no internet via wireguard on unprivileged container, but connection successfully established

DerMerowinger

Active Member
Nov 5, 2017
26
0
41
Hej there,

I configure my wireguard according to this tutorial.
I can connect to the wireguard but unfortunately I got no access to the internet via this tunnel.
Can you see my problem?

wg0.conf
[Interface]
Address = 192.168.2.1/24
PrivateKey = ishere
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROU>
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTR>

[Peer]
PublicKey = isthere
AllowedIPs = 192.168.2.2/32

ip route from container
default via 192.168.178.1 dev eth0 proto dhcp src 192.168.178.73 metric 1024
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.73
192.168.178.1 dev eth0 proto dhcp scope link src 192.168.178.73 metric 1024

Thank you very much in advance
 
hi,

does the container have internet access?

is the CT firewall enabled? it could interfere with your connection.

are you using masqueraded network setup?
 
1. yes, in the container I can ping heise.de
2. I tried it with firewall enabled and firewall disabled and rebooting
3. yes I think so, oh, the config was cut:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 
what about your /etc/network/interfaces config on the PVE host? are containers being portforwarded with masquerade setup?

or maybe the issue is on the wireguard client, have you checked if the routes are added correctly on the client device? can you ping the gateway?
 
in the /etc/network/interfaces I had to uncomment this
"
#auto wg0
#iface wg0 inet static
#address 192.168.42.1
#netmask 255.255.255.0
#pre-up ip link add wg0 type :
#.wireguard
#pre-up wg setconf wg0 :
#./etc/wireguard/wg0.conf
#up ip link set wg0 up
#down ip link delete wg0
#iface wg0 inet6 static
#address fd00:42::1
#netmask 64"

because the network interface could not be started.
so there is nothing else concerning wireguard.
I thought the changes in /etc/sysctl.conf:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1

would suffice concerning forwarding on the host...
 
can you post the whole /etc/network/interfaces (mask your public IP)?

if you have a single public IP and use portforwarding to reach your containers from outside, you might also have to add:
Code:
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

in the /etc/network/interfaces. more info on that here [0]




[0]: https://pve.proxmox.com/wiki/Networ...ith_tt_span_class_monospaced_iptables_span_tt
 
this is my /etc/network/interfaces
"auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.178.29
netmask 24
gateway 192.168.178.1
bridge-ports enp3s0
bridge-stp off
bridge-fd 0


#auto wg0
#iface wg0 inet static
#address 192.168.42.1
#netmask 255.255.255.0
#pre-up ip link add wg0 type :
#.wireguard
#pre-up wg setconf wg0 :
#./etc/wireguard/wg0.conf
#up ip link set wg0 up
#down ip link delete wg0
#iface wg0 inet6 static
#address fd00:42::1
#netmask 64"

so I added the above mentioned lines. I still cannot reach the internet from the wireguard connection. Maybe you need the config from the connection?

[Interface]
PrivateKey = prkey
Address = 192.168.2.2/24


[Peer]
PublicKey = pukey
Endpoint = domainandporttoreachmachinefrom outside
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
 
Last edited:
did you reboot or reset the network interface after adding the two lines?

what is the output of ip r from the wireguard client? is the gateway added correctly?
 
When just restarting network my machines could not establish any connection, but after rebooting everything worked but internet via wireguard.
ip r
default via 192.168.178.1 dev eth0 proto dhcp src 192.168.178.73 metric 1024
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.73
192.168.178.1 dev eth0 proto dhcp scope link src 192.168.178.73 metric 1024
 
sorry if i wasn't clear, i meant the wireguard client, like your phone or whichever device you're connecting to the VPN with.

is the route added correctly there?
can you ping the wireguard container for example?
can you ping other hosts in the container network? or the PVE host?

is the firewall enabled on the container? that could also be interfering with the connection.

what about wireguard logs on the client and server? can you check those for errors or warnings?
 
ip r
10.152.210.16/29 dev rmnet_data1 proto kernel scope link src 10.152.210.20
192.168.2.0/24 dev tun0 proto kernel scope link src 192.168.2.2

from this Smartphone I can reach any machine in my home network, as well as the PVE host.
Yes, I also can ping and reach the wireguard machine.

journalctl -u wg-quick@wg0
shows this
May 17 11:52:16 schloss systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
May 17 11:52:16 schloss wg-quick[120]: [#] ip link add wg0 type wireguard
May 17 11:52:16 schloss wg-quick[120]: [#] wg setconf wg0 /dev/fd/63
May 17 11:52:16 schloss wg-quick[120]: [#] ip -4 address add 192.168.2.1/24 dev wg0
May 17 11:52:16 schloss wg-quick[120]: [#] ip link set mtu 1420 up dev wg0
May 17 11:52:16 schloss wg-quick[120]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
your interface is called enp3s0 but in the wireguard config you wrote eth0

edit: nevermind looked at the wrong config
 
from this Smartphone I can reach any machine in my home network, as well as the PVE host.
Yes, I also can ping and reach the wireguard machine.

can you ping 1.1.1.1 or 8.8.8.8?
 
I thought this as well and tested it a while ago, but when I change it I cannot reach internal or external IPs.

and ip r on my smartphone shows
ip r
10.152.210.16/29 dev rmnet_data1 proto kernel scope link src 10.152.210.20
192.168.2.0/24 dev tun0 proto kernel scope link src 192.168.2.2

I just rebooted the wireguard container after changing this but I think it should be enough.

okay, I definitely should have studied information technologies...

with eth0 as interface I can ping 1.1.1.1, but not heise.de
I also can ping 8.8.8.8

just to be clear you meant, change this
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
to
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

Okay, so I just have a DNS problem... I hope simple to solve for someone who has a bit knowledge ;-)
 
just to be clear you meant, change this

no my bad, it should be eth0 since that's the interface name on the container (i edited my previous post after realizing the mistake). leave that as is and it should be fine.

with eth0 as interface I can ping 1.1.1.1, but not heise.de
I also can ping 8.8.8.8
if you can ping 1.1.1.1 from the phone with the vpn connected, then there's internet connectivity. but since you can't ping heise.de , that means you have a DNS problem.

maybe you can just set the DNS server on your phone to 1.1.1.1 or 8.8.8.8

or there might be a config option in wireguard, i'm not too sure.
 
I found this manual and I added
PostUp = echo nameserver 8.8.8.8 | resolvconf -a tun.%i -m 0 -x
PostDown = resolvconf -d tun.%i
to my wg0.conf
I also installed resolvconf and executed dpkg-reconfigure resolvconf and rebooted the container
Still no change.
I cannot ping neither internal nor external host names :-(
IPs internal and external can be pinged
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!