Wg-quick inside lxc still not working: iptables to nftables problem?

Hi,
I’m still having problems with wg-quick inside an lxc container (Alpine latest-stable, i.e. 3.20).

The problems started already with Turris OS 7.0.

The solution was to roll back Turris OS and stop automatic updates together with older package for iptables in Alpine.

But this can’t be the permanent solution. I think it may be related to the iptables → nftables transition both in Alpine and Turris OS.

Now I enabled automatic updates in Turris. It broke wg-quick again.

I tried to change the branch up to HBD, which gives Turris 8.0 and I think a working nftables, am I right?

On the Alpine side I’ve tried iptables, iptables-legacy and nftables.

But still can’t get wg-quick to work :frowning:

Error with iptables:

# wg-quick up vpn
[#] ip link add vpn type wireguard
[#] wg setconf vpn /dev/fd/63
[#] ip -4 address add 10.141.100.141/32 dev vpn
[#] ip -6 address add fd7d:76ee:e68f:a993:ecb7:46cc:b67b:223/128 dev vpn
[#] ip link set mtu 1420 up dev vpn
[#] resolvconf -a vpn -m 0 -x
[#] wg set vpn fwmark 51820
[#] ip -6 route add ::/0 dev vpn table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
Warning: Extension addrtype is not supported, missing kernel module?
ip6tables-restore v1.8.10 (nf_tables): Couldn't load match `addrtype':No such file or directory

Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] resolvconf -d vpn -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev vpn

Error with nftables:

# wg-quick up vpn
[#] ip link add vpn type wireguard
[#] wg setconf vpn /dev/fd/63
[#] ip -4 address add 10.141.100.141/32 dev vpn
[#] ip -6 address add fd7d:76ee:e68f:a993:ecb7:46cc:b67b:223/128 dev vpn
[#] ip link set mtu 1420 up dev vpn
[#] resolvconf -a vpn -m 0 -x
[#] wg set vpn fwmark 51820
[#] ip -6 route add ::/0 dev vpn table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
/dev/fd/63:5:100-113: Error: Could not process rule: No such file or directory

[#] resolvconf -d vpn -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev vpn

Any suggestions?

Try another container?

I was already thinking about it. What do you suggest?

EDIT: I’ve tried Debian by maurer Bookworm; it uses nftables and I get the same error as in Alpine using nftables:

...
[#] nft -f /dev/fd/63
/dev/fd/63:5:106-119: Error: Could not process rule: No such file or directory
...

EDIT2: Debian by maurer Bullseye - the same

Install kmod-ipt-extra via opkg on the Turris host maybe?

Or kmod-nft-core if the container uses nftables.

Both packages were already installed in Turris OS:

# opkg install kmod-ipt-extra
Package kmod-ipt-extra (5.15.162-1-d814ed73d47b1ca341794d2d1c0009ca) installed in root is up to date.
# opkg install kmod-nft-core
Package kmod-nft-core (5.15.162-1-d814ed73d47b1ca341794d2d1c0009ca) installed in root is up to date.
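Since a container cannot load kernel modules itself, the errors above (the iptables `addrtype` match missing, and nft rejecting line 5 of wg-quick's ruleset, which in current wg-quick is the `fib saddr type != local drop` anti-spoofing rule) come down to whether the host kernel actually has those netfilter modules loaded or built in. The script below is an added example, not from this thread or the Turris/wg-quick projects: it lists the modules wg-quick's fwmark routing needs for each backend (module names assumed from wg-quick's rules, adjust for your kernel) and reports which ones are missing, checking both /proc/modules and modules.builtin so a built-in module is not reported as absent.

```shell
#!/bin/sh
# Added example: check on the Turris/OpenWrt host which netfilter modules
# wg-quick's default-route rules need and which are missing. A module
# missing here surfaces inside the container as "Couldn't load match" or
# "Could not process rule: No such file or directory".

# Matches/expressions wg-quick uses when it installs a default route:
#   iptables backend : addrtype, mark, CONNMARK in the raw + mangle tables
#   nftables backend : fib, ct mark, meta mark in the ip and ip6 tables
# Module names are assumptions based on those rules.
WG_QUICK_MODULES_IPT="xt_addrtype xt_mark xt_connmark iptable_raw iptable_mangle ip6table_raw ip6table_mangle"
WG_QUICK_MODULES_NFT="nft_fib nft_fib_ipv4 nft_fib_ipv6 nft_ct nf_tables"

# module_present NAME LOADED_FILE BUILTIN_FILE
#   LOADED_FILE  : /proc/modules format  ("name size refcnt deps state addr")
#   BUILTIN_FILE : modules.builtin format ("kernel/net/netfilter/xt_mark.ko")
module_present() {
    name=$1; loaded=$2; builtin=$3
    grep -q "^$name " "$loaded" 2>/dev/null && return 0     # loaded as a module
    grep -q "/$name\.ko$" "$builtin" 2>/dev/null && return 0 # compiled into the kernel
    return 1
}

# missing_modules "LIST" LOADED_FILE BUILTIN_FILE -> prints missing names, one per line
missing_modules() {
    for m in $1; do
        module_present "$m" "$2" "$3" || echo "$m"
    done
}

# check_host iptables|nftables -> compares against the running kernel
check_host() {
    if [ "$1" = nftables ]; then list=$WG_QUICK_MODULES_NFT; else list=$WG_QUICK_MODULES_IPT; fi
    missing_modules "$list" /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
}
```

Run `check_host nftables` (or `iptables`) on the Turris host, not inside the container; anything it prints has to be provided by the host (on OpenWrt the nft `fib` expression modules are packaged separately from kmod-nft-core, as kmod-nft-fib, package name from memory so verify with `opkg list`) and loaded with modprobe before wg-quick in the container can succeed.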