Current implementation of nftables rules breaks Wireguard service on CentOS 7 #389

Open
Rebelllious opened this issue Apr 17, 2023 · 6 comments

Comments

@Rebelllious
Contributor

Apr 17 15:33:06 wireguard.home wg-quick[14278]: Warning: `/etc/wireguard/wg0.conf' is world accessible
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip link add wg0 type wireguard
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info>  [1681759986.3219] manager: (wg0): new WireGuard device (/org/freedesktop/NetworkManager/Devices/4)
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] wg setconf wg0 /dev/fd/63
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip -4 address add 10.0.0.1/8 dev wg0
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip -6 address add fd00:00:00::1/8 dev wg0
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip link set mtu 1420 up dev wg0
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] sysctl --write net.ipv4.ip_forward=1; sysctl --write net.ipv6.conf.all.forwarding=1; nft add table inet wireguard-wg0; nft add chain inet wireguard-wg0 wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule inet wireguard-wg0 wireguard_chain oifname ens192 masquerade
Apr 17 15:33:06 wireguard.home wg-quick[14278]: net.ipv4.ip_forward = 1
Apr 17 15:33:06 wireguard.home wg-quick[14278]: net.ipv6.conf.all.forwarding = 1
Apr 17 15:33:06 wireguard.home wg-quick[14278]: Error: syntax error, unexpected string, expecting - or number
Apr 17 15:33:06 wireguard.home wg-quick[14278]: add chain inet wireguard-wg0 wireguard_chain {type nat hook postrouting priority srcnat; policy accept;}
Apr 17 15:33:06 wireguard.home wg-quick[14278]: ^^^^^^
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info>  [1681759986.3816] device (wg0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip link delete dev wg0
Apr 17 15:33:06 wireguard.home systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
Apr 17 15:33:06 wireguard.home systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
-- Subject: Unit wg-quick@wg0.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wg-quick@wg0.service has failed.
--
-- The result is failed.
Apr 17 15:33:06 wireguard.home systemd[1]: Unit wg-quick@wg0.service entered failed state.
Apr 17 15:33:06 wireguard.home systemd[1]: wg-quick@wg0.service failed.
Apr 17 15:33:06 wireguard.home polkitd[9321]: Unregistered Authentication Agent for unix-process:14272:179239 (system bus name :1.35, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info>  [1681759986.4995] keyfile: add connection /var/run/NetworkManager/system-connections/wg0.nmconnection (e421d624-f43a-4865-a16f-b1681b3cceae,"wg0")
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info>  [1681759986.5140] device (wg0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info>  [1681759986.5156] device (wg0): Activation: starting connection 'wg0' (e421d624-f43a-4865-a16f-b1681b3cceae)
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info>  [1681759986.5175] device (wg0): state change: disconnected -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')

This might be related to the too-low version of nftables available in CentOS 7 (0.8.14, which is about 5 years old as of now).
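
The parser error in the log above stops at the symbolic priority `srcnat` and says it expects `-` or a number. As an added example (not code from this issue or from the project), the hypothetical helper `numeric_priority` below rewrites the standard nftables priority names to their numeric values (`srcnat` is 100) in a command string; the sample input is copied from the log. It addresses only the parse error shown, not whether the rest of the ruleset loads on that kernel.

```shell
#!/bin/sh
# Added example: rewrite symbolic nftables chain priorities to numbers, which
# the parser in the log above asks for ("expecting - or number").
# Standard values for the ip/ip6/inet families:
#   raw -300, mangle -150, dstnat -100, filter 0, security 50, srcnat 100

# numeric_priority is a hypothetical helper name, not part of any tool.
# $1: an nft command string, e.g. the PostUp command from wg0.conf
numeric_priority() {
    cmd=$1
    for pair in raw:-300 mangle:-150 dstnat:-100 filter:0 security:50 srcnat:100; do
        name=${pair%%:*}
        value=${pair#*:}
        # Replace the name only when it directly follows the "priority"
        # keyword and is a whole word, so chain or table names that merely
        # contain the same letters are left untouched.
        cmd=$(printf '%s\n' "$cmd" |
            sed -E "s/(priority[[:space:]]+)${name}([^[:alnum:]_]|\$)/\\1${value}\\2/g")
    done
    printf '%s\n' "$cmd"
}

# Sample input taken from the failing log line in this issue.
sample='nft add chain inet wireguard-wg0 wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}'
numeric_priority "$sample"
```

Commands that already use a numeric priority, or that contain no `priority` keyword, pass through unchanged.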
