skipping loading from file
DEBUG: 2025/10/10 08:40:50 Endpoint: https://pangolin.example.org
DEBUG: 2025/10/10 08:40:50 Log Level: DEBUG
DEBUG: 2025/10/10 08:40:50 Docker Network Validation Enabled: false
DEBUG: 2025/10/10 08:40:50 Health Check Certificate Enforcement: false
DEBUG: 2025/10/10 08:40:50 Dns: 1.1.1.1
DEBUG: 2025/10/10 08:40:50 MTU: 1500
DEBUG: 2025/10/10 08:40:50 Creating new health check monitor with certificate enforcement: false
DEBUG: 2025/10/10 08:40:50 Received token: <Redacted>
DEBUG: 2025/10/10 08:40:50 Config has not changed, skipping save
DEBUG: 2025/10/10 08:40:50 Public key: <Redacted>
INFO: 2025/10/10 08:40:50 Websocket connected
DEBUG: 2025/10/10 08:40:50 Requesting exit nodes from server
DEBUG: 2025/10/10 08:40:50 Sending message: newt/wg/register, data: map[backwardsCompatible:true newtVersion:1.5.2 publicKey:2PGpCtS6T16+iIkeOrubeiDVw9VbHl/sWerUTgjBSnU=]
DEBUG: 2025/10/10 08:40:50 Sending message: newt/ping/request, data: map[noCloud:false]
DEBUG: 2025/10/10 08:40:50 Received ping message
DEBUG: 2025/10/10 08:40:50 Only one exit node available, using it directly: pangolin.example.org
DEBUG: 2025/10/10 08:40:50 Sending message: newt/wg/register, data: map[newtVersion:1.5.2 pingResults:[{ExitNodeID:1 LatencyMs:0 Weight:1 Error: Name:Exit Node JwHxjc5q Endpoint:pangolin.example.org WasPreviouslyConnected:true}] publicKey:<Redacted>]
DEBUG: 2025/10/10 08:40:51 Received registration message
DEBUG: 2025/10/10 08:40:51 Received registration message data: map[endpoint:pangolin.example.org:51820 publicKey:JwHxjc5qHIwugLIXvyEx4MAmUYXCRgM4RgjlgpT3+z4= serverIP:100.89.128.1 targets:map[tcp:[] udp:[]] tunnelIP:100.89.128.20]
DEBUG: 2025/10/10 08:40:51 Received: {Type:newt/wg/connect Data:map[endpoint:pangolin.example.org:51820 publicKey:<Redacted> serverIP:100.89.128.1 targets:map[tcp:[] udp:[]] tunnelIP:100.89.128.20]}
INFO: 2025/10/10 08:40:51 Connecting to endpoint: pangolin.example.org
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 3 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 1 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 1 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 1 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 2 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 2 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 3 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 2 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 4 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 4 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 4 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 6 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 6 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 6 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 5 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: event worker - started
DEBUG: wireguard: 2025/10/10 08:40:51 Interface up requested
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: encryption worker 3 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: handshake worker 5 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: decryption worker 5 - started
DEBUG: wireguard: 2025/10/10 08:40:51 Routine: TUN reader - started
ERROR: wireguard: 2025/10/10 08:40:51 Unable to update bind: permission denied
DEBUG: wireguard: 2025/10/10 08:40:51 Interface state was Down, requested Up, now Down
DEBUG: wireguard: 2025/10/10 08:40:51 UAPI: Updating private key
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Created
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Adding allowedip
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Updating endpoint
DEBUG: wireguard: 2025/10/10 08:40:51 peer(JwHx…3+z4) - UAPI: Updating persistent keepalive interval
ERROR: wireguard: 2025/10/10 08:40:51 Unable to update bind: permission denied
DEBUG: wireguard: 2025/10/10 08:40:51 Interface state was Down, requested Up, now Down
ERROR: 2025/10/10 08:40:51 Failed to bring up WireGuard device: permission denied
DEBUG: 2025/10/10 08:40:51 WireGuard device created. Lets ping the server now...
DEBUG: 2025/10/10 08:40:51 Testing initial connection with reliable ping...
DEBUG: 2025/10/10 08:40:51 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:40:56 Ping attempt 1/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:40:56 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:01 Ping attempt 2/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:41:01 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:07 Ping attempt 3/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:41:08 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:14 Ping attempt 4/5 failed: failed to read ICMP packet: i/o timeout
DEBUG: 2025/10/10 08:41:14 Pinging 100.89.128.1
DEBUG: 2025/10/10 08:41:22 Ping attempt 5/5 failed: failed to read ICMP packet: i/o timeout
WARN: 2025/10/10 08:41:22 Initial reliable ping failed, but continuing: all 5 ping attempts failed, last error: failed to read ICMP packet: i/o timeout

Environment

  • OS Type & Version: termux pkg (non-root Android Phone)
  • Pangolin Version: latest
  • Gerbil Version: latest
  • Traefik Version: 3.4
  • Newt Version: latest
  • Olm Version: (Not applicable)

To Reproduce

Used a very simple Docker Compose file with udocker:

u0_a177@localhost:~/Termux-Udocker$ cat newt/docker-compose.yml 
services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    environment:
      PANGOLIN_ENDPOINT: https://pangolin.example.org
      NEWT_ID: <Redacted>
      NEWT_SECRET: <Redacted>
      DNS: 1.1.1.1
      MTU: 1500
      LOG_LEVEL: DEBUG
      KEEP_INTERFACE: true

But simple --env arguments for udocker should also be enough instead of a compose file.

Expected Behavior

A working newt client?
