wireguard-manager
Current implementation of nftables rules breaks Wireguard service on CentOS 7
Apr 17 15:33:06 wireguard.home wg-quick[14278]: Warning: `/etc/wireguard/wg0.conf' is world accessible
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip link add wg0 type wireguard
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info> [1681759986.3219] manager: (wg0): new WireGuard device (/org/freedesktop/NetworkManager/Devices/4)
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] wg setconf wg0 /dev/fd/63
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip -4 address add 10.0.0.1/8 dev wg0
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip -6 address add fd00:00:00::1/8 dev wg0
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip link set mtu 1420 up dev wg0
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] sysctl --write net.ipv4.ip_forward=1; sysctl --write net.ipv6.conf.all.forwarding=1; nft add table inet wireguard-wg0; nft add chain inet wireguard-wg0 wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule inet wireguard-wg0 wireguard_chain oifname ens192 masquerade
Apr 17 15:33:06 wireguard.home wg-quick[14278]: net.ipv4.ip_forward = 1
Apr 17 15:33:06 wireguard.home wg-quick[14278]: net.ipv6.conf.all.forwarding = 1
Apr 17 15:33:06 wireguard.home wg-quick[14278]: Error: syntax error, unexpected string, expecting - or number
Apr 17 15:33:06 wireguard.home wg-quick[14278]: add chain inet wireguard-wg0 wireguard_chain {type nat hook postrouting priority srcnat; policy accept;}
Apr 17 15:33:06 wireguard.home wg-quick[14278]: ^^^^^^
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info> [1681759986.3816] device (wg0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Apr 17 15:33:06 wireguard.home wg-quick[14278]: [#] ip link delete dev wg0
Apr 17 15:33:06 wireguard.home systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
Apr 17 15:33:06 wireguard.home systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
-- Subject: Unit wg-quick@wg0.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wg-quick@wg0.service has failed.
--
-- The result is failed.
Apr 17 15:33:06 wireguard.home systemd[1]: Unit wg-quick@wg0.service entered failed state.
Apr 17 15:33:06 wireguard.home systemd[1]: wg-quick@wg0.service failed.
Apr 17 15:33:06 wireguard.home polkitd[9321]: Unregistered Authentication Agent for unix-process:14272:179239 (system bus name :1.35, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info> [1681759986.4995] keyfile: add connection /var/run/NetworkManager/system-connections/wg0.nmconnection (e421d624-f43a-4865-a16f-b1681b3cceae,"wg0")
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info> [1681759986.5140] device (wg0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info> [1681759986.5156] device (wg0): Activation: starting connection 'wg0' (e421d624-f43a-4865-a16f-b1681b3cceae)
Apr 17 15:33:06 wireguard.home NetworkManager[848]: <info> [1681759986.5175] device (wg0): state change: disconnected -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
This might be related to the too-low version of nftables available in CentOS 7 (0.8.14, which is about 5 years old as of now).
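The parser error in the log points at the `priority srcnat` token, a symbolic priority name that older nftables releases do not understand. The script below is an added example, not wireguard-manager's own code: it reproduces the PostUp sequence from the log, but creates the chain by first trying the symbolic name and, if nft rejects it, retrying with the numeric value that nft(8) documents for it (srcnat = 100, dstnat = -100, filter = 0). The table name `wireguard-wg0`, chain name `wireguard_chain` and interface `ens192` are taken from the log; the function names, the `apply` entry point and the install path in the comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not wireguard-manager's code): version-tolerant creation of
# the WireGuard masquerade chain. Older nftables rejects "priority srcnat"
# with the syntax error seen in the log; the numeric value works everywhere.

TABLE="wireguard-wg0"      # table name as used in the failing PostUp line
CHAIN="wireguard_chain"    # chain name as used in the failing PostUp line

# Numeric values of the symbolic nat/filter priorities documented in nft(8).
priority_value() {
    case "$1" in
        dstnat) printf '%s\n' "-100" ;;
        filter) printf '%s\n' "0" ;;
        srcnat) printf '%s\n' "100" ;;
        *)      printf 'unknown priority name: %s\n' "$1" >&2; return 1 ;;
    esac
}

# chain_spec HOOK MODE NAME -> the "{ ... }" block for "nft add chain".
# MODE is "symbolic" (emit NAME unchanged) or "numeric" (emit its number).
chain_spec() {
    hook="$1"; mode="$2"; name="$3"
    if [ "$mode" = numeric ]; then
        prio=$(priority_value "$name") || return 1
    else
        prio="$name"
    fi
    printf '{ type nat hook %s priority %s; policy accept; }' "$hook" "$prio"
}

# ensure_chain FAMILY: create the table and the postrouting nat chain, retrying
# with the numeric priority when the symbolic one is rejected by the parser.
# Prints the mode that succeeded so the caller can log it.
ensure_chain() {
    family="$1"
    nft add table "$family" "$TABLE" || return 1
    if nft add chain "$family" "$TABLE" "$CHAIN" \
          "$(chain_spec postrouting symbolic srcnat)" 2>/dev/null; then
        printf '%s\n' symbolic
    else
        nft add chain "$family" "$TABLE" "$CHAIN" \
          "$(chain_spec postrouting numeric srcnat)" || return 1
        printf '%s\n' numeric
    fi
}

# apply_masquerade OIF [FAMILY]: the PostUp sequence from the log, with the
# chain creation replaced by the fallback logic above.
apply_masquerade() {
    oif="$1"; family="${2:-inet}"
    sysctl --write net.ipv4.ip_forward=1 || return 1
    sysctl --write net.ipv6.conf.all.forwarding=1 || return 1
    mode=$(ensure_chain "$family") || return 1
    nft add rule "$family" "$TABLE" "$CHAIN" oifname "$oif" masquerade || return 1
    printf 'masquerade chain created with %s priority\n' "$mode"
}

# Only touch the system when explicitly asked, e.g. from wg0.conf
# (assumed install path):  PostUp = /usr/local/sbin/wg-masq.sh apply ens192
case "${1:-}" in
    apply) apply_masquerade "${2:?outbound interface required}" "${3:-inet}" ;;
esac
```

Invoked without arguments the script only defines its functions, so the pure string-building helpers (`priority_value`, `chain_spec`) can be exercised without root or nft. The fallback addresses only the parser error visible in the log; whether the kernel then accepts a nat chain in the `inet` family is a separate question this issue does not settle, which is why the family is a parameter and `ip` can be passed instead of `inet`.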