[15:42:51]
<Aleks (he/him/il/lui)> yes, typically it is expected to auto-update smoothly without the admin even noticing
[18:52:57]
<m606> Hello, I have reinstalled both YNH 12.x.x and Wireguard-server app from scratch but can't access outside world from a Wireguard client anymore.
Connection of the client to the server seems successful:
```
me@computer:~$ sudo wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/32 dev wg0
[#] ip -6 address add fd42::1/128 dev wg0
[#] ip link set mtu 1450 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
```
[19:05:34]
<m606> and diagnosis on YNH is fine (only that "port 8095 not open" error but that should be ignored IIRC)
[19:11:58]
<@err404:matrix.numericore.com> Warning: `/etc/wireguard/wg0.conf` is world accessible <-- you should do `chmod 0750 /etc/wireguard` and `chmod 0600 /etc/wireguard/*`
[19:12:19]
<@err404:matrix.numericore.com> Warning: `/etc/wireguard/wg0.conf` is world accessible <-- you should do `chmod 0750 /etc/wireguard` and `chmod 0600 /etc/wireguard/*`
[19:15:54]
<m606> thanks that removes the warning, but does not resolve the internet access issue
[19:20:55]
<@err404:matrix.numericore.com> yes, but at least, your private key is in a safer place
[19:21:31]
<@err404:matrix.numericore.com> please try some traceroute, to see where the issue is
[19:23:16]
<m606> traceroute from client to server right ?
[19:23:36]
<@err404:matrix.numericore.com> from client to anywhere on Internet
[19:29:03]
<m606> I tried `traceroute ddg.gg` from client:
- before connection to WG server: it shows 12 steps (as expected)
- after connection to WG server: `ddg.gg: unknown name or service. Cannot handle "host" cmdline arg 'ddg.gg' on position 1 (argc 1)`
[19:31:46]
<@err404:matrix.numericore.com> use a numerical IP address, you will avoid DNS issues for the moment
[19:32:17]
<@err404:matrix.numericore.com> like `traceroute 8.8.8.8`
[19:32:47]
<rdkb> cron daemon is spamming me with mail over Nextcloud, but it's cryptic enough that I have no idea where to look and which port it cannot open, sending hourly mails
[19:35:50]
<rdkb> Ah, found it - is it smart to give the YunoHost box the option to open ports by itself with UPnP?
[19:39:32]
<m606> It works before connection to WG server, and does the following (up to the 30th hop) after connection:
```
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
```
[19:40:31]
<@err404:matrix.numericore.com> ok, you need some nat on your firewall
[19:42:32]
<@err404:matrix.numericore.com> this is a part of my nftables config
```
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
```
[19:44:09]
<m606> on the server, right ?
[19:45:03]
<m606> BTW one thing I notice while I installed YNH via the script over a fresh existing Debian install on a VPS is that both `iptables` and `nftables` are installed on the server. Is that fine ?
[19:46:51]
<@err404:matrix.numericore.com> yes, on the server
[19:47:47]
<@err404:matrix.numericore.com> to allow your packets to go to the Internet and come back to your client
[19:49:40]
<@err404:matrix.numericore.com> iptables and nftables: on recent installs, there is only nftables installed, and iptables is translated to nftables (I don't know exactly if it is automatic or needs manual action)
[19:54:22]
<m606> so I added your snippet in the default `/etc/nftables.conf` on the server.
```
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter;
    }
    chain forward {
        type filter hook forward priority filter;
    }
    chain output {
        type filter hook output priority filter;
    }
}
## Above is the standard nftables.conf
## Below is to include YunoHost configuration
### Solve Wireguard issue
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
###
include "/etc/nftables.d/*.conf"
```
However, no success - `traceroute 8.8.8.8` gives the same result as above.
[19:57:14]
<@err404:matrix.numericore.com> ok, check iptables with `iptables -L` and nftables with `nft list ruleset`
[19:58:43]
<@err404:matrix.numericore.com> ok, your iptables is like empty, not blocking
[19:59:42]
<@err404:matrix.numericore.com> seem good
[20:00:14]
<@err404:matrix.numericore.com> (you can use \`\`\` to mark code blocks)
[20:00:48]
<m606> that's what I did but somehow Cinny decided otherwise
[20:00:55]
<@err404:matrix.numericore.com> ok,
[20:00:58]
<@err404:matrix.numericore.com> don't worry
[20:01:20]
<m606> ```
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related counter packets 1109 bytes 177894 accept
        tcp dport { 22, 25, 80, 443, 587, 993, 4093, 5222, 5223, 5224, 5269 } counter packets 10 bytes 616 accept
        udp dport { 53, 67, 547, 5353, 8095 } counter packets 23 bytes 5142 accept
        udp sport 1900 udp dport >= 1024 ip6 saddr { fd00::/8, fe80::/10 } meta pkttype host limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
        udp sport 1900 udp dport >= 1024 ip saddr { 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 } meta pkttype host limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
        iifname "lo" counter packets 11 bytes 700 accept
        ip protocol icmp counter packets 1 bytes 36 accept
        ip6 nexthdr ipv6-icmp counter packets 48 bytes 2688 accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
```
[20:01:29]
<m606> no it was my mistake actually )
[20:02:52]
<m606> if you say iptables should not be there, I wonder how come, given that's a fresh YNH install
[20:03:11]
<@err404:matrix.numericore.com> no it is ok
[20:03:45]
<@err404:matrix.numericore.com> and my wireguard server is not the yunohost, so our config may differ a little bit
[20:41:23]
<m606> shutting down nftables service doesn't help 🤨
[20:41:35]
<m606> Here is what shows `sudo dpkg -l | grep tables` on the server (i.e. both iptables & nftables installed):
```
ii iptables 1.8.9-2 amd64 administration tools for packet filtering and NAT
ii libhtml-tagset-perl 3.20-6 all data tables pertaining to HTML
ii libnftables1:amd64 1.0.6-2+deb12u2 amd64 Netfilter nftables high level userspace API library
ii libnftnl11:amd64 1.2.4-2 amd64 Netfilter nftables userspace API library
ii libxtables12:amd64 1.8.9-2 amd64 netfilter xtables library
ii nftables 1.0.6-2+deb12u2 amd64 Program to control packet filtering rules by Netfilter project
ii python3-prettytable 3.6.0-1 all library to represent tabular data in visually appealing ASCII tables (Python3)
ii python3-rich 13.3.1-1 all render rich text, tables, progress bars, syntax highlighting, markdown and more
```
[20:41:56]
<m606> `iptables -L` shows
```
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
[20:47:07]
<Salamandar> uh FYI `systemctl stop nftables` doesn't do anything, it's not a daemon
[20:51:49]
<m606> I disabled it via the webui but it's the same, right ?
[20:55:15]
<m606> now wireguard won't work properly whether nftables is enabled or disabled
[20:56:02]
<m606> thinking twice I guess not because before reinstalling YNH from scratch today, I had an issue with nftables following a migration which would break Wireguard if enabled, but Wireguard would work when disabled (via the webUI)
[21:12:26]
<Salamandar> what's the issue ?
[21:14:11]
<m606> I reinstalled YNH and Wireguard server app. WG client connects to the server without showing warning, but it has no access to internet then.
[21:14:44]
<m606> `traceroute 8.8.8.8` shows empty hops
[21:15:54]
<m606> I notice that I have both `nftables` and `iptables` installed on YNH. I wonder whether that can be trouble.
[21:21:43]
<m606> WG server's service apparently uses iptables
```
-- Boot fc3076fad8f44327b2fbc1427f14e3ed --
Dec 08 18:03:35 systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Dec 08 18:03:35 wg-quick[1011]: [#] ip link add wg0 type wireguard
Dec 08 18:03:36 wg-quick[1011]: [#] wg setconf wg0 /dev/fd/63
Dec 08 18:03:36 wg-quick[1011]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Dec 08 18:03:36 wg-quick[1011]: [#] ip -6 address add fd42::/112 dev wg0
Dec 08 18:03:36 wg-quick[1011]: [#] ip link set mtu 1450 up dev wg0
Dec 08 18:03:36 wg-quick[1011]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip link set multicast on dev wg0
Dec 08 18:03:36 systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.
```
https://github.com/YunoHost-Apps/wireguard_ynh/blob/master/conf/interfaces.json
[21:23:25]
<m606> WG client uses nftables (but I guess on the client?)
```
me@computer:~$ sudo wg-quick up myClient
[#] ip link add myClient type wireguard
[#] wg setconf myClient /dev/fd/63
[#] ip -4 address add 10.10.10.1/32 dev myClient
[#] ip -6 address add fd42::1/128 dev myClient
[#] ip link set mtu 1450 up dev myClient
[#] resolvconf -a myClient -m 0 -x
[#] wg set myClient fwmark 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev myClient table 51820
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
```
[21:24:47]
<Salamandar> iptables is just a compat layer to nft for some years now
[21:24:59]
<Salamandar> but maybe the wireguard has its nft rules borked ><'
[21:25:22]
<Salamandar> there's a fuck up between iptables setting INPUT in caps and nft using input
[21:25:57]
<Salamandar> ah yeah the iptables command is wrong there
[21:26:15]
<Salamandar> i thought someone had fixed that ?
[21:26:18]
<Salamandar> I don't have any wireguard setup nor knowledge ><'
[21:27:03]
<m606> here above is the `nft list ruleset` of the server (NAT related entries were added recently with the help of @err404:matrix.numericore.com to try solving this issue)
[21:28:27]
<m606> hmm but strangely before reinstall it was working for me (provided I disabled nftables service via the server's webUI)
[21:30:23]
<Salamandar> yeah but disabling nftables doesn't do anything actually
[21:30:31]
<Salamandar> maybe after a reboot though
[21:34:29]
<m606> that was my issue before reinstall: https://github.com/YunoHost/issues/issues/2547#issuecomment-2890856675
[21:36:09]
<m606> BTW I see you had suggested that I change the interfaces.json using the `nft` command instead of `iptables`.
[21:44:27]
<Salamandar> yeah but maybe my command wasn't completely functional