linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] PersistentKeepalive not added to peerX.conf file #285

Closed snagytx closed 1 year ago

snagytx commented 1 year ago

Is there an existing issue for this?

Current Behavior

Even though PERSISTENTKEEPALIVE_PEERS=all is set, PersistentKeepalive is not added to the peerX.conf file; it is only added to the /config/wg0.conf file.

Expected Behavior

PersistentKeepalive = 25 to be added to the peerX.conf file as well.

Steps To Reproduce

Based on my testing, if PersistentKeepalive = 25 is not set in the peerX.conf file, the client, which is behind a NAT, will not connect to the server automatically upon client container startup.

BAD Case:

1) See the docker-compose.yml below for server configuration.
2) Start the server.

3) See the docker-compose.yml below for client configuration.
4) Start the client container - it will complain that wg0.conf is missing.
5) Copy the content of config/peerX/peerX.conf from the WG server to the WG client into the wg0.conf file.
6) Restart the client container - it will start up without any issues.

7) Use docker commands to start a ping from the WG server container to the WG client container (you have the IP in wg0.conf). Note that you will not get a response to the ping; let it run.

8) Use docker commands to start a ping from the WG client container to the WG server container (10.13.13.1). Note that it will work.

9) Switch back to the session where you executed step 7 and note that you now get a response to the ping.

GOOD Case:

1) See the docker-compose.yml below for server configuration.
2) Start the server.

3) See the docker-compose.yml below for client configuration.
4) Start the client container - it will complain that wg0.conf is missing.
5) Copy the content of config/peerX/peerX.conf from the WG server to the WG client into the wg0.conf file.
6) Add `PersistentKeepalive = 25` at the end of wg0.conf.
7) Restart the client container - it will start up without any issues.

8) Use docker commands to start a ping from the WG server container to the WG client container (you have the IP in wg0.conf). Note that you will get a response to the ping.

The purpose of the change is for step 7 of the bad case to work without the manual intervention of the good case.

Environment

- OS: Rocky 9 & balenaOS on Raspberry Pi 4
- How docker service was installed:

CPU architecture

x86-64

Docker creation

Server docker-compose.yml:

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - SERVERURL=173.11.164.93 #optional
      - SERVERPORT=51820 #optional
      - PEERS=6 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS=all #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Client docker-compose.yml:

version: "2.1"
volumes:
  config:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
    volumes:
      - config:/config
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Container logs

nothing relevant

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

You don't need to post in multiple places. Some of this was already explained in response to your forum post.

From the readme:

-e PERSISTENTKEEPALIVE_PEERS=
Set to all or a list of comma separated peers (ie. 1,4,laptop) for the wireguard server to send keepalive packets to listed peers every 25 seconds.
Useful if server is accessed via domain name and has dynamic IP. Used only in server mode.

That directive is used only for the server to send keepalive packets to the peer(s).

What you're asking for is for the peer to send keepalive packets to the server, which is done by adding the directive to the peer's conf.

Those are two separate things.

Keepalive is off by default because it is not always wanted (drains battery on mobile devices) and should only be set when needed.

Closing as it's not a bug.
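The server-side versus peer-side distinction above, as an added example that is neither the project's code nor part of the thread. It uses constructed sample configs (placeholder keys, the 10.13.13.0 subnet and endpoint from the issue) and a deliberately simple INI-style line parser to show which `[Peer]` blocks carry `PersistentKeepalive` and to add the directive to a client conf that lacks it, which is the manual step from the good case.

```python
import re
HEADER = re.compile(r"^\s*\[(\w+)\]\s*$")
KEEPALIVE = re.compile(r"^\s*PersistentKeepalive\s*=\s*(\d+)")

# Constructed samples (keys are placeholders): the server's wg0.conf carries
# keepalive in its [Peer] block; the exported peer1.conf the client uses does not.
SERVER_CONF = """[Interface]
Address = 10.13.13.1

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.2/32
PersistentKeepalive = 25
"""
PEER1_CONF = """[Interface]
Address = 10.13.13.2

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 173.11.164.93:51820
AllowedIPs = 0.0.0.0/0
"""

def peer_keepalives(conf):
    """PersistentKeepalive value (or None) of each [Peer] block, in file order."""
    result, in_peer, value = [], False, None
    for line in conf.splitlines() + [None]:               # None marks end of file
        header = HEADER.match(line) if line is not None else None
        if line is None or header:
            if in_peer:
                result.append(value)
            in_peer, value = bool(header) and header.group(1) == "Peer", None
        elif in_peer and KEEPALIVE.match(line):
            value = int(KEEPALIVE.match(line).group(1))
    return result

def add_keepalive(conf, seconds=25):
    """Return conf with PersistentKeepalive added to each [Peer] block lacking one."""
    out, in_peer, seen = [], False, False
    for line in conf.splitlines() + [None]:
        header = HEADER.match(line) if line is not None else None
        if line is None or header:
            if in_peer and not seen:                      # close a [Peer] lacking it
                out.append(f"PersistentKeepalive = {seconds}")
            in_peer, seen = bool(header) and header.group(1) == "Peer", False
        elif in_peer and KEEPALIVE.match(line):
            seen = True
        if line is not None:
            out.append(line)
    return "\n".join(out).rstrip("\n") + "\n"
```

Running `add_keepalive` on a conf that already has the directive returns it unchanged, so it is safe to apply on every client container start.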