Debian 10 / Wireguard connect and get DNS answer but no data :(
clementperon opened this issue · 3 comments
Hi,
I have already installed this docker on Ubuntu 20.04 and it's working fine.
Now I'm testing it on Debian 10 but it doesn't seem to work.
The client is connected and has an IP.
But I tried to ping multiple random domains: the DNS is working fine but I don't get any ping answer.
Do you know how I can debug this?
Is there a missing iptables rule?
Thanks for your help
On the server
I have installed backported wireguard
$> sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
$> sudo apt-get update
$> sudo apt-get install -y wireguard
Check that IPv4/IPv6 forwarding is enabled and the modules are loaded
$> sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$> sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
$> lsmod | grep -E "wireguard|ip.?table_nat"
wireguard 225280 0
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 16384 1 wireguard
iptable_nat 16384 1
nf_nat_ipv4 16384 3 ipt_MASQUERADE,nft_chain_nat_ipv4,iptable_nat
ip6table_nat 16384 1
nf_nat_ipv6 16384 2 ip6table_nat,ip6t_MASQUERADE
ip6_tables 32768 2 ip6table_filter,ip6table_nat
ip_tables 28672 2 iptable_filter,iptable_nat
$> wg --version
wireguard-tools v1.0.20200827 - https://git.zx2c4.com/wireguard-tools/
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.99.97.1 netmask 255.255.255.0 destination 10.99.97.1
inet6 fd00::10:97:1 prefixlen 112 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 202 bytes 37976 (37.0 KiB)
RX errors 170 dropped 0 overruns 0 frame 170
TX packets 93 bytes 13336 (13.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Client (wg0 is used for my Ubuntu 20.04 server)
$> wg --version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/
wg1: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.99.97.3 netmask 255.255.255.0 destination 10.99.97.3
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 35 bytes 5148 (5.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 172 bytes 20500 (20.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Hi,
Looks like Debian 10 moved to iptables-nft.
The rules are however in iptables-legacy.
Moving it to iptables makes wireguard work perfectly :)
sudo iptables-legacy -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.99.97.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/sbin/iptables-nft 20 auto mode
1 /usr/sbin/iptables-legacy 10 manual mode
2 /usr/sbin/iptables-nft 20 manual mode
Press <enter> to keep the current choice[*], or type selection number:1
Same on Ubuntu 22.04 LTS.
Updating alternatives to iptables-legacy works, but it doesn't look like the best solution. And it should be documented somewhere.
There is an iptables-nft binary in the container, so shouldn't it be used instead? I assume it is better to change alternatives in the container than on the host.
bash-5.0# ls -al /sbin/iptables*
lrwxrwxrwx 1 root root 20 Jul 15 2020 /sbin/iptables -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Jul 15 2020 /sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 1 root root 17 Jul 15 2020 /sbin/iptables-nft -> xtables-nft-multi
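The split described in this thread (rules written through one iptables backend while the host resolves `iptables` to the other) is easy to detect before anyone starts debugging WireGuard. The following diagnostic script is an added example and is not part of the issue or the container project; the function names (`backend_from_version`, `rules_only_in`, `check_host`) are mine, and `check_host` assumes `iptables`, `iptables-legacy` and `iptables-nft` are on `PATH` and that it is run as root.

```shell
#!/bin/sh
# Added example (not from the issue or the project): detect rules that were
# loaded into one iptables backend while the active `iptables` uses the other.

# backend_from_version: classify `iptables -V` output as nft, legacy or unknown.
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# rules_only_in: print every "-A ..." rule found in listing $1 (text of
# `iptables-<backend> -S`) that has no identical line in listing $2.
rules_only_in() {
    printf '%s\n' "$1" | grep '^-A' | while IFS= read -r rule; do
        printf '%s\n' "$2" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# check_host: compare filter and nat rules of both backends on a real host.
# Returns 1 when the active backend cannot see rules held by the other one.
check_host() {
    active=$(backend_from_version "$(iptables -V 2>/dev/null)")
    legacy=$({ iptables-legacy -S; iptables-legacy -t nat -S; } 2>/dev/null)
    nft=$({ iptables-nft -S; iptables-nft -t nat -S; } 2>/dev/null)
    case "$active" in
        nft)    hidden=$(rules_only_in "$legacy" "$nft") ;;
        legacy) hidden=$(rules_only_in "$nft" "$legacy") ;;
        *) echo "cannot determine active iptables backend"; return 2 ;;
    esac
    if [ -n "$hidden" ]; then
        echo "active backend: $active; rules visible only in the other backend:"
        printf '%s\n' "$hidden"
        return 1
    fi
    echo "active backend: $active; no rules hidden in the other backend"
    return 0
}

# Run the live check only when explicitly asked, e.g. `sudo sh check.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A non-zero exit from `check_host` means the FORWARD or MASQUERADE rules the container inserted are sitting in the backend the kernel is not consulting, which is exactly the symptom reported above (tunnel up, DNS fine, no forwarded traffic).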