Open paradozed opened 2 years ago
timrettop
commented
2 years ago I'm running into this issue as well, in this post, it suggests to use:
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 However I'm still looking into whether this value can be set manually, as it looks like it gets overwritten when the container starts.
timrettop
commented
2 years ago It seems line 106 from here https://github.com/binhex/arch-int-vpn/blob/master/run/root/wireguard.sh is what sets the AllowedIPs to 0.0.0.0/0 each time the container starts.
@binhex would you support a PR to make that a configurable option? I can try working on it if so.
timrettop
commented
2 years ago I've created a branch supporting this parameter support, however after testing further its not helpful, the wireguard connection is not reliably working which is also reported here: https://github.com/runfalk/synology-wireguard/issues/124#issuecomment-1057495451
I think its almost impossible to use wireguard on synology unless you have an older version of DSM :(
DevinCampbell
commented
2 years ago I'm having this same issue on a Ubuntu 21.10 host using docker-compose.
docker-compose.yml file:
networks:
br0:
driver: bridge
services:
deluge:
container_name: deluge
env_file: deluge.env
hostname: deluge
image: binhex/arch-delugevpn
networks:
- br0
ports:
- 8112:8112
- 58846:58846
- 58946:58946
privileged: true
restart: unless-stopped
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
volumes:
- '/data:/data'
- '/config:/config'
- '/etc/localtime:/etc/localtime:ro'deluge.env file:
VPN_ENABLED=yes
VPN_USER=username
VPN_PASS=password
VPN_PROV=pia
VPN_CLIENT=wireguard
STRICT_PORT_FORWARD=yes
ENABLE_PRIVOXY=no
LAN_NETWORK=192.168.0.0/23
NAME_SERVERS=84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1
DELUGE_DAEMON_LOG_LEVEL=none
DELUGE_WEB_LOG_LEVEL=none
DEBUG=false
UMASK=002
PUID=1004
PGID=1001Log:
Created by...
___. .__ .__
\_ |__ |__| ____ | |__ ____ ___ ___
| __ \| |/ \| | \_/ __ \\ \/ /
| \_\ \ | | \ Y \ ___/ > <
|___ /__|___| /___| /\___ >__/\_ \
\/ \/ \/ \/ \/
https://hub.docker.com/u/binhex/
2022-05-22 17:51:52.784451 [info] System information Linux deluge 5.13.0-41-generic #46-Ubuntu SMP Thu Apr 14 20:06:04 UTC 2022 x86_64 GNU/Linux
2022-05-22 17:51:52.831901 [info] OS_ARCH defined as 'x86-64'
2022-05-22 17:51:52.882476 [info] PUID defined as '1004'
2022-05-22 17:51:52.933319 [info] PGID defined as '1001'
2022-05-22 17:51:52.996518 [info] UMASK defined as '002'
2022-05-22 17:51:53.044002 [info] Permissions already set for '/config'
2022-05-22 17:51:53.093873 [info] Deleting files in /tmp (non recursive)...
2022-05-22 17:51:53.145371 [info] VPN_ENABLED defined as 'yes'
2022-05-22 17:51:53.196439 [info] VPN_CLIENT defined as 'wireguard'
2022-05-22 17:51:53.237144 [info] VPN_PROV defined as 'pia'
2022-05-22 17:51:53.505036 [info] WireGuard config file (conf extension) is located at /config/wireguard/wg0.conf
2022-05-22 17:51:53.575221 [info] VPN_REMOTE_SERVER defined as 'nl-amsterdam.privacy.network'
2022-05-22 17:51:53.668834 [info] VPN_REMOTE_PORT defined as '1337'
2022-05-22 17:51:53.711749 [info] VPN_DEVICE_TYPE defined as 'wg0'
2022-05-22 17:51:53.747307 [info] VPN_REMOTE_PROTOCOL defined as 'udp'
2022-05-22 17:51:53.797309 [info] LAN_NETWORK defined as '192.168.0.0/23'
2022-05-22 17:51:53.853409 [info] NAME_SERVERS defined as '84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1'
2022-05-22 17:51:53.935298 [info] VPN_USER defined as 'username'
2022-05-22 17:51:53.986547 [info] VPN_PASS defined as 'password'
2022-05-22 17:51:54.030382 [info] STRICT_PORT_FORWARD defined as 'yes'
2022-05-22 17:51:54.112460 [info] ENABLE_PRIVOXY defined as 'no'
2022-05-22 17:51:54.167445 [info] VPN_INPUT_PORTS not defined (via -e VPN_INPUT_PORTS), skipping allow for custom incoming ports
2022-05-22 17:51:54.209453 [info] VPN_OUTPUT_PORTS not defined (via -e VPN_OUTPUT_PORTS), skipping allow for custom outgoing ports
2022-05-22 17:51:54.250036 [info] DELUGE_DAEMON_LOG_LEVEL defined as 'none'
2022-05-22 17:51:54.297110 [info] DELUGE_WEB_LOG_LEVEL defined as 'none'
2022-05-22 17:51:54.347256 [info] Starting Supervisor...
2022-05-22 17:51:54,677 INFO Included extra file "/etc/supervisor/conf.d/delugevpn.conf" during parsing
2022-05-22 17:51:54,678 INFO Set uid to user 0 succeeded
2022-05-22 17:51:54,680 INFO supervisord started with pid 7
2022-05-22 17:51:55,683 INFO spawned: 'shutdown-script' with pid 159
2022-05-22 17:51:55,685 INFO spawned: 'start-script' with pid 160
2022-05-22 17:51:55,687 INFO spawned: 'watchdog-script' with pid 161
2022-05-22 17:51:55,687 INFO reaped unknown pid 8 (exit status 0)
2022-05-22 17:51:55,695 DEBG 'start-script' stdout output:
[info] VPN is enabled, beginning configuration of VPN
2022-05-22 17:51:55,695 INFO success: shutdown-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2022-05-22 17:51:55,695 INFO success: start-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2022-05-22 17:51:55,695 INFO success: watchdog-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2022-05-22 17:51:55,699 DEBG 'start-script' stdout output:
[info] Adding 84.200.69.80 to /etc/resolv.conf
2022-05-22 17:51:55,704 DEBG 'start-script' stdout output:
[info] Adding 37.235.1.174 to /etc/resolv.conf
2022-05-22 17:51:55,707 DEBG 'start-script' stdout output:
[info] Adding 1.1.1.1 to /etc/resolv.conf
2022-05-22 17:51:55,711 DEBG 'start-script' stdout output:
[info] Adding 37.235.1.177 to /etc/resolv.conf
2022-05-22 17:51:55,715 DEBG 'start-script' stdout output:
[info] Adding 84.200.70.40 to /etc/resolv.conf
2022-05-22 17:51:55,719 DEBG 'start-script' stdout output:
[info] Adding 1.0.0.1 to /etc/resolv.conf
2022-05-22 17:51:55,884 DEBG 'start-script' stdout output:
[info] Attempting to load iptable_mangle module...
2022-05-22 17:51:55,886 DEBG 'start-script' stderr output:
modprobe: FATAL: Module iptable_mangle not found in directory /lib/modules/5.13.0-41-generic
2022-05-22 17:51:55,886 DEBG 'start-script' stdout output:
[warn] Unable to load iptable_mangle module using modprobe, trying insmod...
2022-05-22 17:51:55,888 DEBG 'start-script' stderr output:
insmod: ERROR: could not load module /lib/modules/iptable_mangle.ko: No such file or directory
2022-05-22 17:51:55,888 DEBG 'start-script' stdout output:
[warn] Unable to load iptable_mangle module, you will not be able to connect to the applications Web UI or Privoxy outside of your LAN
2022-05-22 17:51:55,889 DEBG 'start-script' stdout output:
[info] unRAID/Ubuntu users: Please attempt to load the module by executing the following on your host: '/sbin/modprobe iptable_mangle'
[info] Synology users: Please attempt to load the module by executing the following on your host: 'insmod /lib/modules/iptable_mangle.ko'
2022-05-22 17:51:56,267 DEBG 'start-script' stdout output:
[info] Token generated for PIA wireguard authentication
2022-05-22 17:51:56,316 DEBG 'start-script' stdout output:
[info] Trying to connect to the PIA WireGuard API on 'nl-amsterdam.privacy.network'...
2022-05-22 17:51:56,919 DEBG 'start-script' stdout output:
[info] Default route for container is 172.18.0.1
2022-05-22 17:51:56,941 DEBG 'start-script' stdout output:
[info] Docker network defined as 172.18.0.0/16
2022-05-22 17:51:56,947 DEBG 'start-script' stdout output:
[info] Adding 192.168.0.0/23 as route via docker eth0
2022-05-22 17:51:56,949 DEBG 'start-script' stderr output:
RTNETLINK answers: Operation not permitted
2022-05-22 17:51:56,949 DEBG 'start-script' stdout output:
[info] ip route defined as follows...
--------------------
2022-05-22 17:51:56,952 DEBG 'start-script' stdout output:
default via 172.18.0.1 dev eth0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.6
2022-05-22 17:51:56,952 DEBG 'start-script' stdout output:
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.18.0.0 dev eth0 table local proto kernel scope link src 172.18.0.6
local 172.18.0.6 dev eth0 table local proto kernel scope host src 172.18.0.6
broadcast 172.18.255.255 dev eth0 table local proto kernel scope link src 172.18.0.6
2022-05-22 17:51:56,952 DEBG 'start-script' stdout output:
--------------------
2022-05-22 17:51:56,964 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,970 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,973 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,979 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,981 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,987 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,990 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,996 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:56,998 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,000 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,008 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,010 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,013 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,014 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,016 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,022 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,028 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,031 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,036 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,038 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,044 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,047 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,053 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,055 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,057 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,065 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,067 DEBG 'start-script' stderr output:
getsockopt failed strangely: Operation not permitted
2022-05-22 17:51:57,069 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,071 DEBG 'start-script' stderr output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,071 DEBG 'start-script' stdout output:
[info] iptables defined as follows...
--------------------
2022-05-22 17:51:57,073 DEBG 'start-script' stdout output:
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
2022-05-22 17:51:57,075 DEBG 'start-script' stdout output:
--------------------
2022-05-22 17:51:57,079 DEBG 'start-script' stdout output:
[info] Attempting to bring WireGuard interface 'up'...
2022-05-22 17:51:57,094 DEBG 'start-script' stderr output:
Warning: `/config/wireguard/wg0.conf' is world accessible
2022-05-22 17:51:57,101 DEBG 'start-script' stderr output:
[#] ip link add wg0 type wireguard
2022-05-22 17:51:57,103 DEBG 'start-script' stderr output:
RTNETLINK answers: Operation not permitted
2022-05-22 17:51:57,105 DEBG 'start-script' stderr output:
Unable to access interface: Operation not permitted
2022-05-22 17:51:57,106 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0
2022-05-22 17:51:57,108 DEBG 'start-script' stderr output:
Cannot find device "wg0"
2022-05-22 17:51:57,108 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'Did you attempt to load the modules?
2022-05-22 17:51:55,889 DEBG 'start-script' stdout output: [info] unRAID/Ubuntu users: Please attempt to load the module by executing the following on your host: '/sbin/modprobe iptable_mangle' [info] Synology users: Please attempt to load the module by executing the following on your host: 'insmod /lib/modules/iptable_mangle.ko'
DevinCampbell
commented
2 years ago /sbin/modprobe iptable_mangle
That works actually. Thanks.
Siel
commented
2 years ago @timrettop did you manage to get it working?, I'm using a Synology DS220+ with DSM 7.1 and I'm stuck exactly at the same point you reported in your comment :(
rumblemumble
commented
2 years ago on 7.1 and 7.0x I use this:
my peers get IPs in 10.10.20.x
my IP range for local devices is 10.10.10.x
if I add 10.10.10.0/24, 10.10.20.0/24 in the conf instead of 0.0.0.0/1 it works for me
krizzo
commented
2 years ago Make sure the container's host machine has the wireguard module installed.
For RHEL/Centos/Rocky
sudo dnf install elrepo-release epel-release
sudo dnf install kmod-wireguard wireguard-tools
adamkhalaf
commented
1 year ago Make sure the container's host machine has the wireguard module installed.
This is not possible in Synology's DSM
SnowDrifterr
commented
1 year ago Make sure the container's host machine has the wireguard module installed.
This is not possible in Synology's DSM
Install wireguard for DSM https://github.com/runfalk/synology-wireguard
Install the PIA-WG container https://github.com/thrnz/docker-wireguard-pia
Pass deluge through like this
Services deluge: image: binhex/arch-delugevpn container_name: deluge network_mode: service:piavpn environment:
VPN_ENABLED=no
depends_on: mediadownload: condition: service_healthy . . . piavpn: image: thrnz/docker-wireguard-pia container_name: piavpn ports:
And you're set to go
alllexx88
commented
1 year ago I got this sorted out for DS923+ with DSM 7.1. I had to additionally build and load (together with iptable_mangle) the following kernel modules:
iptable_raw.ko
xt_comment.ko
xt_connmark.koHere're short instructions on doing this:
iptable_raw.c, xt_comment.c and xt_connmark.c to source dir in your chroot (in my case it was build_env/ds.r1000-7.1/source) from then kernel source code (https://cdn.kernel.org/pub/linux/kernel) according to your kernel version (can check it with uname -a on your NAS). For me it was
linux-4.4.180/net/ipv4/netfilter/iptable_raw.c
linux-4.4.180/net/netfilter/xt_comment.c
linux-4.4.180/net/netfilter/xt_connmark.csource dir create a file named Makefile with the following content (adjust KSRC=... according to the path in your chroot):
.PHONY: all cleankernel_mod = iptable_raw.ko xt_comment.ko xt_connmark.ko
all: $(kernel_mod)
obj-m := iptable_raw.o xt_comment.o xt_connmark.o
KSRC=/usr/local/x86_64-pc-linux-gnu/x86_64-pc-linux-gnu/sys-root/usr/lib/modules/DSM-7.1/build
$(kernel_mod): make -C $(KSRC) M=$(PWD) modules
clean: rm -rf .o $(kernel_mod) .cmd
4. Chroot and build the modules:chroot build_env/ds.r1000-7.1 # adjust in accordance to your platform name cd /source make
This will build `iptable_raw.ko xt_comment.ko xt_connmark.ko`, copy them to your NAS and load each with `insmod`. And don't forget to `modprobe iptable_mangle`. Now docker should start fine. I only tested this on my NAS, but the approach should work for other NASes and DSM versions.
TopNugs
commented
1 year ago No Synology here (no idea what that even is) but I am receiving an error, I think the main error is this: Warning: `/config/wireguard/wg0.conf' is world accessible I have changed my wireguard conf file to chmod 600 like asked to but then it changes itself back every time delugevpn is run...
Please help me.
text error warn system array login
iptable_mangle 16384 1 ip_tables 28672 4 iptable_filter,iptable_raw,iptable_nat,iptable_mangle x_tables 45056 19 ip6table_filter,xt_conntrack,iptable_filter,ip6table_nat,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,xt_comment,ip6_tables,ipt_REJECT,xt_connmark,iptable_raw,ip_tables,iptable_nat,ip6table_mangle,xt_MASQUERADE,iptable_mangle,xt_mark
2023-04-30 13:50:28,491 DEBG 'start-script' stdout output: [info] iptable_mangle support detected, adding fwmark for tables
2023-04-30 13:50:28,528 DEBG 'start-script' stdout output: -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP -A INPUT -s 198.55.124.114/32 -i eth0 -j ACCEPT -A INPUT -s 208.94.148.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.124.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.126.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.125.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.127.2/32 -i eth0 -j ACCEPT -A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 8112 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 8112 -j ACCEPT -A INPUT -s 192.168.254.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -m tcp --dport 58846 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i wg0 -j ACCEPT -A OUTPUT -d 198.55.124.114/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.94.148.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.124.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.126.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.125.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.127.2/32 -o eth0 -j ACCEPT -A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --sport 8112 -j ACCEPT -A OUTPUT -o eth0 -p udp -m udp --sport 8112 -j ACCEPT -A OUTPUT -s 172.17.0.0/16 -d 192.168.254.0/24 -o eth0 -p tcp -m tcp --sport 58846 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o wg0 -j ACCEPT
2023-04-30 13:50:28,539 DEBG 'start-script' stdout output: [info] Attempting to bring WireGuard interface 'up'...
2023-04-30 13:50:28,560 DEBG 'start-script' stderr output: Warning: `/config/wireguard/wg0.conf' is world accessible
2023-04-30 13:50:28,567 DEBG 'start-script' stderr output: [#] ip link add wg0 type wireguard
2023-04-30 13:50:28,569 DEBG 'start-script' stderr output: [#] wg setconf wg0 /dev/fd/63
2023-04-30 13:50:28,578 DEBG 'start-script' stderr output: [#] ip -4 address add 172.16.227.221/32 dev wg0
2023-04-30 13:50:28,584 DEBG 'start-script' stderr output: [#] ip link set mtu 1420 up dev wg0
2023-04-30 13:50:28,587 DEBG 'start-script' stderr output: [#] resolvconf -a wg0 -m 0 -x
2023-04-30 13:50:28,597 DEBG 'start-script' stderr output: could not detect a useable init system
2023-04-30 13:50:28,686 DEBG 'start-script' stderr output: [#] wg set wg0 fwmark 51820
2023-04-30 13:50:28,687 DEBG 'start-script' stderr output: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
2023-04-30 13:50:28,688 DEBG 'start-script' stderr output: [#] ip -4 rule add not fwmark 51820 table 51820
2023-04-30 13:50:28,690 DEBG 'start-script' stderr output: [#] ip -4 rule add table main suppress_prefixlength 0
2023-04-30 13:50:28,693 DEBG 'start-script' stderr output: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
2023-04-30 13:50:28,697 DEBG 'start-script' stderr output: [#] iptables-restore -n
2023-04-30 13:50:28,700 DEBG 'start-script' stderr output: [#] '/root/wireguardup.sh'
Brandoskey
commented
11 months ago No Synology here (no idea what that even is) but I am receiving an error, I think the main error is this: Warning: `/config/wireguard/wg0.conf' is world accessible I have changed my wireguard conf file to chmod 600 like asked to but then it changes itself back every time delugevpn is run...
Please help me.
text error warn system array login
iptable_mangle 16384 1 ip_tables 28672 4 iptable_filter,iptable_raw,iptable_nat,iptable_mangle x_tables 45056 19 ip6table_filter,xt_conntrack,iptable_filter,ip6table_nat,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,xt_comment,ip6_tables,ipt_REJECT,xt_connmark,iptable_raw,ip_tables,iptable_nat,ip6table_mangle,xt_MASQUERADE,iptable_mangle,xt_mark
2023-04-30 13:50:28,491 DEBG 'start-script' stdout output: [info] iptable_mangle support detected, adding fwmark for tables
2023-04-30 13:50:28,527 DEBG 'start-script' stdout output:
[info] iptables defined as follows... 2023-04-30 13:50:28,528 DEBG 'start-script' stdout output: -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP -A INPUT -s 198.55.124.114/32 -i eth0 -j ACCEPT -A INPUT -s 208.94.148.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.124.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.126.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.125.2/32 -i eth0 -j ACCEPT -A INPUT -s 208.80.127.2/32 -i eth0 -j ACCEPT -A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 8112 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 8112 -j ACCEPT -A INPUT -s 192.168.254.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -m tcp --dport 58846 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i wg0 -j ACCEPT -A OUTPUT -d 198.55.124.114/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.94.148.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.124.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.126.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.125.2/32 -o eth0 -j ACCEPT -A OUTPUT -d 208.80.127.2/32 -o eth0 -j ACCEPT -A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --sport 8112 -j ACCEPT -A OUTPUT -o eth0 -p udp -m udp --sport 8112 -j ACCEPT -A OUTPUT -s 172.17.0.0/16 -d 192.168.254.0/24 -o eth0 -p tcp -m tcp --sport 58846 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o wg0 -j ACCEPT
2023-04-30 13:50:28,529 DEBG 'start-script' stdout output:
2023-04-30 13:50:28,539 DEBG 'start-script' stdout output: [info] Attempting to bring WireGuard interface 'up'...
2023-04-30 13:50:28,560 DEBG 'start-script' stderr output: Warning: `/config/wireguard/wg0.conf' is world accessible
2023-04-30 13:50:28,567 DEBG 'start-script' stderr output: [#] ip link add wg0 type wireguard
2023-04-30 13:50:28,569 DEBG 'start-script' stderr output: [#] wg setconf wg0 /dev/fd/63
2023-04-30 13:50:28,578 DEBG 'start-script' stderr output: [#] ip -4 address add 172.16.227.221/32 dev wg0
2023-04-30 13:50:28,584 DEBG 'start-script' stderr output: [#] ip link set mtu 1420 up dev wg0
2023-04-30 13:50:28,587 DEBG 'start-script' stderr output: [#] resolvconf -a wg0 -m 0 -x
2023-04-30 13:50:28,597 DEBG 'start-script' stderr output: could not detect a useable init system
2023-04-30 13:50:28,686 DEBG 'start-script' stderr output: [#] wg set wg0 fwmark 51820
2023-04-30 13:50:28,687 DEBG 'start-script' stderr output: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
2023-04-30 13:50:28,688 DEBG 'start-script' stderr output: [#] ip -4 rule add not fwmark 51820 table 51820
2023-04-30 13:50:28,690 DEBG 'start-script' stderr output: [#] ip -4 rule add table main suppress_prefixlength 0
2023-04-30 13:50:28,693 DEBG 'start-script' stderr output: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
2023-04-30 13:50:28,697 DEBG 'start-script' stderr output: [#] iptables-restore -n
2023-04-30 13:50:28,700 DEBG 'start-script' stderr output: [#] '/root/wireguardup.sh'
Did you ever get it working? I too have the issue where the container stalls out at [#] '/root/wireguardup.sh'
occasionally it'll eventually start but without any networking. I'm getting the impression wireguard just doesn't work with this container.
I'm using Synology DSM 7.0 and a custom wireguard server. The wireguard interface fails to come up inside the container. It looks like an error with iptables.
Here is the log :