I created a WireGuard server on a Raspberry Pi to secure access to this RPi from 2 locations. Then I added one Windows 11 PC in the same location and LAN as the server (let’s say L1) and two more devices in a different location and LAN (let’s say L2), a PC and another Raspberry Pi, as clients. The PC in L2 handshakes and works fine with the L1 server, no problem at all, so there is no problem with router ports, but the Raspberry Pi in this same location, L2, can’t handshake.
This Raspberry Pi client in L2 has WireGuard in a Docker container, with the same docker-compose.yaml as the server, except the PEERS environment variable, which is not set, as the instructions say. Then I copied the peer_homerpi.conf file to the /config/wg_confs/ folder and brought up the container. This is the wg show of this client:
interface: peer_rpihome
  public key: <publickey>
  private key: (hidden)
  listening port: 51820
  fwmark: 0x336c

peer: <peer>
  preshared key: (hidden)
  endpoint: serverIP:51820
  allowed ips: 0.0.0.0/0
The log:
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/peer_rpihome.conf, adding to list ****
**** Activating tunnel /config/wg_confs/peer_rpihome.conf ****
[#] ip link add peer_rpihome type wireguard
[#] wg setconf peer_rpicasa /dev/fd/63
[#] ip -4 address add 10.13.13.7 dev peer_rpihome
[#] ip link set mtu 1420 up dev peer_rpihome
[#] resolvconf -a peer_rpihome -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
[#] wg set peer_rpihome fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev peer_rpihome table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
**** All tunnels are now active ****
[ls.io-init] done.
And the docker-compose.yaml file of this client:
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Madrid
      - SERVERURL=MYSERVERURL #optional
      - SERVERPORT=51820 #optional
      - PEERS=
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS= #optional
      - LOG_CONFS=true #optional
    volumes:
      - /DOCKERS/WIREGUARD/appdata/config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
What am I doing wrong?
Thanks
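In the wg show output above the peer block has no "latest handshake:" and no "transfer:" line; wg show only prints those once a handshake has completed, so their absence is the direct sign that this peer has never handshaked. The Python below is an added example, not code from the thread or from the linuxserver.io image: it parses wg show text (for instance the output of "docker exec wireguard wg show"), flags peers that have never handshaked, and flags peers whose last handshake is older than WireGuard's 180 s session-key lifetime. The two sample outputs and the endpoint address 203.0.113.10 in them are constructed placeholders.

```python
"""Check `wg show` text output for peers that have not completed a handshake.

Added example, not code from the thread or from the linuxserver.io image.
The sample outputs below are constructed; keys and endpoint are placeholders.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample with the shape of the output posted in the thread:
# the peer block carries no "latest handshake:" or "transfer:" line.
NO_HANDSHAKE = """\
interface: wg0
  public key: <PUBLICKEY>
  private key: (hidden)
  listening port: 51820
  fwmark: 0xcc5c

peer: <PKEY>
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0
"""

# Constructed sample of a peer that is up; wg show prints a relative age.
HANDSHAKE_OK = """\
interface: wg0
  public key: <PUBLICKEY>
  private key: (hidden)
  listening port: 51820

peer: <PKEY>
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 12 seconds ago
  transfer: 1.21 MiB received, 3.04 MiB sent
  persistent keepalive: every 25 seconds
"""

# WireGuard discards session keys 180 s after the handshake that made them;
# an older "latest handshake" means the tunnel is not currently passing data.
STALE_AFTER_SECONDS = 180

_UNITS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


@dataclass
class Peer:
    key: str
    endpoint: Optional[str] = None
    allowed_ips: List[str] = field(default_factory=list)
    handshake_age: Optional[int] = None  # seconds since last handshake; None if never


def parse_age(text: str) -> int:
    """Turn '1 minute, 12 seconds ago' into 72 (seconds)."""
    total = 0
    for n, unit in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", text):
        total += int(n) * _UNITS[unit]
    return total


def parse_wg_show(output: str) -> List[Peer]:
    """Collect one Peer per 'peer:' block; interface lines are skipped."""
    peers: List[Peer] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            peers.append(Peer(key=line.split(":", 1)[1].strip()))
        elif peers and ":" in line:
            k, v = (s.strip() for s in line.split(":", 1))
            if k == "endpoint":
                peers[-1].endpoint = v
            elif k == "allowed ips":
                peers[-1].allowed_ips = [a.strip() for a in v.split(",")]
            elif k == "latest handshake":
                peers[-1].handshake_age = parse_age(v)
    return peers


def report(output: str) -> List[str]:
    """One status line per peer: NO HANDSHAKE, STALE, or OK."""
    lines = []
    for p in parse_wg_show(output):
        if p.handshake_age is None:
            status = "NO HANDSHAKE"
        elif p.handshake_age > STALE_AFTER_SECONDS:
            status = f"STALE ({p.handshake_age}s since last handshake)"
        else:
            status = f"OK ({p.handshake_age}s ago)"
        lines.append(f"{p.key}: {status} via {p.endpoint}")
    return lines


if __name__ == "__main__":
    # Pipe real output in (docker exec wireguard wg show | python3 this.py),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else NO_HANDSHAKE
    print("\n".join(report(text)))
```

Run against the thread's output the checker prints NO HANDSHAKE for the single peer; a peer that shows "latest handshake" but with an age past 180 s is reported as STALE, which distinguishes "never connected" from "was connected and dropped".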
What you posted looks fine, but I did notice that the conf name you’re giving us is represented 3 different ways (peer_rpihome, peer_rpicasa and peer_homerpi) so clearly you’ve edited the logs and the confs when you posted here. I’m not sure about the extent of those edits and perhaps the error is due to something that’s edited out of these which we can’t see.
Also, try renaming the conf file to just wg0.conf and restart the container. See if that works.
First, THANKS for your answer…
Yes, I edited the file, because I thought the file name peer_rpihome.conf would be more readable in English than peer_rpicasa.conf. I didn’t pay much attention to it, hence the errors… Anyway, the conf file is OK; I copied it from the server directly and pasted it into the client folder. I tried changing the name to wg0.conf and restarted the container, but the problem is the same…
The unedited (only the keys and server IP are replaced) wg show and unedited log look like:
wg show:
interface: wg0
  public key: <PUBLICKEY>
  private key: (hidden)
  listening port: 51820
  fwmark: 0xcc5c

peer: <PKEY>
  preshared key: (hidden)
  endpoint: <MYSERVERPUBLICIP>:51820
  allowed ips: 0.0.0.0/0
root@813739b3a8cb:/#
Log
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1000
User GID: 1000
───────────────────────────────────────
Uname info: Linux 813739b3a8cb 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.7 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
**** All tunnels are now active ****
[ls.io-init] done.
Handshake done. It seems there was a problem with my router, maybe. After turning it off and on, I can see my “location2” Raspberry Pi handshake on the “location1” server. I can see the server public IP with the “curl ifconfig.me” command executed in the WireGuard Docker container. But I still get the client public IP when executing the command outside the Docker container, in the Raspbian OS console…
Now I must deal with a new problem: I can’t access my location2 (client) LAN devices by their local IP when connected to the WireGuard tunnel. I can access location1 LAN devices (server side) from the client (the server-side device range is 192.168.0.XXX) but can’t access client LAN devices (the client-side device range is 192.168.1.XXX).
Any advice to start searching for a solution?
THANKS
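One place to start looking: with AllowedIPs = 0.0.0.0/0 WireGuard's cryptokey routing claims every destination for the tunnel, including the client's own 192.168.1.x range, so those addresses are sent to the server instead of out the local interface. A common way to keep the client-side LAN reachable is a split-tunnel AllowedIPs list that covers everything except that LAN. The Python below is an added example, not code from the thread or from the linuxserver.io image; it computes that list with the standard-library ipaddress module and checks which addresses would still be routed into the tunnel. The 192.168.1.0/24 range and the 10.13.13.0 tunnel subnet are from the thread; the test addresses are constructed.

```python
"""Build a split-tunnel AllowedIPs list: "everything except these local ranges".

Added example, not from the thread or the linuxserver.io image. Uses only the
standard library. 192.168.1.0/24 is the client-side LAN from the thread; the
addresses probed at the bottom are constructed.
"""
from ipaddress import collapse_addresses, ip_address, ip_network
from typing import List


def allowed_ips_excluding(full: str, excluded: List[str]) -> List[str]:
    """Split `full` into the smallest set of CIDRs that cover it minus `excluded`.

    The Python ipaddress module does the carving: address_exclude() yields the
    sibling subnets left over when one prefix is cut out of a larger one, and
    collapse_addresses() merges anything that can be re-joined.
    """
    remaining = [ip_network(full)]
    for ex in map(ip_network, excluded):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # entirely inside an excluded range: drop it
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # cut the hole out
            else:
                carved.append(net)  # unrelated to this exclusion: keep as is
        remaining = carved
    return [str(n) for n in collapse_addresses(sorted(remaining))]


def routed_via_tunnel(allowed_ips: List[str], address: str) -> bool:
    """True if `address` falls inside any AllowedIPs prefix (i.e. goes into the tunnel)."""
    addr = ip_address(address)
    return any(addr in ip_network(n) for n in allowed_ips)


def render_allowed_ips(allowed_ips: List[str]) -> str:
    """Format the list as the [Peer] section line a WireGuard .conf expects."""
    return "AllowedIPs = " + ", ".join(allowed_ips)


if __name__ == "__main__":
    # Full tunnel minus the client-side LAN named in the thread.
    split = allowed_ips_excluding("0.0.0.0/0", ["192.168.1.0/24"])
    print(render_allowed_ips(split))
    # Constructed probes: a client-LAN host, a server-LAN host, the tunnel
    # address the container was given, and a public address.
    for probe in ("192.168.1.50", "192.168.0.10", "10.13.13.7", "198.51.100.1"):
        print(f"{probe:>14} -> {'tunnel' if routed_via_tunnel(split, probe) else 'local'}")
```

Whatever is left out of AllowedIPs bypasses the tunnel entirely and travels in the clear on the local network, so keep the exclusion to the client's own LAN and make sure the tunnel subnet (10.13.13.0/24 here) and the server-side 192.168.0.0/24 stay covered. Cutting a single /24 out of 0.0.0.0/0 produces 24 prefixes, one per bit of the excluded length, which is why such lists look long.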