binhex / arch-rtorrentvpn

Docker build script for Arch Linux base with ruTorrent, rTorrent, autodl-irssi, Privoxy and OpenVPN
GNU General Public License v3.0

Container run errors with PIA/Wireguard #166

Closed act28 closed 3 years ago

act28 commented 3 years ago

Wireguard interface did not come up. Device not found.

altairrrr commented 3 years ago

Same error for me when using wireguard and pia:

2020-12-08 16:23:11,506 DEBG 'start-script' stdout output: [info] Attempting to bring WireGuard interface 'up'...

2020-12-08 16:23:11,576 DEBG 'start-script' stderr output: Warning: `/config/wireguard/wg0.conf' is world accessible

2020-12-08 16:23:11,586 DEBG 'start-script' stderr output: [#] ip link add wg0 type wireguard

2020-12-08 16:23:11,589 DEBG 'start-script' stderr output: RTNETLINK answers: Operation not supported

2020-12-08 16:23:11,593 DEBG 'start-script' stderr output: Unable to access interface: Protocol not supported

2020-12-08 16:23:11,595 DEBG 'start-script' stderr output: [#] ip link delete dev wg0

2020-12-08 16:23:11,606 DEBG 'start-script' stderr output: Cannot find device "wg0"

2020-12-08 16:23:11,609 DEBG 'start-script' stdout output: [warn] WireGuard interface failed to come 'up', exit code is '1'

2020-12-08 16:23:13,202 DEBG fd 11 closed, stopped monitoring <POutputDispatcher at 140321434388656 for <Subprocess at 140321434387984 with name pyrocore-script in state RUNNING> (stdout)>

2020-12-08 16:23:13,202 DEBG fd 15 closed, stopped monitoring <POutputDispatcher at 140321434505808 for <Subprocess at 140321434387984 with name pyrocore-script in state RUNNING> (stderr)>

2020-12-08 16:23:13,202 INFO exited: pyrocore-script (exit status 0; expected)

2020-12-08 16:23:13,202 DEBG received SIGCHLD indicating a child quit

binhex commented 3 years ago

2020-12-08 16:23:11,589 DEBG 'start-script' stderr output: RTNETLINK answers: Operation not supported

2020-12-08 16:23:11,593 DEBG 'start-script' stderr output: Unable to access interface: Protocol not supported

this is indicative of an old kernel; if you are running a kernel older than 5.6 then you will need to load in the required modules to support wireguard.

altairrrr commented 3 years ago

Indeed, I'm trying to run the container on Synology and the kernel is 4.4.59. I managed to load the module using https://github.com/runfalk/synology-wireguard. However, there seems to be another problem (sorry for hijacking the thread, I'm not sure if it's related). The version of iptables on my NAS is 1.6.0.

2020-12-08 17:55:20,039 DEBG 'start-script' stdout output: [info] Attempting to bring WireGuard interface 'up'...

2020-12-08 17:55:20,106 DEBG 'start-script' stderr output: Warning: `/config/wireguard/wg0.conf' is world accessible

2020-12-08 17:55:20,118 DEBG 'start-script' stderr output: [#] ip link add wg0 type wireguard

2020-12-08 17:55:20,123 DEBG 'start-script' stderr output: [#] wg setconf wg0 /dev/fd/63

2020-12-08 17:55:20,131 DEBG 'start-script' stderr output: [#] ip -4 address add 10.11.134.106 dev wg0

2020-12-08 17:55:20,152 DEBG 'start-script' stderr output: [#] ip link set mtu 1420 up dev wg0

2020-12-08 17:55:20,217 DEBG 'start-script' stderr output: [#] wg set wg0 fwmark 51820

2020-12-08 17:55:20,223 DEBG 'start-script' stderr output: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820

2020-12-08 17:55:20,225 DEBG 'start-script' stderr output: [#] ip -4 rule add not fwmark 51820 table 51820

2020-12-08 17:55:20,229 DEBG 'start-script' stderr output: [#] ip -4 rule add table main suppress_prefixlength 0

2020-12-08 17:55:20,236 DEBG 'start-script' stderr output: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1

2020-12-08 17:55:20,273 DEBG 'start-script' stderr output: [#] iptables-restore -n

2020-12-08 17:55:20,277 DEBG 'start-script' stderr output: iptables-restore v1.8.5 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2020-12-08 17:55:20,288 DEBG 'start-script' stderr output: [#] ip -4 rule delete table 51820

2020-12-08 17:55:20,305 DEBG 'start-script' stderr output: [#] ip -4 rule delete table main suppress_prefixlength 0

2020-12-08 17:55:20,320 DEBG 'start-script' stderr output: [#] ip link delete dev wg0

2020-12-08 17:55:20,357 DEBG 'start-script' stdout output: [warn] WireGuard interface failed to come 'up', exit code is '1'

ankarhem commented 3 years ago

I have tried this on my 918+ as well. Had the same issue. I gave up on it eventually.

act28 commented 3 years ago

> this is indicative of an old kernel; if you are running a kernel older than 5.6 then you will need to load in the required modules to support wireguard.

Well, that's disappointing that 5.4 LTS isn't supported... even though my distro does have wireguard-dkms enabled...

# dkms install wireguard/1.0.20201112
Module wireguard/1.0.20201112 already installed on kernel 5.4.80-2-MANJARO/x86_64

altairrrr commented 3 years ago

@act28 There may be hope for you yet! I'm using the same distro and same kernel version on my PC, I'm having the same output for the command you mentioned and yet the container is running perfectly fine for me using wireguard!

@binhex if you don't have time, can you point us in a direction to look in the code for synology users? It seems that the script is running fine until one of the last steps, the iptables-restore command.. Thank you for your help. It's a real advantage using wireguard as the speeds are x3-4 faster. Also should we create another ticket as @act28 is trying to run the container on another OS?

binhex commented 3 years ago

> if you don't have time, can you point us in a direction to look in the code for synology users? It seems that the script is running fine until one of the last steps, the iptables-restore command..

is the iptables-restore command shown in your wireguard config file? if so, try removing it.

altairrrr commented 3 years ago

> is the iptables-restore command shown in your wireguard config file? if so, try removing it.

If we are talking about the wg0.conf created from the container then no, for the interface there is only the address, private key, postUp and postDown (wireguardup.sh and wireguarddown.sh)

binhex commented 3 years ago

i see it occurring in my log (successfully) too, so it must be part of wireguard init, ok can you confirm you have set the container to privileged and added in the required flag to your docker run command:- --sysctl="net.ipv4.conf.all.src_valid_mark=1"

altairrrr commented 3 years ago

Yes, I've added the required flags in the run command

--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--privileged=true \

and inside Docker GUI in Synology it's correctly showing as executed using high privilege

binhex commented 3 years ago

i'm out of ideas for now then, i can confirm it works fine on the vast majority of people's systems, so this has to be something related to synology, perhaps you are still missing certain kernel modules, see here:- https://forums.gentoo.org/viewtopic-t-658895-start-0.html

binhex commented 3 years ago

similar issue for LSIO docker image running wireguard for Synology user:- https://github.com/linuxserver/docker-wireguard/issues/60

altairrrr commented 3 years ago

Ok, thank you! It's really annoying, fingers crossed with DSM 7 there will be some improvements...

ankarhem commented 3 years ago

This seems like a similar issue? (that was resolved) Unfortunately I am too unknowledgeable with this to pursue it further.
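
An added triage sketch for the failures quoted in this thread (not part of the original discussion and not code from binhex/arch-rtorrentvpn): it checks the 5.6 kernel threshold binhex mentions, flags a wg0.conf readable by others (the file holds the private key), and labels the log errors seen above. The function names and labels are hypothetical, and treating the 'raw' table error as a missing host kernel module is an assumption that follows binhex's suggestion.

```shell
#!/usr/bin/env bash
# Added example: triage of the WireGuard start-up failures quoted in this thread.

# Succeed when the kernel release is 5.6 or newer (threshold given in the thread).
kernel_has_wireguard() {
    local release="${1:-$(uname -r)}" major minor
    major="${release%%.*}"
    minor="${release#*.}"; minor="${minor%%[!0-9]*}"
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 6 ]; }
}

# Succeed when FILE grants nothing to "other"; wg0.conf holds the private key.
# Assumes a stat that supports -c (GNU coreutils or BusyBox).
config_is_private() {
    local mode
    mode="$(stat -c '%a' "$1")" || return 2
    [ $(( 0$mode & 07 )) -eq 0 ]
}

# Read a container log on stdin and print one label per recognised error.
classify_wg_log() {
    local line found=0
    while IFS= read -r line; do
        case "$line" in
            *"RTNETLINK answers: Operation not supported"*)
                echo "wireguard-module-missing"; found=1 ;;
            *"unable to initialize table 'raw'"*)
                # Assumption: the host kernel lacks the iptables raw table module.
                echo "iptables-raw-table-unavailable"; found=1 ;;
            *"is world accessible"*)
                echo "config-world-accessible"; found=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || echo "unrecognised"
}

# Log lines copied from the second failure reported in the thread.
SAMPLE_LOG="stderr output: Warning: \`/config/wireguard/wg0.conf' is world accessible
stderr output: iptables-restore v1.8.5 (legacy): iptables-restore: unable to initialize table 'raw'"

printf '%s\n' "$SAMPLE_LOG" | classify_wg_log
# Host check: a pre-5.6 kernel can still work if the module is already loaded.
if kernel_has_wireguard || [ -d /sys/module/wireguard ]; then
    echo "wireguard support: present"
else
    echo "wireguard support: load the module on the host first"
fi
```

Run it on the Docker host rather than inside the container, since the container shares the host kernel and its modules.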