Wireguard error

scouserontour · 29 March 2023 16:04

I am trying to set up wireguard docker on a proxmox server using docker compose.

Docker version 23.0.2, build 569dd73
Docker Compose version v2.17.2
Proxmox version: pve-manager/7.4-3/9002ab8a (running kernel: 5.15.102-1-pve)

Here is my docker-compose.yaml.

version: "3"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERURL=example.com # Not actual url used 
      - SERVERPORT=51820 #optional
      - PEERS=myPhone #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - LOG_CONFS=true #optional
    volumes:
      - /home/paul/appdata/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always

When run I get the following error in docker compose logs wireguard:

wireguard  | [migrations] started
wireguard  | [migrations] no migrations found
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  |       ██╗     ███████╗██╗ ██████╗ 
wireguard  |       ██║     ██╔════╝██║██╔═══██╗
wireguard  |       ██║     ███████╗██║██║   ██║
wireguard  |       ██║     ╚════██║██║██║   ██║
wireguard  |       ███████╗███████║██║╚██████╔╝
wireguard  |       ╚══════╝╚══════╝╚═╝ ╚═════╝ 
wireguard  | 
wireguard  |    Brought to you by linuxserver.io
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  | To support the app dev(s) visit:
wireguard  | WireGuard: https://www.wireguard.com/donations/
wireguard  | 
wireguard  | To support LSIO projects visit:
wireguard  | https://www.linuxserver.io/donate/
wireguard  | 
wireguard  | ───────────────────────────────────────
wireguard  | GID/UID
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  | User UID:    1000
wireguard  | User GID:    1000
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  | Uname info: Linux 955d60f0ddc4 5.15.102-1-pve #1 SMP PVE 5.15.102-1 (2023-03-14T13:48Z) x86_64 x86_64 x86_64 GNU/Linux
wireguard  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
wireguard  | **** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
wireguard  | mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument
wireguard  | ln: failed to create symbolic link '/etc/wireguard/wg0.conf': No such file or directory
wireguard  | **** Server mode is selected ****
wireguard  | **** External server address is set to example.com ****
wireguard  | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
wireguard  | **** Internal subnet is set to 10.13.13.0 ****
wireguard  | **** AllowedIPs for peers 0.0.0.0/0 ****
wireguard  | **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
wireguard  | **** Server mode is selected ****
wireguard  | **** No changes to parameters. Existing configs are used. ****
wireguard  | [custom-init] No custom files found, skipping...
wireguard  | .:53
wireguard  | CoreDNS-1.10.1
wireguard  | linux/amd64, go1.20, 055b2c3
wireguard  | wg-quick: `/etc/wireguard/wg0.conf' does not exist
wireguard  | s6-rc: warning: unable to start service svc-wireguard: command exited 1

Why is it trying to create /etc/wireguard/wg0.conf when it successfully creates /home/paul/appdata/wireguard/wg0.conf?

I have tried the same config on an a laptop running ubuntu 22.04 and I don’t get this error.

Thanks,
Paul

driz · 29 March 2023 16:08

We do not test or support proxmox, but something related to it is preventing folder creation which causes the failure. You could start by verifying ls -asnl /home/paul/appdata/wireguard is owned by 1000:1000 . Beyond that, I’ve never touched proxmox and can’t venture a guess.

aptalca · 29 March 2023 16:14

The issue is your container cannot create a folder inside of the container, as root (and thus can’t create a symlink in that folder). Which suggests your docker install has unexpected limitations. Maybe lxc issues if you’re using that?

scouserontour · 29 March 2023 16:25

I was wondering that but here is the output of ls -asnl /home/paul/appdata/wireguard

9 drwxr-xr-x  6 1000 1000   8 Mar 29 12:02 .
9 drwxr-xr-x 21 1000 1000  21 Mar 29 12:02 ..
1 drwxr-xr-x  2 1000 1000   3 Mar 29 12:02 coredns
5 -rw-------  1 1000 1000 192 Mar 29 12:02 .donoteditthisfile
9 drwx------  2 1000 1000   7 Mar 29 12:02 peer_myPhone
1 drwxr-xr-x  2 1000 1000   4 Mar 29 12:02 server
1 drwxr-xr-x  2 1000 1000   4 Mar 29 12:02 templates
5 -rw-------  1 1000 1000 552 Mar 29 12:02 wg0.conf

scouserontour · 29 March 2023 16:29

Would that affect all docker containers?
As I have got 18 other containers running fine

j0nnymoe · 29 March 2023 16:32

The issue is likely if it’s a LXC container that the wireguard container isn’t able to get access to all the functions it needs.

scouserontour · 29 March 2023 16:43

I not running it as an LXC container. If I run docker ps

68444ee10244   lscr.io/linuxserver/wireguard:latest          "/init"                  35 minutes ago   Up 35 minutes   0.0.0.0:51820->51820/udp, :::51820->51820/udp                                                                                     wireguard
4e196231cf2d   lscr.io/linuxserver/plex:latest               "/init"                  13 hours ago     Up 13 hours                                                                                                                                       plex
66d4eaf8adde   lscr.io/linuxserver/overseerr:latest          "/init"                  13 hours ago     Up 13 hours     0.0.0.0:5055->5055/tcp, :::5055->5055/tcp                                                                                         overseerr
992524e24ccf   lscr.io/linuxserver/unifi-controller:latest   "/init"                  13 hours ago     Up 13 hours                                                                                                                                       unifi-controller

---------------------------------------- Rest cut off--------------------------------------------------------------------------------

thanks

aptalca · 29 March 2023 18:22

Then what are you running docker in? How did you install docker?

scouserontour · 29 March 2023 19:09

I thought docker was an alternative to LXC.

I installed the docker engine using the instructions on https://docs.docker.com/engine/install/debian/
I believe Proxmox is based on debian.

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

If I am misunderstanding is there a link you can refer me to?
Thanks

aptalca · 29 March 2023 19:26

I’m not too familiar with proxmox, but I’m pretty sure they recommend installing docker in a VM (other option is in LXC, but they recommend against it).

itsnotv · 9 April 2023 19:32

I ran into the same issue on latest docker on debian 11.

github.com/linuxserver/docker-wireguard

Fix init script

linuxserver:master ← itsnotv:patch-1

opened 07:15PM - 09 Apr 23 UTC

itsnotv

+5 -2

[linuxserverurl]: https://linuxserver.io [![linuxserver.io](https://raw.githubu…sercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] ------------------------------ - [x] I have read the [contributing](https://github.com/linuxserver/docker-wireguard/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications ------------------------------ ## Description: The container fails to start. I am running this on latest docker on debian 11, default settings. ``` wireguard | User UID: 1000 wireguard | User GID: 1000 wireguard | Uname info: Linux 30ebfb6d19e9 6.1.0-0.deb11.5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.12-1~bpo11+1 (2023-03-05) x86_64 x86_64 x86_64 GNU/Linux wireguard | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. **** wireguard | mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument wireguard | ln: failed to create symbolic link '/etc/wireguard/wg0.conf': No such file or directory wireguard | **** Server mode is selected **** wireguard | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container **** wireguard | **** Internal subnet is set to 10.0.0.0 **** wireguard | **** AllowedIPs for peers 0.0.0.0/0 **** wireguard | **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.0.0.1 to use wireguard docker host's DNS. **** wireguard | **** Server mode is selected **** wireguard | **** No changes to parameters. Existing configs are used. **** wireguard | [custom-init] No custom files found, skipping... wireguard | wg-quick: `/etc/wireguard/wg0.conf' does not exist wireguard | s6-rc: warning: unable to start service svc-wireguard: command exited 1 ``` docker ``` Server Version: 23.0.3 Storage Driver: overlay2 Kernel Version: 6.1.0-0.deb11.5-amd64 Operating System: Debian GNU/Linux 11 (bullseye) Architecture: x86_64 ``` docker-compose.yaml ``` version: '3.8' services: wireguard: image: linuxserver/wireguard restart: on-failure container_name: wireguard cap_add: - NET_ADMIN - SYS_MODULE environment: - PUID=1000 - PGID=1000 - TZ=America/Vancouver - SERVERPORT=51820 - PEERS=macbook - PEERDNS=auto - INTERNAL_SUBNET=10.0.0.0 - ALLOWEDIPS=0.0.0.0/0 volumes: - ./config:/config - /lib/modules:/lib/modules ports: - 51820:51820/udp sysctls: - net.ipv4.conf.all.src_valid_mark=1 ``` ## Benefits of this PR and context: - By default, the `/etc/wireguard` directory is empty, after installation of wireguard-tools. - This PR checks if the directory exists. If yes, it removes any config files inside, else it creates a new directory. ## How Has This Been Tested? Yes, tested with docker 23.0.3 on debian 11 x86_64. ## Source / References: I found a forum post by someone else who ran into the exact same issue. https://discourse.linuxserver.io/t/wireguard-error/7409

robumb · 26 May 2023 08:11

I am having the same problem, but as people have mentioned earlier, i think it is because i use lxc containers instead of virtual machine. I will be trying to do it on a virtual machine and hopefully it will work