No Internet access with wireguard LXC

[duschkopf]

Hi there,

I have another qeuestion One of the first things I wanted to set up with my new Proxmox installation is wireguard.
But I had a lot of problems with my own LXC and manuall installation, so skipped this one moved to the next services. Now that basic things are running, I am back to get wireguard running.

Now I have installed the wireguard LXC helper script on default port and added a user. I scanned the QR code with my android wireguard client and connection is successful. But I dont have neither access to internet, nor to my local network. Wireguard client show only sent data but nothing received.
So first thinks I check while searching on the net were the firewall settings. As posted on multiple places, I have added:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

to

/etc/wireguard/wg0.conf

with

ip addr

I see the device eth0@if93.

I can reach the internet and my local network form within the LXC wireguard container.
Port forwarding is enabled on my router.

What am I missing?
Thank in advance

best greetings

 

[hd--]

Hello
You are probably missing to set net.ipv4.ip_forward=1 in your /etc/sysctl.conf ?

 

[duschkopf]

yes, I did not set it, but it does not make a difference. You mean the /etc/syctl.conf within the wireguard container and not the host?
I think I got something completely wrong with the network settings for the wg0 configuration.

 

[hd--]

You mean the /etc/syctl.conf within the wireguard container and not the host?

Yes

can you print /etc/network/interfaces of your host system and also of your wireguard container ?

 

[duschkopf]

Host:

auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.178.222/24
gateway 192.168.178.1
bridge-ports enp1s0
bridge-stp off
bridge-fd 0

wireguard:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

 

[hd--]

Have you also set this at the end of your lxc.conf ?

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

and did you reboot after editing /etc/syctl.conf ?

 

[duschkopf]

I have added thos two lines now in /etc/pve/nodes/host1/lxc/106.conf. Same result.
I restart the container after every change and do a daemon-reload on the host.

 

[hd--]

Have you enabled # chown 100000:100000 /dev/net/tun on your host ?
Also using dhcp for your wireguard server might not be the best idea, as the address can change and then your won't be able to reach the server anymore.
Hope you checked these instructions in advance, as many steps are the same for OpenVPN and wireguard ?

 

[duschkopf]

/dev/nut/tun

was not set to according rights.

I have those lines in my config:

 lxc.cgroup.devices.allow: c 10:200 rwm
 lxc.mount.entry: /dev/net dev/net none bind,create=dir

in you the link it is stated "cgroup2" abd "cgroup" for proxmox <7.

How is it possible that I can connect with my wireguard client even when the wireguard LXC is shutdown?

 

[hd--]

in you the link it is stated "cgroup2" abd "cgroup" for proxmox <7.

sorry, my mistake !
So is it working now ?

 

[duschkopf]

still not working, I am confused. I can connect with the client, even the wireguard server is shutdown. Or is this normal behaviour?

 

[hd--]

Then you probably connect to another server or your client is broken ?

 

[duschkopf]

I had wireguard configured in my fritz.box for testing it. So the client is OK. Will take another look this evening..

 

[skouna]

Hi did you find any solution? I am trying to install wireguard and i have the same problem. Tryied lxc with ubuntu and debian, through ubuntu vm, ubuntu vm and docker, nothing works all the same behaviour, client connected but no access anywhere. The only suspect remaining is proxmox

 

[duschkopf]

Hi sorry fcor the late answer. I was not reporting back, because I made a stupid mistake. I assumed that the endpoint IP address parameter in the config was ma actual IP adress, because it was true at the moment of container creation and frist setup. So I somehow I assumed that wireguard knows my external IP. I set my DynDNS hosthame and then it worked.
Right now I am struggleing with "routing". The DNS setting gets ignored and I want to point either to my AP/Router for DNS or to adguard which has an upstream to my Router.
BUT wireguard ignores this setting.

 

[hd--]

The only suspect remaining is proxmox

Can you please describe your steps taken.

 

[robsalasco]

Hi! Any update about this issue?

 

[Mark-A]

I have several setup and all work.
In my set-up instructions I noted that the firewall was UDP, you may want to check that.

 

[hd--]

Hi! Any update about this issue?

if you run into any errors with your setup, feel free to describe them