WireGuard, handshake working but no internet access

So I have deployed a WireGuard container and everything seems to be working, even the handshake between the server and my Windows 10 client. But I have no internet connection when using the VPN.

I am running it in Rancher, but here is what the docker compose file would look like.

  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Zurich
      - SERVERURL= ----
      - SERVERPORT=51820
      - PEERS=laptop,phone
      - PEERDNS=8.8.8.8
    volumes:
      - /path/to/appdata/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

And yes, I have port forwarded the necessary port. Any ideas what could be wrong?

Can you show the handshake from the docker side?

`docker exec -it wireguard wg show`

Also, how are you trying to access things? Hopefully by IP.

Here is the handshake, and yes, I am trying to access it through my public IP.

interface: wg0
  public key: ---
  private key: (hidden)
  listening port: 51820

peer: ---
  endpoint: 192.168.7.1:51820
  allowed ips: 10.13.13.3/32
  latest handshake: 6 seconds ago
  transfer: 1.64 KiB received, 92 B sent

Does Rancher properly handle NATing the traffic in and out? We do not test or support Rancher, so I have no clue how it behaves. This all looks correct though. Are you able to ping an IP, say 8.8.8.8, from a connected client (to check if this is a DNS or internet reachability issue)?

The ping was not successful.

levin@DESKTOP-12VKLFP MINGW64 ~
$ ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Sadly I am relatively new to Rancher and cannot say if it behaves correctly.

Simple question: Is port 53 used by any other application? WireGuard has its own DNS service (CoreDNS).

CoreDNS isn’t used when specifying an upstream DNS.

I’m inclined to blame Rancher, unless you’re able to reproduce the issue using tested platforms (i.e. a Debian derivative with Docker).

levin@Rancher:~$ sudo netstat -tunlp | grep 53
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      852/systemd-resolve
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2330053/docker-prox
tcp6       0      0 :::10014                :::*                    LISTEN      15393/pushprox-clie
udp        0      0 127.0.0.53:53           0.0.0.0:*                           852/systemd-resolve

I will now attempt to reproduce it using plain Docker.

EDIT: I currently don’t think that Rancher is to blame, since this guy https://www.youtube.com/watch?v=xlyTCuWqDOg got it working on Rancher.

EDIT_1: I got it working on pure Docker (docker-compose) without any hiccups…

A fix for this appears to be to add an init container sidecar that runs a command in the main container on creation.

To add this container through the Rancher cluster explorer UI (after you’ve created the WireGuard deployment), go to its deployment page, click the kebab menu button (three vertical dots) in the top right corner and then click add sidecar. In the general tab, first enter the image as busybox, select init container and give it a name if you wish. Next, for the command, enter sysctl and for the arguments, enter -w net.ipv4.ip_forward=1. Thirdly, select the security context tab and under privileged, select yes. Lastly, hit save in the bottom right corner and the deployment status at the top should go from active to updating.

You may see an error message at the bottom saying services "wireguard" already exists, but you can ignore it. When the deployment status returns to active, WireGuard should hopefully be running and you should be able to access your local network and the internet. You may have to click cancel to exit the config page.

Credit to u/Mr_Prometius on Reddit for finding this solution; you can view the original Reddit post here
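
The same fix written as a Kubernetes Deployment manifest instead of UI clicks. This is an added example, not part of the original posts or the linuxserver project; the init container name, the `app: wireguard` label and the omission of the config volume are assumptions, while the image names, sysctl and environment values are the ones from the thread.

```yaml
# Added example: Deployment equivalent of the Rancher UI steps above.
# Names and labels are assumptions; add your own config volume as needed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      initContainers:
        # Runs once before the WireGuard container starts, then exits.
        # Init containers share the pod's network namespace, so the
        # setting applies to the WireGuard container as well.
        - name: enable-ip-forward        # hypothetical name
          image: busybox
          command: ["sysctl"]
          args: ["-w", "net.ipv4.ip_forward=1"]
          securityContext:
            # /proc/sys is read-only in an unprivileged container,
            # so only this short-lived init container is privileged.
            privileged: true
      containers:
        - name: wireguard
          image: linuxserver/wireguard
          securityContext:
            capabilities:
              add: ["NET_ADMIN", "SYS_MODULE"]   # same as cap_add in the compose file
          env:
            - name: SERVERPORT
              value: "51820"
            - name: PEERS
              value: "laptop,phone"
            - name: PEERDNS
              value: "8.8.8.8"
          ports:
            - containerPort: 51820
              protocol: UDP
```

Once the pod is running, `cat /proc/sys/net/ipv4/ip_forward` inside the wireguard container should print 1; if it prints 0, the init container did not run or was not privileged.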