WARNING: WireGuard does not seem to be running. main process exited. FirewallD is not running #95

Closed
slrslr opened this issue Jul 3, 2020 · 4 comments · Fixed by #92


slrslr commented Jul 3, 2020

Thank you for creating this VPN installer.

I tried to run it on CentOS Linux release 7.7.1908 (Core), kernel 3.10.0-1062.18.1.el7.x86_64.

The only issue I saw was "WARNING: WireGuard does not seem to be running."

`systemctl status wg-quick@wg0 -l`

```
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] ip -4 address add 10.66.66.1/24 dev wg0
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] ip -6 address add myaddresshere::1/64 dev wg0
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] ip link set mtu 1420 up dev wg0
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] firewall-cmd --add-port xxxxx(myporthere)/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.66.66.0/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=myaddresshere::0/24 masquerade'
Jul 03 18:24:17 my.host.name wg-quick[24031]: FirewallD is not running
Jul 03 18:24:17 my.host.name wg-quick[24031]: [#] ip link delete dev wg0
Jul 03 18:24:17 my.host.name systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
Jul 03 18:24:17 my.host.name systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
Jul 03 18:24:17 my.host.name systemd[1]: Unit wg-quick@wg0.service entered failed state.
Jul 03 18:24:17 my.host.name systemd[1]: wg-quick@wg0.service failed.
```

I also took a quick look at "journalctl -xe" but saw nothing interesting. Which commands should I run to discover the cause of the issue? An OpenVPN server, which I am actively using, is running on the same server:

`systemctl status openvpn@server.service -l`

```
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-**
 Main PID: 1128 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─1128 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
```

openvpn is using device tun and 10.8.0.0 as IP. But maybe the issue is not caused by OpenVPN.

@randshell
Contributor

Run `yum install kernel kernel-devel kernel-headers` and reboot. It shouldn't be necessary to rebuild the dkms module.

In my tests there is a version mismatch between kernel and kernel-devel/kernel-headers. The dkms module was built with headers of a kernel version I didn't have installed.

`yum install kernel-devel kernel-headers`:

```
Package kernel-devel-3.10.0-1127.13.1.el7.x86_64 already installed and latest version
Package kernel-headers-3.10.0-1127.13.1.el7.x86_64 already installed and latest version
```

`yum install kernel`:

```
Installing:
 kernel                       x86_64            3.10.0-1127.13.1.el7               updates             50 M
```

Would you like to open a PR to add these packages for centos?

yum -y install epel-release


slrslr commented Jul 4, 2020

In my case I got the following when running the commands you mentioned:

```
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-1127.13.1.el7 will be installed
---> Package kernel-devel.x86_64 0:3.10.0-1127.13.1.el7 will be installed
---> Package kernel-headers.x86_64 0:3.10.0-1062.18.1.el7 will be updated
---> Package kernel-headers.x86_64 0:3.10.0-1127.13.1.el7 will be an update
--> Finished Dependency Resolution
...
DKMS: build completed.

wireguard.ko.xz:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/3.10.0-1127.13.1.el7.x86_64/extra/
Adding any weak-modules

depmod....................

DKMS: install completed.
```

I rebooted and "systemctl restart wg-quick@wg0.service" failed/exited as before, with the following lines in the "journalctl -xe" output:

```
nm-dispatcher[2437]: req:1 'up' [wg0]: new request (4 scripts)
nm-dispatcher[2437]: req:1 'up' [wg0]: start running ordered scripts...
wg-quick[2393]: FirewallD is not running
wg-quick[2393]: [#] ip link delete dev wg0
NetworkManager[645]: <info>  [1593853486.0182] device (wg0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
nm-dispatcher[2437]: req:2 'down' [wg0]: new request (4 scripts)
nm-dispatcher[2437]: req:2 'down' [wg0]: start running ordered scripts...
systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
```

"ifconfig" does not show the wg0 interface.
Any idea what the reason is/what to try, please?

@randshell says "Would you like to open a PR to add these packages for centos?"
I do not understand these things, so if you can do it, then please do it.


randshell commented Jul 4, 2020

```
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] ip -4 address add 10.66.66.1/24 dev wg0
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] ip -6 address add myaddresshere::1/64 dev wg0
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] ip link set mtu 1420 up dev wg0
Jul 03 18:24:05 my.host.name wg-quick[24031]: [#] firewall-cmd --add-port xxxxx(myporthere)/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.66.66.0/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=myaddresshere::0/24 masquerade'
Jul 03 18:24:17 my.host.name wg-quick[24031]: FirewallD is not running
Jul 03 18:24:17 my.host.name wg-quick[24031]: [#] ip link delete dev wg0
```

In your case firewalld is not running. We configure wireguard to use firewalld over iptables if the system supports it. You can enable firewalld or if you have reasons to disable it you can edit PostUp and PostDown in /etc/wireguard/wg0.conf to use iptables.

```
PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
```

Replace $SERVER_WG_NIC and $SERVER_PUB_NIC with your system configuration, look in /etc/wireguard/params/.

randshell added a commit to randshell/wireguard-install that referenced this issue Jul 4, 2020
angristan#95 (comment)

Fedora might need this change too.
randshell added a commit to randshell/wireguard-install that referenced this issue Jul 4, 2020

slrslr commented Jul 5, 2020

Yes, without replacing $SERVER_WG_NIC and $SERVER_PUB_NIC with the values from /etc/wireguard/params it was failing, complaining about a bad ACCEPT parameter in the iptables command. Unsure why I had to replace it, but after replacing, it worked (wg service started).
Thank you for the pull requests. Hopefully it solves the issue.
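
The two failure causes that came up in this thread (hooks calling `firewall-cmd` while firewalld is stopped, and `$SERVER_WG_NIC` / `$SERVER_PUB_NIC` left unsubstituted in the iptables hooks) can be checked before the service is started. The script below is an added example, not part of the thread or of the wireguard-install project; the function name `lint_wg_hooks`, the sample config, port 51820 and the interface names `wg0`/`eth0` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wireguard-install project): lint wg-quick hooks.
# wg-quick runs PostUp/PostDown through the shell, so installer variables such
# as $SERVER_WG_NIC are unset there and expand to an empty string.

# lint_wg_hooks CONF FIREWALLD_STATE -> one finding per line on stdout.
# FIREWALLD_STATE is the output of `systemctl is-active firewalld`.
lint_wg_hooks() {
    conf=$1 fw_state=$2 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            PostUp*=*|PostDown*=*|PreUp*=*|PreDown*=*) ;;
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=${line#*=}
        case $value in
            *firewall-cmd*)
                if [ "$fw_state" != active ]; then
                    printf '%s\n' "line $n: $key uses firewall-cmd but firewalld is $fw_state"
                fi ;;
        esac
        var=$(printf '%s\n' "$value" | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*' | head -n 1)
        if [ -n "$var" ]; then
            printf '%s\n' "line $n: $key references shell variable $var"
        fi
    done < "$conf"
    return 0
}

# Constructed sample config; the port, addresses and NIC names are placeholders.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.66.66.1/24
PostUp = firewall-cmd --add-port 51820/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.66.66.0/24 masquerade'
PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
lint_wg_hooks "$tmp" inactive
rm -f "$tmp"
```

On a real host the call would be `lint_wg_hooks /etc/wireguard/wg0.conf "$(systemctl is-active firewalld)"`, run as a user that can read the config.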

angristan added a commit that referenced this issue Jul 31, 2020
- cleaned some minor code
- use IPv6 if IPv4 isn't available
- add input validations, fixes #86.
  - assign secondary DNS to primary DNS value if it's empty. Fixes #68 
- use `$SERVER_WG_IPV4` and `$SERVER_WG_IPV6` when suggesting the client IP
- save user DNS to `params` file and apply it to all clients, removing support for customizing DNS for individual clients. If this is a problem we can add again the code to allow customization but maybe use the sourced DNS as a suggestion for clients that need a different one
- add shellcheck ignores, needed for IDEs that have shellcheck support
- escaped variables to `"${var}"` style
- updated README to reflect changes
- fixed the kernel mismatch issue on CentOS by updating the kernel #95 (comment). Fedora might need this change too
- Use `firewall-cmd` only if `firewalld` is running. Fixes #95 
- Fix the client's subnet mask. Fixes #87 
- Save the client configuration in the correct `$HOME`. Fixes #96 

Co-authored-by: Chris Lewicki <chris@lewicki.dev>
Co-authored-by: Stanislas <angristan@pm.me>