
Reboot host or restart services leads to network unavailability #241

Sarevok933219 opened this issue Apr 4, 2024 · 7 comments

@Sarevok933219

Hello. I continue testing v2.0.0-alpha.2. Many bugs are fixed, thanks. When wireguard is up, it works stably. But I found one problem. Rebooting the host, or restarting the containers with docker compose down && docker compose up -d, leads wireguard to network unavailability (although no changes have been made to the config files; even the external IP does not change). There is no traffic between clients and server (even ICMP packets don't get through). Restarting the services doesn't have any effect. The only way is to log in to the web UI, go to the server config (section Peer Defaults) and, without making any changes, press the button APPLY PEER DEFAULTS. After that, everything works normally (until the next host reboot or service restart). What causes such incorrect behavior of the services?

@h44z
Owner

h44z commented Apr 4, 2024

Hi,

So you are using the host's WireGuard interface, which becomes functional once you restart the Docker container?
Can you please enable trace logging and post the container startup logs?

You could also test whether the interface still works while the container is stopped and check whether the connections break due to the startup process.

@Sarevok933219
Author

Hi,

So you are using the host's WireGuard interface, which becomes functional once you restart the Docker container? Can you please enable trace logging and post the container startup logs?

You could also test whether the interface still works while the container is stopped and check whether the connections break due to the startup process.

Good day. I'm starting all services in one docker-compose.yaml file. As the Wireguard service I use the image from lscr.io/linuxserver/wireguard. In the wireguard logs there is nothing interesting:

.:53
CoreDNS-1.11.1
linux/amd64, go1.21.8,
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Warning: AllowedIP has nonzero host part: 10.13.13.5/24
Warning: AllowedIP has nonzero host part: 10.13.13.2/24
Warning: AllowedIP has nonzero host part: 10.13.13.3/24
Warning: AllowedIP has nonzero host part: 10.13.13.4/24
[#] ip -4 address add 10.13.13.1/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.168.50.0/24 dev wg0
[#] ip -4 route add 172.21.0.0/24 dev wg0
[#] ip -4 route add 10.13.13.0/24 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT;iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE;iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
**** All tunnels are now active ****
[ls.io-init] done.

It seems it's all ok. In the logs of the wg-portal service I also didn't find anything suspicious (errors). In the UI I see the status "connected". I will try to add more information. Could I send my docker-compose.yaml file?
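The four "AllowedIP has nonzero host part" warnings in the log above are worth checking on their own, independently of the restart question: wg masks such an entry to its network, and WireGuard assigns any allowed network to exactly one peer, so several peers listed with 10.13.13.x/24 all collapse onto 10.13.13.0/24 and only the last one configured keeps it. The Python below is an added example, not code from wg-portal or the linuxserver image; it parses a constructed wg0.conf (placeholder keys, not real key material) and reports both conditions.

```python
import ipaddress
from collections import defaultdict

# Constructed wg0.conf in the shape the log above implies (placeholder keys only).
SAMPLE_WG0_CONF = """\
[Interface]
Address = 10.13.13.1/32
PrivateKey = <server-private-key-placeholder>

[Peer]
PublicKey = <peer2-public-key-placeholder>
AllowedIPs = 10.13.13.2/24

[Peer]
PublicKey = <peer3-public-key-placeholder>
AllowedIPs = 10.13.13.3/24

[Peer]
PublicKey = <peer4-public-key-placeholder>
AllowedIPs = 10.13.13.4/32
"""

def parse_peers(conf_text):
    """Return [(PublicKey, [AllowedIPs...])] for each [Peer] section."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            current = {"PublicKey": None, "AllowedIPs": []}
            peers.append(current)
        elif line.startswith("["):
            current = None  # [Interface] or an unknown section
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "PublicKey":
                current["PublicKey"] = value
            elif key == "AllowedIPs":
                current["AllowedIPs"] += [v.strip() for v in value.split(",") if v.strip()]
    return [(p["PublicKey"], p["AllowedIPs"]) for p in peers]

def check_allowed_ips(conf_text):
    """Mimic wg's host-bit warning; list networks claimed by more than one peer (last wins)."""
    warnings, owners = [], defaultdict(list)
    for pubkey, allowed in parse_peers(conf_text):
        for cidr in allowed:
            iface = ipaddress.ip_interface(cidr)
            if iface.ip != iface.network.network_address:
                warnings.append(f"AllowedIP has nonzero host part: {cidr}")
            owners[str(iface.network)].append(pubkey)  # masked, as wg does
    return warnings, {net: keys for net, keys in owners.items() if len(keys) > 1}
```

Running it on the real /config/wg_confs/wg0.conf instead of the sample shows which peers share a masked network; each peer's AllowedIPs on the server side should normally be its own /32.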

@h44z
Owner

h44z commented Apr 5, 2024

Just post the contents of the docker-compose.yml file here and remove any sensitive information like passwords, hostnames or public IP addresses.

@Sarevok933219
Author

Just post the contents of the docker-compose.yml file here and remove any sensitive information like passwords, hostnames or public IP addresses.

version: "3.6"

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=auto #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS=25 #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./config:/config
      - ./libmodules:/lib/modules
      - ./custom-scripts:/custom-cont-init.d:ro
    networks:
      wireguard:
        ipv4_address: 172.150.88.20
    ports:
      - "127.0.0.1:8123:8123"
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always

  wg-portal:
    image: wgportal/wg-portal:v2.0.0-alpha.2
    container_name: wg-portal
    restart: always
    depends_on:
      - wireguard
    logging:
      options:
        max-size: "20m"
        max-file: "3"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    network_mode: "service:wireguard"
    volumes:
      - ./config:/etc/wireguard
      - ./settings:/app/config
    environment:
      # WireGuard Settings
      - WG_PORTAL_CONFIG=/app/config/config.yml
networks:
  wireguard:
    external: true

Please, can you tell me what the code under the button does? Only this button has an effect (restores normal operation) when pressed.

@Sarevok933219
Author

Just post the contents of the docker-compose.yml file here and remove any sensitive information like passwords, hostnames or public IP addresses.

I think I solved it. The problem was that wg-portal brings up the wg0 interface and the wireguard service could not bring it up a second time (because it was already started). In config.yaml I changed the option restore_state from the default true to false and added one more interface, wg1 (although I think everything will work with the default one), and configured and used it as the main one.

@Sarevok933219
Author

For some reason it works only on Ubuntu 22.04 LTS. On CentOS 7 it doesn't have any effect.

@CtrlCdeveloper

CtrlCdeveloper commented Jul 17, 2024

@h44z
Hello! Help me please!
The created peers work fine until the interface is restarted. After restarting the interface (systemctl restart wg-quick@wg1.service), peers created through the portal do not connect to the server. The only way to fix this is by pressing the "apply peer defaults" button or "Enable -> Disable -> Enable" in the peer settings.
Changing the "restore_state" parameter does not help.
@Sarevok933219
If you managed to solve the problem, please write the solution steps.

Docker Run

docker run \
  --name=wg_portal \
  --rm=true \
  --network=host \
  --pid=host \
  --cap-add NET_ADMIN \
  --stop-timeout=60 \
  --volume=/srv/wg_portal/data:/app/data \
  --volume=/srv/wg_portal/config:/app/config \
  --volume=/etc/wireguard:/etc/wireguard \
  wgportal/wg-portal:v2.0.0-alpha.2
