ngoduykhanh / wireguard-ui

Wireguard web interface
MIT License
4.03k stars 499 forks

Wireguard Clients stopped connecting since last docker update #513

Closed jkksanders closed 8 months ago

jkksanders commented 9 months ago

Hi

I had clients connecting to my docker wireguard server just fine until recently. I looked at the server settings and noticed a "Pre Down Script" field that was never there before. Do I need to put anything in there? If so, do I need to recreate my client connections?

I know all my ports are forwarded just fine, but for the life of me I can't figure out why my clients won't communicate properly. Here's a rundown of what happens when a client connects: it shows 0 RX packets transmitted but there is a flow of TX packets, so it looks like it is connecting or trying to connect but not communicating properly. If anyone can help that would be great. Cheers.

karbrueggen1 commented 9 months ago

Same problem with our installation. Client connection not possible, WireGuard-ui status shows no clients.

docker Log:

[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
/usr/bin/wg-quick: line 295: iptables: command not found
[#] ip link delete dev wg0

edit: with tag 0.5.2 it’s running again, will stay there until update.

ngoduykhanh/wireguard-ui:0.5.2

ngoduykhanh commented 9 months ago

I have just tested the latest image built from commit 45849a2. It works fine for me. @jkksanders No, you don't need to configure the Pre Down Script field if you don't need it. Please try to debug from the shell to see what the current status of your WireGuard server is. Like, the output of the wg command or systemctl status wg-quick@wg0.service.

@karbrueggen1 do you have iptables command available on your host machine? Usually, it is in /usr/sbin/iptables. Please make sure it is available in the PATH environment variable of the user who runs the Wireguard server. You can try to use the absolute path of iptables command as well.

karbrueggen1 commented 9 months ago

Hi, yes iptables is available on the host system. Also tried to run the container as root, but got the same error.

I'm using the system compose file btw.


jkksanders commented 9 months ago

What does the Pre Down Script do?

Btw I'm running all of this in portainer. I've checked logs in both wireguard and wireguard ui and nothing out of the ordinary has popped up.

I've updated my PATH but still no further forward:

/usr/sbin/iptables:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Not sure what else to check

jkksanders commented 9 months ago

Ah, just checked and I have this error...

[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/bin/wg-quick: line 295: iptables: command not found

jkksanders commented 9 months ago

Ok, I reverted the PATH to the original on Wireguard UI and changed the PATH on the Wireguard Server to include the mentioned iptables directory, and I'm getting no errors in my logs, so that's a plus. But when my clients connect I'm still getting 0 RX and multiple bytes in the TX, and the clients are issued an IP address, but there's no full communication and I cannot access resources on my network.

nebulosa2007 commented 9 months ago

> What does the Pre Down Script do?

It does nothing if you leave it empty. It's my PR #480

The problem is something else; a lot of commits were added in the last 2 weeks.

jkksanders commented 9 months ago

> > What does the Pre Down Script do?
>
> It does nothing if you leave it empty. It's my PR #480
>
> The problem is something else; a lot of commits were added in the last 2 weeks.

Ah gotcha, OK, so nothing to worry about there. I've noticed some people seem to have reverted back to a previous version of WireGuard and WireGuard UI as a workaround. Is this a true workaround?

Cheers

jkksanders commented 9 months ago

Huzzah!!!

Workaround: reverted back to WireGuard UI version 0.5.2. This version seems to work better than the latest. Not sure what's changed, but it seems to be a bug.

I'll keep running this version until it's fixed. Thank you all for your time and happy new year.

Cheers

davidclaeysquinones commented 8 months ago

Can confirm I had exactly the same issue. Reverting to the previous image fixed things again.

bitdruid commented 8 months ago

Same problem. PATH is set correctly but somehow iptables is not found. I played around a bit and it seems that the container is nearly ignoring PATH.

lustrant commented 8 months ago

> @karbrueggen1 do you have iptables command available on your host machine? Usually, it is in /usr/sbin/iptables. Please make sure it is available in the PATH environment variable of the user who runs the Wireguard server. You can try to use the absolute path of iptables command as well.

Hello @ngoduykhanh

The problem is that you need to have the iptables within the image.

Please change the Dockerfile:

change line: RUN apk --no-cache add ca-certificates wireguard-tools jq

to: RUN apk --no-cache add ca-certificates wireguard-tools jq iptables

This should do the trick. Apparently, the latest alpine does not have the iptables within; or it was built before with those, but not anymore.

bitdruid commented 8 months ago

> > @karbrueggen1 do you have iptables command available on your host machine? Usually, it is in /usr/sbin/iptables. Please make sure it is available in the PATH environment variable of the user who runs the Wireguard server. You can try to use the absolute path of iptables command as well.
>
> Hello @ngoduykhanh
>
> The problem is that you need to have the iptables within the image.
>
> Please change the Dockerfile:
>
> change line: RUN apk --no-cache add ca-certificates wireguard-tools jq
>
> to: RUN apk --no-cache add ca-certificates wireguard-tools jq iptables
>
> This should do the trick. Apparently, the latest alpine does not have the iptables within; or it was built before with those, but not anymore.

confirmed as the solution. alpine 3.19 lacks iptables, while 3.16 includes it.

ngoduykhanh commented 8 months ago

Thanks guys, I added iptables package in PR https://github.com/ngoduykhanh/wireguard-ui/pull/520. Please try the latest image again if it still has an issue with missing iptables

bitdruid commented 8 months ago

> Thanks guys, I added iptables package in PR #520. Please try the latest image again if it still has an issue with missing iptables

tested and solved
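
The failure in this thread was a PostUp hook calling a binary that the image no longer shipped. As an added example (not part of the thread or of the wireguard-ui project), this POSIX shell script lists the commands named in a config's PreUp/PostUp/PreDown/PostDown hooks that are not executable on a given search path; `in_path`, `missing_hook_cmds`, `sample_conf` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report wg-quick hook commands that are not on a search path.
# Limits: simple hooks only; quoting, variables and shell builtins are not handled.

# in_path CMD SEARCH_PATH: succeed if CMD is an executable file on SEARCH_PATH.
in_path() (
    case $1 in */*) [ -x "$1" ] && exit 0; exit 1 ;; esac
    IFS=:; set -f
    for dir in $2; do
        [ -x "${dir:-.}/$1" ] && exit 0
    done
    exit 1
)

# missing_hook_cmds CONF [SEARCH_PATH]: print each missing command once.
missing_hook_cmds() (
    search=${2:-$PATH}
    # Keep only the values of the four hook keys, drop fd redirections such as
    # 2>&1, then split on ; | & so every line starts with a command name.
    sed -n -E 's/^[[:space:]]*(PreUp|PostUp|PreDown|PostDown)[[:space:]]*=//p' "$1" |
        sed -E 's/[0-9]*>&[0-9-]+//g' |
        tr ';|&' '\n\n\n' |
        while read -r cmd rest; do
            [ -n "$cmd" ] || continue
            in_path "$cmd" "$search" || printf '%s\n' "$cmd"
        done | sort -u
)

# Constructed sample config; the PostUp line is the hook from the logs above.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.252.1.0/24
ListenPort = 51820
PrivateKey = <placeholder>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip -s link show %i
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Demo: check the sample against the PATH of whatever environment runs this.
tmp=$(mktemp) && sample_conf >"$tmp" && missing_hook_cmds "$tmp"
rm -f "$tmp"
```

Run it in the same container or host that executes wg-quick, since that is the filesystem and PATH the hooks actually see.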