Wireguard error

I am trying to set up wireguard docker on a proxmox server using docker compose.

Docker version 23.0.2, build 569dd73
Docker Compose version v2.17.2
Proxmox version: pve-manager/7.4-3/9002ab8a (running kernel: 5.15.102-1-pve)

Here is my docker-compose.yaml.

version: "3"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERURL=example.com # Not actual url used 
      - SERVERPORT=51820 #optional
      - PEERS=myPhone #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - LOG_CONFS=true #optional
    volumes:
      - /home/paul/appdata/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always

When run I get the following error in docker compose logs wireguard:

wireguard  | [migrations] started
wireguard  | [migrations] no migrations found
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  |       ██╗     ███████╗██╗ ██████╗ 
wireguard  |       ██║     ██╔════╝██║██╔═══██╗
wireguard  |       ██║     ███████╗██║██║   ██║
wireguard  |       ██║     ╚════██║██║██║   ██║
wireguard  |       ███████╗███████║██║╚██████╔╝
wireguard  |       ╚══════╝╚══════╝╚═╝ ╚═════╝ 
wireguard  | 
wireguard  |    Brought to you by linuxserver.io
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  | To support the app dev(s) visit:
wireguard  | WireGuard: https://www.wireguard.com/donations/
wireguard  | 
wireguard  | To support LSIO projects visit:
wireguard  | https://www.linuxserver.io/donate/
wireguard  | 
wireguard  | ───────────────────────────────────────
wireguard  | GID/UID
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  | User UID:    1000
wireguard  | User GID:    1000
wireguard  | ───────────────────────────────────────
wireguard  | 
wireguard  | Uname info: Linux 955d60f0ddc4 5.15.102-1-pve #1 SMP PVE 5.15.102-1 (2023-03-14T13:48Z) x86_64 x86_64 x86_64 GNU/Linux
wireguard  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
wireguard  | **** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
wireguard  | mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument
wireguard  | ln: failed to create symbolic link '/etc/wireguard/wg0.conf': No such file or directory
wireguard  | **** Server mode is selected ****
wireguard  | **** External server address is set to example.com ****
wireguard  | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
wireguard  | **** Internal subnet is set to 10.13.13.0 ****
wireguard  | **** AllowedIPs for peers 0.0.0.0/0 ****
wireguard  | **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
wireguard  | **** Server mode is selected ****
wireguard  | **** No changes to parameters. Existing configs are used. ****
wireguard  | [custom-init] No custom files found, skipping...
wireguard  | .:53
wireguard  | CoreDNS-1.10.1
wireguard  | linux/amd64, go1.20, 055b2c3
wireguard  | wg-quick: `/etc/wireguard/wg0.conf' does not exist
wireguard  | s6-rc: warning: unable to start service svc-wireguard: command exited 1

Why is it trying to create /etc/wireguard/wg0.conf when it successfully creates /home/paul/appdata/wireguard/wg0.conf?

I have tried the same config on a laptop running ubuntu 22.04 and I don’t get this error.

Thanks,
Paul

We do not test or support proxmox, but something related to it is preventing folder creation which causes the failure. You could start by verifying ls -asnl /home/paul/appdata/wireguard is owned by 1000:1000. Beyond that, I’ve never touched proxmox and can’t venture a guess.

The issue is your container cannot create a folder inside of the container, as root (and thus can’t create a symlink in that folder). Which suggests your docker install has unexpected limitations. Maybe lxc issues if you’re using that?

I was wondering that but here is the output of ls -asnl /home/paul/appdata/wireguard

9 drwxr-xr-x  6 1000 1000   8 Mar 29 12:02 .
9 drwxr-xr-x 21 1000 1000  21 Mar 29 12:02 ..
1 drwxr-xr-x  2 1000 1000   3 Mar 29 12:02 coredns
5 -rw-------  1 1000 1000 192 Mar 29 12:02 .donoteditthisfile
9 drwx------  2 1000 1000   7 Mar 29 12:02 peer_myPhone
1 drwxr-xr-x  2 1000 1000   4 Mar 29 12:02 server
1 drwxr-xr-x  2 1000 1000   4 Mar 29 12:02 templates
5 -rw-------  1 1000 1000 552 Mar 29 12:02 wg0.conf

Would that affect all docker containers?
As I have got 18 other containers running fine

The issue is likely if it’s a LXC container that the wireguard container isn’t able to get access to all the functions it needs.

I am not running it as an LXC container. If I run docker ps

68444ee10244   lscr.io/linuxserver/wireguard:latest          "/init"                  35 minutes ago   Up 35 minutes   0.0.0.0:51820->51820/udp, :::51820->51820/udp                                                                                     wireguard
4e196231cf2d   lscr.io/linuxserver/plex:latest               "/init"                  13 hours ago     Up 13 hours                                                                                                                                       plex
66d4eaf8adde   lscr.io/linuxserver/overseerr:latest          "/init"                  13 hours ago     Up 13 hours     0.0.0.0:5055->5055/tcp, :::5055->5055/tcp                                                                                         overseerr
992524e24ccf   lscr.io/linuxserver/unifi-controller:latest   "/init"                  13 hours ago     Up 13 hours                                                                                                                                       unifi-controller

---------------------------------------- Rest cut off--------------------------------------------------------------------------------

thanks

Then what are you running docker in? How did you install docker?

I thought docker was an alternative to LXC.

I installed the docker engine using the instructions on https://docs.docker.com/engine/install/debian/
I believe Proxmox is based on debian.

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

If I am misunderstanding is there a link you can refer me to?
Thanks

I’m not too familiar with proxmox, but I’m pretty sure they recommend installing docker in a VM (other option is in LXC, but they recommend against it).

I ran into the same issue on latest docker on debian 11.

I am having the same problem, but as people have mentioned earlier, I think it is because I use LXC containers instead of a virtual machine. I will be trying to do it on a virtual machine and hopefully it will work.

Running into the same issue. I don’t think it has anything to do with LXC containers.
My setup:
Proxmox 8 → LXC container → docker

I see that the commands to create /etc/wireguard and create symlink are inside root/etc/s6-overlay/s6-rc.d/init-wireguard-confs/run

# prepare symlinks
rm -rf /etc/wireguard
mkdir -p /etc/wireguard
ln -s /config/wg0.conf /etc/wireguard/wg0.conf

I confirmed that the docker process is running as root with sudo ps aux | grep docker on the host machine (the LXC container in this case)

I then cloned the github docker-wireguard repo to build the image manually. Edited the ... /init-wireguard-confs/run file to add whoami right before the above commands. Resulting log:

Uname info: Linux f2c80a274cff 6.2.16-4-pve #1 SMP PREEMPT_DYNAMIC PVE 6.2.16-4 (2023-07-07T04:22Z) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
root
mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument
ln: failed to create symbolic link '/etc/wireguard/wg0.conf': No such file or directory
**** Client mode selected. ****

So, it is definitely root. I opened a shell into the running container at that point to try and manually mkdir inside /etc/.
This works just fine:

mkdir -p /etc/any-random-name

When I try to create a directory named wireguard specifically, it gives the invalid argument error:

root@f2c80a274cff:/etc# mkdir wireguard
mkdir: cannot create directory ‘wireguard’: Invalid argument
root@f2c80a274cff:/etc# cd ..
root@f2c80a274cff:/# mkdir /etc/wireguard
mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument
root@f2c80a274cff:/# mkdir /etc/wireguard2
root@f2c80a274cff:/# ls -l /etc
total 242
-rw-r--r--  1 root root       7 Jun 14 07:28 alpine-release
drwxr-xr-x  1 root root       3 Jul 26 17:33 apk
drwxr-xr-x  2 root root       3 Jul 22 06:29 bash
drwxr-xr-x  3 root root       3 Jul 22 06:29 ca-certificates
-rw-r--r--  1 root root    5594 May  6 05:14 ca-certificates.conf
drwxr-xr-x  2 root root       2 Jul 22 06:29 conf.d
drwxr-xr-x  2 root root       2 Jul 26 17:33 cont-init.d
drwxr-xr-x  2 root root       2 Jul 26 17:33 coredns
drwxr-xr-x  2 root root       3 Jul 22 06:29 crontabs
-rw-r--r--  1 root root      97 Jun 27  2022 environment
-rw-r--r--  1 root root    1362 Jun 10  2022 ethertypes
-rw-r--r--  1 root root      89 Nov  4  2022 fstab
-rw-r--r--  1 root root     736 Jul 26 17:33 group
-rw-r--r--  1 root root     736 Jul 26 17:33 group-
-rw-r--r--  1 root root      13 Jul 26 17:33 hostname
-rw-r--r--  1 root root     175 Jul 26 17:33 hosts
drwxr-xr-x  2 root root       2 Jul 22 06:29 init.d
-rw-r--r--  1 root root     570 Nov  4  2022 inittab
-rw-r--r--  1 root root    1748 Sep 27  2022 inputrc
drwxr-xr-x  2 root root      11 Jul 26 17:33 iproute2
drwxr-xr-x  2 root root       2 Jul 26 17:33 iptables
-rw-r--r--  1 root root      54 Jun 14 07:28 issue
-rw-r--r--  1 root root      20 Nov  9  2022 login.defs
drwxr-xr-x  1 root root       3 Jul 26 17:33 logrotate.d
drwxr-xr-x  2 root root       6 Jul 22 06:29 modprobe.d
-rw-r--r--  1 root root      25 Jul 26 17:33 modules
drwxr-xr-x  2 root root       2 Jul 22 06:29 modules-load.d
-rw-r--r--  1 root root     284 Nov  4  2022 motd
lrwxrwxrwx  1 root root      12 Jul 26 17:33 mtab -> /proc/mounts
drwxr-xr-x  8 root root       8 Jul 22 06:29 network
-rw-r--r--  1 root root     205 Nov  4  2022 nsswitch.conf
drwxr-xr-x  2 root root       3 Jul 26 17:33 openldap
drwxr-xr-x  2 root root       2 Jul 22 06:29 opt
-rw-r--r--  1 root root     188 Jun 14 07:28 os-release
drwxr-xr-x  2 root root      20 Jul 22 06:29 pam.d
-rw-r--r--  1 root root    1262 Jul 26 17:33 passwd
-rw-r--r--  1 root root    1261 Jul 26 17:33 passwd-
drwxr-xr-x  7 root root       7 Jul 22 06:29 periodic
drwxr-xr-x  2 root root       3 Jul 26 17:33 pkcs11
-rw-r--r--  1 root root     846 Nov  4  2022 profile
drwxr-xr-x  2 root root       5 Jul 22 06:29 profile.d
-rw-r--r--  1 root root    3144 Nov  4  2022 protocols
-rw-r--r--  1 root root      57 Jul 26 17:33 resolv.conf
-rw-r--r--  1 root root     255 Jun 25  2022 resolvconf.conf
drwxr-xr-x  1 root root       3 Jul 26 16:58 s6-overlay
drwxr-xr-x  2 root root       3 Jul 22 06:29 secfixes.d
-rw-r--r--  1 root root      98 Nov 19  2022 securetty
drwxr-xr-x  4 root root      12 Jul 22 06:29 security
-rw-r--r--  1 root root   12813 Nov  4  2022 services
drwxr-xr-x  2 root root       2 Jul 26 17:33 services.d
-rw-r-----  1 root shadow   469 Jul 26 17:33 shadow
-rw-r-----  1 root shadow   440 Jul 22 06:29 shadow-
-rw-r--r--  1 root root      48 Jul 22 06:29 shells
drwxr-xr-x  1 root root       3 Jul 22 06:29 ssl
drwxr-xr-x  2 root root       4 Jul 22 06:29 ssl1.1
-rw-r--r--  1 root root      53 Nov  4  2022 sysctl.conf
drwxr-xr-x  2 root root       2 Jul 22 06:29 sysctl.d
drwxr-xr-x 13 root root      13 Jul 22 06:29 terminfo
-rw-r--r--  1 root root    5636 Nov 19  2022 udhcpd.conf
drwxr-xr-x  2 root root       2 Jul 26 17:56 wireguard2

Any idea why this specific word doesn’t act like a normal directory path argument or is somehow invalid?

edit: removed github link - flagged for spam

Unfortunately, as the devs of proxmox do not recommend running docker in an lxc container (they recommend docker in a vm) and we do not test lxc at all, this isn’t something we’re going to spend time on unless it can be reproduced by pure docker in a vm or on bare metal.

Note, whether we want to help or not, none of us use proxmox or lxc.

I understand. However the OP wasn’t running it inside LXC containers anyway, from what I understood they were running docker directly on the proxmox host machine.

Also same issue here, no proxmox involved:
github /linuxserver/docker-wireguard/issues/282

I will try it on a VM regardless, but that’s not solving this peculiar problem, even if it works on a VM. Where would one look to try and figure out a solution or a workaround?

edit: removed github link - flagged for spam

To be perfectly honest, I’m not sure. We’ve never been able to reproduce the issue internally which makes it quite challenging to tshoot. It could be related to the storage driver being used… I don’t recall what that looks like in terms of errors/logs.

Thanks for the response. It sounds like it’s way more involved to dig into than I initially thought. For now I am using the workaround that itsnotv posted above:

(Can’t post a link to github anymore I guess, my previous posts were flagged/hidden too. For posterity, just go to post 11 above and apply the changes in the commit before manually building the docker image.)

I hope the workaround will still be implemented. I also still have the issue.
As a workaround I first start normally. It crashes. Then I add this line in the volumes:

  - $VOLDIR/wg/config/wg0.conf:/etc/wireguard/wg0.conf

And I restart.

Any of you using zfs?

I am… And my solution still doesn’t work as the file is not accurate anymore after it…
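
The manual mkdir test and the storage driver / zfs questions in the thread can be collected in one probe. This is an added example, not part of any post or of the linuxserver image; the function names and the control directory name are made up here. It compares the failing name against a control name in the same parent, so a name-specific failure is separated from a general write problem, and it prints the filesystem type and, where docker is available, the storage driver.

```shell
#!/bin/sh
# Added diagnostic sketch (hypothetical helper names, not project code).
# Usage inside the container or on the host: sh probe.sh /etc wireguard

# try_mkdir PARENT NAME -> prints "ok" (and removes the dir again) or the
# trailing error text from mkdir, e.g. "Invalid argument".
try_mkdir() {
    if err=$(mkdir "$1/$2" 2>&1); then
        rmdir "$1/$2"
        echo ok
    else
        echo "${err##*: }"
    fi
}

# classify PARENT NAME -> one of:
#   exists               target is already present, nothing was tested
#   none                 target name can be created normally
#   name-specific: MSG   only the target name fails (the case in this thread)
#   general: MSG         the control name fails too (permissions, read-only fs)
classify() {
    if [ -e "$1/$2" ]; then
        echo exists
        return 0
    fi
    target=$(try_mkdir "$1" "$2")
    control=$(try_mkdir "$1" "probe-$$")   # control name, constructed here
    if [ "$target" = ok ]; then
        echo none
    elif [ "$control" = ok ]; then
        echo "name-specific: $target"
    else
        echo "general: $control"
    fi
}

# report PARENT NAME -> mkdir classification plus storage context.
report() {
    echo "mkdir result: $(classify "$1" "$2")"
    echo "filesystem of $1: $(stat -f -c %T "$1" 2>/dev/null || echo unknown)"
    if command -v docker >/dev/null 2>&1; then
        echo "docker storage driver: $(docker info --format '{{.Driver}}' 2>/dev/null)"
    fi
}

# Only probe when a parent directory and a name are given on the command line.
if [ $# -ge 2 ]; then
    report "$1" "$2"
fi
```

A result of "name-specific: Invalid argument" together with the filesystem and driver lines is the information the maintainers said they could not reproduce.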