Hi! I am trying to set up a wireguard client in docker. I use the linuxserver image, I it running in server mode on a different machine (exactly the same ubuntu version) and i can login with my laptop to the wireguard server, but the docker wg-client has problems, i hope someone has an idea :)
The client docker container has trouble starting and throws this error:
[___](modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-47-generic ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table ‘raw’ Error occurred at line: 1 Try ‘ip6tables-restore -h’ or ‘ip6tables-restore --help’ for more information. )
I copied the config to the server with the wg server running, it has the same problem with the client.
I can ping google.com from inside the server container, but not from inside the client container.
Here is the output of the ‘route’ cmd from the client:Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 172.18.0.0 * 255.255.0.0 U 0 0 0 eth0
I searched for a solution quite a bit, but cant seem to find something that works. changed the .yml compose file according to some suggestions but without success.
I tried to install the missing module but could not get it working.
Its a completely clean install of ubuntu 24.04.1 LTS, Kernel: Linux 6.8.0-47-generic.
here is the compose file, in case its needed, it should be exact same one as provided by linux-server in their github:
compose file:
services: wireguard: image: lscr.io/linuxserver/wireguard:latest container_name: wireguard-client cap_add: - NET_ADMIN - SYS_MODULE #optional environment: - PUID=1000 - PGID=1000 - TZ=Europe/Berlin # - SERVERURL=wireguard.domain.com #optional # - SERVERPORT=51820 #optional # - PEERS=1 #optional # - PEERDNS=auto #optional # - INTERNAL_SUBNET=10.13.13.0 #optional # - ALLOWEDIPS=0.0.0.0/0 #optional # - PERSISTENTKEEPALIVE_PEERS= #optional # - LOG_CONFS=true #optional volumes: - /srv/wireguard/config:/config # - /lib/modules:/lib/modules #optional ports: - 51820:51820/udp sysctls: - net.ipv4.conf.all.src_valid_mark=1 restart: unless-stopped
here is the complete error log from the wg-client docker:
error
[migrations] started [migrations] no migrations found usermod: no changes ─────────────────────────────────────── ██╗ ███████╗██╗ ██████╗ ██║ ██╔════╝██║██╔═══██╗ ██║ ███████╗██║██║ ██║ ██║ ╚════██║██║██║ ██║ ███████╗███████║██║╚██████╔╝ ╚══════╝╚══════╝╚═╝ ╚═════╝ Brought to you by linuxserver.io ─────────────────────────────────────── To support the app dev(s) visit: WireGuard: https://www.wireguard.com/donations/ To support LSIO projects visit: https://www.linuxserver.io/donate/ ─────────────────────────────────────── GID/UID ─────────────────────────────────────── User UID: 1000 User GID: 1000 ─────────────────────────────────────── Linuxserver.io version: 1.0.20210914-r4-ls55 Build-date: 2024-10-10T11:23:38+00:00 ─────────────────────────────────────── Uname info: Linux ec3813b50277 6.8.0-47-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 21:40:26 UTC 2024 x86_64 GNU/Linux **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. **** **** Client mode selected. **** [custom-init] No custom files found, skipping… **** Disabling CoreDNS **** **** Found WG conf /config/wg_confs/peer1.conf, adding to list **** **** Activating tunnel /config/wg_confs/peer1.conf **** [#] ip link add peer1 type wireguard [#] wg setconf peer1 /dev/fd/63 [#] ip -4 address add 10.13.13.2 dev peer1 [#] ip link set mtu 1420 up dev peer1 [#] resolvconf -a peer1 -m 0 -x s6-rc: fatal: unable to take locks: Resource busy [#] wg set peer1 fwmark 51820 [#] ip -6 route add ::/0 dev peer1 table 51820 [#] ip -6 rule add not fwmark 51820 table 51820 [#] ip -6 rule add table main suppress_prefixlength 0 [#] ip6tables-restore -n modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-47-generic ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table ‘raw’ Error occurred at line: 1 Try `ip6tables-restore -h’ or ‘ip6tables-restore --help’ for more information. [#] resolvconf -d peer1 -f s6-rc: fatal: unable to take locks: Resource busy [#] ip -6 rule delete table 51820 [#] ip -6 rule delete table main suppress_prefixlength 0 [#] ip link delete dev peer1 **** Tunnel /config/wg_confs/peer1.conf failed, will stop all others! **** **** All tunnels are now down. Please fix the tunnel config /config/wg_confs/peer1.conf and restart the container **** [ls.io-init] done.
Thanks a lot. I appreciate every input!
orris@lemmy.world 5 weeks ago
Does your wireguard config have ipv6 addresses? If your not using them you can safely remove them.
For example Change
AllowedIPs = 0.0.0.0/0, ::/0ToAllowedIPs = 0.0.0.0/0WbrJr@lemmy.ml 4 weeks ago
Wow, thanks!! That actually solved it apparently! Why does the wireguard config change if i can ping outside the docker container though? Is it because the wireguard client inside the container opens up ip adresses or something? :) Thanks again! Itried to find a solution for many hours yesterday :D
orris@lemmy.world 4 weeks ago
Thats great! Overly simplistic explanation, the container is in its own little network and when you connect wireguard inside the container it is punching a hole out to where the wireguard server is located.
The allowed ips is a list, off the top of my head it accepts single IPs and cidr blocks. 0.0.0.0/0 is the cidr block that essentially means all ipv4 IPs, ::/0 is the same for ipv6. So to answer directly, the
,is an or, its for any IP in the list.