Unable to bring Wireguard tunnel up - iptablesrestore

[glahera]

I am having trouble following your guide to bring up tunnel to Mullvad service. Everything worked fine until the step of turning on the tunnel. Here's its output:

# WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] boringtun wg0 --disable-drop-privileges=1
BoringTun started successfully
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.68.51.35/32 dev wg0
[#] ip link set mtu 1412 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.6.1: iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try 'iptables-restore -h' or 'iptables-restore --help' for more information.

Any idea?
Edit: Reformat output into code block

[opustecnica]

@glahera , would you mind posting the wg0.conf sanitized of private/public keys?
From the output above it seems you are trying to establish a client connection with restricted default gateway. This, on the UDM/P would have a long series of consequences.

[glahera]

Hello, sorry for my late reply. This is my configuration:

[Interface]
Address = 10.14.145.200
PrivateKey = [myprivatekey]
DNS = 10.0.0.243,10.0.0.242

[Peer]
PublicKey = [mypublickey]
Endpoint = 156.146.41.79:1337
AllowedIPs = 0.0.0.0/0

[smagdali]

I'm getting the same error. I'm trying to connect to a known working server of my own, but my wg0.conf is basically the same [Interface]
Address = 10.200.200.4/32
PrivateKey = [mine]
DNS = 10.200.200.1

[Peer]
PublicKey = [mine]
Endpoint = 3.10.65.0:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

[tusc]

Hey guys,

would you mind testing the WireGuard kernel version I recently released? https://github.com/tusc/wireguard-kmod
This issue has been resolved with this version. It had to do with the kernel module not loaded on the UDM (iptables_raw.ko). The issue is that anytime routes need to be changed (like in the Mullvad example above), the wg-quick script requires access to the iptables RAW table.

[smagdali]

This worked for me.

Actually DNS isn't working once the tunnel is up but that's going to be different problem. Traceroute via IP address is fine:

traceroute 142.250.187.228
traceroute to 142.250.187.228 (142.250.187.228), 30 hops max, 46 byte packets
1 192.168.0.1 (192.168.0.1) 0.248 ms 0.357 ms 0.966 ms
2 * * *
3 192.168.213.21 (192.168.213.21) 23.573 ms 24.731 ms 23.946 ms
4 192.168.213.22 (192.168.213.22) 19.976 ms 19.791 ms 20.947 ms
5 * * *
6 * * *
7 63.130.127.221 (63.130.127.221) 31.218 ms 27.233 ms 24.978 ms
8 90.255.251.51 (90.255.251.51) 24.926 ms 90.255.251.18 (90.255.251.18) 23.375 ms 90.255.251.51 (90.255.251.51) 25.581 ms
9^C
wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.200.200.4/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n'
traceroute 142.250.187.228
traceroute to 142.250.187.228 (142.250.187.228), 30 hops max, 46 byte packets
1 10.200.200.1 (10.200.200.1) 39.672 ms 31.936 ms 29.903 ms
2 52.56.0.91 (52.56.0.91) 168.971 ms^C

[tusc]

If you have DNS in the interface section it’ll throw this error as the wq-quick script expects to find resolvconf but it’s not part of UbiOS.

[smagdali]

removing DNS from wg0.conf didn't immediately seem to fix it, but I'm a bit enfeebled by covid vaccination so it's probably my own problem and I should stop tinkering until I'm recovered.