thrnz / docker-wireguard-pia

A Docker container for using Wireguard with PIA.

QNAP QTS 5.0 "iptables-restore v1.8.8 (legacy): iptables-restore: unable to initialize table 'raw'" #49

Open kosgitcat opened 2 years ago

kosgitcat commented 2 years ago

I have recently upgraded my home server to a QNAP TVS-h1688X NAS/Server and am currently porting over all of my docker containers, however I am running into an issue getting this docker container running on the new server.

Here is my compose.yml

---
version: '3'
services:
  vpn:
    image: thrnz/docker-wireguard-pia
    container_name: vpn
    cap_add:
      - NET_ADMIN
    volumes:
      - '/share/Docker/config/vpn/pia:/pia'
      - '/share/Docker/config/vpn/wireguard:/etc/wireguard'
      - '/dev/net/tun:/dev/net/tun'
    environment:
      - PUID=(redacted)
      - GUID=(redacted)
      - TZ=America/Chicago
      - LOC=ca_ontario
      - USER=(redacted)
      - PASS=(redacted)
      - PORT_FORWARDING=1
      - FIREWALL=1
      - KEEPALIVE=25
      - EXIT_ON_FATAL=1
      - LOCAL_NETWORK=192.168.0.0/16
      - PORT_FILE=/pia/forwarded_port
    ports:
      - '(redacted)' #deluge
      - '(redacted)' #delugedaemon
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    privileged: true
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 30s
      timeout: 10s
      retries: 3
    restart: always

Here is the error that I am encountering when spinning the container up:

Warning: `/etc/wireguard/wg0.conf' is world accessible
wg-quick: `wg0' is not a WireGuard interface
Fetching next-gen PIA server list
Verified OK
Verified server list
Registering public key with PIA endpoint; id: ca_ontario, cn: ontario411, ip: (redacted)
Generating /etc/wireguard/wg0.conf
Using PIA DNS servers: 10.0.0.243,10.0.0.242
Port forwarding is available at this location
Successfully generated /etc/wireguard/wg0.conf
Sun Jun  5 15:24:06 UTC 2022: Bringing up WireGuard interface wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add (redacted) dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
iptables-restore v1.8.8 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
Sun Jun  5 15:24:06 UTC 2022: Fatal error

While the compose file hasn't changed from one server to the next, and it was running successfully on the old server, nevertheless I've tried using - NFTABLES=1, WG_USERSPACE=1 and even - ALLOWEDIPS=0.0.0.0/1,128.0.0.0/1 even though I do not think that latter is implemented here. I've also tried multiple other potential solutions outside modifying the compose.yml file, of which I couldn't begin to remember, none of which had any change on the results here.

I'm afraid I'm at a complete loss as to where to go from here.

Edit: Additional info: I'm running this through ContainerStation v2.6.0.483 on QNAP firmware QTS 5.0.1.2034

thrnz commented 2 years ago

This is probably the same as issue #39. wg-quick requires a missing kernel module to do its thing. Apart from making sure the missing module is available, I'm afraid I'm not sure how else to suggest working around it.

AllowedIPs in the generated wg0.conf can't be set using an env var in this container at this stage, though if it's something that people need to modify I could probably add it as an option. You would otherwise need to modify wg-gen.sh directly to change it.

kosgitcat commented 2 years ago

Thanks for the response. I looked into trying to install the legacy iptables modules, but it doesn't look like it's possible with this company's NAS devices. At least, not through any means that someone with beginner knowledge would be able to accomplish.

I did consider modifying the wg-gen.sh, but I'm not exactly sure what I need to change to get it to work. My assumption was the part where it was requesting 0.0.0.0/0, but that's just a wild guess on my part and I am the aforementioned beginner.

kosgitcat commented 2 years ago

Okay, so I modified the wg-gen.sh to replace the AllowedIPs to = 0.0.0.0/1, 128.0.0.0/1 and got a little further along, but I am running into a new issue:

Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link delete dev wg0
[#] resolvconf -d wg0 -f
Fetching next-gen PIA server list
Verified OK
Verified server list
Registering public key with PIA endpoint; id: ca_ontario, cn: ontario409, ip: (redacted)
Generating /etc/wireguard/wg0.conf
Using PIA DNS servers: 10.0.0.243,10.0.0.242
Port forwarding is available at this location
Successfully generated /etc/wireguard/wg0.conf
Mon Jun  6 00:19:31 UTC 2022: Bringing up WireGuard interface wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add (redacted) dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 128.0.0.0/1 dev wg0
[#] ip -4 route add 0.0.0.0/1 dev wg0

interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 53989

peer: (redacted)
  endpoint: (redacted)
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds

Mon Jun  6 00:19:31 UTC 2022: WireGuard successfully started
Mon Jun  6 00:19:31 UTC 2022: Allowing network access to 172.(redacted)/22 on eth0
iptables v1.8.8 (legacy): mark: bad integer value for option "--mark", or out of range.

Try `iptables -h' or 'iptables --help' for more information.
Mon Jun  6 00:19:31 UTC 2022: Firewall enabled: Blocking non-WireGuard traffic
Mon Jun  6 00:19:31 UTC 2022: Allowing network access to 192.168.0.0/16
Mon Jun  6 00:19:31 UTC 2022: Adding route to 192.168.0.0/16
Mon Jun  6 00:19:31 UTC 2022: Starting port forward script
Mon Jun  6 00:19:31 UTC 2022: Verifying API requests. CN: ontario409
Mon Jun  6 00:19:31 UTC 2022: Getting PF token
curl: (28) Connection timed out after 15000 milliseconds
curl: (28) Connection timed out after 15000 milliseconds
curl: (28) Connection timed out after 15000 milliseconds
curl: (28) Connection timed out after 15000 milliseconds
curl: (28) Connection timed out after 15000 milliseconds
curl: (28) Connection timed out after 15000 milliseconds
Mon Jun  6 00:22:16 UTC 2022: getSignature error

Mon Jun  6 00:22:16 UTC 2022: Fatal error

kosgitcat commented 2 years ago

It's this line right here in the run script that's having a problem:

iptables -I OUTPUT -m mark --mark "$(wg show wg0 fwmark)" -j ACCEPT

Running that manually in the terminal gives the same output error of iptables v1.8.8 (legacy): mark: bad integer value for option "--mark", or out of range.

When I check the output of wg show wg0 fwmark, this is the result I get:

bash-5.1# wg show wg0 fwmark
off

thrnz commented 2 years ago

The container uses wg-quick to do all the basic network setup for Wireguard and assumes it was all successful (wg-quick hard fails if something goes wrong). It looks like when AllowedIPs doesn't contain a /0, this is never run, so networking in the container won't be working as the container expects it to.

That particular error is one of the firewall rules that the container uses to prevent any non-wireguard traffic from leaving throwing an error as wg-quick didn't set things up as expected. Running the container with FIREWALL=0 may prevent it from happening, but I'd imagine there could well be other issues too.

I'm not sure how best to work around this.

I've added an untested ALLOWEDIPS env var to the testing branch to override what AllowedIPs is set to that may or may not be useful. You can either build it yourself or use thrnz/docker-wireguard-pia:testing from docker hub.

kosgitcat commented 2 years ago

Thanks for the update. I'll give the testing branch a go and report back the results.

kosgitcat commented 2 years ago

With the testing build, same iptables v1.8.8 (legacy): mark: bad integer value for option "--mark", or out of range. error as when I manually entered the AllowedIPs.

mfizz1 commented 2 years ago

With the testing build, same iptables v1.8.8 (legacy): mark: bad integer value for option "--mark", or out of range. error as when I manually entered the AllowedIPs

Can you try with FIREWALL=0?

I have got to a point where the system states WireGuard successfully started. However, even though it says it is connected, it cannot ping anything or connect to the internet.

Fetching next-gen PIA server list
Verified OK
Verified server list
Registering public key with PIA endpoint; id: uk_southampton, cn: southampton406, ip: 143.244.38.70
Generating /etc/wireguard/wg0.conf
Using PIA DNS servers: 10.0.0.243,10.0.0.242
Using custom AllowedIPs: 0.0.0.0/1, 128.0.0.0/1
Port forwarding is available at this location
Successfully generated /etc/wireguard/wg0.conf
Sun Jun 12 10:43:31 UTC 2022: Bringing up WireGuard interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.142.109 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 128.0.0.0/1 dev wg0
[#] ip -4 route add 0.0.0.0/1 dev wg0
interface: wg0
  public key: Cb9Y2bspGpLNa7DtgkScCM8tTiKVhokCuEkBvknjbno=
  private key: (hidden)
  listening port: 58039
peer: CDHh8w3rFkCrSJ16SdOflg5GQRQQwX+eR7QFU/H5jG8=
  endpoint: 143.244.38.70:1337
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
Sun Jun 12 10:43:31 UTC 2022: WireGuard successfully started

Whilst the docker has been running, I have copied the wg0.conf across and tested it on my android and it doesn't work there either. I am not sure as to why. If I generate a wg0.conf using pia-foss and stick it in my android phone, it works.

kosgitcat commented 2 years ago

With the Firewall set to 0, I no longer get the error stated in my last reply, but I'm still getting curl: (28) Connection timed out after 15000 milliseconds during the Sun Jun 12 21:03:04 UTC 2022: Getting PF token step.

mfizz1 commented 2 years ago

With the Firewall set to 0, I no longer get the error stated in my last reply, but I'm still getting curl: (28) Connection timed out after 15000 milliseconds during the Sun Jun 12 21:03:04 UTC 2022: Getting PF token step

I would maybe try to establish a connection without any PF or custom routes etc. Like I mentioned above, I did it but the conf generated isn't working in my android setup.

Nicras commented 1 year ago

Hello, did you find a solution to this problem?

kosgitcat commented 1 year ago

No. I ended up switching from QNAP's OS to TrueNAS SCALE, so any alternatives I'm now using wouldn't apply to this issue.

Nicras commented 1 year ago

Thank you. I'm running docker on a Synology and had a NordVPN container running before. With NordVPN I had to set allowed IPs to /1 and then run the following script as "PostUP":

#!/bin/bash
# Add a host route to the WireGuard peer endpoint via the pre-existing default gateway,
# so the encrypted UDP packets bypass the 0.0.0.0/1 and 128.0.0.0/1 routes that point into wg0.
ip route add $(wg | awk -F'[: ]' '/endpoint/ {print $5}') via $(ip route | awk '/default/ {print $3}')

With both settings the VPN worked well but NordVPN doesn't offer Port Forwarding. I have no clue about wireguard or networking but someone else may understand what the script does?

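The two cases discussed in this thread (thrnz's explanation that the container's mark-based OUTPUT rule only works when wg-quick took the /0 policy-routing path, and Nicras's host-route workaround for the /1 + /1 split) can be handled by one rule generator. This is an added example, not the container's own run script: it only prints the commands so they can be reviewed before running them, and it assumes the interface name wg0, the fwmark string exactly as `wg show wg0 fwmark` prints it ("0xca6c" or "off"), the PIA endpoint from the log above, and a constructed LAN gateway of 192.168.1.1.

```shell
#!/bin/sh
# Example added to this thread, not code from thrnz/docker-wireguard-pia.
# Prints the "block non-WireGuard traffic" rules for both cases seen here.
#   $1 = WireGuard interface (wg0)
#   $2 = output of `wg show <iface> fwmark`: "0xca6c" after wg-quick's /0
#        policy-routing setup, or "off" when AllowedIPs was split into /1 + /1
#   $3 = peer endpoint as "ip:port" (from `wg show <iface> endpoints`)
#   $4 = the host's real default gateway (only needed in the "off" case)
build_firewall_rules() {
    iface=$1; fwmark=$2; endpoint=$3; gateway=$4
    ep_ip=${endpoint%:*}
    ep_port=${endpoint##*:}

    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -j ACCEPT"

    if [ -n "$fwmark" ] && [ "$fwmark" != "off" ]; then
        # wg-quick marked the encrypted packets it sends to the endpoint, so
        # matching the mark lets exactly that traffic leave on the physical NIC.
        # This is the rule that failed in the thread when the mark was "off".
        echo "iptables -A OUTPUT -m mark --mark $fwmark -j ACCEPT"
    else
        # No mark: wg-quick never took the /0 path. Allow only the UDP transport
        # to the endpoint, and give that endpoint a host route via the real
        # gateway so it is not swallowed by the /1 routes pointing into $iface
        # (the same idea as Nicras's PostUp script above).
        echo "iptables -A OUTPUT -p udp -d $ep_ip --dport $ep_port -j ACCEPT"
        echo "ip route add $ep_ip via $gateway"
    fi
}

# Constructed demonstration: gateway 192.168.1.1 is an assumed LAN value.
build_firewall_rules wg0 off 143.244.38.70:1337 192.168.1.1
```

Piping the output into sh applies the rules; run the generator first and read the result, since a wrong endpoint or gateway locks the container out of the network.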
jvgreenaway commented 1 year ago

I've started to experience this issue having migrated a bunch of my docker containers from a Debian system to a Synology.

Experimenting with FIREWALL env and thrnz/docker-wireguard-pia:testing image gives me the same results.

I am able to run the linuxserver/wireguard on the system successfully however I don't think it applies any special traffic-blocking rules - which I gather is causing this issue.