wireguard docker client error with ip6_tables
from WbrJr@lemmy.ml to selfhosted@lemmy.world on 20 Oct 2024 00:49
https://lemmy.ml/post/21581617

Hi! I am trying to set up a wireguard client in docker. I use the linuxserver image, I it running in server mode on a different machine (exactly the same ubuntu version) and i can login with my laptop to the wireguard server, but the docker wg-client has problems, i hope someone has an idea :)

The client docker container has trouble starting and throws this error: [___](modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-47-generic ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table ‘raw’ Error occurred at line: 1 Try ‘ip6tables-restore -h’ or ‘ip6tables-restore --help’ for more information. )

I copied the config to the server with the wg server running, it has the same problem with the client. I can ping google.com from inside the server container, but not from inside the client container. Here is the output of the ‘route’ cmd from the client:Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 172.18.0.0 * 255.255.0.0 U 0 0 0 eth0

I searched for a solution quite a bit, but cant seem to find something that works. changed the .yml compose file according to some suggestions but without success.

I tried to install the missing module but could not get it working.

Its a completely clean install of ubuntu 24.04.1 LTS, Kernel: Linux 6.8.0-47-generic.

here is the compose file, in case its needed, it should be exact same one as provided by linux-server in their github:

compose file:

services: wireguard: image: lscr.io/linuxserver/wireguard:latest container_name: wireguard-client cap_add: - NET_ADMIN - SYS_MODULE #optional environment: - PUID=1000 - PGID=1000 - TZ=Europe/Berlin # - SERVERURL=wireguard.domain.com #optional # - SERVERPORT=51820 #optional # - PEERS=1 #optional # - PEERDNS=auto #optional # - INTERNAL_SUBNET=10.13.13.0 #optional # - ALLOWEDIPS=0.0.0.0/0 #optional # - PERSISTENTKEEPALIVE_PEERS= #optional # - LOG_CONFS=true #optional volumes: - /srv/wireguard/config:/config # - /lib/modules:/lib/modules #optional ports: - 51820:51820/udp sysctls: - net.ipv4.conf.all.src_valid_mark=1 restart: unless-stopped

here is the complete error log from the wg-client docker:

error

[migrations] started [migrations] no migrations found usermod: no changes ─────────────────────────────────────── ██╗ ███████╗██╗ ██████╗ ██║ ██╔════╝██║██╔═══██╗ ██║ ███████╗██║██║ ██║ ██║ ╚════██║██║██║ ██║ ███████╗███████║██║╚██████╔╝ ╚══════╝╚══════╝╚═╝ ╚═════╝ Brought to you by linuxserver.io ─────────────────────────────────────── To support the app dev(s) visit: WireGuard: https://www.wireguard.com/donations/ To support LSIO projects visit: https://www.linuxserver.io/donate/ ─────────────────────────────────────── GID/UID ─────────────────────────────────────── User UID: 1000 User GID: 1000 ─────────────────────────────────────── Linuxserver.io version: 1.0.20210914-r4-ls55 Build-date: 2024-10-10T11:23:38+00:00 ─────────────────────────────────────── Uname info: Linux ec3813b50277 6.8.0-47-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 21:40:26 UTC 2024 x86_64 GNU/Linux **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. **** **** Client mode selected. **** [custom-init] No custom files found, skipping… **** Disabling CoreDNS **** **** Found WG conf /config/wg_confs/peer1.conf, adding to list **** **** Activating tunnel /config/wg_confs/peer1.conf **** [#] ip link add peer1 type wireguard [#] wg setconf peer1 /dev/fd/63 [#] ip -4 address add 10.13.13.2 dev peer1 [#] ip link set mtu 1420 up dev peer1 [#] resolvconf -a peer1 -m 0 -x s6-rc: fatal: unable to take locks: Resource busy [#] wg set peer1 fwmark 51820 [#] ip -6 route add ::/0 dev peer1 table 51820 [#] ip -6 rule add not fwmark 51820 table 51820 [#] ip -6 rule add table main suppress_prefixlength 0 [#] ip6tables-restore -n modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-47-generic ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table ‘raw’ Error occurred at line: 1 Try `ip6tables-restore -h’ or ‘ip6tables-restore --help’ for more information. [#] resolvconf -d peer1 -f s6-rc: fatal: unable to take locks: Resource busy [#] ip -6 rule delete table 51820 [#] ip -6 rule delete table main suppress_prefixlength 0 [#] ip link delete dev peer1 **** Tunnel /config/wg_confs/peer1.conf failed, will stop all others! **** **** All tunnels are now down. Please fix the tunnel config /config/wg_confs/peer1.conf and restart the container **** [ls.io-init] done.

Thanks a lot. I appreciate every input!

#selfhosted

threaded - newest

orris@lemmy.world on 20 Oct 2024 01:30 collapse

Does your wireguard config have ipv6 addresses? If your not using them you can safely remove them.

For example Change AllowedIPs = 0.0.0.0/0, ::/0 To AllowedIPs = 0.0.0.0/0

Also could try adding net.ipv6.conf.all.disable_ipv6=1 in the sysctls section

Multiple edits: I’m terrible with formatting while not on a phone.

More edits: just found out i can expand errors and the compose. Looks like it is the AllowedIPs line in peer1.conf. Just removing , ::/0 as above “should” solve it

WbrJr@lemmy.ml on 20 Oct 2024 11:47 collapse

Wow, thanks!! That actually solved it apparently! Why does the wireguard config change if i can ping outside the docker container though? Is it because the wireguard client inside the container opens up ip adresses or something? :) Thanks again! Itried to find a solution for many hours yesterday :D

Oh and is the ‘,’ in the allowed ips meant as an “and” or rather an “or”?

orris@lemmy.world on 20 Oct 2024 15:37 collapse

Thats great! Overly simplistic explanation, the container is in its own little network and when you connect wireguard inside the container it is punching a hole out to where the wireguard server is located. Without knowing your setup its difficult, but that is probably why your ping is acting as it does. The container doesn’t know how to get to where you’re attempting to ping.

The allowed ips is a list, off the top of my head it accepts single IPs and cidr blocks. 0.0.0.0/0 is the cidr block that essentially means all ipv4 IPs, ::/0 is the same for ipv6. So to answer directly, the , is an or, its for any IP in the list.