search

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.71k stars 559 forks source link

wireguard: cannot connect to server (configuration issue) #6388

Closed luckylinux closed 2 months ago

luckylinux commented 3 months ago

Description

Describe the bug Wireguard cannot connect to external Server. Apparently (looking at my OPNSense Router/Firewall=, there is (ALMOST) no attempt at even trying to connect to the Remote Server. I think there was like 1 connection attempt within a Day or so (and not sure if I was playing with some sysctls or what at that point).

I had setup some Wireguard stuff in my Homelab between 2 Debian Machines (without firejail & with apparmor disabled) and no problems there. Connection occurs immediately.

I don't blame it all on firejail, it might be a combination with apparmor (missing) Rules.

There is definitively some cryptic apparmor Entry in dmesg with DENIED status.

Steps to Reproduce

Steps to reproduce the behavior

This is probably not only firejail related, since the wg Program appears to be resolving to /usr/bin/wg, NOT /usr/local/bin/wg. I don't even know if there is a Wireguard Profile ...

root@HOST:/# which wg
/usr/bin/wg

Expected behavior

What you expected to happen Wireguard connecting successfully to Remote Server.

Actual behavior

What actually happened Wireguard failing / not even trying to connect to Remote Server.

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?_ Probably not relevant (see above).

Additional context

Any other detail that may help to understand/debug the problem Output of sysctl -a attached.

Environment

Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Consumed 27ms CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit wg-quick@wg0.service completed and consumed the indicated resources.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Will spawn child (service_enter_start): /usr/bin/wg-qui>
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Passing 0 fds to service
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: About to execute: /usr/bin/wg-quick up wg0
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Forked /usr/bin/wg-quick as 297436
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Changed dead -> start
Jun 19 18:51:35 HOST systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
░░ Subject: A start job for unit wg-quick@wg0.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wg-quick@wg0.service has begun execution.
░░ 
░░ The job identifier is 114526.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Child 297436 belongs to wg-quick@wg0.service.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=0/SUCCESS (suc>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStart= process belonging to unit wg-quick@wg0.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 0.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Changed start -> exited
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Job 114526 wg-quick@wg0.service/start finished, result=>
Jun 19 18:51:35 HOST systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.
░░ Subject: A start job for unit wg-quick@wg0.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wg-quick@wg0.service has finished successfully.
░░ 
░░ The job identifier is 114526.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Failed to send unit change signal for wg-quick@wg0.serv>
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Control group is empty.

Checklist

Log

Output of LC_ALL=C firejail /path/to/program

``` output goes here ```

Output of LC_ALL=C firejail --debug /path/to/program

``` output goes here ```

luckylinux commented 3 months ago

sysctl.txt

kmk3 commented 3 months ago

There is definitively some cryptic apparmor Entry in dmesg with DENIED status.

This looks like a potential duplicate of #6389.

Does the problem still happen after running sudo firecfg --clean and rebooting?

This is probably not only firejail related, since the wg Program appears to be resolving to /usr/bin/wg, NOT /usr/local/bin/wg. I don't even know if there is a Wireguard Profile ...

There isn't.

root@HOST:/# which wg
/usr/bin/wg

What is the output of the following commands:

which -a wg
ls -l /usr/bin/wg
luckylinux commented 3 months ago

What is the output of the following commands:

which -a wg
ls -l /usr/bin/wg
root@HOST:/# which -a wg
/usr/bin/wg
/bin/wg
root@HOST:/# ls -l /usr/bin/wg
-rwxr-xr-x 1 root root 101672 Apr  8 18:22 /usr/bin/wg
kmk3 commented 2 months ago 
root@HOST:/# which -a wg
/usr/bin/wg
/bin/wg
root@HOST:/# ls -l /usr/bin/wg
-rwxr-xr-x 1 root root 101672 Apr  8 18:22 /usr/bin/wg

So wireguard does not have a profile and is not using any symlinks either.

Does the problem still happen after running sudo firecfg --clean and rebooting?

This question still remains.

If you can demonstrate that the issue is indeed caused by firejail, feel free to add a comment.

Closing as a likely duplicate of #6389.

luckylinux commented 2 months ago

@kmk3: Sorry for the Trouble :disappointed:.

Actually this specific Issue one was neither caused by firejail neither by System Hardening.

I needed to add this to the end of /etc/wireguard/wg0.conf on both Server and Client at the End of the [Peer] Section:

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

Then it works like a Charm :+1:.