[6.11.1] VPN Tunnel Failing


b1ue

Recommended Posts

I have a fresh Unraid install going, first thing I want to do is setup the WireGuard vpn, I went to 
`Settings -> VPN Manager`

Setup defaults

Add Peer

 

And then try to click the `Inactive` toggle to activate, and it turns off automatically.

 

After reading online a bit I saw `wg-quick up wg0` as a test command from terminal.

 

My output reads so:

root@Tower:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.253.0.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.253.0.2/32 dev wg0
[#] logger -t wireguard 'Tunnel WireGuard-wg0 started'
[#] iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
[#] ip -4 route flush table 200
[#] ip -4 route add default via 10.253.0.1 dev wg0 table 200
[#] ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev  table 200
Error: either "to" is duplicate, or "200" is a garbage.
[#] ip link delete dev wg0

 

The `/etc/wireguard/wg0.conf` file contains:

 

[Interface]
#homewg
PrivateKey=...
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev  table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev  table 200
[Peer]
#phone
PublicKey=OCcPej80Tkt1lT0UvAgCVEG3oIa4EaFkOseI4BDO3QQ=
AllowedIPs=10.253.0.2

 

The problem seems to be with line:

`PostUp=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev  table 200`

 

 

I just removed the config line causing the error, initialized the VPN, and repaired phone and it is working. Is this a considered a bug then? The config that was there was default, when I removed the line it worked.

Edited by b1ue
  • Like 1
  • Thanks 2
  • Haha 1
  • Upvote 2
Link to comment
On 10/9/2022 at 8:39 AM, erak said:

Thanks for this find. I had the same issue after updating. After removing " dev " from line 12 and 15, and "dev wg0 " from line 11 it's up and running again. These are the exact differences from the old configuration.

 

This may be a dumb question, but I'm experiencing the exact problem but I can't seem to find any wg0.conf file on Unraid.  I have configured that file on Ubuntu, but I can't seem to find it anywhere on undraid.  There doesn't appear to be an /etc/wireguard folder as far as I can tell.  Any idea where the wireguard GUI stores these files?  Thanks

Edited by AW139
Link to comment
47 minutes ago, AW139 said:

This may be a dumb question, but I'm experiencing the exact problem but I can't seem to find any wg0.conf file on Unraid.  I have configured that file on Ubuntu, but I can't seem to find it anywhere on undraid.  There doesn't appear to be an /etc/wireguard folder as far as I can tell.  Any idea where the wireguard GUI stores these files?  Thanks

Did you check on the flashdrive ? ( /boot/  probably in the /config/ subdirectory )

  • Upvote 1
Link to comment
2 hours ago, ChatNoir said:

Did you check on the flashdrive ? ( /boot/  probably in the /config/ subdirectory )

 

Duh... thanks!

 

I edited the .conf file with midnight commander, and that seems to solve the problem of connecting WireGuard.  I am able to connect to my LAN from outside the network now.  For whatever reason I still can't get WAN access on the remote peer with Wireguard active.  This was not a problem at all until I updated unraid!!!

  • Like 1
Link to comment
16 hours ago, AW139 said:

 

Duh... thanks!

 

I edited the .conf file with midnight commander, and that seems to solve the problem of connecting WireGuard.  I am able to connect to my LAN from outside the network now.  For whatever reason I still can't get WAN access on the remote peer with Wireguard active.  This was not a problem at all until I updated unraid!!!

Send your current file. If you save a peer it will update itself again incorrect and the file will need to be updated again. Make sure you follow the instructions above exactly including the spaces.

 

Once i did that it worked for me.

 

Link to comment

Hi, I know this is a real dumb question, but how do I edit this file?  Can I do this in terminal?  I keep getting a permission issue.  Sorry for the lack of knowledge on my side.  The more info that can be provided, the better.  I am sure I am not the only one that is having an issue with permissions in the flash drive.

 

Link to comment
44 minutes ago, ZosoPage1963 said:

Hi, I know this is a real dumb question, but how do I edit this file?  Can I do this in terminal?  I keep getting a permission issue.  Sorry for the lack of knowledge on my side.  The more info that can be provided, the better.  I am sure I am not the only one that is having an issue with permissions in the flash drive.

 

nevermind on this, I just went back a version on unraid for now.

Link to comment
11 hours ago, ZosoPage1963 said:

nevermind on this, I just went back a version on unraid for now.

 

If you do need to edit that file, try using midnight commander by typing "mc" in the terminal window and hitting enter.  Worked well for me.

Edited by AW139
  • Like 1
Link to comment
On 10/13/2022 at 8:08 AM, chris smashe said:

Send your current file. If you save a peer it will update itself again incorrect and the file will need to be updated again. Make sure you follow the instructions above exactly including the spaces.

 

Once i did that it worked for me.

 

 

 

I edit the file after I completed the changes, so right now I THINK it looks all correct.  Which spaces are critical?  Thanks.

 

[Interface]
#WireGuard
PrivateKey= REMOVED
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1  table 200
PostUp=ip -4 route add 192.168.1.0/24 via 192.168.1.1   table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.1.0/24 via 192.168.1.1   table 200

Link to comment
On 10/15/2022 at 4:41 AM, AW139 said:

I edit the file after I completed the changes, so right now I THINK it looks all correct.  Which spaces are critical?  Thanks.

I haven't tested if too many spaces is an issue. But standard is one space before "table 200". Now you have double and triple spaces.

Link to comment
On 10/14/2022 at 4:18 PM, ZosoPage1963 said:

Hi, I know this is a real dumb question, but how do I edit this file?  Can I do this in terminal?  I keep getting a permission issue.  Sorry for the lack of knowledge on my side.  The more info that can be provided, the better.  I am sure I am not the only one that is having an issue with permissions in the flash drive.

There are several ways, I used vi. Open terminal and write the following and press enter: vi /etc/wireguard/wg0.conf

Press i to edit, do your changes. Press esc to exit input mode. Press : to enter a command, write wq and press enter, which means "write and quit".

  • Like 1
  • Upvote 1
Link to comment
2 hours ago, erak said:

I haven't tested if too many spaces is an issue. But standard is one space before "table 200". Now you have double and triple spaces.

 

I messed around with it, and the spaces don't seem to affect it.  

 

EDIT - Got remote tunneled access to work correctly.  I had misconfigured my static route on my router.

Edited by AW139
Link to comment
On 10/9/2022 at 6:39 AM, erak said:

Thanks for this find. I had the same issue after updating. After removing " dev " from line 12 and 15, and "dev wg0 " from line 11 it's up and running again. These are the exact differences from the old configuration.

 

This made it work, but it seems like you have to do this for every peer you add. Each time I add a peer, the slider becomes inactive again and have to delete the dev again

Link to comment
11 hours ago, Quadrapole said:

 

This made it work, but it seems like you have to do this for every peer you add. Each time I add a peer, the slider becomes inactive again and have to delete the dev again

 

Just configure all your peers, and once you are finished go in and edit the file again.  Any changed to peers you make after that will necessitate you re-edditing the file.

Link to comment

If I remove the `dev` from `wg0.conf` I can not turn active the vpn, it keeps under inactive state.

Removing both `dev wg0` I could at least turn wireguard on, but did not worked as well.

I have handshake and some lan connection but really nothing else works.

I can confirm it was working before upgrade in the really same configs.

-- edit

Ok I got mine to work and I did not need to change wg0.conf.

Im not sure what worked because I did many things, but there is two or three settings that I can suspect.

 

What I did:

- stopped the wireguard if it was running

- deleted some docker network like br0 and wg0

- stopped docker network

- disabled "Host access to custom networks" in Docker settings

- uncheck the "IPV4 Custom network on interface br0" yet in Docker settings
- reboot

 

My wg0.conf still have the `dev br0` and `dev wg0` but it is working now.

 

Edited by fabricionaweb
  • Thanks 1
Link to comment

The issue seems to be with this line in the code:
  https://github.com/limetech/webgui/blob/d196c027aa6fa49987773bf72d5859055a1321f4/plugins/dynamix/include/update.wireguard.php#L238 
for some reason the `$device` variable is empty on some systems.

 

I wrote a small script to isolate these variables:
  https://gist.github.com/ljm42/cc8bce83129cecbe148c09f0fbf6d3da 

If you are having this issue, please do the following to download and run that script:

cd /tmp
wget https://gist.githubusercontent.com/ljm42/cc8bce83129cecbe148c09f0fbf6d3da/raw/2e42e812d6946089b9443a94eada1ce637ae84b3/testnet.php
php testnet.php

 

My output looks like this:

Array
(
    [DHCP_KEEPRESOLV] => no
    [DNS_SERVER1] => 192.168.10.1
    [DHCP6_KEEPRESOLV] => no
    [BONDING] => no
    [BONDNAME] => 
    [BONDNICS] => 
    [BONDING_MODE] => 1
    [BONDING_MIIMON] => 100
    [BRIDGING] => yes
    [BRNAME] => br0
    [BRNICS] => eth0
    [BRSTP] => no
    [BRFD] => 0
    [DESCRIPTION:0] => 
    [PROTOCOL:0] => ipv4
    [USE_DHCP:0] => yes
    [IPADDR:0] => 192.168.10.50
    [NETMASK:0] => 255.255.255.0
    [GATEWAY:0] => 192.168.10.1
    [METRIC:0] => 
    [USE_DHCP6:0] => yes
    [IPADDR6:0] => 
    [NETMASK6:0] => 
    [GATEWAY6:0] => 
    [METRIC6:0] => 
    [PRIVACY6:0] => 
    [MTU] => 
    [TYPE] => access
)
BRIDGING: 'yes'
BRNAME: 'br0'
BONDING: 'no'
BONDNAME: ''
ethX: 'eth0'
device: 'br0'

 

If at the end you see "device: 'br0'" (or 'eth0' or some other value) that means everything is working correctly and I would not expect you to have the issue being discussed here.

 

But if you have the issue being discussed then the device variable at the end is probably blank (i.e. you see something like "device: ''") Please copy/paste the whole output here so we can figure out why.

Link to comment

hi @ljm42 I'm a new unraid user, and just setup a new server; I also ran into the same issue as everyone described above.

 

When I click the "Inactive" toggle switch it fails to stay enabled for `Tunnel wg0`.

 

Here is my output:

 

root@nas:/tmp# php testnet.php 
Array
(
    [DHCP_KEEPRESOLV] => yes
    [DNS_SERVER1] => 1.1.1.1
    [DNS_SERVER2] => 
    [DNS_SERVER3] => 
    [DHCP6_KEEPRESOLV] => no
    [BONDING] => yes
    [BONDNAME] => 
    [BONDNICS] => eth0,eth1,eth2,eth3
    [BONDING_MODE] => 1
    [BONDING_MIIMON] => 100
    [BRIDGING] => yes
    [BRNAME] => 
    [BRNICS] => bond0
    [BRSTP] => 0
    [BRFD] => 0
    [DESCRIPTION:0] => 
    [PROTOCOL:0] => 
    [USE_DHCP:0] => no
    [IPADDR:0] => 192.168.0.8
    [NETMASK:0] => 255.255.255.0
    [GATEWAY:0] => 192.168.0.1
    [METRIC:0] => 
    [USE_DHCP6:0] => 
    [IPADDR6:0] => 
    [NETMASK6:0] => 
    [GATEWAY6:0] => 
    [METRIC6:0] => 
    [PRIVACY6:0] => 
    [MTU] => 
    [TYPE] => access
)
BRIDGING: 'yes'
BRNAME: ''
BONDING: 'yes'
BONDNAME: ''
ethX: 'eth0'
device: ''
HEY dev is empty!
root@nas:/tmp# 

 

Link to comment

I am getting the same issue as @x86intel - I followed what @erak had done and now my toggle bounces back to `inactive` when I attempt to set it to `active`.

 

Output of the script below:

 

```
root@Odin:/tmp# php testnet.php
Array
(
    [DHCP_KEEPRESOLV] => yes
    [DNS_SERVER1] => 10.0.0.1
    [DNS_SERVER2] => 8.8.8.8
    [DNS_SERVER3] => 
    [DHCP6_KEEPRESOLV] => no
    [BONDING] => yes
    [BONDNAME] => bond0
    [BONDNICS] => eth0,eth1
    [BONDING_MODE] => 1
    [BONDING_MIIMON] => 100
    [BRIDGING] => yes
    [BRNAME] => br0
    [BRNICS] => bond0
    [BRSTP] => no
    [BRFD] => 0
    [DESCRIPTION:0] => 
    [PROTOCOL:0] => ipv4
    [USE_DHCP:0] => no
    [IPADDR:0] => 10.0.0.10
    [NETMASK:0] => 255.255.255.0
    [GATEWAY:0] => 10.0.0.1
    [METRIC:0] => 
    [USE_DHCP6:0] => yes
    [IPADDR6:0] => 
    [NETMASK6:0] => 
    [GATEWAY6:0] => 
    [METRIC6:0] => 
    [PRIVACY6:0] => 
    [MTU] => 
    [TYPE] => access
)
BRIDGING: 'yes'
BRNAME: 'br0'
BONDING: 'yes'
BONDNAME: 'bond0'
ethX: 'eth0'
device: 'br0'
```
 

Link to comment
On 10/9/2022 at 8:39 AM, erak said:

Thanks for this find. I had the same issue after updating. After removing " dev " from line 12 and 15, and "dev wg0 " from line 11 it's up and running again. These are the exact differences from the old configuration.

This remedy worked; The downside is that you need to repeat the edit anytime you change any tunnel related settings

Link to comment
11 hours ago, x86intel said:

hi @ljm42 I'm a new unraid user, and just setup a new server; I also ran into the same issue as everyone described above.

 

When I click the "Inactive" toggle switch it fails to stay enabled for `Tunnel wg0`.

 

Here is my output:

 

root@nas:/tmp# php testnet.php 
Array
(
    [DHCP_KEEPRESOLV] => yes
    [DNS_SERVER1] => 1.1.1.1
    [DNS_SERVER2] => 
    [DNS_SERVER3] => 
    [DHCP6_KEEPRESOLV] => no
    [BONDING] => yes
    [BONDNAME] => 
    [BONDNICS] => eth0,eth1,eth2,eth3
    [BONDING_MODE] => 1
    [BONDING_MIIMON] => 100
    [BRIDGING] => yes
    [BRNAME] => 
    [BRNICS] => bond0
    [BRSTP] => 0
    [BRFD] => 0
    [DESCRIPTION:0] => 
    [PROTOCOL:0] => 
    [USE_DHCP:0] => no
    [IPADDR:0] => 192.168.0.8
    [NETMASK:0] => 255.255.255.0
    [GATEWAY:0] => 192.168.0.1
    [METRIC:0] => 
    [USE_DHCP6:0] => 
    [IPADDR6:0] => 
    [NETMASK6:0] => 
    [GATEWAY6:0] => 
    [METRIC6:0] => 
    [PRIVACY6:0] => 
    [MTU] => 
    [TYPE] => access
)
BRIDGING: 'yes'
BRNAME: ''
BONDING: 'yes'
BONDNAME: ''
ethX: 'eth0'
device: ''
HEY dev is empty!
root@nas:/tmp# 

 

 

Thank you, this is the condition I was looking for. Would you please upload your diagnostics.zip file (from Tools -> Diagnostics). I need to try and replicate this.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.