Wireguard not working out of the box

I am currently struggling with linuxserver/wireguard.
It is not really working out of the box because I experience two problems:
The first one is that when I create a client config with the webUI, the config only works on my mobile device. On the PC (Windows client of WireGuard) I get the error that the fwmark section is wrong/has an error.
The fwmark line in the client config is the following:
FwMark = 0xca6c
When I just delete this line in the config, the config loads without problems and I can connect to the VPN.

The second problem is that when I am connected to the VPN, I have no Internet connection.
Not even a simple Ping to is working. I just get a timeout.

Would be nice if someone could help or share a working docker-compose or something…
My docker-compose is the following:

version: "3.7"
services:
  wireguard:  # service name not shown in the post
    env_file: .env
    image: lscr.io/linuxserver/wireguard:latest
    container_name: ${projectID}-wireguardVPN
    ports:
      - 8080
      - 51820:51820/udp
    hostname: ${projectID}-wireguardVPN
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERURL=${Domain} #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET= #optional
      - ALLOWEDIPS= #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./data/config:/config
#      - /lib/modules:/lib/modules #optional
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always
    networks:
      - wireguardVPN
      - reverseproxy

  wireguard-ui:  # service name not shown in the post
    image: ngoduykhanh/wireguard-ui:latest
    container_name: ${projectID}-wireguardVPN-webUI
    cap_add:
      - NET_ADMIN
    environment:
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=password
    volumes:
      - ./config:/app/db
      - ./config:/etc/wireguard
    ports:
      - 5000
    labels:
      - traefik.enable=true
      - traefik.http.routers.${projectID}_wireguardVPN.rule=Host(`${Domain}`)
      - traefik.http.routers.${projectID}_wireguardVPN.tls=true
      - traefik.http.routers.${projectID}_wireguardVPN.tls.certresolver=lets-encrypt
      - traefik.port=5000
      - traefik.docker.network=system_reverseproxy
    networks:
      - wireguardVPN
      - reverseproxy

networks:
  wireguardVPN:
    name: ${projectID}_wireguardVPN
  reverseproxy:
    external: true
    name: system_reverseproxy

The compose we provide on your readme does work. Though if you’re trying to make that webui container work with ours, it’s not going to.

Please post container logs.

You are right, if I use the wg0.conf from the linuxserver/wireguard container the VPN connection works and the internet connection is also working.
But if I look at https://whatismyipaddress.com/ I see my router's IP and not the IP of the VPN server.
So my real IP is leaked and something is not working correctly.

Here is the log:

2022-12-31 20:58:28.182: [TUN] [test] Starting WireGuard/0.5.3 (Windows 10.0.22621; amd64)
2022-12-31 20:58:28.182: [TUN] [test] Watching network interfaces
2022-12-31 20:58:28.185: [TUN] [test] Resolving DNS names
2022-12-31 20:58:28.185: [TUN] [test] Creating network adapter
2022-12-31 20:58:28.288: [TUN] [test] Using existing driver 0.10
2022-12-31 20:58:28.289: [TUN] [test] Creating adapter
2022-12-31 20:58:28.506: [TUN] [test] Using WireGuardNT/0.10
2022-12-31 20:58:28.507: [TUN] [test] Enabling firewall rules
2022-12-31 20:58:28.465: [TUN] [test] Interface created
2022-12-31 20:58:29.238: [TUN] [test] Dropping privileges
2022-12-31 20:58:29.238: [TUN] [test] Setting interface configuration
2022-12-31 20:58:29.238: [TUN] [test] Peer 1 created
2022-12-31 20:58:29.243: [TUN] [test] Interface up
2022-12-31 20:58:29.250: [TUN] [test] Monitoring MTU of default v6 routes
2022-12-31 20:58:29.266: [TUN] [test] Setting device v6 addresses
2022-12-31 20:58:29.297: [TUN] [test] Monitoring MTU of default v4 routes
2022-12-31 20:58:29.297: [TUN] [test] Setting device v4 addresses
2022-12-31 20:58:29.310: [TUN] [test] Skipping execution of script, because dangerous script execution is safely disabled: `iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE`
2022-12-31 20:58:29.327: [TUN] [test] Startup complete

the sample is to connect a remote asset, such as your phone, to your home. what IP would you expect to see if you vpn to your home outside of your home ip?

if you want your phone to connect to a vpn that “protects” your personal info, you buy service and connect your phone to that. then your ip will be that belonging to the service you paid for. (ie; dedi, vps, mullvad, torguard, etc)

I expect to see the IP of the VPN Server.
I run the VPN on a Server in the Internet to protect my connection (=my data transfer) between the client (phone or PC) and the router.

On the phone it works. I see the VPN server's IP when I check for my IP. But on PC it is not working. I see my router's IP and not the IP of the VPN server.
So my real IP is “leaked”.

where are you running the wireguard container? your home server or some colo host/vps?
You’re lacking some critical information in your post that would be extremely helpful to us :slight_smile:

I run it on a VPS in the Internet.

ok in that case, can you obfuscate the private key and share the leaking pc config? feel free to share the working phone’s config as well, just remember to remove/obfuscate the private key

The following is the config which is stored under “config/wg0.conf”.
When I scan the QR code in the Docker container's console, my mobile device connects and the outgoing IP is the IP of the server.
When I use the wg0.conf for my computer (since I cannot scan the QR code with my computer), it shows the real IP of my router when I check which IP I use for outgoing connections.
What I discovered is that the server URL is completely missing in that config. The client says that it is connected and doesn't throw any error.

[Interface]
Address = IP from a Private Subnet
ListenPort = 51820
PrivateKey = KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer1
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = IP from a Private Subnet

You’re using the wrong conf. You need to get the peer’s conf in the config folder and put it into the other one. wg0.conf is the server’s conf
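
A check for the mix-up described above, as an added example that is not part of the original thread or of the linuxserver project: it parses a WireGuard config and lists why the file cannot work as a full-tunnel client config on Windows. The sample configs, addresses and the endpoint `vpn.example.org` are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample shaped like the server-side wg0.conf posted above.
SERVER_CONF = """[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = PLACEHOLDER
PostUp = iptables -A FORWARD -i %i -j ACCEPT
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 10.13.13.2/32
"""

# Constructed sample of a full-tunnel peer config (hypothetical endpoint).
PEER_CONF = """[Interface]
PrivateKey = PLACEHOLDER
[Peer]
PublicKey = PLACEHOLDER
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse(text):
    """Return [(section, {key: value})]; [Peer] may repeat, so no configparser."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def lint_client_conf(text):
    """List reasons the file will not work as a full-tunnel Windows client config."""
    findings = []
    for name, opts in parse(text):
        if name == "interface":
            findings += [f"{k}: not honoured by the Windows client"
                         for k in ("fwmark", "postup", "postdown") if k in opts]
        elif name == "peer":
            if "endpoint" not in opts:
                findings.append("peer has no Endpoint: nowhere to send the handshake")
            nets = [ipaddress.ip_network(n.strip(), strict=False)
                    for n in opts.get("allowedips", "").split(",") if n.strip()]
            if not any(n.prefixlen == 0 for n in nets):
                findings.append("AllowedIPs has no default route: traffic bypasses the tunnel")
    return findings
```

A peer whose AllowedIPs covers only the private subnet leaves the default route on the local network, which is why an IP-check site still shows the router's address.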

Yes, I just read it. Thanks for your answer, it is working now! :slight_smile:
But what I still didn't understand is that the client, on mobile and on PC, says it is connected even if I shut down the server.
Connection to the Internet (open a website for example) is not working then, but the client says it is connected and doesn't give any error.

BTW is there any logging of the URLs that the Client is contacting?

Wireguard is stateless. When it says connected, it just means it’s sending packets through the tunnel. Whether the other side is receiving and is able to decrypt the packets is a different story.

You need to check for a handshake on the server by running docker exec wireguard wg show

Is there any chance to change this or to at least get notified when the connection is not successful instead of just sending packages?

You could fork the wireguard project and make it non-stateless and start logging things, sure. It is not something that has anything to do with us. We are happy with wireguard as it is.
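
One way to get the notification asked about above without changing WireGuard, as an added example that is not part of the original thread: poll the handshake times that `wg show` reports on the server and flag peers with no recent handshake. The container name `wireguard` and interface `wg0` are taken from the posts; the 180-second threshold, the function names and the sample output are assumptions.

```python
import subprocess
import sys
import time

# Assumption: 180 s threshold, matching WireGuard's REJECT_AFTER_TIME; a peer
# that is passing traffic re-handshakes roughly every two minutes.
MAX_AGE = 180

# Constructed sample of `wg show wg0 latest-handshakes` output (placeholder keys).
SAMPLE = "PEER1_PUBKEY=\t1672520300\nPEER2_PUBKEY=\t1672519000\nPEER3_PUBKEY=\t0\n"

def stale_peers(output, now, max_age=MAX_AGE):
    """Map public key -> reason for every peer without a recent handshake.

    Each input line is '<public key><TAB><unix time of last handshake>';
    a time of 0 means the peer has never completed a handshake.
    """
    stale = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # ignore blank or unexpected lines
        key, ts = parts[0], int(parts[1])
        if ts == 0:
            stale[key] = "never"
        elif now - ts > max_age:
            stale[key] = f"{now - ts}s ago"
    return stale

def check(container="wireguard", iface="wg0"):
    """Query the running container and return its stale peers."""
    out = subprocess.run(
        ["docker", "exec", container, "wg", "show", iface, "latest-handshakes"],
        capture_output=True, text=True, check=True).stdout
    return stale_peers(out, int(time.time()))

if __name__ == "__main__":
    problems = check()
    for key, reason in problems.items():
        print(f"no recent handshake from {key}: {reason}")
    sys.exit(1 if problems else 0)  # non-zero exit lets cron or a monitor alert
```

An idle peer also stops handshaking, so a stale entry means "no current session", which is only a fault for peers expected to be passing traffic.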