Issue with wireguard container. All containers loose connection

steakhutzeee · Aug 3rd 2020

Hi

It's days i'm trying to figure out this issue but without luck.

On my Odroid HC2 i tried to setup wireguard container with this compose:

Code

version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Rome
      - SERVERURL=myhiddendomain.duckdns.org
      - SERVERPORT=51820
      - PEERS=2
      - PEERDNS=1.1.1.1
      - INTERNAL_SUBNET=10.13.13.0
    volumes:
      - /srv/dev-disk-by-label-HC2/AppData/Wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Display More

As soon as i start the container, the whole network of the containers breaks. If i try to "curl 1.1.1.1" from inside a container, i have no response. Basically all the containers lose their network.

An user from linuxserver community reproduced my same config on OMV in an x86:64 VM and had no issue. All parameters where the same.

Do you have any idea why?

steakhutzeee · Aug 7th 2020

Actually i did some tests, with tcpdump, doing a "curl 1.1.1.1" from the inside of another container".

192.169.1.197 is my Odroid HC2 eth ip post-nat.

172.18.0.4 = container IP no-nat

The following with wireguard up, so not working:

Code

root@DK:/srv/dev-disk-by-label-HC2/DockerCompose/wireguard# tcpdump -i enx001e06328f28 -c 100 -n src 1.1.1.1 or dst 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enx001e06328f28, link-type EN10MB (Ethernet), capture size 262144 bytes
22:36:27.134741 IP 172.18.0.4.55440 > 1.1.1.1.80: Flags [S], seq 3880654192, win 29200, options [mss 1460,sackOK,TS val 3856157367 ecr 0,nop,wscale 7], length 0
22:36:28.153752 IP 172.18.0.4.55440 > 1.1.1.1.80: Flags [S], seq 3880654192, win 29200, options [mss 1460,sackOK,TS val 3856158386 ecr 0,nop,wscale 7], length 0
22:36:30.169768 IP 172.18.0.4.55440 > 1.1.1.1.80: Flags [S], seq 3880654192, win 29200, options [mss 1460,sackOK,TS val 3856160402 ecr 0,nop,wscale 7], length 0
22:36:33.722209 IP 172.18.0.4.55448 > 1.1.1.1.80: Flags [S], seq 277366197, win 29200, options [mss 1460,sackOK,TS val 3856163955 ecr 0,nop,wscale 7], length 0
22:36:34.671531 IP 172.18.0.4.55452 > 1.1.1.1.80: Flags [S], seq 3704919641, win 29200, options [mss 1460,sackOK,TS val 3856164904 ecr 0,nop,wscale 7], length 0
22:36:35.473943 IP 172.18.0.4.55454 > 1.1.1.1.80: Flags [S], seq 267325050, win 29200, options [mss 1460,sackOK,TS val 3856165706 ecr 0,nop,wscale 7], length 0

The following without wireguard, so connection restored:

Code

root@DK:~# tcpdump -i enx001e06328f28 -c 100 -n src 1.1.1.1 or dst 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enx001e06328f28, link-type EN10MB (Ethernet), capture size 262144 bytes
22:22:19.648961 IP 192.168.1.197.55002 > 1.1.1.1.80: Flags [S], seq 1229207546, win 29200, options [mss 1460,sackOK,TS val 3855309881 ecr 0,nop,wscale 7], length 0
22:22:19.673176 IP 1.1.1.1.80 > 192.168.1.197.55002: Flags [S.], seq 1911975272, ack 1229207547, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
22:22:19.673778 IP 192.168.1.197.55002 > 1.1.1.1.80: Flags [P.], seq 1:72, ack 1, win 229, length 71: HTTP: GET / HTTP/1.1
22:22:19.673830 IP 192.168.1.197.55002 > 1.1.1.1.80: Flags [.], ack 1, win 229, length 0
22:22:19.698648 IP 1.1.1.1.80 > 192.168.1.197.55002: Flags [.], ack 72, win 64, length 0
22:22:19.698651 IP 1.1.1.1.80 > 192.168.1.197.55002: Flags [.], ack 72, win 64, length 0
22:22:19.705736 IP 1.1.1.1.80 > 192.168.1.197.55002: Flags [P.], seq 1:605, ack 72, win 64, length 604: HTTP: HTTP/1.1 301 Moved Permanently
22:22:19.705738 IP 1.1.1.1.80 > 192.168.1.197.55002: Flags [P.], seq 605:610, ack 72, win 64, length 5: HTTP

Display More

The 172... address should be nat'ed to the 192... one.

Any idea?

steakhutzeee · Aug 10th 2020

Solved by switching to iptables-legacy in the Docker section of the OMV docker panel.

Issue with wireguard container. All containers loose connection

steakhutzeee Aug 10th 2020

davidh2k Aug 11th 2020

Participate now!