Problems with Wireguard running in Docker container

  • Hey guys,


    I need your help and I hope this is the right forum for it (if not, please move it :)).


    Before I begin, this is my machine:

    • CPU: Intel J3355 (ASRock J3355-ITX board)
    • 8GB RAM
    • 128GB Samsung SSD
    • OMV version: 5.6.8-1 (Usul)
    • Kernel: Linux 5.10.0-0.bpo.5-amd64


    So I'm trying to run a Docker container that has a built-in Wireguard client using Portainer. Unfortunately, this doesn't really work.


    The log file of my container in Portainer shows this at the end:

    Code
    ...
    2021-06-03 20:10:47.739662 [INFO] Starting WireGuard...
    Warning: `/config/wireguard/wg0.conf' is world accessible
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.0.7.83/19 dev wg0
    [#] ip -6 address add 2a0e:1c80:4:2000::754/64 dev wg0
    RTNETLINK answers: Permission denied
    [#] ip link delete dev wg0


    The file wg0.conf was generated by my VPN provider.


    After doing some Google research regarding the error RTNETLINK answers: Permission denied, I found out that it has something to do with Wireguard not being installed on my host system. So I tried to install Wireguard using these commands:

    Code
    echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee /etc/apt/sources.list.d/buster-backports.list
    sudo apt update
    sudo apt -t buster-backports install wireguard wireguard-tools wireguard-dkms linux-headers-$(uname -r)
    sudo apt install openresolv


    This resulted in an error at the end:



    Interestingly, when I execute apt install wireguard I get this:

    Code
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    wireguard is already the newest version (1.0.20210223-1~bpo10+1).
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


    So, I guess Wireguard has been installed. However, my container still doesn't work, the error is still being thrown. And just executing wg or wg status shows nothing.



    Do you know what's wrong here and can help me fix this? I'd really appreciate it!

  • You say you are having trouble with a container but I don't see where you mention what container that is or how you configured it?

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

  • And just executing wg or wg status shows nothing

    The command should be systemctl status wg0<TAB> (don't remember the rest of the name)

    Or

    wg0 (my bad) It's wg, sorry


    And the command is: systemctl status wg-quick@wg0.service

  • You say you are having trouble with a container but I don't see where you mention what container that is or how you configured it?

    Yeah, I forgot to mention that. The container I want to create is this one: dyonr/qbittorrentvpn

    I used these variables with --privileged:


    And the command is: systemctl status wg-quick@wg0.service

    Thank you, that showed that wg is installed, that's good :)

  • Is using Wireguard a requirement or could you use OpenVPN instead?


    I do not see the reason why you installed Wireguard on your system. Containers of this type already have the VPN code built into them.


    I use this image with Torguard as my VPN provider and it works flawlessly: markusmcnugen/qbittorrentvpn


    You will have to add and properly place an .ovpn file.


    Here is the sanitized stack I used with it in Portainer:


    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

  • Is using Wireguard a requirement or could you use OpenVPN instead?


    I do not see the reason why you installed Wireguard on your system. Containers of this type already have the VPN code built into them.


    Using WireGuard is optional in this container, but that's the reason why I want to use it: it's supported and I can get higher speeds.


    I just purged WireGuard from my host system again and I found the solution (should have Google'd a little longer :D)


    The solution is: adding two sysctl values in Portainer for my container before creating it:

    - net.ipv4.conf.all.src_valid_mark=1

    - net.ipv6.conf.all.disable_ipv6=0


    After setting these, the container booted and I could login. Damn, that was tricky :D


    Thank you anyways for helping me guys :)

  • caprii

    Added the Label resolved
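
A pre-flight check for the failure this thread ends on, as an added example that is not part of any post or of the container image: it reports a group- or world-accessible wg0.conf (the warning in the log) and the two sysctls from the fix before wg-quick runs. The function name, its messages and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. wg_preflight and its messages are
# hypothetical names; run it inside the container before wg-quick.
#
# wg_preflight CONF [NET_SYSCTL_DIR]
# Prints one line per problem and returns the number of problems found.
wg_preflight() {
    conf=$1
    net=${2:-/proc/sys/net}    # overridable so the check can run offline
    problems=0

    # 1. The config holds the private key; wg-quick warns (as in the log
    #    above) when group or others can access it. Expect mode 600.
    mode=$(stat -c '%a' "$conf") || return 99
    case $mode in
        ?00) ;;
        *) echo "PERM: $conf has mode $mode, expected 600"
           problems=$((problems + 1)) ;;
    esac

    # 2. An IPv6 Address can only be assigned if IPv6 is enabled in the
    #    container's network namespace (disable_ipv6 must be 0).
    if grep -Eiq '^[[:space:]]*Address[[:space:]]*=.*:' "$conf"; then
        v=$(cat "$net/ipv6/conf/all/disable_ipv6" 2>/dev/null) || v=unreadable
        if [ "$v" != 0 ]; then
            echo "IPV6: config has an IPv6 Address but disable_ipv6=$v"
            problems=$((problems + 1))
        fi
    fi

    # 3. For a full-tunnel peer (AllowedIPs 0.0.0.0/0) wg-quick wants
    #    src_valid_mark=1 and may be unable to set it from inside.
    if grep -Eiq '^[[:space:]]*AllowedIPs[[:space:]]*=.*0\.0\.0\.0/0' "$conf"; then
        v=$(cat "$net/ipv4/conf/all/src_valid_mark" 2>/dev/null) || v=unreadable
        if [ "$v" != 1 ]; then
            echo "MARK: full tunnel configured but src_valid_mark=$v"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}
# Usage: wg_preflight /config/wireguard/wg0.conf || exit 1
```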
