linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] starting with ~v1.0.20210914-ls116 cannot connect to wireguard #321

Closed CHerSun closed 9 months ago

CHerSun commented 9 months ago

Is there an existing issue for this?

Current Behavior

I'm using a VPS with wireguard server. It was set up ~1 year ago, since then no configs were changed. Configuration was done using wireguard-install.sh script from github, but well, it just works (using the same server on like 10 devices).

At home on ubuntu 22.04 server I have a docker compose stack of this image container + proxy for LAN clients. The only extra config is predown and postup firewall rules to allow LAN traffic.

This was all working with v1.0.20210914-ls96 image since setup.

Recently I've decided to update to the latest. And with the latest image it looked like it didn't even try to reach the VPS wireguard (no recent handshakes from the client). Returned the image back to ls96 - everything works fine. I've started moving up. The break is somewhere between ls110 (works) and ls116 (doesn't work).

Not sure how to get useful info. Logs are not really helpful:

ls116 (doesn't work; also killswitch is broken, it won't exit on no connection):

```
vpn  | Uname info: Linux 57ca5d5268f8 5.15.0-92-generic #102-Ubuntu SMP Wed Jan 10 09:33:48 UTC 2024 x86_64 GNU/Linux
vpn  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
vpn  | **** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
vpn  | **** Client mode selected. ****
vpn  | [custom-init] No custom files found, skipping...
vpn  | **** Disabling CoreDNS ****
vpn  | [#] ip link add wg0 type wireguard
vpn  | [#] wg setconf wg0 /dev/fd/63
vpn  | [#] ip -4 address add 192.168.15.12/32 dev wg0
vpn  | [#] ip link set mtu 1420 up dev wg0
vpn  | [#] resolvconf -a wg0 -m 0 -x
vpn  | [#] wg set wg0 fwmark 51820
vpn  | [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
vpn  | [#] ip -4 rule add not fwmark 51820 table 51820
vpn  | [#] ip -4 rule add table main suppress_prefixlength 0
vpn  | [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
vpn  | sysctl: permission denied on key "net.ipv4.conf.all.src_valid_mark"
vpn  | [#] resolvconf -d wg0 -f
vpn  | [#] ip -4 rule delete table 51820
vpn  | [#] ip -4 rule delete table main suppress_prefixlength 0
vpn  | [#] ip link delete dev wg0
vpn  | s6-rc: warning: unable to start service svc-wireguard: command exited 128
```

ls110 (works):

```
vpn  | Uname info: Linux ead6ba897f14 5.15.0-92-generic #102-Ubuntu SMP Wed Jan 10 09:33:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
vpn  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
vpn  | **** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
vpn  | **** Client mode selected. ****
vpn  | [custom-init] No custom files found, skipping...
vpn  | **** Disabling CoreDNS ****
vpn  | [#] ip link add wg0 type wireguard
vpn  | [#] wg setconf wg0 /dev/fd/63
vpn  | [#] ip -4 address add 192.168.15.12/32 dev wg0
vpn  | [#] ip link set mtu 1420 up dev wg0
vpn  | [#] resolvconf -a wg0 -m 0 -x
vpn  | [#] wg set wg0 fwmark 51820
vpn  | [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
vpn  | [#] ip -4 rule add not fwmark 51820 table 51820
vpn  | [#] ip -4 rule add table main suppress_prefixlength 0
vpn  | [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
vpn  | sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
vpn  | [#] iptables-restore -n
vpn  | [#] DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
vpn  | [ls.io-init] done.
```

Expected Behavior

Steps To Reproduce

tbh, no idea if and how this could be reproduced. The server installed with wireguard-install.sh script + added client via the same thing. Copy-paste the client config. Use above mentioned versions.

Environment

- OS: ubuntu 22.04
- How docker service was installed: docker.io official instruction with their repo

CPU architecture

x86-64

Docker creation

Piece of docker-compose for the vpn (there are a few other services dependent on vpn):

```yaml
version: '3.9'
services:
  vpn:
    container_name: vpn
    image: linuxserver/wireguard:v1.0.20210914-ls110
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
    volumes:
      - ./config:/config
    restart: unless-stopped
    networks:
      - default
    ports:
      - 1080:1080       # microsocks port
    healthcheck:
      test: ping -4 -c 2 www.google.com || exit 1
      interval: 14s
      timeout: 5s
      retries: 3
```

### Container logs

```bash
see above
```

github-actions[bot] commented 9 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 9 months ago

We don't have a wireguard-install.sh script.

You're missing the sysctl in your compose yaml.

The images you are referring to are from March and April of last year. We put out tons of releases since then.

CHerSun commented 9 months ago

> We don't have a wireguard-install.sh script

yep, wireguard install comes from https://github.com/angristan/wireguard-install , just mentioned on how I've set up the other side, if that matters.

> You're missing the sysctl in your compose yaml

my bad, didn't compare the refreshed readme with my config. Added, now latest works fine. Thank you!
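The fix the maintainer points to, written out as an added example (this is not the reporter's file and not the project's own documentation): the same `vpn` service from the report with a `sysctls:` entry for the key that wg-quick fails to set in the ls116 log. The key and value are taken from that log line; the image tag, the comment about `SYS_MODULE`, and the comments explaining the failure are my additions.

```yaml
# Added example: the reporter's `vpn` service with the missing `sysctls` entry.
# The key and value come from the failing line in the ls116 container log:
#   [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
#   sysctl: permission denied on key "net.ipv4.conf.all.src_valid_mark"
version: '3.9'
services:
  vpn:
    container_name: vpn
    # The reporter confirmed "latest" works once the sysctl is present.
    # Pin to a specific release tag in practice so updates are deliberate.
    image: linuxserver/wireguard:latest
    cap_add:
      - NET_ADMIN
      # Optional on this host: the container log says the wireguard module is
      # already active and that SYS_MODULE can be removed from the compose file.
      - SYS_MODULE
    sysctls:
      # Compose sets this inside the container's own network namespace at start,
      # so wg-quick no longer has to write it itself. In the ls116 log the denied
      # write is followed by the teardown lines (`ip -4 rule delete ...`,
      # `ip link delete dev wg0`) and `command exited 128`: the tunnel is removed
      # before PostUp runs, so no handshake is ever attempted and the
      # PostUp-based killswitch never gets installed either.
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
    volumes:
      - ./config:/config
    restart: unless-stopped
    networks:
      - default
    ports:
      - 1080:1080       # microsocks port
    healthcheck:
      test: ping -4 -c 2 www.google.com || exit 1
      interval: 14s
      timeout: 5s
      retries: 3
```

A quick check after `docker compose up -d` is `docker exec vpn sysctl net.ipv4.conf.all.src_valid_mark`, which should print `1`; if it does not, the `sysctls` key was not applied and wg-quick will fail the same way again. The ls110 log shows why the older image masked the problem: its `sysctl` reported the failure as "ignoring: Read-only file system" and returned success, so wg-quick carried on to `iptables-restore` and the PostUp rules, whereas the ls116 `sysctl` returns an error and wg-quick aborts.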