Why does Nekoray in TUN mode not proxy requests from Windsurf IDE?
I recently switched to NixOS 25.11 and installed Windsurf IDE. I enabled Nekoray in TUN mode, and it works normally (tested via curl and in the browser), but when I try to make a request to a neural network in Windsurf, I get an error ‘country not allowed’. There’s no issue with the VPN server - it works correctly on Windows. In Nekoray, I can see traffic from Windsurf and its language_server, which is responsible for the AI functionality, but for some reason, this traffic is not going through the proxy.
Nekoray logs are available at: https://pastebin.com/StT6mTqJ
Main Problem
The main issue is that Nekoray in TUN mode does not correctly handle traffic routing from specific processes such as Windsurf IDE and its language_server. This is related to the specifics of process-filtering configuration and routing rules in NixOS.
Contents
- Basic Issues
- Process Filtering Configuration in Nekoray
- Routing Configuration for NixOS
- Step-by-Step Solution
- Alternative Approaches
- Verification and Diagnosis
Basic Issues
Based on analysis of logs and common issues with Nekoray in NixOS, the main causes are:
-
Incorrect process filtering configuration - Windsurf IDE and language_server may have different process names than those specified in the routing rules.
-
Missing necessary privileges - In NixOS, due to the immutability of the filesystem, special setuid configuration is required for TUN mode to work.
-
DNS issues - As mentioned in research, for TUN mode to work in NixOS,
services.resolvedneeds to be enabled. -
Routing conflicts - The ‘country not allowed’ issue indicates that traffic from Windsurf is not passing through the proxy but is going directly.
Process Filtering Configuration in Nekoray
To solve the traffic routing issue from Windsurf IDE, you need to properly configure process filtering:
Determining Process Names
First, you need to determine the exact process names for Windsurf and language_server:
-
Open a terminal and run:
bashps aux | grep windsurf ps aux | grep language_server
-
Start Windsurf and check how its processes are named in the system.
Configuring Routing Rules
In Nekoray, configure routing through the JSON editor:
- Go to
Settings → Routing → Rule Editor - Add the following rules:
{
"route": {
"final": "proxy",
"rules": [
{
"process_name": ["windsurf", "language_server"],
"outbound": "proxy"
},
{
"ip_is_private": true,
"outbound": "direct"
}
]
}
}
Important: Make sure the process names match the actual names in your system. If the process is named differently, adjust the rules accordingly.
Routing Configuration for NixOS
Enabling resolved
As mentioned in documentation, add to your configuration.nix:
services.resolved.enable = true;
Configuring Access Rights for TUN Mode
In NixOS, special configuration is required for TUN mode to work:
programs.nekoray.tunMode = {
enable = true;
setuid = true;
};
Creating Necessary Symlinks
Due to the immutability of the filesystem in NixOS, you may need to create symlinks:
sudo mkdir -p /usr/local/bin
sudo ln -s /run/current-system/sw/bin/nekoray /usr/local/bin/
sudo ln -s /run/current-system/sw/bin/nekobox_core /usr/local/bin/
Step-by-Step Solution
Step 1: Check and Determine Process Names
# Start Windsurf and in another terminal run:
ps aux | grep -i windsurf
ps aux | grep -i language
Write down the exact process names.
Step 2: Configure Nekoray
- Open Nekoray
- Go to
Settings → Routing → Rule Editor - Paste the configured rules with the correct process names
- Save and restart Nekoray
Step 3: Check Routing
Add a test domain to Settings → Routing → Direct Domains for testing:
api.openai.com
Step 4: Enable Strict Routing Mode
In Settings → TUN Settings, enable:
Strict RouteFake DNS
Alternative Approaches
Using System Proxy Instead of TUN Mode
If TUN mode continues to work incorrectly, try:
- Disable TUN mode
- Enable
System Proxy - Configure Windsurf to use system proxy settings
Using vopono
For complex scenarios, you can use vopono:
sudo nix-channel --add https://github.com/jamesmcm/vopono/archive/main.tar.gz vopono
sudo nix-channel --update
sudo nix-env -iA nixos.vopono
# Start Windsurf through vopono
vopono -r nekoray windsurf
Verification and Diagnosis
Checking Process Routing
# View iptables rules
sudo iptables -L -n -v
sudo ip6tables -L -n -v
# Check active connections
ss -tulpn | grep windsurf
Testing Proxy Connection
# Check via curl
curl -x socks5h://127.0.0.1:1080 http://api.openai.com
# Check for DNS leaks
nslookup api.openai.com
Logging for Diagnosis
Enable detailed logging in Nekoray:
Settings → Logging → Level: Debug- Make a test request in Windsurf
- Analyze logs for routing errors
Conclusion
The main issue with Nekoray in TUN mode for Windsurf IDE in NixOS is related to incorrect process filtering configuration and specific features of NixOS operation. Key solutions include:
- Precise process filtering configuration with correct process names for Windsurf and language_server
- Enabling services.resolved for DNS operation in TUN mode
- Configuring setuid rights for proper TUN interface operation
- Using strict routing mode to prevent traffic leaks
If standard solutions don’t work, consider alternative approaches like using System Proxy or external tools like vopono for isolated application launching through proxy.