Wireguard problems in CE 19.1-Matrix_rc1 (Stable)

Hello:

I’m trying to use Wireguard from docker in CE 19.1-Matrix_rc1 (Stable) (X96 Max+; S905X3).

Docker installation:
docker create
--name=wireguard
--cap-add=NET_ADMIN
--cap-add=SYS_MODULE
-e PUID=1000
-e PGID=1000
-e TZ=Europe/Madrid
-e SERVERURL=mydomain.duckdns.org #optional
-e SERVERPORT=51820
-e PEERS=30 #optional
-e PEERDNS=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4,176.103.130.130,176.103.130.131,208.67.222.222,208.67.220.220
-e INTERNAL_SUBNET=10.10.10.0
-e ALLOWEDIPS=0.0.0.0/0
-p 51820:51820/udp
-v /storage/.config/wireguard/config:/config
-v /lib/modules:/lib/modules
--sysctl="net.ipv4.conf.all.src_valid_mark=1"
--restart unless-stopped
linuxserver/wireguard

My config in wg0.conf:

[Interface]
Address = 10.10.10.1
ListenPort = 51820
PrivateKey = mykey
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]

peer1

PublicKey = key1
AllowedIPs = 10.10.10.2/32

[Peer]

peer2

PublicKey = key2
AllowedIPs = 10.10.10.3/32

[Peer]

peer3

PublicKey = key3
AllowedIPs = 10.10.10.4/32

etc.

Configs for the peers:
peer1.conf:
[Interface]
Address = 10.10.10.2
PrivateKey = key
ListenPort = 51820
DNS = 8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4,176.103.130.130,176.103.130.131,208.67.222.222,208.67.220.220

[Peer]
PublicKey = key
Endpoint = mydomain:51820
AllowedIPs = 0.0.0.0/0

OK.

I have configured 2 clients (1 with my smartphone, other with a PC using Windows 10).

Both (smartphone and PC) connect with wireguard with no problem. I can ping 10.10.10.1 (Wireguard server in CE) with no problem at all:
ping 10.10.10.1

Haciendo ping a 10.10.10.1 con 32 bytes de datos:
Respuesta desde 10.10.10.1: bytes=32 tiempo=1ms TTL=64
Respuesta desde 10.10.10.1: bytes=32 tiempo=15ms TTL=64
Respuesta desde 10.10.10.1: bytes=32 tiempo=1ms TTL=64
Respuesta desde 10.10.10.1: bytes=32 tiempo=15ms TTL=64

Estadísticas de ping para 10.10.10.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 1ms, Máximo = 15ms, Media = 8ms

BUT, when I try to connect using samba, ssh or sFTP:
\\10.10.10.1
ssh root@10.10.10.1

I can’t connect to wireguard server at all:
ssh root@10.10.10.1
ssh: connect to host 10.10.10.1 port 22: Connection refused

Do you know if there is a bug, a bad configuration…?

P.S.: I have opened the port (51820) in the router.

Kind regards
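An added sanity check (not the poster's code) for a server wg0.conf of the shape posted above: it parses the repeated [Peer] sections, which configparser cannot, and reports the misconfigurations that produce silent routing breakage, namely a tunnel subnet that collides with another local subnet (LAN or Zerotier), a peer whose AllowedIPs falls outside the tunnel, and an address claimed by two peers. The sample config and its keys are constructed placeholders.

```python
import ipaddress
# Constructed sample in the shape of the wg0.conf above (placeholder keys):
# peer2 reuses peer1's address and peer3 lies outside the tunnel subnet.
SAMPLE_WG0 = """[Interface]
Address = 10.10.10.1
ListenPort = 51820
PrivateKey = mykey
[Peer]
PublicKey = key1
AllowedIPs = 10.10.10.2/32
[Peer]
PublicKey = key2
AllowedIPs = 10.10.10.2/32
[Peer]
PublicKey = key3
AllowedIPs = 192.168.191.4/32
"""

def parse_wg(text):
    """Return [(section, {key: value})]; repeated [Peer] sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:             # bare labels are ignored
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = val
    return sections

def check_server(text, tunnel_subnet, other_subnets=()):
    """Return findings: subnet collisions, peers outside the tunnel, and
    AllowedIPs claimed by two peers (cryptokey routing keeps only one)."""
    tunnel = ipaddress.ip_network(tunnel_subnet)
    findings = [f"tunnel {tunnel} overlaps local subnet {o}" for o in other_subnets
                if tunnel.overlaps(ipaddress.ip_network(o))]
    owner = {}                                     # AllowedIPs network -> peer key
    for section, kv in parse_wg(text):
        if section != "Peer":
            continue
        peer = kv.get("PublicKey", "?")
        for cidr in (c.strip() for c in kv.get("AllowedIPs", "").split(",") if c.strip()):
            net = ipaddress.ip_network(cidr, strict=False)
            if not net.subnet_of(tunnel):
                findings.append(f"{peer}: {net} not in {tunnel}")
            if net in owner:
                findings.append(f"{peer}: {net} also used by {owner[net]}")
            owner.setdefault(net, peer)
    return findings
```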

If you ping and receive a response then it appears that there is communication. When the answer is also ‘Connection refused’ then there may be a firewall problem.

When testing with a wireguard client within the home network, you should change the server’s public IP address to the local IP address assigned by the router 192.168.x.x. After the wireguard service works for you within the home network then you can test from the internet, for example, with the smartphone disconnected from the home WiFi.

The --net=host option allows programs like tvheadend server to individually recognize clients of the service (10.10.20.4, 10.10.20.8, …) that it might not otherwise recognize.

I leave you my docker so you can analyze the differences with your docker:

docker create \
  --privileged \
  --name=51820-wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Paris \
  -e SERVERURL=MY_PUBLIC_IP \
  -e SERVERPORT=51820 \
  -e PEERS=MY_DEVICES1,MY_DEVICE2,... \
  -e PEERDNS=94.140.14.14,94.140.15.15 \
  -e INTERNAL_SUBNET=10.10.20.0/24 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -p 51820:51820/udp \
  -v /storage/.config/dockers/wireguard/config:/config \
  -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv6.conf.all.disable_ipv6=0" \
  --restart unless-stopped \
  --net=host \
  linuxserver/wireguard

I have tried without wifi (data) in my smartphone. Same problem.

When I run the docker with this line:
--net=host \

It’s impossible for me to start it.

Without that line, I can start wireguard.
I have used the other lines as you have posted (with my IP, etc., but the rest is the same).

I do not know your level of knowledge; I suppose you know that you cannot start a docker service in which the ports are being used by another service or program. If you want to test my docker container you will have to delete your wireguard container first.

The --net=host option is innocent enough and shouldn’t cause a problem, this tells docker to use the main network domains instead of docker’s internal private domains that require bridging.

I recommend that you use ‘portainer’ for container management.

Yes. I use portainer, and I have removed the wireguard docker (container and image) before I tried your config.

I have been trying with my smartphone (data, no wifi) far away from home… and I have found something very strange to me.

When I connect to wireguard using mobile data out of home:
a) ssh root@10.10.10.1
Connection refused

b) ssh root@192.168.1.37 (internal IP of the TV-box with wireguard)
CONNECTION OK

It makes no sense to me. Out of home (more than 200 metres), when I connect to wireguard using data, I can access CoreELEC using ssh… with the “internal” IP, but not using the wireguard IP.

Is that normal?

CoreELEC firewall or router firewall?

I have also said to test within your home network to rule out router problems. For this you will have to change YOUR PUBLIC IP in the wireguard client to 192.168.1.37 and ssh root@10.10.10.1 within your home network.

I use this regularly, all my CE, Android clients, etc. They use the wireguard service even inside the house, that is, my wireguard domain 10.10.20.0/24 is only for the use of the media server. Inside the home I use the WG-Home configuration, outside the home I use the WG-Internet configuration. The difference between the two is only the address of the wireguard server. In addition I also use the wireguard server as a DNS server and all wireguard client devices are also protected by the server’s firewall.

Sorry. I don’t know how I can change my public IP in the wireguard client.

I think my level of understanding is not enough to understand you in this case. Sorry.

I don’t know if I had to “install” wireguard client in the same TV-Box that I installed Wireguard server (using docker).
I have not done that. I have only installed the server.

When I go to:
System > CoreELEC > Connections

I don’t see anything about wireguard (in the TV-Box used as server). Only the wired (eth0) connection.

And when, using ssh to the TV-Box, I do:
ifconfig

This is the output:

ifconfig

docker0 Link encap:Ethernet HWaddr 02:42:BA:47:3A:F1
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:baff:fe47:3af1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:179182 errors:0 dropped:0 overruns:0 frame:0
TX packets:182097 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:75479667 (71.9 MiB) TX bytes:76537242 (72.9 MiB)

eth0 Link encap:Ethernet HWaddr 90:0E:B3:23:94:9C
inet addr:192.168.1.37 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4950065 errors:0 dropped:0 overruns:0 frame:0
TX packets:1720170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5844920748 (5.4 GiB) TX bytes:282403399 (269.3 MiB)
Interrupt:13

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:33934 errors:0 dropped:0 overruns:0 frame:0
TX packets:33934 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:5410480 (5.1 MiB) TX bytes:5410480 (5.1 MiB)

veth670611f Link encap:Ethernet HWaddr 36:5E:1E:37:C3:40
inet6 addr: fe80::345e:1eff:fe37:c340/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:74509 errors:0 dropped:0 overruns:0 frame:0
TX packets:58050 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:48422092 (46.1 MiB) TX bytes:47044891 (44.8 MiB)

vethff49f92 Link encap:Ethernet HWaddr E2:40:00:97:63:E4
inet6 addr: fe80::e040:ff:fe97:63e4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1595 errors:0 dropped:0 overruns:0 frame:0
TX packets:27818 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1096384 (1.0 MiB) TX bytes:2846624 (2.7 MiB)

wlan0 Link encap:Ethernet HWaddr 40:AA:56:0D:81:6B
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ztqu3lpdcn Link encap:Ethernet HWaddr 7E:90:2D:95:AE:22
inet addr:192.168.191.41 Bcast:192.168.191.255 Mask:255.255.255.0
inet6 addr: fe80::20d7:2eff:fe1e:4ae8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:2800 Metric:1
RX packets:2483577 errors:0 dropped:0 overruns:0 frame:0
TX packets:1424917 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4703541118 (4.3 GiB) TX bytes:95824244 (91.3 MiB)

For example, I see the zerotier net (ztqu3lpdcn), but NOTHING about wireguard.

Perhaps should I see something about wireguard in the TV-Box with Wireguard server?
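An added check (not from the thread) that reads ifconfig output like the listing above and reports, from the host's point of view, where the tunnel address lives. No wg interface on the host is what bridged Docker networking (no --net=host) produces: the WireGuard interface exists only inside the container's network namespace, so a peer's packets to 10.10.10.1 are answered by the container's stack (ping replies) while the host's sshd and samba are not listening there (connection refused). The sample output is a constructed, shortened excerpt.

```python
import re

# Constructed excerpt in the style of the ifconfig output above; only the
# fields the check needs are kept.
SAMPLE_IFCONFIG = """docker0 Link encap:Ethernet HWaddr 02:42:BA:47:3A:F1
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr 90:0E:B3:23:94:9C
inet addr:192.168.1.37 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1

ztqu3lpdcn Link encap:Ethernet HWaddr 7E:90:2D:95:AE:22
inet addr:192.168.191.41 Bcast:192.168.191.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:2800 Metric:1
"""

def parse_ifconfig(text):
    """Map interface name -> {'inet': IPv4 address or None, 'up': bool}."""
    ifaces = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        body = " ".join(lines[1:])
        inet = re.search(r"inet addr:(\S+)", body)
        ifaces[lines[0].split()[0]] = {"inet": inet.group(1) if inet else None,
                                       "up": bool(re.search(r"\bUP\b", body))}
    return ifaces

def locate_tunnel(ifaces, tunnel_ip, wg_prefixes=("wg",)):
    """Say, from the host's point of view, where the tunnel address lives."""
    holder = next((n for n, i in ifaces.items() if i["inet"] == tunnel_ip), None)
    wg_ifaces = [n for n in ifaces if n.startswith(wg_prefixes)]
    if holder:
        return f"{tunnel_ip} is on host interface {holder}; host services answer on it"
    if not wg_ifaces:
        return (f"no wg interface and {tunnel_ip} on no host interface: the tunnel "
                "sits in the container's network namespace, so that address reaches "
                "the container's stack, not the host's sshd or samba")
    return f"wg interface(s) {wg_ifaces} present but {tunnel_ip} is not assigned"
```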

After thinking a bit, I think you are using a configuration file with old and wrong keys.

When I remove the previous docker, I remove all the configuration files too, so the last configuration files are the ones generated for the last installation from docker.

Could you confirm for me if, when you ssh into your wireguard server:
ifconfig

Can you see something about Wireguard?

Another question:
-e SERVERURL=MY_PUBLIC_IP \

Here I have used my dns domain:

-e SERVERURL=domain.duckdns.org \

Could this be the problem, that it is NOT working with my domain and it needs my public IP?

And if that’s the case… what can I do when my public IP changes?

I have tried three different wireguard client configuration files and everything works fine. The tests have been done with an android smartphone.

Test 1.- WG-Home.conf: File to use only inside the home:

[Interface]
Address = 10.10.20.3 #copied from docker client file conf
PrivateKey = copied from docker client file conf
ListenPort = 51820 #copied from docker client file conf
DNS = 10.10.20.1 #because my WG server is also a DNS server
[Peer]
PublicKey = copied from docker client file conf
Endpoint = 192.168.0.16:51820 #IP of the WG server inside home
AllowedIPs = 0.0.0.0/0

Test 2.- WG-Internet.conf: File to use from the internet when the WG server has a static IP:

[Interface]
Address = 10.10.20.3 #copied from docker client file conf
PrivateKey = copied from docker client file conf
ListenPort = 51820 #copied from docker client file conf
DNS = 10.10.20.1 #because my WG server is also a DNS server
[Peer]
PublicKey = copied from docker client file conf
Endpoint = x.x.x.x:51820 #static IP of the WG server on the internet
AllowedIPs = 0.0.0.0/0

Test 3.- WG-DDNS.conf: File to use from the internet when the WG server has a dynamic IP with an account at duckdns.org:

[Interface]
Address = 10.10.20.3 #copied from docker client file conf
PrivateKey = copied from docker client file conf
ListenPort = 51820 #copied from docker client file conf
DNS = 10.10.20.1 #because my WG server is also a DNS server
[Peer]
PublicKey = copied from docker client file conf
Endpoint = xyz.duckdns.org:51820 #dynamic IP of the WG server on the internet
AllowedIPs = 0.0.0.0/0

EVERYTHING WORKS WONDERFULLY !

Note:

My wireguard server ( = CoreELEC/LibreELEC server ) has the following IP addresses:

  • In the Home network domain 192.168.0.0/24 it has the IP 192.168.0.16
  • In the Zerotier domain 10.10.10.0/24 it has the IP 10.10.10.1
  • In the WireGuard domain 10.10.20.0/24 it has the IP 10.10.20.1

For multimedia services I use the WireGuard domain and as an alternative in case of failure, the slower Zerotier domain. For this reason my tvheadend server and my multimedia library are always at the address 10.10.20.1 even if I am enjoying a holiday in the Canary Islands, or at home.

I tried the “home config” (for home)… and I have exactly the same problem with 10.10.10.1 (Ping OK, but other connections refused), but I can’t even connect (SSH, sFTP, etc.) or even ping 192.168.1.37:

ping 192.168.1.37

Haciendo ping a 192.168.1.37 con 32 bytes de datos:
Error general.
Error general.
Error general.
Error general.

Estadísticas de ping para 192.168.1.37:
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),

ssh root@192.168.1.37
ssh: connect to host 192.168.1.37 port 22: Permission denied

I proposed that you try the connections within home to rule out problems with the router. However, I ask you to disable the Zerotier network. The reason is as follows:

The Zerotier network is a very neutral network that in principle does not modify the routing of the device unless you do it (this is not entirely true because every month that passes new functions are added and it is more complicated), but WireGuard behaves like a traditional VPN that modifies the routing and when it goes up all the communications of the client device are established through the server.

So, disable the Zerotier network and try again. If you have problems, run the ‘ifconfig’ and ‘route’ commands on both the WG client and the server to try to find out what the problem is.

In my Zerotier configuration I do not have any configuration defined, only the declaration of 10.10.10.0/24 as LAN. If I add more stuff then it interferes with WireGuard.

As a curious thing, you can see that Android and Windows do not allow two VPN services to be enabled simultaneously. With Linux this can be done but carefully. I really like the Zerotier philosophy because the applications are only limited by the intelligence of the user and there is no problem in, for example, interconnecting five home networks or work centers.

Thanks; perhaps I’ll try again on another SD.

Kind regards

Or just enable hairpin NAT on the wireguard interface.

In my country the routers are from internet providers, it is really difficult to enable NAT Hairpinning.
