bigmoby / addon-wireguard-client

Hassio Add-On Wireguard Client
MIT License

HA seems not accessible from inside vpn #32

Closed ziriuz84 closed 1 year ago

ziriuz84 commented 1 year ago

Problem/Motivation

I installed the latest version of Hassio on my Raspberry Pi 2. I tried to install the add-on from the HA store using your repo and compiled the config as it was before (I already had a HA installation on this RPi 2 using the Docker image). If I try to run the plugin, it says that it can't set a variable and it deletes the link, route and iptables rules it added.

Expected behavior

It connects to my WireGuard server on my VPS and it's accessible from my VPN.

Actual behavior

It turns off the connection because it can't set a variable, and it says this:

[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system

This is the complete log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 

-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.2.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 11.1  (armv7 / raspberrypi2)
 Home Assistant Core: 2023.11.2
 Home Assistant Supervisor: 2023.11.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[21:07:31] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[21:07:32] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add y.y.y.y/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[21:08:02] INFO: Requesting current status from WireGuard Client...
[21:08:32] INFO: Requesting current status from WireGuard Client...

Steps to reproduce

I simply run the add-on with this config:

interface:
  private_key: <hidden>
  address: y.y.y.y
  dns:
    - y.y.y.z
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: <hidden>
    pre_shared_key: <hidden>
    endpoint: x.x.x.x:51830
    allowed_ips:
      - 0.0.0.0/0
    persistent_keep_alive: "25"

The old config file was:

[Interface]
PrivateKey = <hidden>
Address = y.y.y.y/24,<ipv6 address>/64
DNS = y.y.y.z

[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
Endpoint = x.x.x.x:51830
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepAlive = 25

ziriuz84 commented 1 year ago

It seems that the problem is the catch-all on allowed IPs; I added defined subnets and it works. Maybe it's a good idea to add a note in your how-to or in the README.
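To make the catch-all finding checkable before the add-on starts, here is an added example (not part of the original issue, the add-on or wg-quick): a small Python checker that reads a wg-quick style config, collects the AllowedIPs entries and reports whether any /0 entry will send wg-quick down its default-route path (fwmark table, `suppress_prefixlength 0` rules and, for IPv4, the `sysctl net.ipv4.conf.all.src_valid_mark=1` call that failed with "Read-only file system" in the log above). The two sample configs are constructed, with addresses in place of the redacted values.

```python
import ipaddress

# Constructed sample in the shape of the issue's old config (keys redacted as on the page).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <hidden>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <hidden>
Endpoint = x.x.x.x:51830
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepAlive = 25
"""

# Constructed variant with a defined subnet instead of the catch-all, as the reporter did.
FIXED_CONF = SAMPLE_CONF.replace("AllowedIPs = 0.0.0.0/0, ::0/0", "AllowedIPs = 10.8.0.0/24")


def allowed_ips(conf: str) -> list:
    """Collect every AllowedIPs entry from all [Peer] sections of a wg-quick config."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() != "allowedips":
            continue
        for item in value.split(","):
            item = item.strip()
            if item:
                # strict=False tolerates host bits such as 10.8.0.2/24
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def catch_all(nets: list) -> list:
    """Entries wg-quick treats as a default route: any /0 prefix (0.0.0.0/0, ::/0)."""
    return [n for n in nets if n.prefixlen == 0]


def check(conf: str) -> dict:
    """Report whether wg-quick will take the fwmark/default-route path for this config."""
    nets = allowed_ips(conf)
    defaults = catch_all(nets)
    return {
        "allowed_ips": [str(n) for n in nets],
        "default_route": bool(defaults),
        # wg-quick runs `sysctl -q net.ipv4.conf.all.src_valid_mark=1` only for an
        # IPv4 default route, so only that case needs a writable /proc/sys.
        "needs_writable_proc_sys": any(n.version == 4 for n in defaults),
    }
```

Running `check(SAMPLE_CONF)` flags the catch-all config, while `check(FIXED_CONF)` shows that a defined subnet takes the plain `ip route add` path and never touches the sysctl.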

bigmoby commented 1 year ago

Hi @ziriuz84, thank you for your hint, and please feel free to contribute to this project with a PR. As you suggested, a note in the README file could be a perfect solution. Thanks