[BUG] Client Mode: Connection to server is made, but unable to ping in remote network #361

@rrickfox

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When connecting with a wg_config.conf file to a remote WireGuard server (happens to be a Fritz Box), I am unable to ping any devices in the remote network from inside my machine. When connecting with a Windows laptop to this network, everything works as expected. I am also able to ping the machine in question from this Windows laptop, but connections to HTTP servers and SSH requests are denied.

Expected Behavior

The machine should behave naturally in the remote network.

Steps To Reproduce

  1. I am running this with docker compose in portainer, the compose file should be below (I never worked with these issue forms before)
  2. I supply this wg_config.conf file in the specified folder path:
[Interface]
PrivateKey = [...]
Address = 192.168.20.202/24
DNS = 192.168.20.1
DNS = fritz.box

[Peer]
PublicKey = [...]
PresharedKey = [...]
AllowedIPs = 192.168.20.0/24
Endpoint = [...].myfritz.net:58231
PersistentKeepalive = 25
  3. I get the log that also should be down below
  4. Fritz Box shows the machine as connected
  5. The following commands are from the machine in question:
// Test to see if general Internet is working
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=18.9 ms
...

// Router (fritz box) on remote network
ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Destination Host Unreachable
...

// Windows laptop that is vpn-ed into same remote network
ping 192.168.20.201
PING 192.168.20.201 (192.168.20.201) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Destination Host Unreachable
...
  6. The following is from the Windows laptop:
// Ping remote router
ping 192.168.20.1
Ping wird ausgeführt für 192.168.20.1 mit 32 Bytes Daten:
Antwort von 192.168.20.1: Bytes=32 Zeit=22ms TTL=64
...

// Ping machine in question
ping 192.168.20.202
Ping wird ausgeführt für 192.168.20.202 mit 32 Bytes Daten:
Antwort von 192.168.20.202: Bytes=32 Zeit=130ms TTL=63
...

// curl http server
curl 192.168.20.202
curl : Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.

// try ssh
ssh user@192.168.20.202
ssh: connect to host 192.168.20.202 port 22: Connection refused

Environment

- OS: Debian 12
- How docker service was installed: distro's package manager

CPU architecture

x86-64

Docker creation

version: "3.7"

services: 
   wireguard: 
     image: linuxserver/wireguard 
     container_name: wireguard 
     cap_add: 
       - NET_ADMIN 
       - SYS_MODULE 
     environment: 
       - PUID=1000 
       - PGID=1000 
       - TZ=Europe/Berlin
     volumes: 
       - /docker-data/wireguard/config:/config 
       - /usr/src:/usr/src # location of kernel headers 
       - /lib/modules:/lib/modules 
     ports: 
       - 51820:51820/udp 
     sysctls: 
       - net.ipv4.conf.all.src_valid_mark=1 
     restart: unless-stopped

Container logs

[migrations] started
[migrations] no migrations found
───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls55
Build-date: 2024-10-10T11:23:38+00:00
───────────────────────────────────────

Uname info: Linux 5bb20dd72f21 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg_config.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg_config.conf ****
Warning: `/config/wg_confs/wg_config.conf' is world accessible
[#] ip link add wg_config type wireguard
[#] wg setconf wg_config /dev/fd/63
[#] ip -4 address add 192.168.20.202/24 dev wg_config
[#] ip link set mtu 1420 up dev wg_config
[#] resolvconf -a wg_config -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
**** All tunnels are now active ****
[ls.io-init] done.
