Closed tkdrob closed 2 years ago
Could you please provide your system information? ha info
My 0.5.0 snapshot saved the day.
crashed after yesterday's update. Has it happened to anyone else?
ERROR:(wg0) 2021/04/11 16:12:44 Failed to write packet to TUN device: write : input/output error
ERROR: (wg0) 2021/04/11 16:12:46 peer(uYkl…F9h4) - Failed to send handshake initiation: no known endpoint for peer
I am having the same problem, which breaks the tunnel after the upgrade.
$ ha info
arch: amd64
channel: stable
docker: 20.10.5
features:
- reboot
- shutdown
- services
- network
- hostname
hassos: null
homeassistant: 2021.4.3
hostname: server
logging: info
machine: qemux86-64
operating_system: Debian GNU/Linux 10 (buster)
state: running
supervisor: 2021.03.9
supported: true
supported_arch:
- amd64
- i386
timezone: Europe/Berlin
Log for 0.5.1:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...
-----------------------------------------------------------
Add-on: WireGuard
Fast, modern, secure VPN tunnel
-----------------------------------------------------------
Add-on version: 0.5.1
You are running the latest version of this add-on.
System: Debian GNU/Linux 10 (buster) (amd64 / qemux86-64)
Home Assistant Core: 2021.4.3
Home Assistant Supervisor: 2021.03.9
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:23:28] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌───────────────────────────────────────────────────┐
│ │
│ Running this software on Linux is unnecessary, │
│ because the Linux kernel has built-in first │
│ class support for WireGuard, which will be │
│ faster, slicker, and better integrated. For │
│ information on installing the kernel module, │
│ please visit: <https://wireguard.com/install>. │
│ │
└───────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/fd/63
Log for 0.5.0:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...
-----------------------------------------------------------
Add-on: WireGuard
Fast, modern, secure VPN tunnel
-----------------------------------------------------------
Add-on version: 0.5.0
There is an update available for this add-on!
Latest add-on version: 0.5.1
Please consider upgrading as soon as possible.
System: Debian GNU/Linux 10 (buster) (amd64 / qemux86-64)
Home Assistant Core: 2021.4.3
Home Assistant Supervisor: 2021.03.9
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:24:48] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌───────────────────────────────────────────────────┐
│ │
│ Running this software on Linux is unnecessary, │
│ because the Linux kernel has built-in first │
│ class support for WireGuard, which will be │
│ faster, slicker, and better integrated. For │
│ information on installing the kernel module, │
│ please visit: <https://wireguard.com/install>. │
│ │
└───────────────────────────────────────────────────┘
INFO: (wg0) 2021/04/12 09:24:48 Starting wireguard-go version 0.0.20201118
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
As @tkdrob mentioned, I checked the container and noticed (0.5.1):
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: wg0: <POINTOPOINT,MULTICAST,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 500
link/none
68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:1e:21:06 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.30.33.6/23 brd 172.30.33.255 scope global eth0
valid_lft forever preferred_lft forever
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ ps aux | grep resolvconf
839 root 0:00 grep resolvconf
After executing the commands from 0.5.0 (ip, resolvconf, iptables) the tunnel becomes usable.
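Added example (not part of the original thread and not the add-on's code): a small check that reads the add-on startup log and reports which backend started and which of the interface setup commands never ran. The step list is an assumption taken from the working logs posted in this thread (DNS and PostUp rules configured); the sample logs are abbreviated from those same posts.

```python
import re

# Commands the working logs in this thread show after "[#] ", in order.
# Assumption: DNS and PostUp rules are configured, as in those logs.
EXPECTED_STEPS = [
    ("setconf", r"^wg setconf "),
    ("address", r"^ip -[46] address add "),
    ("link_up", r"^ip link set mtu \d+ up dev "),
    ("dns", r"^resolvconf -a "),
    ("firewall", r"^iptables "),
]


def diagnose(log: str) -> dict:
    """Report which WireGuard backend started and which setup steps never ran."""
    commands = [m.group(1).strip()
                for m in re.finditer(r"^\[#\] (.+)$", log, re.M)]
    if any(c.startswith("wireguard-go ") for c in commands):
        backend = "userspace"   # kernel module missing, fallback was used
    elif any(re.match(r"ip link add \S+ type wireguard$", c) for c in commands):
        backend = "kernel"
    else:
        backend = "unknown"
    missing = [name for name, pattern in EXPECTED_STEPS
               if not any(re.search(pattern, c) for c in commands)]
    return {"backend": backend, "missing": missing, "tunnel_ready": not missing}


# Sample input: startup lines abbreviated from the logs posted in this thread.
START = "[#] ip link add wg0 type wireguard\n"
FALLBACK = """RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
"""
SETCONF = "[#] wg setconf wg0 /dev/fd/63\n"
POST_SETUP = """[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""
LOG_051_USERSPACE = START + FALLBACK + SETCONF               # broken tunnel
LOG_050_USERSPACE = START + FALLBACK + SETCONF + POST_SETUP  # working fallback
LOG_051_KERNEL = START + SETCONF + POST_SETUP                # host module installed

if __name__ == "__main__":
    for name, log in [("0.5.1 userspace", LOG_051_USERSPACE),
                      ("0.5.0 userspace", LOG_050_USERSPACE),
                      ("0.5.1 kernel", LOG_051_KERNEL)]:
        print(name, diagnose(log))
```

A log that reports the userspace backend with address, link_up, dns and firewall missing matches the 0.5.1 failure described above: wg0 exists but stays DOWN with no address and no forwarding rules.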
Got the same issue on my NUC. I am able to solve it with the proposed solution (running the 5.0 commands).
Can't run iptables -L, still not working here after update to 0.51
It seems like all cases here involve Debian 10. Have you guys installed the kernel modules for WireGuard on your host system?
It looks like all the cases here involve Debian 10. Have you installed the WireGuard kernel modules on your host system?
I just installed the plugin. I went back to version 0.50.
Ok, thanks for letting us know @pedrware... I guess 🤷‍♂️
I used the google translator, it was not well translated. I have been using an addon on HA for more than 4 months. I only had problems with version 0.51. What can I do to solve the problem?
Thanks
Ok, thanks for letting us know @pedrware... I guess
Indeed installing wireguard on the Host system solved the issue. I followed https://wiki.debian.org/SimplePrivateTunnelVPNWithWireGuard since wireguard was not installable directly.
The log now correctly shows the 5 commands from the PostUp and does not complain about the missing kernel modules any more:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...
-----------------------------------------------------------
Add-on: WireGuard
Fast, modern, secure VPN tunnel
-----------------------------------------------------------
Add-on version: 0.5.1
You are running the latest version of this add-on.
System: Debian GNU/Linux 10 (buster) (amd64 / qemux86-64)
Home Assistant Core: 2021.4.4
Home Assistant Supervisor: 2021.04.0
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[12:19:29] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Not sure what changed from 0.5.0 to 0.5.1 so that the "additional" kernel module is now required. But this resolves the issue for me. Thanks @frenck !
Hehe, well it should not be required, but it is a lot better when doing that (faster).
Wonder what goes wrong with the fallback method. Maybe it ain't a bad thing to remove the fallback and make the kernel module required to start with.
Ok, a little more information on this, since I was trying to troubleshoot it.
Seems like the problem is with wireguard and secure boot.
Checking installation:
# apt list wireguard
Listing... Done
wireguard/buster-backports,now 1.0.20210223-1~bpo10+1 all [installed]
When checking for kernel module:
# /sbin/modinfo wireguard
filename: /lib/modules/4.19.0-16-amd64/updates/dkms/wireguard.ko
intree: Y
alias: net-pf-16-proto-16-family-wireguard
alias: rtnl-link-wireguard
version: 1.0.20210219
author: Jason A. Donenfeld <Jason@zx2c4.com>
description: WireGuard secure network tunnel
license: GPL v2
srcversion: 768ECDF7EFCFA2F491F6008
depends: udp_tunnel,ip6_udp_tunnel
retpoline: Y
name: wireguard
vermagic: 4.19.0-16-amd64 SMP mod_unload modversions
Trying to add the module manually gives me the output:
# sudo modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Required key not available
I'm experiencing the same issue, but did select to create a snapshot prior to updating to 0.5.1. Now my question is, how can I restore this snapshot while the issue is being resolved?
I'm experiencing the same issue, but did select to create a snapshot prior to updating to 0.5.1. Now my question is, how can I restore this snapshot while the issue is being resolved?
Eventually managed to restore it but issue persists
I can confirm going from 5.0 to 5.1 broke my tunnels as well. I see the client sending packets, the server receives the packets but does not send packets, other than keepalives. I am running supervised on Debian 10 so installing wireguard on the native OS is really not an option to stay "healthy and supported" which is my goal. Backing down to a 5.0 snapshot fixed it.
System Health
version: core-2021.4.6
installation_type: Home Assistant Supervised
dev: false
hassio: true
docker: true
virtualenv: false
python_version: 3.8.7
os_name: Linux
os_version: 4.19.0-14-amd64
arch: x86_64
timezone: America/Chicago
GitHub API: ok
Github API Calls Remaining: 4924
Installed Version: 1.12.3
Stage: running
Available Repositories: 777
Installed Repositories: 11
host_os: Debian GNU/Linux 10 (buster)
update_channel: stable
supervisor_version: supervisor-2021.04.0
docker_version: 20.10.2
disk_total: 218.1 GB
disk_used: 10.3 GB
healthy: true
supported: true
supervisor_api: ok
version_api: ok
installed_addons: Backup Hassio to Google Drive (1.7.2), Dropbox Sync (1.3.0), Duck DNS (1.12.5), File editor (5.3.0), Log Viewer (0.10.2), RPC Shutdown (2.2), WireGuard (0.5.1), Mosquitto broker (5.1.1), SSH & Web Terminal (8.2.0), Samba share (9.3.1), TasmoAdmin (0.15.0), motionEye (0.12.0), AdGuard Home (4.0.0), Portainer (1.4.0), Glances (0.12.0), Check Home Assistant configuration (3.7.0), DHCP server (1.2), Network UPS Tools (0.6.2), Samba Backup (4.5.0)
dashboards: 1
resources: 4
views: 16
mode: storage
I am running supervised on Debian 10 so installing wireguard on the native OS is really not an option to stay "healthy and supported"
The previous reports show that installing the kernel module resolves the issue, as the addon wraps Wireguard, not sure what can be done. If you are concerned about support I would suggest using HassOS which has the support installed.
Indeed installing wireguard on the Host system solved the issue. I followed https://wiki.debian.org/SimplePrivateTunnelVPNWithWireGuard since wireguard was not installable directly.
I did the same on my Debian 10 and for me it did not solve the issue. The kernel modules are not "seen" from the container - like @vdiogo wrote above: the modprobe gives the following error:
# sudo modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Required key not available
In the logs I found this error:
[ERROR] plugin/errors: 2 a0d7b954-wireguard.local.hass.io. A: plugin/forward: no next plugin found
and also this one (but only if you connect from a device to the server):
ERROR: (wg0) Failed to write packet to TUN device: write : input/output error
I downgraded to 0.5.0 with a snapshot from March and with 0.5.0 everything works like a charm.
0.5.1 did break something.
[Edit] In the meantime I did find out what is needed to get the TUN-device on the host-system running:
This problem only exists when using SecureBoot. You need to sign the wireguard driver to use it as kernel module as explained here: Signing 3rd-party kernel modules
The question is: what has been changed from 0.5.0 to 0.5.1 that breaks the add-on without a) having wireguard on the host installed and b) signing the wireguard kernel module?
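Added example (not part of the original thread): a check of `modinfo` output for the signature fields that a signed module carries (`signer`, `sig_key`, `sig_hashalgo`). The `modinfo wireguard` output posted earlier in this thread has none of them, which is consistent with Secure Boot refusing to load the DKMS-built module. The function names and the signed sample with its signer name are constructed for illustration.

```python
def parse_modinfo(text: str) -> dict:
    """Parse `modinfo` output into {field: [values]}; fields like alias repeat."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue  # continuation of a multi-line value (signature hex dump)
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def assess_module(modinfo_text: str, modprobe_stderr: str = "") -> list:
    """Return findings that explain a module load failure under Secure Boot."""
    fields = parse_modinfo(modinfo_text)
    findings = []
    if "/updates/dkms/" in fields.get("filename", [""])[0]:
        findings.append("dkms-built")        # compiled locally on the host
    signed = any(fields.get("signer", [])) or any(fields.get("sig_key", []))
    if not signed:
        findings.append("unsigned")          # no signature fields present
    if "Required key not available" in modprobe_stderr:
        findings.append("load-rejected-missing-key")
    return findings


# Sample input copied from the modinfo/modprobe output posted in this thread.
MODINFO_THREAD = """filename: /lib/modules/4.19.0-16-amd64/updates/dkms/wireguard.ko
intree: Y
alias: net-pf-16-proto-16-family-wireguard
alias: rtnl-link-wireguard
version: 1.0.20210219
license: GPL v2
vermagic: 4.19.0-16-amd64 SMP mod_unload modversions
"""
MODPROBE_ERR = "modprobe: ERROR: could not insert 'wireguard': Required key not available"

# Constructed sample: the same module after signing (values are placeholders).
MODINFO_SIGNED = MODINFO_THREAD + """sig_id: PKCS#7
signer: Example MOK key (constructed)
sig_key: 00:11:22:33
sig_hashalgo: sha256
signature: AA:BB:CC:
        DD:EE:FF
"""

if __name__ == "__main__":
    print(assess_module(MODINFO_THREAD, MODPROBE_ERR))
    print(assess_module(MODINFO_SIGNED))
```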
I am running supervised on Debian 10 so installing wireguard on the native OS is really not an option to stay "healthy and supported"
The previous reports show that installing the kernel module resolves the issue, as the addon wraps Wireguard, not sure what can be done. If you are concerned about support I would suggest using HassOS which has the support installed.
My concern stems from the fact that the goal is to work toward a stable product. Falling back and only being able to install one way is a step backwards not forwards. I am running 0.5.0 and will as long as I can and then will install it on a standalone Pi.
There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!
Is there a way to install the 0.5.0 version again in HA? I have the 0.5.1 installed and would like to rollback but I don't have a backup. (In the version 0.5.1 I can connect but I can't get access to any local device.)
Chiming in to say I've encountered this issue as well. I can access my local network but I can't load any webpages other than, say, youtube.com and the Google home page (can't do a search because it just times out).
I'd have to say I agree with the latter, ease of use within Home Assistant goes a long way
I am running supervised on Debian 10 so installing wireguard on the native OS is really not an option to stay "healthy and supported"
The previous reports show that installing the kernel module resolves the issue, as the addon wraps Wireguard, not sure what can be done. If you are concerned about support I would suggest using HassOS which has the support installed.
My concern stems from the fact that the goal is to work toward a stable product. Falling back and only being able to install one way is a step backwards not forwards. I am running 0.5.0 and will as long as I can and then will install it on a standalone Pi.
I definitely think it's a step backwards if the end user has to perform additional setup, outside of clicking to install wireguard and doing the basic conf file.
Having to install other packages to make everything work can really be a bother.
There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!
Lately I had to connect to my always-working-wireguard-addon-VPN from remote and noticed even tho it connected, communication was dead (pings, DNS). Didn't touch Wireguard since ages as it was backup, only updating add-on.
Can confirm, it was dead because lack of (base system) kernel module - Debian 10 Supervised. (What's even more - on Debian 11 wireguard is in base system so providing that module is even easier, works like a charm)
There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!
Don't think it should be stale but I don't know if Debian 11 changes anything as I can't test it.
There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!
There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!
Problem does still exist.
I have a fresh VM install of HA using the qcow2 image inside Proxmox. Everything works great. Now trying Wireguard and have the same issue as described here. Default config. Just changed host to my domain. Port forwarded and I can connect to client on my phone or on my laptop. But I cannot access the internet or ping any device inside my home network.
Not sure what I could try to solve this. What additional steps can I try to debug this?
Edit: Installed Wireguard using this guide (https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-ubuntu-18-04/) in one of my Ubuntu 18.04 LXC containers. There it is working great. But I think the Wireguard version is a bit old (1.0.20200513-1~18.04.2).
Same problem for me too, the automatic update reported me a new update and after doing it the tunnels no longer work. The connection happens regularly.
Windows 10 Pro 21H1 64bit
Updating to 0.6.0 seems to have resolved this issue.
Problem/Motivation
Tunnel does not work with the latest upgrade.
Expected behavior
Some configurations should be showing in the logs:
Actual behavior
The above logs do not show and I assume are not being setup.
Steps to reproduce
Upgrade
Proposed changes
OS: Debian 10
HA: 2021.4.3
Hardware: Intel NUC
Supervisor: 2021.04.0