Wireguard fails to come up

jjbrunton commented 1 year ago

I am having an issue with the container, it isn't bringing the Wireguard interface up. I have given it Privileged mode as well as setting the sysctl line required in the documentation.

What am I missing?

023-01-24 21:48:01,788 DEBG 'start-script' stdout output:

[warn] WireGuard interface failed to come 'up', exit code is '1'

2023-01-24 21:48:31,792 DEBG 'start-script' stdout output:

[info] Attempting to bring WireGuard interface 'up'...

2023-01-24 21:48:31,799 DEBG 'start-script' stderr output:

Warning: `/config/wireguard/wg0.conf' is world accessible

2023-01-24 21:48:31,805 DEBG 'start-script' stderr output:

[#] ip link add wg0 type wireguard

2023-01-24 21:48:31,807 DEBG 'start-script' stderr output:

[#] wg setconf wg0 /dev/fd/63

2023-01-24 21:48:31,809 DEBG 'start-script' stderr output:

[#] ip -4 address add 10.29.144.218 dev wg0

2023-01-24 21:48:31,814 DEBG 'start-script' stderr output:

[#] ip link set mtu 1420 up dev wg0

2023-01-24 21:48:31,823 DEBG 'start-script' stderr output:

[#] wg set wg0 fwmark 51820

2023-01-24 21:48:31,823 DEBG 'start-script' stderr output:

[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820

2023-01-24 21:48:31,825 DEBG 'start-script' stderr output:

[#] ip -4 rule add not fwmark 51820 table 51820

2023-01-24 21:48:31,826 DEBG 'start-script' stderr output:

[#] ip -4 rule add table main suppress_prefixlength 0

2023-01-24 21:48:31,829 DEBG 'start-script' stderr output:

[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1

2023-01-24 21:48:31,830 DEBG 'start-script' stderr output:

sysctl: permission denied on key "net.ipv4.conf.all.src_valid_mark"

2023-01-24 21:48:31,834 DEBG 'start-script' stderr output:

[#] ip -4 rule delete table 51820

2023-01-24 21:48:31,839 DEBG 'start-script' stderr output:

[#] ip -4 rule delete table main suppress_prefixlength 0

2023-01-24 21:48:31,846 DEBG 'start-script' stderr output:

[#] ip link delete dev wg0

2023-01-24 21:48:32,004 DEBG 'start-script' stdout output:

[warn] WireGuard interface failed to come 'up', exit code is '1'

davemint commented 1 year ago

I am having the same issue.

`2023-02-01 14:06:43,223 DEBG 'start-script' stderr output:

sysctl: permission denied on key "net.ipv4.conf.all.src_valid_mark"

2023-02-01 14:06:43,224 DEBG 'start-script' stderr output:

[#] resolvconf -d wg0 -f

2023-02-01 14:06:43,228 DEBG 'start-script' stderr output:

could not detect a useable init system

2023-02-01 14:06:43,248 DEBG 'start-script' stderr output:

[#] ip -4 rule delete table 51820

2023-02-01 14:06:43,251 DEBG 'start-script' stderr output:

[#] ip -4 rule delete table main suppress_prefixlength 0

2023-02-01 14:06:43,255 DEBG 'start-script' stderr output:

[#] ip link delete dev wg0

2023-02-01 14:06:43,434 DEBG 'start-script' stdout output:

[warn] WireGuard interface failed to come 'up', exit code is '1'`

Will try OpenVPN for now.

Brandoskey commented 1 year ago

Same issue for me, using airvpn

elforesto commented 1 year ago

Same problem here. I suspect that it may be an issue with user permissions. Launching the container via CLI with sudo/root might work around it, but I haven't taken the time to test yet.

irishj commented 1 year ago

Same issue here, using PIA.

[info] VPN is enabled, beginning configuration of VPN

2023-04-11 20:54:35,143 INFO success: start-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2023-04-11 20:54:35,143 INFO success: watchdog-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2023-04-11 20:54:35,145 DEBG 'start-script' stdout output:
[info] Adding 9.9.9.9 to /etc/resolv.conf

2023-04-11 20:54:35,147 DEBG 'start-script' stdout output:
[info] Adding 149.112.112.112 to /etc/resolv.conf

2023-04-11 20:54:35,660 DEBG 'start-script' stdout output:
[info] Token generated for PIA wireguard authentication

2023-04-11 20:54:35,685 DEBG 'start-script' stdout output:
[info] Trying to connect to the PIA WireGuard API on 'nl-amsterdam.privacy.network'...

2023-04-11 20:54:36,110 DEBG 'start-script' stdout output:
[info] Default route for container is 172.17.0.1

2023-04-11 20:54:36,206 DEBG 'start-script' stdout output:
[info] Docker network defined as    172.17.0.0/16

2023-04-11 20:54:36,208 DEBG 'start-script' stdout output:
[info] Adding 192.168.0.0/24 as route via docker eth0

2023-04-11 20:54:36,209 DEBG 'start-script' stdout output:
[info] ip route defined as follows...
--------------------

2023-04-11 20:54:36,210 DEBG 'start-script' stdout output:
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3 
192.168.0.0/24 via 172.17.0.1 dev eth0 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 

2023-04-11 20:54:36,210 DEBG 'start-script' stdout output:
broadcast 172.17.0.0 dev eth0 table local proto kernel scope link src 172.17.0.3 
local 172.17.0.3 dev eth0 table local proto kernel scope host src 172.17.0.3 
broadcast 172.17.255.255 dev eth0 table local proto kernel scope link src 172.17.0.3 
unreachable default dev lo proto kernel metric 4294967295 error 4294967195 pref medium
unreachable default dev lo proto kernel metric 4294967295 error 4294967195 pref medium

2023-04-11 20:54:36,210 DEBG 'start-script' stdout output:
--------------------

2023-04-11 20:54:36,213 DEBG 'start-script' stdout output:
iptable_mangle          1656  1
ip_tables              13914  7 iptable_filter,iptable_mangle,iptable_nat
x_tables               16976  21 ip6table_filter,xt_ipvs,xt_iprange,xt_mark,xt_recent,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_geoip,xt_limit,xt_state,xt_conntrack,xt_LOG,xt_mac,xt_nat,xt_multiport,iptable_filter,xt_REDIRECT,iptable_mangle,ip6_tables,xt_addrtype

2023-04-11 20:54:36,213 DEBG 'start-script' stdout output:
[info] iptable_mangle support detected, adding fwmark for tables

2023-04-11 20:54:36,231 DEBG 'start-script' stdout output:
[info] iptables defined as follows...
--------------------

2023-04-11 20:54:36,232 DEBG 'start-script' stdout output:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 181.214.206.58/32 -i eth0 -j ACCEPT
-A INPUT -s 181.214.206.216/32 -i eth0 -j ACCEPT
-A INPUT -s 212.102.35.150/32 -i eth0 -j ACCEPT
-A INPUT -s 104.18.14.49/32 -i eth0 -j ACCEPT
-A INPUT -s 104.18.15.49/32 -i eth0 -j ACCEPT
-A INPUT -s 104.17.107.63/32 -i eth0 -j ACCEPT
-A INPUT -s 104.17.108.63/32 -i eth0 -j ACCEPT
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8112 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -m tcp --dport 58846 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -m tcp --dport 8118 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A OUTPUT -d 181.214.206.58/32 -o eth0 -j ACCEPT
-A OUTPUT -d 181.214.206.216/32 -o eth0 -j ACCEPT
-A OUTPUT -d 212.102.35.150/32 -o eth0 -j ACCEPT
-A OUTPUT -d 104.18.14.49/32 -o eth0 -j ACCEPT
-A OUTPUT -d 104.18.15.49/32 -o eth0 -j ACCEPT
-A OUTPUT -d 104.17.107.63/32 -o eth0 -j ACCEPT
-A OUTPUT -d 104.17.108.63/32 -o eth0 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8112 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 8112 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 192.168.0.0/24 -o eth0 -p tcp -m tcp --sport 58846 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 192.168.0.0/24 -o eth0 -p tcp -m tcp --sport 8118 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT

2023-04-11 20:54:36,233 DEBG 'start-script' stdout output:
--------------------

2023-04-11 20:54:36,235 DEBG 'start-script' stdout output:
[info] Attempting to bring WireGuard interface 'up'...

2023-04-11 20:54:36,242 DEBG 'start-script' stderr output:
Warning: `/config/wireguard/wg0.conf' is world accessible

2023-04-11 20:54:36,245 DEBG 'start-script' stderr output:
[#] ip link add wg0 type wireguard

2023-04-11 20:54:36,246 DEBG 'start-script' stderr output:
RTNETLINK answers: Operation not supported

2023-04-11 20:54:36,247 DEBG 'start-script' stderr output:
Unable to access interface: Protocol not supported

2023-04-11 20:54:36,247 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0

2023-04-11 20:54:36,249 DEBG 'start-script' stderr output:
Cannot find device "wg0"

2023-04-11 20:54:36,249 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'

Brandoskey commented 11 months ago

If you set AllowedIPs to 0.0.0.0/1 or practically anything but 0.0.0.0/0 it will come up. I still have the issue that my port forward on airvpn isn't connectable and I'm not sure how to get that working. Openvpn works fine

binhex / arch-delugevpn

Wireguard fails to come up #348