Debian 10 / Wireguard connect and get DNS answer but no data :( #148

clementperon commented Jan 3, 2021

Hi,

I have already installed this docker on Ubuntu 20.04 and it's working fine.
Now I'm testing it on Debian 10 but it doesn't seem to work.

The client is connected and has an IP.
I tried to ping multiple random domains; DNS is working fine, but I don't get any ping answer.

Do you know how I can debug this?
Is there a missing iptables rule?

Thanks for your help

On the server
I have installed backported WireGuard:

$> sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
$> sudo apt-get update
$> sudo apt-get install -y wireguard

Check that IPv4/IPv6 forwarding is enabled and the modules are loaded:

$> sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$> sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
$> lsmod | grep -E "wireguard|ip.?table_nat"
wireguard             225280  0
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             16384  1 wireguard
iptable_nat            16384  1
nf_nat_ipv4            16384  3 ipt_MASQUERADE,nft_chain_nat_ipv4,iptable_nat
ip6table_nat           16384  1
nf_nat_ipv6            16384  2 ip6table_nat,ip6t_MASQUERADE
ip6_tables             32768  2 ip6table_filter,ip6table_nat
ip_tables              28672  2 iptable_filter,iptable_nat
$> wg --version
wireguard-tools v1.0.20200827 - https://git.zx2c4.com/wireguard-tools/

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.99.97.1  netmask 255.255.255.0  destination 10.99.97.1
        inet6 fd00::10:97:1  prefixlen 112  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 202  bytes 37976 (37.0 KiB)
        RX errors 170  dropped 0  overruns 0  frame 170
        TX packets 93  bytes 13336 (13.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Client (wg0 is used for my Ubuntu 20.04 server)

$> wg --version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/

wg1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.99.97.3  netmask 255.255.255.0  destination 10.99.97.3
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 35  bytes 5148 (5.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 172  bytes 20500 (20.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
clementperon commented Jan 7, 2021

Hi,

Looks like Debian 10 moved to iptables-nft.
The rules are, however, in iptables-legacy.
Moving it to iptables makes WireGuard work perfectly :)

sudo iptables-legacy -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.99.97.0/24        anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

@bryanisgreat

$ sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number:1

p-hash commented Jul 18, 2023

Same on Ubuntu 22.04 LTS

Updating the alternatives to iptables-legacy works, but it doesn't look like the best solution. And it should be documented somewhere.

There is an iptables-nft binary in the container, so shouldn't it be used instead? I assume it is better to change the alternatives in the container than on the host.

bash-5.0# ls -al /sbin/iptables*
lrwxrwxrwx    1 root     root            20 Jul 15  2020 /sbin/iptables -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Jul 15  2020 /sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            17 Jul 15  2020 /sbin/iptables-nft -> xtables-nft-multi
