nicolaslabsit's picture

I installed the TurnKey WireGuard server on a Proxmox server in my company. It works all right; I was able to create clients and configure them remotely OK.

But when rebooting, it "loses" all configuration and WireGuard wg0 does not start.
Jeremy Davis's picture

Thanks for taking the time to report the unexpected behaviour you experienced. Unfortunately, I'm not super familiar with the WireGuard appliance, but if you can provide a bit more info, that will assist me to understand the specifics of the issue you've hit, so I can try to reproduce it (and if I can reproduce it, I can likely fix it).

So some more info would be really useful: Is it the latest/current release (v16.1 - if you're not sure, post the output of 'turnkey-version')? What platform is it running on (LXC container or KVM VM)? If a container, is it a privileged container? If so, do you have nesting enabled?

TBH, personally I would generally recommend running it within a "proper" VM, although it should still certainly work within a container.

As a troubleshooting measure, I recommend that you download the ISO (from the appliance page) and install that to a full VM. See if that works after a reboot. If so, then we can pin-point the issue to something related to running within a container. If you still get the same behaviour with the ISO, then we'll need to dig in a little further (as we haven't made major changes for some time and no one else has reported issues such as you note).

nicolaslabsit's picture

Thank you very much for the prompt response!

I installed versions 16.0 and 16.1; in both versions I get the same result. From ISO or VMDK, the same thing always happens.

I do not use containers; I use KVM Proxmox on my own hardware.

You can replicate it by simply installing the ISO in server mode, then adding a client on the server and configuring your client, and you will see that you can see the entire subnet, e.g. 10.0.0.0/8; my subnet is 10.10.1.0/24
eth0 IP: 10.10.1.219, WireGuard IP 10.0.0.0

From the client I can ping 10.10.1.0/24 smoothly, all devices on my network.

But... when you reboot the VM, all the configuration does not start.

I try to start the WireGuard wg0 manually, and it starts, but it doesn't take clients well and no longer routes my network and peers to each other.

I hope you understand my bad English.

Thanks 

Jeremy Davis's picture

I'll follow your instructions and assuming that I can reproduce the issue I'll see if I can devise a fix.

I think that what you describe could be caused by the firewall settings not being reapplied after a reboot?!

PS your English is fine! At least so far... :)

Jeremy Davis's picture

Doh, this is a pretty serious oversight, and I'm not sure why it hasn't been experienced sooner!

On the plus side, the fix is really easy! :) Simply enable (and start) the 'wg-quick@wg0.service', like this:

systemctl enable --now wg-quick@wg0.service

That command should both enable the service (so it starts on boot) and start it now (the '--now' switch).

I've opened an issue related to this on our tracker to allow others to more easily find the workaround and to ensure that it doesn't get forgotten.

nicolaslabsit's picture

Hello! Thank you. This has already been tested; the service now does come up at boot. But, for example, peers generated before the reboot no longer work. We have to create new ones. These stop "seeing" my subnet; they only manage to see the wg IP, but do not route to any IP of my remote LAN (subnet eth0). They are also not seen by other wg peers.

On the first boot it does see all the networks. E.g.: WireGuard IP 10.10.1.219/24, gateway 10.10.1.1

wg0 IP 10.0.0.0

wg0 IP peer 1 10.0.0.1

Ping OK to 10.10.1.0/24, any IP

Ping OK to 10.0.0.0

After reboot, with the wg service enabled and the wg client created again:

NO ping to 10.10.1.0/24, any IP

YES ping to 10.0.0.0

NO ping to other peers (e.g. 10.0.0.3)

 

I hope you can replicate this to understand what happens.

nicolaslabsit's picture

First enable:

systemctl enable --now wg-quick@wg0.service

Then add the following in /etc/sysctl.conf

net.ipv4.ip_forward=1

Reboot, and add clients.

Thank you!!
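A way to confirm after the reboot that both changes from this thread stuck, as an added example that is not part of the original posts: it reads the sysctl config files for a valid `net.ipv4.ip_forward` entry and checks that `wg-quick@wg0.service` is enabled at boot. The function names and the file list passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that both fixes survive a reboot.

# Print the value of net.ipv4.ip_forward that the given sysctl config files
# would apply; the last valid "key = value" line wins. Prints nothing if no
# valid entry exists, e.g. when a shell command was pasted into the file.
persisted_ip_forward() {
    [ "$#" -gt 0 ] || return 0
    cat -- "$@" 2>/dev/null | awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        {
            line = $0
            sub(/^[ \t]*-?[ \t]*/, "", line)   # optional "-" (ignore errors)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/\//, ".", key)               # net/ipv4/ip_forward form
            if (key == "net.ipv4.ip_forward") v = val
        }
        END { if (v != "") print v }'
}

# Report persistent and running state; returns non-zero if anything is off.
check_wg_persistence() {
    rc=0
    val=$(persisted_ip_forward "$@")
    if [ "$val" = "1" ]; then
        echo "OK   net.ipv4.ip_forward=1 is set in the config files"
    else
        echo "FAIL no valid net.ipv4.ip_forward=1 entry (found: ${val:-none})"
        rc=1
    fi
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "FAIL forwarding is off in the running kernel"
        rc=1
    fi
    if ! systemctl is-enabled --quiet wg-quick@wg0.service 2>/dev/null; then
        echo "FAIL wg-quick@wg0.service is not enabled at boot"
        rc=1
    fi
    return "$rc"
}

# Usage (file list and order are an assumption; pass the files your system reads):
#   check_wg_persistence /etc/sysctl.d/*.conf /etc/sysctl.conf
if [ "$#" -gt 0 ]; then check_wg_persistence "$@"; fi
```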

Jeremy Davis's picture

Great work. Thanks for looking into this and working it out! I wonder why that sysctl setting doesn't cause issues initially? Regardless, I had already opened an issue re the service needing to be enabled. But with your additional info, I've opened another.

Thanks again for reporting this issue and helping resolve it.
