iamckn / wireguard_ansible

Ansible scripts for setting up a typical wireguard VPN connection
https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
322 stars 69 forks

iptables rules don't necessarily persist past reboots in Ubuntu 18.04.1 #9

Closed kjgd closed 4 years ago

kjgd commented 5 years ago

Fixing Ubuntu 18.04 DNS in #6 required rebooting the server.

While troubleshooting the resulting total connection failure, I re-ran the playbook.

After doing so, the connection started working again (given the POSTROUTING wg0.conf lines discussed in #6).

The reason for the connection failure therefore appears to be that some of the iptables rules were wiped during reboot.

The following items were changed on the playbook re-run:

TASK [wireguard_ansible/wireguard_role : Enable IPv4 forwarding continued] **********************************************************************************************************************************
changed: [myserver]

TASK [wireguard_ansible/wireguard_role : Track input chain] *************************************************************************************************************************************************
changed: [myserver]

TASK [wireguard_ansible/wireguard_role : Track forward chain] ***********************************************************************************************************************************************
changed: [myserver]

TASK [wireguard_ansible/wireguard_role : Allow incoming wireguard connections] ******************************************************************************************************************************
changed: [myserver]

TASK [wireguard_ansible/wireguard_role : Allow recursive DNS tcp] *******************************************************************************************************************************************
changed: [myserver]

TASK [wireguard_ansible/wireguard_role : Allow recursive DNS udp] *******************************************************************************************************************************************
changed: [myserver]

TASK [wireguard_ansible/wireguard_role : Allow forwarding of packets that stay in the tunnel] ***************************************************************************************************************
changed: [myserver]

...

TASK [wireguard_ansible/wireguard_role : Set up iptables persistence] ***************************************************************************************************************************************
changed: [myserver]

To check whether this was a function of the reboot, or whether these playbook tasks are simply not idempotent, I re-ran the playbook again immediately. This time only the following tasks came back 'changed':

TASK [wireguard_ansible/wireguard_role : Enable IPv4 forwarding continued] **********************************************************************************************************************************
changed: [myserver]

...

TASK [wireguard_ansible/wireguard_role : Set up iptables persistence] ***************************************************************************************************************************************
changed: [myserver]

It looks like quite a few of the iptables rules are not persisting past reboots in Ubuntu 18.04.

iamckn commented 5 years ago

Run the following two commands after a server reboot and share the output:

iptables -S
iptables -S -t nat

This should help see what rules are not persisting a reboot in your case.
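One way to turn the two dumps requested above into a direct answer is to diff the rule set that was persisted against the rule set actually loaded after the reboot. The script below is an added example and is not part of the wireguard_ansible repository: it takes two files in `iptables -S` / `iptables-save` style and lists every `-A` rule present in the saved file but missing from the running one. The saved-rules path `/etc/iptables/rules.v4` is the default used by the iptables-persistent package (an assumption about the reader's setup, not something the issue states), and the rule lines, port number and subnet in the sample data are constructed placeholders mirroring the task names in the playbook output, not the repo's actual rules.

```shell
#!/bin/sh
# Added example (not from the wireguard_ansible repo): report which persisted
# iptables rules did not survive a reboot by comparing a saved dump with the
# rules currently loaded. Both inputs use the "-A CHAIN ..." line format that
# `iptables -S` and `iptables-save` emit.

# missing_rules SAVED_FILE RUNNING_FILE
# Prints each "-A ..." rule that appears in SAVED_FILE but not in RUNNING_FILE.
# Policy lines ("-P ...") are ignored; only appended rules are compared.
missing_rules() {
    grep '^-A ' "$1" | while IFS= read -r rule; do
        # -x: match the whole line, -F: treat the rule as a literal string
        grep -qxF -- "$rule" "$2" || printf '%s\n' "$rule"
    done
}

# Constructed sample data standing in for the two dumps a reader would take.
# In real use the first file is the persisted rule set (assumed path with
# iptables-persistent: /etc/iptables/rules.v4) and the second is the output of
# `iptables -S` captured after the reboot. Port 51820 and 10.200.200.0/24 are
# placeholders chosen for the example, not values taken from the playbook.
tmp=$(mktemp -d)
cat > "$tmp/saved.rules" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
EOF
cat > "$tmp/running.rules" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF

# Prints the three rules that were saved but are not loaded after the reboot.
missing_rules "$tmp/saved.rules" "$tmp/running.rules"
```

Run the same comparison a second time for the nat table (`iptables -S -t nat` against the nat section of the saved file) so that the POSTROUTING masquerade rule is covered as well; an empty result from both comparisons means the persistence mechanism is working and the breakage lies elsewhere.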