linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] doesn't work in Ubuntu server #349

Closed thetiana closed 2 months ago

thetiana commented 2 months ago

Is there an existing issue for this?

Current Behavior

  - Client shows as connected but cannot ping the server's WireGuard IP (10.13.13.1).
  - Server (wg show) returns allowed IPs: (none), indicating that no allowed IPs are configured for the peer.
  - Ping command on the client shows "Destination Host Unreachable."
  - Network traffic: on the client, the wg command shows TX traffic but zero RX traffic.
  - WireGuard module: loaded on the host (lsmod | grep wireguard shows the module), but no wg interface is visible.

Analysis:

  - Configuration error: there may be a mismatch between the public/private keys or a misconfigured AllowedIPs entry.
  - Network forwarding: IP forwarding is enabled on the host, but there might be an issue with the Docker container networking setup or iptables rules.
  - Docker networking: running the container with --network host should ensure proper port forwarding but hasn't resolved the issue.
  - WireGuard module: despite the module being loaded, no wg interface appears on the host, suggesting a potential issue with permissions or Docker's ability to manage interfaces on the host.

Expected Behavior

The client should be able to establish a VPN connection with the server, allowing traffic to be routed through the server’s network. The client should be able to ping the server’s internal VPN IP address.

Actual Result: Attempts to establish a WireGuard VPN connection between the server and the client consistently fail. Despite correctly setting up the configuration files and forwarding the necessary UDP ports on the router, the client cannot ping the server, and the server does not show any incoming connections.

Steps To Reproduce

Forward ports from the external router address to the host machine on the proper port. Copy-paste the compose file, adjust, and run. Scan the QR code and connect on my phone. Nothing happens, except no connection.

Environment

Host system: Linux 6.5.0-1020-raspi #23-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 24 13:20:44 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
Docker version 26.0.0, build 2ae903e

CPU architecture

arm64

Docker creation

wireguard:
    image: linuxserver/wireguard:latest
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
#        max_replicas_per_node: 1
        constraints:
          - node.hostname == N00
          - node.role == manager
          - node.labels.rack == true
#      labels:
      update_config:
        parallelism: 1
        delay: 10s
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 # Replace with your user id
      - PGID=1003 # Replace with your group id
      - TZ=Europe/Sofia # Replace with your timezone
      - SERVERURL=auto # Replace with your domain name or public IP
#      - SERVERPORT=51820 # Replace with the port you want WireGuard to listen on
      - PEERS=5 # Number of peers to create on setup
#      - PEERDNS=auto # Use auto to set DNS to the server's IP
#      - INTERNAL_SUBNET=123.123.123.0/24 # Replace with the subnet you want to use
#      - ALLOWEDIPS=0.0.0.0/0 # Replace with IPs you want to allow
#      - POSTUP=iptables -t nat -A POSTROUTING -s 10.13.13.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
#      - POSTDOWN=iptables -t nat -D POSTROUTING -s 10.13.13.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

    volumes:

      - type: bind
        source: /home/ubuntu/wg
        target: /config
#        read_only: false
      - /lib/modules:/lib/modules:ro
    ports:
      - target: 51820
        published: 51820
        protocol: udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    network_mode: "host"

Container logs

To support the app dev(s) visit:

WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:

https://www.linuxserver.io/donate/

───────────────────────────────────────

GID/UID

───────────────────────────────────────

User UID:    1000

User GID:    1003

───────────────────────────────────────

Linuxserver.io version: 1.0.20210914-r4-ls44

Build-date: 2024-07-18T11:25:03+00:00

───────────────────────────────────────

Uname info: Linux 85d9aa88c87e 6.5.0-1020-raspi #23-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 24 13:20:44 UTC 2024 aarch64 GNU/Linux

**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****

**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****

****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****

**** Server mode is selected ****

**** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of ***.***.***.*** ****

**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****

**** Internal subnet is set to 10.13.13.0 ****

**** AllowedIPs for peers 0.0.0.0/0, ::/0 ****

**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****

**** Server mode is selected ****

**** No changes to parameters. Existing configs are used. ****

[custom-init] No custom files found, skipping...

.:53

CoreDNS-1.11.1

linux/arm64, go1.22.5, 

**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****

**** Activating tunnel /config/wg_confs/wg0.conf ****

[#] ip link add wg0 type wireguard

[#] wg setconf wg0 /dev/fd/63

Warning: AllowedIP has nonzero host part: 10.13.13.2/24

Warning: AllowedIP has nonzero host part: 10.13.13.3/24

Warning: AllowedIP has nonzero host part: 10.13.13.4/24

Warning: AllowedIP has nonzero host part: 10.13.13.5/24

Warning: AllowedIP has nonzero host part: 10.13.13.6/24

[#] ip -4 address add 10.13.13.1 dev wg0

[#] ip link set mtu 1420 up dev wg0

[#] ip -4 route add 10.13.13.0/24 dev wg0

[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE

**** All tunnels are now active ****

[ls.io-init] done.

github-actions[bot] commented 2 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 2 months ago

You have an incorrect (likely previously generated and manually modified) wg0.conf. Delete that and restart.

thetiana commented 2 months ago

The only manual change in the config is the subnet mask; I changed it from 32 to 24, but it doesn't work with either. I think there is some issue with the certificates. I delete the configs after every try and use the data from newly generated configs. I inspect the keys after every new start; they look good. The other option is something related to the host system: maybe it cannot connect to the kernel or cannot change the needed things on the host computer.

aptalca commented 2 months ago

As shown in the log, the issue is the change from 32 to 24. Don't edit it and it will work out of the box.
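
The "AllowedIP has nonzero host part" warnings in the container log are the mechanism behind the "allowed ips: (none)" symptom. WireGuard's cryptokey routing maps each AllowedIPs prefix to exactly one peer, and wg setconf masks off the host bits, so peers configured as 10.13.13.x/24 all claim 10.13.13.0/24 and only the last one listed keeps it; every earlier peer is left with no route. The script below is an added example, not part of this issue or of the linuxserver image: it parses a wg0.conf, emulates that masking and last-peer-wins rule offline, and reports which peers end up routeless. The two-peer config and the key values are constructed placeholders.

```python
"""Lint a WireGuard server config for AllowedIPs collisions between peers (added example)."""
import ipaddress

# Constructed sample mirroring the issue: peers were generated as /32 and hand-edited to /24.
# Key values are placeholders, not real WireGuard keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# peer1
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.2/24

[Peer]
# peer2
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.3/24
"""


def parse_peers(conf_text):
    """Return one dict per [Peer] section with its PublicKey and raw AllowedIPs entries."""
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            # Only [Peer] sections carry AllowedIPs; [Interface] is skipped.
            if line.strip("[]").lower() == "peer":
                current = {"PublicKey": None, "AllowedIPs": []}
                peers.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only: base64 keys may end in '=' padding.
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PublicKey":
            current["PublicKey"] = value
        elif key == "AllowedIPs":
            current["AllowedIPs"].extend(v.strip() for v in value.split(",") if v.strip())
    return peers


def check_allowed_ips(conf_text):
    """Emulate wg's cryptokey routing table for the given config.

    Host bits are masked off (wg warns about this), and each resulting prefix belongs
    to exactly one peer: a later peer claiming the same prefix takes it from the earlier
    one. Returns (warnings, effective) where effective maps peer index -> list of the
    prefixes that peer actually ends up owning (an empty list is what `wg show`
    displays as "allowed ips: (none)").
    """
    warnings = []
    owner = {}  # network -> index of the peer that currently owns it
    peers = parse_peers(conf_text)
    for idx, peer in enumerate(peers):
        for entry in peer["AllowedIPs"]:
            iface = ipaddress.ip_interface(entry)
            net = iface.network  # host bits masked off, as wg setconf does
            if iface.ip != net.network_address:
                warnings.append(f"peer {idx}: AllowedIP has nonzero host part: {entry}")
            if net in owner and owner[net] != idx:
                warnings.append(
                    f"peer {idx}: {net} already claimed by peer {owner[net]}; "
                    f"peer {owner[net]} loses it"
                )
            owner[net] = idx
    effective = {
        i: sorted(str(n) for n, o in owner.items() if o == i) for i in range(len(peers))
    }
    return warnings, effective


def routeless_peers(conf_text):
    """Indices of peers that own no prefix at all after collisions are resolved."""
    _, effective = check_allowed_ips(conf_text)
    return [i for i, nets in effective.items() if not nets]


if __name__ == "__main__":
    warns, table = check_allowed_ips(SAMPLE_CONF)
    for w in warns:
        print("WARNING:", w)
    for i, nets in table.items():
        print(f"peer {i}: allowed ips {', '.join(nets) if nets else '(none)'}")
    print("routeless peers:", routeless_peers(SAMPLE_CONF))
```

Run against a real file with `check_allowed_ips(open("/config/wg_confs/wg0.conf").read())`; with the generated /32 entries every peer keeps its own prefix and no warnings are produced, which is the state the maintainer's advice restores.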

thetiana commented 2 months ago

If it works I'm not going to try to spend time changing it; it doesn't work with either.

thetiana commented 2 months ago

Fixed by installing wireguard-tools on the host system.

thetiana commented 2 months ago

Fix steps:

  1. delete all previous configs in the container persistent storage
  2. install wireguard on the host system
  3. install wireguard-tools on the host system
  4. reboot the host system to load the new kernel