hassio-addons / addon-wireguard

WireGuard - Home Assistant Community Add-ons
https://addons.community
MIT License

Update from 0.5.0 to 0.5.1 breaks tunnel #103

Closed tkdrob closed 2 years ago

tkdrob commented 3 years ago

Problem/Motivation

Tunnel does not work with the latest upgrade.

Expected behavior

Some configurations should be showing in the logs:

[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j

Actual behavior

The above log lines do not show, and I assume these steps are not being set up.

Steps to reproduce

Upgrade

Proposed changes

(If you have a proposed change, workaround or fix, describe the rationale behind it)

OS: Debian 10
HA: 2021.4.3
Hardware: Intel NUC
Supervisor: 2021.04.0

frenck commented 3 years ago

Could you please provide your system information (ha info)?

tkdrob commented 3 years ago

My 0.5.0 snapshot saved the day.

pedrware commented 3 years ago

Crashed after yesterday's update. Has it happened to anyone else?

ERROR: (wg0) 2021/04/11 16:12:44 Failed to write packet to TUN device: write : input/output error
ERROR: (wg0) 2021/04/11 16:12:46 peer(uYkl…F9h4) - Failed to send handshake initiation: no known endpoint for peer

oli-f commented 3 years ago

I am having the same problem, which breaks the tunnel after the upgrade.

$ ha info
arch: amd64
channel: stable
docker: 20.10.5
features:
- reboot
- shutdown
- services
- network
- hostname
hassos: null
homeassistant: 2021.4.3
hostname: server
logging: info
machine: qemux86-64
operating_system: Debian GNU/Linux 10 (buster)
state: running
supervisor: 2021.03.9
supported: true
supported_arch:
- amd64
- i386
timezone: Europe/Berlin

Log for 0.5.1:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: WireGuard
 Fast, modern, secure VPN tunnel
-----------------------------------------------------------
 Add-on version: 0.5.1
 You are running the latest version of this add-on.
 System: Debian GNU/Linux 10 (buster)  (amd64 / qemux86-64)
 Home Assistant Core: 2021.4.3
 Home Assistant Supervisor: 2021.03.9
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:23:28] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌───────────────────────────────────────────────────┐
│                                                   │
│   Running this software on Linux is unnecessary,  │
│   because the Linux kernel has built-in first     │
│   class support for WireGuard, which will be      │
│   faster, slicker, and better integrated. For     │
│   information on installing the kernel module,    │
│   please visit: <https://wireguard.com/install>.  │
│                                                   │
└───────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/fd/63

Log for 0.5.0:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: WireGuard
 Fast, modern, secure VPN tunnel
-----------------------------------------------------------
 Add-on version: 0.5.0
 There is an update available for this add-on!
 Latest add-on version: 0.5.1
 Please consider upgrading as soon as possible.
 System: Debian GNU/Linux 10 (buster)  (amd64 / qemux86-64)
 Home Assistant Core: 2021.4.3
 Home Assistant Supervisor: 2021.03.9
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:24:48] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌───────────────────────────────────────────────────┐
│                                                   │
│   Running this software on Linux is unnecessary,  │
│   because the Linux kernel has built-in first     │
│   class support for WireGuard, which will be      │
│   faster, slicker, and better integrated. For     │
│   information on installing the kernel module,    │
│   please visit: <https://wireguard.com/install>.  │
│                                                   │
└───────────────────────────────────────────────────┘
INFO: (wg0) 2021/04/12 09:24:48 Starting wireguard-go version 0.0.20201118
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

As @tkdrob mentioned, I checked the container and noticed (0.5.1):

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wg0: <POINTOPOINT,MULTICAST,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 500
    link/none 
68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:1e:21:06 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.30.33.6/23 brd 172.30.33.255 scope global eth0
       valid_lft forever preferred_lft forever
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
$ ps aux | grep resolvconf
  839 root      0:00 grep resolvconf

After executing the commands from 0.5.0 (ip, resolvconf, iptables) the tunnel becomes usable.
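The container check above (a wg0 that exists but is DOWN with no address, empty iptables chains, no resolvconf process) and the manual replay of the 0.5.0 commands can be scripted. The following is an added example written for this page, not code from the add-on or its author: it reads an add-on log, reports whether the kernel module or wireguard-go was used, lists the PostUp commands that never ran, and can print them for replay inside the container. The address 172.27.66.1/24, the interface names wg0/eth0 and MTU 1420 are taken from the logs quoted in this issue; the file name wg-addon-log-check.sh and the sample logs at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the add-on): classify a WireGuard add-on log the way
# oli-f did by hand above, and print the PostUp commands a broken start left out.
# Address, interface names and MTU come from the 0.5.0 log quoted in this issue.

# PostUp steps the add-on normally runs right after "wg setconf".
WG_POSTUP_CMDS='ip -4 address add 172.27.66.1/24 dev wg0
ip link set mtu 1420 up dev wg0
resolvconf -a wg0 -m 0 -x
iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'

# Print "userspace" if the log shows the wireguard-go fallback, else "kernel".
wg_log_backend() {
    if printf '%s\n' "$1" | grep -q 'Missing WireGuard kernel module'; then
        echo userspace
    else
        echo kernel
    fi
}

# Print each PostUp command that does not appear as a "[#] ..." line in the log.
wg_log_missing_postup() {
    printf '%s\n' "$WG_POSTUP_CMDS" | while IFS= read -r cmd; do
        printf '%s\n' "$1" | grep -Fq "[#] $cmd" || printf '%s\n' "$cmd"
    done
}

# One-word verdict: ok, userspace-ok, postup-missing or userspace-postup-missing.
wg_log_verdict() {
    wg_backend=$(wg_log_backend "$1")
    wg_missing=$(wg_log_missing_postup "$1" | grep -c '' || true)
    if [ "$wg_missing" -eq 0 ]; then
        [ "$wg_backend" = kernel ] && echo ok || echo userspace-ok
    else
        [ "$wg_backend" = kernel ] && echo postup-missing || echo userspace-postup-missing
    fi
}

# Constructed samples: the tail of the three logs quoted in this issue.
LOG_051_BROKEN='[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
[#] wg setconf wg0 /dev/fd/63'

LOG_050_USERSPACE="$LOG_051_BROKEN
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"

LOG_051_KERNEL='[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'

# Usage:  sh wg-addon-log-check.sh addon.log              (report)
#         sh wg-addon-log-check.sh addon.log --commands   (print missing commands;
#         pipe into "sh" inside the add-on container to replay them)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    wg_log=$(cat "$1")
    if [ "${2:-}" = --commands ]; then
        wg_log_missing_postup "$wg_log"
    else
        echo "backend: $(wg_log_backend "$wg_log")"
        echo "verdict: $(wg_log_verdict "$wg_log")"
        wg_log_missing_postup "$wg_log" | sed 's/^/missing: /'
    fi
fi
```

Replaying the commands only patches the running container; it is lost on the next add-on restart, so the verdict is mainly useful for telling "fallback to wireguard-go" (a host without the module) apart from "PostUp never ran" (the 0.5.1 behaviour reported here).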

Pedromanuelsilva commented 3 years ago

Got the same issue on my NUC. I am able to solve it with the proposed solution (running the 0.5.0 commands).

poptsot3 commented 3 years ago

Can't run iptables -L; still not working here after the update to 0.5.1.

frenck commented 3 years ago

It seems like all cases here involve Debian 10. Have you guys installed the kernel modules for WireGuard on your host system?

pedrware commented 3 years ago

It seems like all cases here involve Debian 10. Have you installed the kernel modules for WireGuard on your host system?

I just installed the plugin. I went back to version 0.5.0.

frenck commented 3 years ago

? Ok, thanks for letting us know @pedrware... I guess 🤷‍♂️

pedrware commented 3 years ago

I used Google Translate; it was not well translated. I have been using the add-on on HA for more than 4 months. I only had problems with version 0.5.1. What can I do to solve the problem?

Thanks

? Ok, thanks for letting us know @pedrware... I guess

oli-f commented 3 years ago

Indeed installing wireguard on the Host system solved the issue. I followed https://wiki.debian.org/SimplePrivateTunnelVPNWithWireGuard since wireguard was not installable directly.

The log now correctly shows the 5 commands from the PostUp and does not complain about the missing kernel modules any more:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: WireGuard
 Fast, modern, secure VPN tunnel
-----------------------------------------------------------
 Add-on version: 0.5.1
 You are running the latest version of this add-on.
 System: Debian GNU/Linux 10 (buster)  (amd64 / qemux86-64)
 Home Assistant Core: 2021.4.4
 Home Assistant Supervisor: 2021.04.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[12:19:29] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Not sure what changed from 0.5.0 to 0.5.1 so that the "additional" kernel module is now required. But this resolves the issue for me. Thanks @frenck !

frenck commented 3 years ago

Hehe, well it should not be required, but it is a lot better when doing that (faster).

Wonder what goes wrong with the fallback method. Maybe it ain't a bad thing to remove the fallback and make the kernel module required to start with.

Pedromanuelsilva commented 3 years ago

Ok, a little more information on this, since I was trying to troubleshoot it.

Seems like the problem is with WireGuard and Secure Boot.

Checking installation:

# apt list wireguard
Listing... Done
wireguard/buster-backports,now 1.0.20210223-1~bpo10+1 all [installed]

When checking for the kernel module:

# /sbin/modinfo wireguard
filename:       /lib/modules/4.19.0-16-amd64/updates/dkms/wireguard.ko
intree:         Y
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        1.0.20210219
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     768ECDF7EFCFA2F491F6008
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
name:           wireguard
vermagic:       4.19.0-16-amd64 SMP mod_unload modversions

Trying to add the module manually gives me the output:

# sudo modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Required key not available

vdiogo commented 3 years ago

I'm experiencing the same issue, but I did select to create a snapshot prior to updating to 0.5.1. Now my question is, how can I restore this snapshot while the issue is being resolved?

Eventually managed to restore it but issue persists

mattlward commented 3 years ago

I can confirm going from 0.5.0 to 0.5.1 broke my tunnels as well. I see the client sending packets; the server receives the packets but does not send packets, other than keepalives. I am running Supervised on Debian 10, so installing WireGuard on the native OS is really not an option to stay "healthy and supported", which is my goal. Backing down to a 0.5.0 snapshot fixed it.

System Health

version: core-2021.4.6
installation_type: Home Assistant Supervised
dev: false
hassio: true
docker: true
virtualenv: false
python_version: 3.8.7
os_name: Linux
os_version: 4.19.0-14-amd64
arch: x86_64
timezone: America/Chicago

GitHub API: ok
Github API Calls Remaining: 4924
Installed Version: 1.12.3
Stage: running
Available Repositories: 777
Installed Repositories: 11

host_os: Debian GNU/Linux 10 (buster)
update_channel: stable
supervisor_version: supervisor-2021.04.0
docker_version: 20.10.2
disk_total: 218.1 GB
disk_used: 10.3 GB
healthy: true
supported: true
supervisor_api: ok
version_api: ok
installed_addons: Backup Hassio to Google Drive (1.7.2), Dropbox Sync (1.3.0), Duck DNS (1.12.5), File editor (5.3.0), Log Viewer (0.10.2), RPC Shutdown (2.2), WireGuard (0.5.1), Mosquitto broker (5.1.1), SSH & Web Terminal (8.2.0), Samba share (9.3.1), TasmoAdmin (0.15.0), motionEye (0.12.0), AdGuard Home (4.0.0), Portainer (1.4.0), Glances (0.12.0), Check Home Assistant configuration (3.7.0), DHCP server (1.2), Network UPS Tools (0.6.2), Samba Backup (4.5.0)

dashboards: 1
resources: 4
views: 16
mode: storage

sinclairpaul commented 3 years ago

I am running Supervised on Debian 10, so installing WireGuard on the native OS is really not an option to stay "healthy and supported"

The previous reports show that installing the kernel module resolves the issue, as the addon wraps Wireguard, not sure what can be done. If you are concerned about support I would suggest using HassOS which has the support installed.

Def3nder commented 3 years ago

Indeed installing wireguard on the Host system solved the issue. I followed https://wiki.debian.org/SimplePrivateTunnelVPNWithWireGuard since wireguard was not installable directly.

I did the same on my Debian 10 and for me it did not solve the issue. The kernel modules are not "seen" from the container - like @vdiogo wrote above: the modprobe gives the following error:

# sudo modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Required key not available

In the logs I found this error:

[ERROR] plugin/errors: 2 a0d7b954-wireguard.local.hass.io. A: plugin/forward: no next plugin found

and also this one (but only if you connect from a device to the server):

ERROR: (wg0) Failed to write packet to TUN device: write : input/output error

I downgraded to 0.5.0 with a snapshot from March and with 0.5.0 everything works like a charm.

0.5.1 did break something.

[Edit] In the meanwhile I did find out what is needed to get the TUN device on the host system running:

This problem only exists when using SecureBoot. You need to sign the wireguard driver to use it as kernel module as explained here: Signing 3rd-party kernel modules

The question is: what has been changed from 0.5.0 to 0.5.1 that breaks the add-on without a) having WireGuard installed on the host and b) signing the WireGuard kernel module?
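The two comments above diagnose the same thing from different ends: modinfo finds a DKMS-built wireguard.ko, but modprobe refuses it with "Required key not available", which is the kernel under Secure Boot rejecting a module that is not signed by a key it trusts. As an added example (not code from the add-on, from Debian or from the commenters), the script below maps the modprobe error text to a cause and a next step, gathers the deciding facts on a host (Secure Boot state, module file, signer), and signs the module with a Machine Owner Key. The sign-file location under /usr/lib/linux-kbuild-* and the mok.priv/mok.der file names are assumptions; the key must already be enrolled with mokutil --import and a reboot, as the Debian Secure Boot wiki describes.

```shell
#!/bin/sh
# Added example, not part of the add-on or of Debian: explain a failing
# "modprobe wireguard" the way the comments above worked it out by hand.
# The sign-file path and the mok.priv/mok.der names are assumptions.

# Classify the stderr text of "modprobe wireguard". Empty text means it loaded.
wg_modprobe_cause() {
    case "$1" in
        "")                                              echo loaded ;;
        *"Required key not available"*)                  echo unsigned-under-secure-boot ;;
        *"not found in directory"*|*"Module wireguard not found"*)
                                                         echo module-not-installed ;;
        *"Exec format error"*|*"Invalid module format"*) echo built-for-other-kernel ;;
        *"Operation not permitted"*)                     echo need-root ;;
        *)                                               echo unknown ;;
    esac
}

# One line of advice per cause.
wg_modprobe_advice() {
    case "$1" in
        loaded)                     echo "kernel module loads; the add-on will not fall back to wireguard-go" ;;
        unsigned-under-secure-boot) echo "Secure Boot rejects the unsigned DKMS module: sign it with an enrolled MOK, or disable Secure Boot" ;;
        module-not-installed)       echo "install wireguard from buster-backports (pulls in wireguard-dkms and the kernel headers)" ;;
        built-for-other-kernel)     echo "module was built for another kernel; rebuild it with dkms for $(uname -r)" ;;
        need-root)                  echo "run modprobe as root" ;;
        *)                          echo "check dmesg for the kernel's rejection reason" ;;
    esac
}

# Live check on the host (not inside the add-on container). modprobe needs root.
wg_host_facts() {
    sb=$(mokutil --sb-state 2>/dev/null) || sb=unknown
    echo "secureboot: ${sb:-unknown}"
    modfile=$(modinfo -n wireguard 2>/dev/null) || modfile=none
    echo "module-file: ${modfile:-none}"
    signer=$(modinfo -F signer wireguard 2>/dev/null) || signer=""
    echo "signer: ${signer:-none}"          # empty signer = unsigned module
    err=$(modprobe wireguard 2>&1 >/dev/null) || true
    cause=$(wg_modprobe_cause "$err")
    echo "cause: $cause"
    echo "advice: $(wg_modprobe_advice "$cause")"
}

# Sign the DKMS-built module with a Machine Owner Key. Assumes mok.priv/mok.der
# were created with openssl and mok.der was enrolled via "mokutil --import".
# Must be repeated after every dkms rebuild (kernel or wireguard update).
wg_sign_module() {
    key=$1; cert=$2
    mod=$(modinfo -n wireguard) || return 1
    signfile=$(ls /usr/lib/linux-kbuild-*/scripts/sign-file 2>/dev/null | head -n 1)
    [ -x "$signfile" ] || { echo "sign-file not found; install linux-kbuild for your kernel" >&2; return 1; }
    "$signfile" sha256 "$key" "$cert" "$mod" || return 1
    echo "signed $mod; signer now: $(modinfo -F signer wireguard)"
}

# Usage:  sudo sh wg-module-check.sh --facts
#         sudo sh wg-module-check.sh --sign mok.priv mok.der
case "${1:-}" in
    --facts) wg_host_facts ;;
    --sign)  wg_sign_module "$2" "$3" ;;
esac
```

After signing, "modprobe wireguard" should succeed and the add-on log should show "ip link add wg0 type wireguard" without the RTNETLINK error and without the wireguard-go banner. Disabling the fallback in the add-on, as floated earlier in the thread, would turn this silent degradation into a hard start failure, which is arguably the safer behaviour for a VPN endpoint.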

mattlward commented 3 years ago

I am running Supervised on Debian 10, so installing WireGuard on the native OS is really not an option to stay "healthy and supported"

The previous reports show that installing the kernel module resolves the issue, as the addon wraps Wireguard, not sure what can be done. If you are concerned about support I would suggest using HassOS which has the support installed.

My concern stems from the fact that the goal is to work toward a stable product. Falling back and only being able to install one way is a step backwards not forwards. I am running 0.5.0 and will as long as I can and then will install it on a standalone Pi.

github-actions[bot] commented 3 years ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

rogercrespo commented 3 years ago

Is there a way to install the 0.5.0 version again in HA? I have the 0.5.1 installed and would like to rollback but I don't have a backup. (In the version 0.5.1 I can connect but I can't get access to any local device.)

ock666 commented 3 years ago

Chiming in to say I've encountered this issue as well. I can access my local network but I can't load any web pages other than, say, youtube.com and the Google home page (can't do a search because it just times out).

I'd have to say I agree with the latter, ease of use within Home Assistant goes a long way

I am running Supervised on Debian 10, so installing WireGuard on the native OS is really not an option to stay "healthy and supported"

The previous reports show that installing the kernel module resolves the issue, as the addon wraps Wireguard, not sure what can be done. If you are concerned about support I would suggest using HassOS which has the support installed.

My concern stems from the fact that the goal is to work toward a stable product. Falling back and only being able to install one way is a step backwards not forwards. I am running 0.5.0 and will as long as I can and then will install it on a standalone Pi.

I definitely think it's a step backwards if the end user has to perform additional setup, outside of clicking to install WireGuard and doing the basic conf file.

Having to install other packages to make everything work can really be a bother.

github-actions[bot] commented 3 years ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

andriej commented 3 years ago

Lately I had to connect to my always-working WireGuard add-on VPN from remote and noticed that even though it connected, communication was dead (pings, DNS). Didn't touch WireGuard since ages as it was a backup, only updating the add-on.

Can confirm, it was dead because lack of (base system) kernel module - Debian 10 Supervised. (What's even more - on Debian 11 wireguard is in base system so providing that module is even easier, works like a charm)

github-actions[bot] commented 3 years ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

andriej commented 3 years ago

Don't think it should be stale but I don't know if Debian 11 changes anything as I can't test it.

github-actions[bot] commented 3 years ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

MoweME commented 2 years ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

Problem does still exist.

thehijacker commented 2 years ago

I have fresh VM install of HA using the qcow2 image inside Proxmox. Everything works great. Now trying Wireguard and have same issue as described here. Default config. Just changed host to my domain. Port forwarded and I can connect to client on my phone or on my laptop. But I can not access internet or ping any device inside my home network.

Not sure what I could try to solve this. What additional steps can I try to debug this?

Edit: Installed Wireguard using this guide (https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-ubuntu-18-04/) in one of my Ubuntu 18.04 LXC containers. There is working great. But I think Wireguard version is a bit old (1.0.20200513-1~18.04.2).

mastum commented 2 years ago

Same problem for me too, the automatic update reported me a new update and after doing it the tunnels no longer work. The connection happens regularly.

Windows 10 Pro 21H1 64bit

tkdrob commented 2 years ago

Updating to 0.6.0 seems to have resolved this issue.