wireguard times out

Hi all.

I am trying to migrate all the self-hosted software that I am currently running in my NAS to a RPI4 running DietPi.

In the NAS I had a bunch of docker containers that I have already migrated to the RPI4. So far so good. Additionally, I had a VM in the NAS running DietPi in which I have Pihole + Unbound and Wireguard.

I have migrated pihole to the RPI4 and it is working smoothly. However, I am having a hell of a time with wireguard. First, I tried to move my old config from the NAS VM to the RPI4. It did not work directly as the PRE and POST rules differ in both installs (there are references in the NAS config file to files that do not exist in the RPI4; do not know if this is due to being different architectures or to a different version of the software). Anyway, what I have done is to keep everything from the old install (that is still working) except PRE and POST rules, which I have copied from the default config created when installing the software. I restart the service, connect from the client and… timeout. The weird thing is that DNS queries are sent to the Pihole running on the RPi4 and that the wireguard handshake is done and the connection is established. However, all the queries time out.

My second chance was to fresh reinstall and keep the default config. Just changed DNS server to use my local server. Same result.

This is what I see when I run wg:

root@DietPi:/etc# wg
interface: wg0
  public key: <key>
  private key: (hidden)
  listening port: 51820

peer: <key>
  endpoint: <cell phone IP>:1466
  allowed ips: 10.9.0.2/32
  latest handshake: 3 seconds ago
  transfer: 20.98 KiB received, 1.71 KiB sent

Any clues on what I might be missing? Networking works on the cell phone both on 5G without the VPN and on WiFi, so the problem might be in my configuration.

As I mentioned previously, I have several Docker containers and networks (and, thus, iptables rules). I do not know if that might be interfering somehow ???

Finally, where should I look for wireguard logs? I do not seem to find where they are located and searching for info I see that they must be activated with kernel dynamic logging (or a similar name) but the paths referred to in those guides do not seem to work on my install (they are not DietPi specific but Debian’s or Ubuntu’s).

Thanks in advance for your help!

The issue is with Docker as Docker creates some iptables rules preventing forwarding data on network level.

https://docs.docker.com/network/iptables/#docker-on-a-router

Basically you would need to create an additional iptables

You could try to add this as PRE command to Wireguard config or use iptables-persistent to recover settings on reboot.

Hi Joulinar.

Thanks for the prompt reply.

I understand where the problem is, but I am not pretty sure what you meant when you said:

Basically you would need to create an additional iptables

I have never managed iptables myself so I am unsure on what to do. I ran the command in the Dropbox docs as:

iptables -I DOCKER-USER -i wg0 -o eth0 -j ACCEPT

No difference.

I also tried:

iptables -I DOCKER-USER -i any -o any -j ACCEPT

Again, no difference.

Mostly sure I am not doing things as I should, but, as I said, I am not proficient at all with iptables.

I will keep looking at it, but any help is welcome.

Thanks again!

Well… I finally switched to the wireguard docker image and now everything is working. Maybe docker is managing iptables rules automatically, but now no timeouts and I can also access the services I am running in Docker.

My docker-compose file just in case it is useful for anybody else:

version: '3.3'
services:
    wireguard:
        container_name: wireguard
        environment:
            - PUID=whatever
            - PGID=whatever
            - TZ=your time zone
            - SERVERURL=your public URL
            - SERVERPORT=51820
            - PEERS=peer1 peer2 peer3...
            - PEERDNS=your DNS (I use my pihole container running on the same machine, everything ok)
            - INTERNAL_SUBNET=10.X.0.0
        ports:
            - '51820:51820/udp'
        volumes:
            - '/docker/wireguard:/config'
            - '/lib/modules:/lib/modules'
        cap_add:
            - NET_ADMIN
            - SYS_MODULE
        sysctls:
            - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped
        image: linuxserver/wireguard

Regarding PEERS, it could also be a number and then they are named consecutively. It is important to add those capabilities so that the wireguard kernel module is exposed to the container (if not, it tries to download and compile from sources and it did not work for me…).

No need to deal with iptables nor any extra configuration: just go to the config path, retrieve the config for your device and apply.

Hope this is useful for someone else.

Cheers!

Of course using Docker is a workable solution but you could have simply submitted the following

iptables -I DOCKER-USER -i eth0 -o wg0 -j ACCEPT

You mixed the interfaces on your command.

To get the setting persistent on reboot, simply install iptables-persistent

apt install iptables-persistent

DONE
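As an added example (not from the thread or from DietPi): a small POSIX shell script that applies the DOCKER-USER rule idempotently, so it can be called from the WireGuard PostUp line without stacking a duplicate rule every time the interface restarts. It goes slightly beyond the single rule above by covering both directions (VPN clients out via eth0, and the reply path back to wg0 limited to established connections); WAN_IF and WG_IF default to eth0 and wg0 as used in the thread and are assumptions you should adjust to your own interfaces.

```shell
#!/bin/sh
# Added example, not part of the thread. Lets WireGuard traffic through Docker's
# DOCKER-USER chain, which Docker consults before its own FORWARD rules and before
# the FORWARD policy of DROP that Docker installs on the host.
WAN_IF="${WAN_IF:-eth0}"   # assumption: uplink/LAN interface, as in the thread
WG_IF="${WG_IF:-wg0}"      # assumption: WireGuard interface, as in the thread

# The two rules needed on a WireGuard router behind Docker:
#   1. packets from VPN clients leaving via the uplink
#   2. replies coming back from the uplink to the VPN, restricted to
#      connections the VPN side opened (no unsolicited inbound forwarding)
docker_user_rules() {
    printf '%s\n' \
        "-i $WG_IF -o $WAN_IF -j ACCEPT" \
        "-i $WAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Insert each rule only if it is not already present: 'iptables -C' exits 0
# when an identical rule exists, so repeated PostUp runs do not pile up copies.
apply_docker_user_rules() {
    docker_user_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended here
        if ! iptables -C DOCKER-USER $rule 2>/dev/null; then
            iptables -I DOCKER-USER $rule
        fi
    done
}

# Usage from wg0.conf:  PostUp = /path/to/this-script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_docker_user_rules
fi
```

After the rules are in place, the iptables-save step described later in the thread stores them for iptables-persistent.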

Thanks Joulinar again for your reply.

My mistake with the interfaces :confused: Could have been solved in seconds and I spent a good time working out the docker solution…

Do you expect any significant difference in the performance between both approaches? I have been testing it a little bit and it seems to work fine, no noticeable delays.

If I have time I will stop the container, reinstall the package, copy the configuration and test. It should not take much time.

One final question regarding iptables-persistent, as I have never used it. What does it exactly do? Does it save the current iptables rules and then restore them at boot time (at some point)? As most of the rules in my iptables are added by docker when starting, would not this be a problem or generate duplicate rules? Additionally: when should I run iptables-persistent? Once after running the command you suggest? At boot up, in a script?

Sorry for the dumb questions, but I prefer to understand what I am doing better than just copying and pasting.

Thanks!

Installing iptables-persistent will automatically ask if you like to store current settings and it will restore them automatically on reboot. Usually it “should” not conflict with Docker. I would do it as the last step once you have set up all containers and apps. To create an updated config, just do

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

OK, thanks. I will give it a try.

Cheers!

Keep in mind to disable the WireGuard container first. Otherwise you could get issues with duplicate ports as both apps try to use the same one (probably) :slight_smile:

Yes, of course, but thanks for pointing it out :slight_smile:

Anyway, I assume somebody would complain when binding to that port (a different story is how clear the error message is :rofl:)

I will report back the results of my test.

Thanks one more time!