Hello.
I am experiencing a reproducible compatibility issue between LuLu and AmneziaVPN on macOS.
Environment:
macOS: 26.5
Build: 25F71
LuLu: 4.3.1
AmneziaVPN: latest available version
LuLu Network Extension: enabled and active
AmneziaVPN self-hosted server
Self-hosted protocol: AmneziaWG / WireGuard userspace path via wireguard-go
Self-hosted endpoint: :1234/udp
Problem:
When LuLu is enabled, AmneziaVPN self-hosted AmneziaWG does not connect.
When LuLu is fully disabled, the same self-hosted AmneziaVPN profile connects normally.
This issue is reproducible on two different MacBooks with the same macOS version and the same latest AmneziaVPN version.
Important observations:
This does not look like a general UDP, IP, port, router, or server issue.
With LuLu enabled and VPN disabled, manual UDP traffic to the same self-hosted endpoint works:
echo test | nc -u -w1 1234
tcpdump on en0 confirms that the manual UDP packet leaves the Mac.
Amnezia Premium profile works with LuLu enabled.
The self-hosted profile works immediately when LuLu is fully disabled.
Deleting LuLu rules related to Amnezia did not fix the issue.
Passive Mode with “new connections allowed” also did not fix the issue.
Processes observed:
LuLu Network Extension:
/Library/SystemExtensions/.../com.objective-see.lulu.extension.systemextension/Contents/MacOS/com.objective-see.lulu.extension
Amnezia GUI:
/Applications/AmneziaVPN.app/Contents/MacOS/AmneziaVPN
Amnezia root service:
/Applications/AmneziaVPN.app/Contents/MacOS/AmneziaVPN-service
Self-hosted AmneziaWG path:
/Applications/AmneziaVPN.app/Contents/MacOS/wireguard-go -f utun
Premium mode path:
/Applications/AmneziaVPN.app/Contents/MacOS/tun2socks
local SOCKS proxy on 127.0.0.1
TCP connections from AmneziaVPN-service to Amnezia Premium server on port 443
Observed difference:
Premium mode works with LuLu enabled and uses tun2socks + TCP 443.
Self-hosted mode does not work with LuLu enabled and uses wireguard-go / utun / UDP.
The same self-hosted profile works when LuLu is disabled.
Expected behavior:
If AmneziaVPN / AmneziaVPN-service / wireguard-go are allowed, LuLu should not interfere with the self-hosted AmneziaWG tunnel. Alternatively, LuLu should provide a clear way to exclude these processes from filtering.
Actual behavior:
With LuLu enabled, AmneziaVPN self-hosted AmneziaWG does not complete the handshake.
With LuLu disabled, the same profile connects successfully.
This looks like an interaction between LuLu Network Extension and AmneziaVPN self-hosted AmneziaWG / wireguard-go / utun tunnel path, rather than a normal firewall rule denying a specific IP or port.
Please advise:
Is there a recommended way to fully exclude the following executables from LuLu filtering?
/Applications/AmneziaVPN.app/Contents/MacOS/AmneziaVPN
/Applications/AmneziaVPN.app/Contents/MacOS/AmneziaVPN-service
/Applications/AmneziaVPN.app/Contents/MacOS/wireguard-go
/Applications/AmneziaVPN.app/Contents/MacOS/tun2socks
Can LuLu currently conflict with VPN clients that use utun / wireguard-go / Network Extension paths?
What logs or diagnostics would you like me to provide?
I can provide:
systemextensionsctl list output
ps aux output
lsof output
tcpdump output
screenshots of LuLu settings/rules
AmneziaVPN logs
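The tcpdump check described in the report can be turned into a three-way result for the tunnel's own packets. This is an added example, not part of the original report or of either project's code; the capture command in the comment, the function names, and the sample addresses and lengths are assumptions constructed for illustration, and only port 1234 comes from the report.

```shell
#!/bin/sh
# Added example, not from the report. Classifies tcpdump text output captured
# on the physical interface while the VPN client tries to connect, e.g.:
#   sudo tcpdump -l -n -i en0 udp port 1234 > capture.txt
# 1234 is the endpoint port from the report; all addresses are constructed.

# classify_capture PORT  (tcpdump -n lines on stdin)
#   no-egress        nothing was sent to PORT on this interface
#   egress-no-reply  packets to PORT left, nothing came back from it
#   bidirectional    traffic seen in both directions
classify_capture() {
    awk -v port="$1" '
        / IP6? / {
            src = ""; dst = ""
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            sub(/:$/, "", dst)              # tcpdump prints "addr.port:"
            if (dst ~ ("\\." port "$")) tx++
            else if (src ~ ("\\." port "$")) rx++
        }
        END {
            if (!tx) print "no-egress"
            else if (!rx) print "egress-no-reply"
            else print "bidirectional"
        }'
}

# Constructed captures (RFC 5737 / private addresses, made-up lengths).
sample_egress_only() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.51820 > 203.0.113.5.1234: UDP, length 148
12:00:06.000002 IP 192.168.1.10.51820 > 203.0.113.5.1234: UDP, length 148
12:00:06.500000 IP 192.168.1.10.60000 > 192.168.1.1.4500: UDP, length 40
EOF
}
sample_bidirectional() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.51820 > 203.0.113.5.1234: UDP, length 148
12:00:01.040000 IP 203.0.113.5.1234 > 192.168.1.10.51820: UDP, length 92
EOF
}

echo "empty capture: $(: | classify_capture 1234)"
echo "egress only:   $(sample_egress_only | classify_capture 1234)"
echo "both ways:     $(sample_bidirectional | classify_capture 1234)"
```

Comparing one capture taken with the filter enabled against one taken with it disabled shows whether the tunnel's packets are lost before they reach en0 (`no-egress`) or after they leave the host (`egress-no-reply`).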