Read only filesystem causes issues while setting "sysctl -q net.ipv4.conf.all.src_valid_mark=1" about addon-wireguard-client HOT 7 CLOSED

@McFabi please could you post here your add-on configuration? Please pay attentions to NOT share private information, please obfuscate these parts! And, if you could also post the generated wireguard file (under /etc/wireguard/wg0.conf).
Cheers

from addon-wireguard-client.

Thanks for your help:
My Add-on Config:

interface:
  private_key: key
  address: 10.7.0.4
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: key
  pre_shared_key: key
  endpoint: 'my_wireguard_server_ip:51820'
  allowed_ips:
    - 0.0.0.0/0
  persistent_keep_alive: '25'
log_level: trace

[Interface]
PrivateKey = key
Address = 10.7.0.4/24
DNS = 8.8.8.8,8.8.4.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = key
PreSharedKey = key
Endpoint = server:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

The configuration looks good. The file was in the docker container of the corresponding add-on. Is that where it should be?

What's a little bit strange for me: I have docker -it in the container and tried to set the "sysctl -q net.ipv4.conf.all.src_valid_mark=1" and the Read only filesystem error came.

from addon-wireguard-client.

Maybe this will help you:

➜  ~ docker exec -it 39ddab32110f bash
root@fd24a922-wireguard-client:/$ ls -l
total 80
drwxr-xr-x    1 root     root          4096 Feb  1 17:07 bin
drwxr-xr-x    2 root     root          4096 Apr  9 08:16 data
drwxr-xr-x   17 root     root          3920 Apr  8 09:25 dev
drwxr-xr-x    1 root     root          4096 Apr  9 08:16 etc
drwxr-xr-x    2 root     root          4096 Jan 14 12:51 home
-rwxr-xr-x    1 root     root           389 Oct 20 14:52 init
drwxr-xr-x    1 root     root          4096 Feb  1 17:07 lib
drwxr-xr-x    2 root     root          4096 Oct  9 17:22 libexec
drwxr-xr-x    5 root     root          4096 Jan 14 12:51 media
drwxr-xr-x    2 root     root          4096 Jan 14 12:51 mnt
drwxr-xr-x    2 root     root          4096 Jan 14 12:51 opt
dr-xr-xr-x  232 root     root             0 Apr  9 08:16 proc
drwx------    2 root     root          4096 Jan 14 12:51 root
drwxr-xr-x    1 root     root          4096 Apr  9 08:16 run
drwxr-xr-x    1 root     root          4096 Feb  9 20:12 sbin
drwxr-xr-x    2 root     root          4096 Jan 14 12:51 srv
drwxr-xr-x    3 root     root          4096 Apr  8 09:01 ssl
dr-xr-xr-x   12 root     root             0 Jan  1  1970 sys
drwxrwxrwt    2 root     root          4096 Jan 14 12:51 tmp
drwxr-xr-x    1 root     root          4096 Feb  9 20:12 usr
drwxr-xr-x    1 root     root          4096 Jan 14 12:51 var

As you can see the sys filesystem has no write access.
Is it possible for you to set the flag while building the container?

from addon-wireguard-client.

Thanks for your help:
My Add-on Config:

interface:
  private_key: key
  address: 10.7.0.4
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: key
  pre_shared_key: key
  endpoint: 'my_wireguard_server_ip:51820'
  allowed_ips:
    - 0.0.0.0/0
  persistent_keep_alive: '25'
log_level: trace

[Interface]
PrivateKey = key
Address = 10.7.0.4/24
DNS = 8.8.8.8,8.8.4.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = key
PreSharedKey = key
Endpoint = server:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

The configuration looks good. The file was in the docker container of the corresponding add-on. Is that where it should be?

What's a little bit strange for me: I have docker -it in the container and tried to set the "sysctl -q net.ipv4.conf.all.src_valid_mark=1" and the Read only filesystem error came.

Hi @McFabi try to change

  allowed_ips:
    - 0.0.0.0/0

with:

  allowed_ips:
    - 10.7.0.0/24

Please give me a feedback if it solves...should it! 👍

from addon-wireguard-client.

Ok that's working now...
strange... I tried this

from addon-wireguard-client.

Ok that's working now...
strange... I tried this

No, it's not so "strange" 0.0.0.0 is a reserved address 😉 ...and the read-only fs it's good as is too 👍 Enjoy

from addon-wireguard-client.

Hi @bigmoby ! Thank you very much for your Wireguard client!

Sorry to re-open this issue, but what if I need to allow 0.0.0.0/0 as incoming adress? My use case is that my HA instance is behind a 4G connection, with no public IP or forwardable ports, so I use Wireguard to connect to my other home Internet box which has a Wireguard instance on it. I can then create a port forwarding rule on it so that I can access my HA. The problem is that the source addresse is whatever Internet address I use when trying to connect to the remote HA so I need to be able to use a wildcard in allowed_ips.

Do you know how I could achieve that with your plugin?

from addon-wireguard-client.