[BUG] Client Mode: Connection to server is made, but unable to ping in remote network #361

Open
1 task done
rrickfox opened this issue Oct 28, 2024 · 3 comments

@rrickfox

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When connecting with a wg_config.conf file to a remote WireGuard server (happens to be a Fritz Box), I am unable to ping any devices in the remote network from inside my machine. When connecting with a Windows laptop to this network, everything works as expected. I am also able to ping the machine in question from this Windows laptop, but connections to HTTP servers and SSH requests are denied.

Expected Behavior

The machine should behave naturally in the remote network.

Steps To Reproduce

  1. I am running this with docker compose in portainer, the compose file should be below (I never worked with these issue forms before)
  2. I supply this wg_config.conf file in the specified folder path:

```ini
[Interface]
PrivateKey = [...]
Address = 192.168.20.202/24
DNS = 192.168.20.1
DNS = fritz.box

[Peer]
PublicKey = [...]
PresharedKey = [...]
AllowedIPs = 192.168.20.0/24
Endpoint = [...].myfritz.net:58231
PersistentKeepalive = 25
```

  3. I get the log that also should be down below
  4. Fritz Box shows the machine as connected
  5. The following commands are from the machine in question:

```
// Test to see if general Internet is working
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=18.9 ms
...

// Router (fritz box) on remote network
ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Destination Host Unreachable
...

// Windows laptop that is vpn-ed into same remote network
ping 192.168.20.201
PING 192.168.20.201 (192.168.20.201) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Destination Host Unreachable
...
```

  6. Following is from Windows laptop:

```
// Ping remote router
ping 192.168.20.1
Ping wird ausgeführt für 192.168.20.1 mit 32 Bytes Daten:
Antwort von 192.168.20.1: Bytes=32 Zeit=22ms TTL=64
...

// Ping machine in question
ping 192.168.20.202
Ping wird ausgeführt für 192.168.20.202 mit 32 Bytes Daten:
Antwort von 192.168.20.202: Bytes=32 Zeit=130ms TTL=63
...

// curl http server
curl 192.168.20.202
curl : Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.

// try ssh
ssh [email protected]
ssh: connect to host 192.168.20.202 port 22: Connection refused
```
Environment

- OS: Debian 12
- How docker service was installed: distro's packagemanager

CPU architecture

x86-64

Docker creation

```yaml
version: "3.7"

services:
   wireguard:
     image: linuxserver/wireguard
     container_name: wireguard
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
     environment:
       - PUID=1000
       - PGID=1000
       - TZ=Europe/Berlin
     volumes:
       - /docker-data/wireguard/config:/config
       - /usr/src:/usr/src # location of kernel headers
       - /lib/modules:/lib/modules
     ports:
       - 51820:51820/udp
     sysctls:
       - net.ipv4.conf.all.src_valid_mark=1
     restart: unless-stopped
```

Container logs

```
[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls55
Build-date: 2024-10-10T11:23:38+00:00
───────────────────────────────────────

Uname info: Linux 5bb20dd72f21 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg_config.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg_config.conf ****
Warning: `/config/wg_confs/wg_config.conf' is world accessible
[#] ip link add wg_config type wireguard
[#] wg setconf wg_config /dev/fd/63
[#] ip -4 address add 192.168.20.202/24 dev wg_config
[#] ip link set mtu 1420 up dev wg_config
[#] resolvconf -a wg_config -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
**** All tunnels are now active ****
[ls.io-init] done.
```
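
An added example, not part of the original issue or the project's code: a small parser for the wg-quick style client config in the report that collects the peer's AllowedIPs and checks which addresses from the ping output they cover, including 192.168.16.1, the source of the "Destination Host Unreachable" replies. The function names, the placeholder key values and the `example.invalid` endpoint are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the client config from the issue, secrets replaced by placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER
Address = 192.168.20.202/24
DNS = 192.168.20.1
DNS = fritz.box

[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 192.168.20.0/24
Endpoint = example.invalid:58231
PersistentKeepalive = 25
"""
# Addresses seen in the issue's ping output; 192.168.16.1 sent the "unreachable" replies.
REPORT_ADDRESSES = ["8.8.8.8", "192.168.20.1", "192.168.20.201", "192.168.16.1"]

def parse_wg_conf(text):
    """Parse wg-quick style text into [(section, {key: [values]})]; keys may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            values = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.lower(), []).extend(values)
    return sections

def tunnel_networks(sections):
    """Collect AllowedIPs from every [Peer] section as ip_network objects."""
    return [ipaddress.ip_network(cidr, strict=False)
            for name, keys in sections if name == "peer"
            for cidr in keys.get("allowedips", [])]

def classify(addresses, networks):
    """Return {address: True if some peer's AllowedIPs covers it}."""
    return {addr: any(ipaddress.ip_address(addr) in net for net in networks)
            for addr in addresses}

if __name__ == "__main__":
    nets = tunnel_networks(parse_wg_conf(SAMPLE_CONF))
    for addr, inside in classify(REPORT_ADDRESSES, nets).items():
        print(f"{addr:15} {'in AllowedIPs' if inside else 'outside AllowedIPs'}")
```

With the report's values, 192.168.16.1 falls outside 192.168.20.0/24, so the unreachable replies were not sourced from an address covered by the tunnel's AllowedIPs.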

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@rrickfox
Author

One thing I also noticed is the line `s6-rc: fatal: unable to take locks: Resource busy` in the logs, which I thought would explain the issue, but issue #290 says that it should be resolved upstream?

@rrickfox
Author

Update: I have now switched to running WireGuard on bare metal, which now works. If the issue is therefore not needed anymore, please just close it; I would leave it open for others to see.
