qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.93k stars 367 forks

Bug: [vpn] cannot add Wireguard link: file exists #1669

Closed adyanth closed 1 year ago

adyanth commented 1 year ago

Is this urgent?

~No~ Yes (cannot deploy)

Host OS

Kubernetes (k3s 1.26) over Photon OS 4.0

CPU arch

x86_64

VPN service provider

Windscribe

What are you using to run the container

Kubernetes

What is the version of Gluetun

Running version latest built on 2023-06-08T22:48:56.392Z (commit ea19914)

What's the problem 🤔

VPN does not come up. Error seems to be related to netlink. Tried both with and without /dev/net/tun mounted.

Share your logs

2023-06-09T03:56:39Z DEBUG [wireguard] Wireguard server public key: fvmyuUJF8JvjzIts5bROwwZQ0zkSB7lk/q8E4G3+F20=
2023-06-09T03:56:39Z DEBUG [wireguard] Wireguard client private key: 
2023-06-09T03:56:39Z DEBUG [wireguard] Wireguard pre-shared key: 
2023-06-09T03:56:39Z INFO [firewall] allowing VPN connection...
2023-06-09T03:56:39Z INFO [wireguard] Using available kernelspace implementation
2023-06-09T03:56:39Z DEBUG [wireguard] closing controller client...
2023-06-09T03:56:39Z ERROR [vpn] cannot add Wireguard link: file exists
2023-06-09T03:56:39Z INFO [vpn] retrying in 2m0s
2023-06-09T03:58:39Z DEBUG [wireguard] Wireguard server public key:
2023-06-09T03:58:39Z DEBUG [wireguard] Wireguard client private key: 
2023-06-09T03:58:39Z DEBUG [wireguard] Wireguard pre-shared key: 
2023-06-09T03:58:39Z INFO [firewall] allowing VPN connection...
2023-06-09T03:58:39Z DEBUG [firewall] iptables --delete OUTPUT -d <> -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2023-06-09T03:58:39Z DEBUG [firewall] iptables --delete OUTPUT -o tun0 -j ACCEPT
2023-06-09T03:58:39Z DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
2023-06-09T03:58:39Z DEBUG [firewall] iptables --append OUTPUT -d <> -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2023-06-09T03:58:39Z DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-06-09T03:58:39Z DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2023-06-09T03:58:39Z INFO [wireguard] Using available kernelspace implementation
2023-06-09T03:58:39Z DEBUG [wireguard] closing controller client...
2023-06-09T03:58:39Z ERROR [vpn] cannot add Wireguard link: file exists
2023-06-09T03:58:39Z INFO [vpn] retrying in 4m0s

Share your configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg
spec:
  selector:
    matchLabels:
      app: wg
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wg
    spec:
      volumes:
        - name: dev-net-tun
          hostPath:
            path: /dev/net/tun
      dnsConfig:
        nameservers:
          - 1.1.1.1
      containers:
        - name: windscribe
          image: qmcgaw/gluetun:latest
          volumeMounts:
            - mountPath: /dev/net/tun
              name: dev-net-tun
          env:
            - name: VPN_SERVICE_PROVIDER
              value: windscribe
            - name: VPN_TYPE
              value: wireguard
            - name: SERVER_REGIONS
              value: US West
            - name: SERVER_CITIES
              value: Los Angeles
            - name: HTTPPROXY
              value: "on"
            - name: LOG_LEVEL
              value: debug
          envFrom:
            - secretRef:
                name: windscribe
          ports:
            - containerPort: 8888
          securityContext:
            capabilities:
              add:
              - NET_ADMIN
          resources:
            requests:
              memory: "8Mi"
              cpu: "1m"
            limits:
              memory: "128Mi"
              cpu: "100m"
          livenessProbe:
            initialDelaySeconds: 5
            periodSeconds: 30
            exec:
              command:
                - sh
                - -c
                - ping -c 1 -W 1 -q 1.1.1.1 >/dev/null
qdm12 commented 1 year ago

  1. Was it working on image tag v3.34?
  2. Have you tried changing the name of the vpn interface, i.e. VPN_INTERFACE=tun5? Maybe there is a tun0 interface already present in the system 🤔
adyanth commented 1 year ago

I am setting it up for the first time, new user here :) I tried v3.34.3 and latest. Both failed.

Interesting. Let me check this out. There should not be any tun devices, but there was a VPN container before which used to work with free Windscribe accounts using the windscribe CLI. Maybe that left over something?

adyanth commented 1 year ago

No, it did not help. Same error message with tun5.

adyanth commented 1 year ago

Okay, I did not actually bother checking if the connectivity works because it logged as an ERROR. I just tried it and I do have VPN connectivity. But the logs still show constant retrying with the same message. Thoughts? Edit: Also, every time it retries, it drops the VPN connection too.

adyanth commented 1 year ago

Any thoughts on this? This bug is preventing me from setting up the deployment, since it reconnects to the VPN every 30 seconds.

qdm12 commented 1 year ago

Sorry for the delay; what's the output from:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.18 ip link
qdm12 commented 1 year ago

Pushed commit 4292a500aedd65e6ffac9605f1a1b7c78397a227 for the latest image, this should remove the Wireguard link named tun0 (depending on WIREGUARD_INTERFACE) before trying to add it, maybe also have a try see if it solves it? Even if it solves it, it would be nice to understand why this link exists before, since it could mess up a wireguard link on your host perhaps...

adyanth commented 1 year ago

Here is the output, I don't see a tun0.

❯ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
    - name: alpine
      image: 'alpine:3.18'
      command:
        - ip
      args:
        - link
      securityContext:
        capabilities:
          add:
            - CAP_NET_ADMIN

❯ k apply -f pod.yaml
pod/test created
❯ k logs test
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if123: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue state UP 
    link/ether b2:36:f4:b1:38:e9 brd ff:ff:ff:ff:ff:ff
adyanth commented 1 year ago

Also, if you missed my edit above:

I did not actually bother checking if the connectivity works because it logged as an ERROR. I just tried it and I do have VPN connectivity. But the logs still show constant retrying with the same message. Every time it retries, it drops the VPN connection too.

qdm12 commented 1 year ago

Have you tried the latest image (pull it again) to see if it fixes that error you were getting?

Also, if you missed my edit above:

Wait so despite that error you do have connectivity working??? That is so strange...

adyanth commented 1 year ago

I did, still the same issue on the latest tag.

2023-06-11T17:15:44Z INFO [firewall] allowing VPN connection...
2023-06-11T17:15:44Z INFO [wireguard] Using available kernelspace implementation
2023-06-11T17:15:44Z ERROR [vpn] cannot add Wireguard link: file exists
2023-06-11T17:15:44Z INFO [vpn] retrying in 15s
2023-06-11T17:15:44Z INFO [healthcheck] healthy!
2023-06-11T17:15:59Z INFO [firewall] allowing VPN connection...
2023-06-11T17:15:59Z INFO [wireguard] Using available kernelspace implementation
2023-06-11T17:15:59Z ERROR [vpn] cannot add Wireguard link: file exists
2023-06-11T17:15:59Z INFO [vpn] retrying in 30s

Exactly!! I was surprised I have connectivity after an ERROR log. I can use it as usual for 30 seconds or so, after which it retries by removing and re-adding firewall rules, at which point I get disconnected. If just that retry behavior is removed, my problem would be fixed, but I'd rather see why that error shows up in the first place.

qdm12 commented 1 year ago

Sorry the latest image didn't build (due to a linting code quality error), this just got fixed in 83826e125368d7b857109b7eeb4234211e734a2e can you try again pulling the latest image 🙏 Thanks!

adyanth commented 1 year ago

These are the logs, new behavior now, it never connects?

2023-06-12T14:56:29Z INFO [firewall] allowing VPN connection...
2023-06-12T14:56:29Z INFO [wireguard] Using available kernelspace implementation
2023-06-12T14:56:29Z INFO [wireguard] Connecting to 89.187.187.99:1194
2023-06-12T14:56:29Z ERROR [vpn] setting up IPv6: adding IPv6 rule: %!w(<nil>)
2023-06-12T14:56:29Z INFO [vpn] retrying in 15s
2023-06-12T14:56:35Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)
2023-06-12T14:56:44Z INFO [firewall] allowing VPN connection...
2023-06-12T14:56:44Z INFO [wireguard] Using available kernelspace implementation
2023-06-12T14:56:44Z INFO [wireguard] Connecting to 185.152.67.227:1194
2023-06-12T14:56:44Z ERROR [vpn] setting up IPv6: adding IPv6 rule: %!w(<nil>)
2023-06-12T14:56:44Z INFO [vpn] retrying in 30s
2023-06-12T14:56:46Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)

Looks like something to do with IPv6? When using the native Wireguard container, I had to modify the wg config to remove listening on ::0 to disable IPv6. Is there something similar for GlueTun? I did not see anything in the docs that popped out.

adyanth commented 1 year ago

Here are the debug level logs:

2023-06-12T15:10:08Z INFO [routing] default route found: interface eth0, gateway 10.42.5.1, assigned IP 10.42.5.8 and family v4
2023-06-12T15:10:08Z INFO [routing] local ethernet link found: eth0
2023-06-12T15:10:08Z INFO [routing] local ipnet found: 10.42.5.0/24
2023-06-12T15:10:08Z INFO [routing] local ipnet found: fe80::/64
2023-06-12T15:10:08Z INFO [firewall] enabling...
2023-06-12T15:10:08Z DEBUG [firewall] iptables --policy INPUT DROP
2023-06-12T15:10:08Z DEBUG [firewall] iptables --policy OUTPUT DROP
2023-06-12T15:10:08Z DEBUG [firewall] iptables --policy FORWARD DROP
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --policy INPUT DROP
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --policy OUTPUT DROP
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --policy FORWARD DROP
2023-06-12T15:10:08Z DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append INPUT -i lo -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append OUTPUT -o lo -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 10.42.5.8 -d 10.42.5.0/24 -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -s fe80::4013:40ff:fe81:57b2 -d fe80::/64 -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] iptables --append INPUT -i eth0 -d 10.42.5.0/24 -j ACCEPT
2023-06-12T15:10:08Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-06-12T15:10:08Z INFO [firewall] enabled successfully
2023-06-12T15:10:11Z INFO [storage] creating /gluetun/servers.json with 17678 hardcoded servers
2023-06-12T15:10:12Z DEBUG [netlink] IPv6 is supported by link eth0
2023-06-12T15:10:12Z INFO Alpine version: 3.18.0
2023-06-12T15:10:12Z INFO OpenVPN 2.5 version: 2.5.8
2023-06-12T15:10:12Z INFO OpenVPN 2.6 version: 2.6.4
2023-06-12T15:10:12Z INFO Unbound version: 1.17.1
2023-06-12T15:10:12Z INFO IPtables version: v1.8.9
2023-06-12T15:10:12Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: windscribe
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Regions: us west
|   |       ├── Cities: los angeles
|   |       ├── Hostnames: us-west-040.whiskergalaxy.com, us-west-066.whiskergalaxy.com, us-west-069.whiskergalaxy.com
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: 
|       ├── Pre-shared key: 
|       ├── Interface addresses:
|       |   └── <>
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Input ports:
|       └── 9091
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: no
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-06-12T15:10:12Z INFO [routing] default route found: interface eth0, gateway 10.42.5.1, assigned IP 10.42.5.8 and family v4
2023-06-12T15:10:12Z DEBUG [routing] ip rule add from 10.42.5.8/32 lookup 200 pref 100
2023-06-12T15:10:12Z INFO [routing] adding route for 0.0.0.0/0
2023-06-12T15:10:12Z DEBUG [routing] ip route replace 0.0.0.0/0 via 10.42.5.1 dev eth0 table 200
2023-06-12T15:10:12Z INFO [firewall] setting allowed subnets...
2023-06-12T15:10:12Z INFO [routing] default route found: interface eth0, gateway 10.42.5.1, assigned IP 10.42.5.8 and family v4
2023-06-12T15:10:12Z DEBUG [routing] ip rule add to 10.42.5.0/24 lookup 254 pref 98
2023-06-12T15:10:12Z DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-06-12T15:10:12Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-06-12T15:10:12Z INFO [firewall] setting allowed input port 9091 through interface eth0...
2023-06-12T15:10:12Z DEBUG [firewall] iptables --append INPUT -i eth0 -p tcp --dport 9091 -j ACCEPT
2023-06-12T15:10:12Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -p tcp --dport 9091 -j ACCEPT
2023-06-12T15:10:12Z DEBUG [firewall] iptables --append INPUT -i eth0 -p udp --dport 9091 -j ACCEPT
2023-06-12T15:10:12Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -p udp --dport 9091 -j ACCEPT
2023-06-12T15:10:13Z INFO [http server] http server listening on [::]:8000
2023-06-12T15:10:13Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-06-12T15:10:13Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-06-12T15:10:13Z DEBUG [wireguard] Wireguard server public key: 
2023-06-12T15:10:13Z DEBUG [wireguard] Wireguard client private key: 
2023-06-12T15:10:13Z DEBUG [wireguard] Wireguard pre-shared key: 
2023-06-12T15:10:13Z INFO [firewall] allowing VPN connection...
2023-06-12T15:10:13Z DEBUG [firewall] iptables --append OUTPUT -d 89.187.187.99 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2023-06-12T15:10:13Z INFO [http proxy] listening on :8888
2023-06-12T15:10:13Z DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-06-12T15:10:13Z DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2023-06-12T15:10:13Z INFO [wireguard] Using available kernelspace implementation
2023-06-12T15:10:13Z INFO [wireguard] Connecting to 89.187.187.99:1194
2023-06-12T15:10:13Z DEBUG [wireguard] closing controller client...
2023-06-12T15:10:13Z DEBUG [wireguard] shutting down link...
2023-06-12T15:10:13Z DEBUG [wireguard] deleting link...
2023-06-12T15:10:13Z ERROR [vpn] setting up IPv6: adding IPv6 rule: %!w(<nil>)
2023-06-12T15:10:13Z INFO [vpn] retrying in 15s
Gylesie commented 1 year ago

I had to modify the wg config to remove listening on ::0 to disable IPv6. Is there something similar for GlueTun?

You can try disabling ipv6 in the container by setting the sysctl net.ipv6.conf.all.disable_ipv6=1.

adyanth commented 1 year ago

That needed me to allowlist the sysctls on all nodes (running on k8s here) :) Did not fix it, but new error message, yay! This points to more of an iptables issue?

2023-06-12T16:47:38Z ERROR [vpn] adding IPv4 rule: adding rule ip rule 101: from all to all table 51820: file exists

2023-06-12T16:47:38Z INFO [firewall] allowing VPN connection...
2023-06-12T16:47:38Z DEBUG [firewall] iptables --delete OUTPUT -d 185.152.67.227 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2023-06-12T16:47:38Z DEBUG [firewall] iptables --delete OUTPUT -o tun0 -j ACCEPT
2023-06-12T16:47:38Z DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
2023-06-12T16:47:38Z DEBUG [firewall] iptables --append OUTPUT -d 89.187.185.35 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2023-06-12T16:47:38Z DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-06-12T16:47:38Z DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2023-06-12T16:47:38Z INFO [wireguard] Using available kernelspace implementation
2023-06-12T16:47:38Z INFO [wireguard] Connecting to 89.187.185.35:1194
2023-06-12T16:47:38Z DEBUG [wireguard] closing controller client...
2023-06-12T16:47:38Z DEBUG [wireguard] shutting down link...
2023-06-12T16:47:38Z ERROR [vpn] adding IPv4 rule: adding rule ip rule 101: from all to all table 51820: file exists
2023-06-12T16:47:38Z INFO [vpn] retrying in 30s
2023-06-12T16:47:38Z DEBUG [wireguard] deleting link...
2023-06-12T16:47:40Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)
adyanth commented 1 year ago

https://github.com/qdm12/gluetun/blob/83826e125368d7b857109b7eeb4234211e734a2e/internal/wireguard/run.go#L124

Seems to originate from here, which again is done by the github.com/vishvananda/netlink package interacting with iptables. Not sure why that is.
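
The `ip link` check qdm12 asked for above, extended to `ip rule show` now that the error names rule preference 101 and table 51820. This is an added example, not gluetun code or anything from this thread's participants: a small Go program that parses the two command outputs and reports whatever would collide with the link and rule gluetun tries to add (the netlink "file exists" is EEXIST on exactly such a collision). Run `ip link show` and `ip rule show` inside the pod's own network namespace and feed the text in; a container in the same pod shares that namespace, while a separate scratch pod like the alpine one above gets a fresh one, which is a caveat worth keeping in mind when reading its clean output. The sample output embedded below is constructed, and the `tun0` link and the table 51820 rule in it are hypothetical; the function and field names are mine.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule is one entry of `ip rule show`, e.g. "101:\tfrom all lookup 51820".
type Rule struct {
	Pref  int
	Table string // lookup target as printed: "main", "200", "51820", ...
	Raw   string
}

// ParseRules parses the text output of `ip rule show`, one rule per line.
func ParseRules(out string) ([]Rule, error) {
	var rules []Rule
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		prefStr, rest, ok := strings.Cut(line, ":")
		pref, err := strconv.Atoi(strings.TrimSpace(prefStr))
		if !ok || err != nil {
			return nil, fmt.Errorf("unparseable rule line %q", line)
		}
		r := Rule{Pref: pref, Raw: line}
		if i := strings.Index(rest, " lookup "); i >= 0 { // "not", "from", "fwmark" stay in Raw only
			r.Table = strings.Fields(rest[i+8:])[0]
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// ParseLinkNames turns `ip link show` output into names: "2: eth0@if123: <...>" yields "eth0".
func ParseLinkNames(out string) []string {
	var names []string
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if line == "" || line[0] == ' ' || len(f) < 2 || !strings.HasSuffix(f[0], ":") {
			continue // blank or indented continuation line ("    link/ether ...")
		}
		name := strings.TrimSuffix(f[1], ":")
		if at := strings.Index(name, "@"); at >= 0 { // veth ends print as eth0@if123
			name = name[:at]
		}
		names = append(names, name)
	}
	return names
}

// Findings lists what makes gluetun's kernelspace Wireguard setup fail with "file exists":
// a link already named iface, a rule at preference 101, or a rule pointing at table 51820.
func Findings(linkOut, ruleOut, iface string) ([]string, error) {
	var out []string
	for _, n := range ParseLinkNames(linkOut) {
		if n == iface {
			out = append(out, fmt.Sprintf("link %q already exists: delete it or set WIREGUARD_INTERFACE to a free name", n))
		}
	}
	rules, err := ParseRules(ruleOut)
	if err != nil {
		return nil, err
	}
	for _, r := range rules {
		if r.Pref == 101 {
			out = append(out, fmt.Sprintf("rule preference 101 already taken: %q", r.Raw))
		} else if r.Table == "51820" {
			out = append(out, fmt.Sprintf("table 51820 already referenced: %q", r.Raw))
		}
	}
	return out, nil
}

// Constructed sample: the alpine pod output above plus a stale tun0 link and a stale
// rule for table 51820 (hypothetical, to show what a conflict looks like).
const sampleLinks = `2: eth0@if123: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue state UP
    link/ether b2:36:f4:b1:38:e9 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN qlen 1000
`

const sampleRules = "0:\tfrom all lookup local\n" +
	"101:\tfrom all lookup 51820\n" +
	"32766:\tfrom all lookup main\n" +
	"32767:\tfrom all lookup default\n"

func main() {
	findings, err := Findings(sampleLinks, sampleRules, "tun0")
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("conflict:", f)
	}
}
```

Pass the value of WIREGUARD_INTERFACE as the third argument of Findings when it is not the default tun0. An empty result on the namespace gluetun actually runs in means the "file exists" is not coming from leftovers, which narrows the search to gluetun's own setup sequence, the thing the delete-before-add change in 4292a500aedd65e6ffac9605f1a1b7c78397a227 papers over rather than explains.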

adyanth commented 1 year ago

Switching to OpenVPN works, so it does not look like anything to do with the tun device or permissions. Not sure what else I can try.

qdm12 commented 1 year ago

  1. If that's not too much to ask, maybe try the latest image again and check what was that error when adding IPv6 rule happens?
  2. Now adding IPv4 rule: adding rule ip rule 101: from all to all table 51820: file exists I could also change this to replace the ip rule, but this is plain strange, why is everything already existing 😄 And all this always happens on the first wireguard setup try right??
adyanth commented 1 year ago

@qdm12 Yes, it used to happen the very first time too.

It is working just fine now on v3.35.0, thank you!

2023-07-06T01:48:04Z INFO [routing] default route found: interface eth0, gateway ..., assigned IP ... and family v4
2023-07-06T01:48:04Z DEBUG [routing] ip rule add from ... lookup 200 pref 100
2023-07-06T01:48:04Z INFO [routing] adding route for 0.0.0.0/0
2023-07-06T01:48:04Z DEBUG [routing] ip route replace 0.0.0.0/0 via ... dev eth0 table 200
2023-07-06T01:48:04Z INFO [firewall] setting allowed subnets...
2023-07-06T01:48:04Z INFO [routing] default route found: interface eth0, gateway ..., assigned IP ... and family v4
2023-07-06T01:48:04Z DEBUG [routing] ip rule add to ... lookup 254 pref 98
2023-07-06T01:48:04Z INFO [firewall] setting allowed input port 9091 through interface eth0...
2023-07-06T01:48:04Z DEBUG [firewall] iptables --append INPUT -i eth0 -p tcp --dport 9091 -j ACCEPT
2023-07-06T01:48:04Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -p tcp --dport 9091 -j ACCEPT
2023-07-06T01:48:04Z DEBUG [firewall] iptables --append INPUT -i eth0 -p udp --dport 9091 -j ACCEPT
2023-07-06T01:48:04Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -p udp --dport 9091 -j ACCEPT
2023-07-06T01:48:04Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-07-06T01:48:04Z INFO [http proxy] listening on :8888
2023-07-06T01:48:04Z INFO [http server] http server listening on [::]:8000
2023-07-06T01:48:04Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-06T01:48:04Z DEBUG [wireguard] Wireguard server public key: ...
2023-07-06T01:48:04Z DEBUG [wireguard] Wireguard client private key: iIF...Ho=
2023-07-06T01:48:04Z DEBUG [wireguard] Wireguard pre-shared key: kN0...Io=
2023-07-06T01:48:04Z INFO [firewall] allowing VPN connection...
2023-07-06T01:48:04Z DEBUG [firewall] iptables --append OUTPUT -d ... -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2023-07-06T01:48:04Z DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-06T01:48:04Z DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2023-07-06T01:48:04Z INFO [wireguard] Using available kernelspace implementation
2023-07-06T01:48:04Z INFO [wireguard] Connecting to ...
2023-07-06T01:48:04Z INFO [wireguard] Wireguard is up
2023-07-06T01:48:05Z INFO [ip getter] Public IP address is ...
2023-07-06T01:48:05Z INFO [vpn] You are running 5 commits behind the most recent latest
2023-07-06T01:48:05Z INFO [healthcheck] healthy!
qdm12 commented 1 year ago

Oh ok very strange, I might revert the change to replace the existing link in the future.