Wireguard, handshake working but no internet access

So I have deployed a wireguard container and everything seems to be working even the handshake between the server and my windows 10 client. But, I have no internet connection when using the VPN.

I am running it in Rancher but here is how the docker compose file would look like.

    image: linuxserver/wireguard
    container_name: wireguard
      - NET_ADMIN
      - SYS_MODULE
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Zurich
      - SERVERURL= ----
      - SERVERPORT=51820 
      - PEERS=laptop,phone
      - PEERDNS=
      - /path/to/appdata/config:/config
      - /lib/modules:/lib/modules
      - 51820:51820/udp
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped                                                                                         

And yes I have port forwarded the necessary port. Any Ideas what could be wrong?

Can you show the handshake from the docker side?

‘docker exec -it wireguard wg show’

Also how are you trying to access things, hopefully by ip

Here is the handshake, and yes I am trying to access it through my public ip.

interface: wg0
  public key: ---
  private key: (hidden)
  listening port: 51820

peer: ---
  allowed ips:
  latest handshake: 6 seconds ago
  transfer: 1.64 KiB received, 92 B sent

does rancher properly handle natting the traffic in and out? we do not test or support rancher, so i have no clue how it behaves. This all looks correct though. Are you able to ping an ip, say from a connected client (to check if this is a dns or internet reachability issue)

The ping was not successful.

$ ping

Pinging with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Sadly I am relatively new to Rancher and cannot say if it behaves correctly.

Simple question: Is port 53 used by any other application? Wireguard has its own DNS service (coredns).

Coredns isn’t used when specifying an upstream dns

I’m inclined to blame rancher, unless you’re able to reproduce the issue using tested platforms (ie a debian deriv with docker )

levin@Rancher:~$ sudo netstat -tunlp | grep 53
tcp        0      0 *               LISTEN      852/systemd-resolve
tcp        0      0   *               LISTEN      2330053/docker-prox
tcp6       0      0 :::10014                :::*                    LISTEN      15393/pushprox-clie
udp        0      0 *                           852/systemd-resolve

I will now attempt to reproduce it using plain docker.

EDIT: I currently don’t think that rancher is to blame since this guy https://www.youtube.com/watch?v=xlyTCuWqDOg got it working on rancher.

EDIT_1: I got it working on pure docker (docker-compose) without any hiccups…

1 Like

A fix for this appears to be to add an init container sidecar that runs a command in the main container on creation.

To add this container through the Rancher cluster explorer UI, (after you’ve created the Wireguard deployment) go to its deployment page and click the kebab menu button (three vertical dots) in the top right corner and then click add sidecar. In the general tab, first enter the image as busybox, select init container and give it a name if you wish. Next, for the command, enter sysctl and for the arguments, enter -w net.ipv4.ip_forward=1. Thirdly, select the security context tab and under privileged, select yes. Lastly, hit save in the bottom right corner and the deployment status at the top should go from active to updating.

You may see an error message at the bottom saying services "wireguard" already exists, but you can ignore it. When the deployment status returns to active, Wireguard should hopefully be running and you should be able to access your local network and the internet. You may have to click cancel to exit the config page.

Credit to u/Mr_Prometius on reddit for finding this solution, you can view the original reddit post here