linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] Client Mode: Connection to server is made, but unable to ping in remote network #361

Open rrickfox opened 3 weeks ago

rrickfox commented 3 weeks ago

Is there an existing issue for this?

Current Behavior

When connecting with a wg_config.conf file to a remote WireGuard server (happens to be a Fritz!Box), I am unable to ping any devices in the remote network from inside my machine. When connecting with a Windows laptop to this network, everything works as expected. I am also able to ping the machine in question from this Windows laptop, but connections to HTTP servers and SSH requests are denied.

Expected Behavior

The machine should behave naturally in the remote network.

Steps To Reproduce

  1. I am running this with docker compose in portainer, the compose file should be below (I never worked with these issue forms before)
  2. I supply this wg_config.conf file in the specified folder path:

     ```ini
     [Interface]
     PrivateKey = [...]
     Address = 192.168.20.202/24
     DNS = 192.168.20.1
     DNS = fritz.box

     [Peer]
     PublicKey = [...]
     PresharedKey = [...]
     AllowedIPs = 192.168.20.0/24
     Endpoint = [...].myfritz.net:58231
     PersistentKeepalive = 25
     ```

  3. I get the log that also should be down below
  4. Fritz!Box shows the machine as connected
  5. The following commands are from the machine in question:

     ```text
     // Test to see if general Internet is working
     ping 8.8.8.8
     PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
     64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=18.9 ms
     ...

     // Router (fritz box) on remote network
     ping 192.168.20.1
     PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
     From 192.168.16.1 icmp_seq=1 Destination Host Unreachable
     ...

     // Windows laptop that is vpn-ed into same remote network
     ping 192.168.20.201
     PING 192.168.20.201 (192.168.20.201) 56(84) bytes of data.
     From 192.168.16.1 icmp_seq=1 Destination Host Unreachable
     ...
     ```

  6. Following is from the Windows laptop:

     ```text
     // Ping remote router
     ping 192.168.20.1
     Pinging 192.168.20.1 with 32 bytes of data:
     Reply from 192.168.20.1: bytes=32 time=22ms TTL=64
     ...

     // Ping machine in question
     ping 192.168.20.202
     Pinging 192.168.20.202 with 32 bytes of data:
     Reply from 192.168.20.202: bytes=32 time=130ms TTL=63
     ...

     // curl http server
     curl 192.168.20.202
     curl : Unable to connect to the remote server.

     // try ssh
     ssh user@192.168.20.202
     ssh: connect to host 192.168.20.202 port 22: Connection refused
     ```


### Environment

```markdown
- OS: Debian 12
- How docker service was installed: distro's package manager
```

CPU architecture

x86-64

Docker creation

```yaml
version: "3.7"

services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - /docker-data/wireguard/config:/config
      - /usr/src:/usr/src # location of kernel headers
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```

Container logs

```text
[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls55
Build-date: 2024-10-10T11:23:38+00:00
───────────────────────────────────────

Uname info: Linux 5bb20dd72f21 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg_config.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg_config.conf ****
Warning: `/config/wg_confs/wg_config.conf' is world accessible
[#] ip link add wg_config type wireguard
[#] wg setconf wg_config /dev/fd/63
[#] ip -4 address add 192.168.20.202/24 dev wg_config
[#] ip link set mtu 1420 up dev wg_config
[#] resolvconf -a wg_config -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
**** All tunnels are now active ****
[ls.io-init] done.
```

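An added diagnostic for the step-5 and step-6 output above (editor's example; it is not part of the issue and not code from linuxserver/docker-wireguard). Two details in the step-5 output point at routing rather than at the tunnel itself. The "Destination Host Unreachable" replies come from 192.168.16.1, an address that is not on the VPN subnet, and 192.168.20.0/24 lies inside 192.168.16.0/20 (the /20 mask keeps only the high nibble of the third octet, and 20 & 0xF0 = 16), a prefix size that is consistent with a Docker bridge network on the host, since Docker's default address pool carves 192.168.0.0/16 into /20 subnets once its 172.16.0.0/12 pool is used up. The compose file has no `network_mode: host`, so `wg_config` and the connected 192.168.20.0/24 route that `Address = 192.168.20.202/24` creates exist only inside the container's network namespace; a ping issued on the host is routed by the host's own table, where the most specific route covering 192.168.20.x is whatever bridge or default route happens to contain it. The script below performs a longest-prefix lookup over a text copy of `ip -4 route` so the two namespaces can be compared side by side. Both routing tables are constructed to mirror the issue, not captured from the reporter's system, and the bridge name `br-wg`, the host interface `enp3s0` and the 10.0.0.0/24 host LAN are invented.

```sh
#!/bin/sh
# Editor's example, not from the issue or linuxserver/docker-wireguard.
# Longest-prefix route lookup over the text form of `ip -4 route`, to show
# which interface a destination leaves on in a given network namespace.

# Dotted quad -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer, written so /0 does not overflow.
prefix_mask() {
  echo $(( 4294967296 - (1 << (32 - $1)) ))
}

# route_iface TABLE DST: print the "dev" of the most specific route in TABLE
# (one `ip route` line per entry) that covers DST; return 1 if nothing matches.
route_iface() {
  table=$1
  dst=$(ip2int "$2")
  best_len=-1
  best_if=""
  while read -r net rest; do
    [ -n "$net" ] || continue
    [ "$net" = default ] && net=0.0.0.0/0
    case $net in */*) ;; *) net=$net/32 ;; esac
    len=${net#*/}
    mask=$(prefix_mask "$len")
    iface=$(printf '%s\n' "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
    if [ $(( $(ip2int "${net%/*}") & mask )) -eq $(( dst & mask )) ] \
       && [ "$len" -gt "$best_len" ]; then
      best_len=$len
      best_if=$iface
    fi
  done <<EOF
$table
EOF
  [ -n "$best_if" ] || return 1
  echo "$best_if"
}

# Constructed tables (not captured from the reporter's host). Inside the
# container, wg-quick's Address=192.168.20.202/24 yields a connected /24 route
# on wg_config, which beats the /20 of the container's bridge. On the host, a
# hypothetical Docker bridge br-wg holding 192.168.16.0/20 is the most specific
# route covering 192.168.20.x, so nothing there ever enters the tunnel.
CONTAINER_ROUTES='default via 192.168.16.1 dev eth0
192.168.16.0/20 dev eth0 proto kernel scope link src 192.168.16.2
192.168.20.0/24 dev wg_config proto kernel scope link src 192.168.20.202'

HOST_ROUTES='default via 10.0.0.1 dev enp3s0
10.0.0.0/24 dev enp3s0 proto kernel scope link src 10.0.0.50
192.168.16.0/20 dev br-wg proto kernel scope link src 192.168.16.1'

# Where does a packet for the remote router (and for the Internet) go from each namespace?
for d in 192.168.20.1 8.8.8.8; do
  printf 'container -> %-14s via %s\n' "$d" "$(route_iface "$CONTAINER_ROUTES" "$d")"
  printf 'host      -> %-14s via %s\n' "$d" "$(route_iface "$HOST_ROUTES" "$d")"
done
```

On a live system the same question is answered by `docker exec wireguard ip route get 192.168.20.1` against `ip route get 192.168.20.1` on the host: only the first should name `dev wg_config`. The same namespace boundary accounts for step 6. The address 192.168.20.202 terminates in the container, whose kernel answers ICMP echo but has no HTTP or SSH listener, so the TCP connections are refused there, and services on the host are not reachable through it unless they share that namespace, for example another compose service declared with `network_mode: "service:wireguard"` (a standard Docker setting, not something the issue uses), or unless the tunnel container itself runs with `network_mode: host`.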
github-actions[bot] commented 3 weeks ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

rrickfox commented 3 weeks ago

One thing I also noticed is the line `s6-rc: fatal: unable to take locks: Resource busy` in the logs, which I thought would explain the issue, but issue #290 says that it should be resolved upstream?

rrickfox commented 3 weeks ago

Update: I have now switched to running WireGuard on bare metal, which now works. If the issue is therefore not needed anymore, please just close it; I would leave it open for others to see.