
URGENT bug: Unable to install, it shows an error, how shall I ask for help from developers to debug and fix this issue, please? #97

Closed
perfectpeach opened this issue Jul 9, 2020 · 9 comments

Comments

@perfectpeach

perfectpeach commented Jul 9, 2020

Hiya,

Below is the error that is shown when I'm getting a status report. Also, this originally happened during installation. Updating/upgrading the OS doesn't work.

Error code:
https://prnt.sc/tez2zj

OS: CentOS 7.5 x64
Note: I have OpenVPN (community edition) installed on different ports (through your associated auto-installer script). And these two are the only applications installed on the VPS.
Please, developers and gurus, would you help me fix this error?
Note: 'Firewalld' is disabled as I have CSF+LFD installed instead. I should also mention that I did all the tests and got the error code while CSF+LFD was off.
Note: I don't want to enable 'Firewalld' and am looking for a way to make this WireGuard, which is installed on a different UDP port than OpenVPN (and this UDP port is allowed in CSF+LFD), work alongside OpenVPN.
Note: I disabled IPv6 in CSF+LFD, and the installation of WireGuard has some IPv6 sections; I assume it can work only on IPv4, as I disabled IPv6 on the virtual ethernet card of the VPS and also in CSF+LFD.

I believe I have provided a fair amount of information to help you troubleshoot this issue and help me fix it whenever you are free. Also, please ask me to provide any information about my setup or any report from the VPS if it helps you debug this error. I should also mention that I disabled all possible logs on the VPS for privacy reasons, and if any error can be reproduced in the terminal, please ask me to run the command and I will post a screenshot of the error here.

If possible, I would appreciate it if you could prioritize this debugging.

Tnx and best of luck

@perfectpeach
Author

Update: I removed/commented out the two 'PostUp' and 'PostDown' lines in the .conf file associated with the WireGuard configuration.

I restarted CentOS 7.5 x64, and WireGuard shows as loaded+active as in the screenshot below,
https://prnt.sc/tf1ik3

But neither when the CSF+LFD firewall is enabled nor when it's disabled does it work: when my official Android WireGuard app connects to the server, I have no receive and just 2KB sent. I don't know what else may be blocking WireGuard from functioning. Could you please advise me on this?

This guide is for iptables, https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/#Setup_NAT_(MASQUERADE)_rules, but as I'm on a different firewall, CSF+LFD, how shall I proceed in this case and what shall I check? I can send a screenshot of the error codes if you give me a debug command, if required.

Tnx and best of luck

@randshell
Contributor

See #95 (comment) for the iptables rules and https://blackonsole.org/how-to-add-nat-iptables-rules-with-csf/ for the csf integration.

@perfectpeach
Author

perfectpeach commented Jul 26, 2020

Hiya @randomshell

Thanks for your input. I couldn't fix the issue. I removed the PostUp+PostDown from that config file and added a couple of lines to CSFpre.sh, and it worked. I believe this is no solution, as WireGuard should be able to open and close the port by this PostUp+PostDown procedure, but I don't know how.
The issue is, I already have the CSFpre.sh as it's used for the OpenVPN solution with CSF, as I have OpenVPN on the same server as well. I just duplicated the lines that I added for OpenVPN for WireGuard, and it worked after I disabled the PostUp+PostDown lines in the WireGuard config. I believe this is not right, as for security reasons it leaves the ports open while they are not used. Could you please advise me if I post my CSFpre.sh code here, so you can kindly tell me, with that CSFpre.sh code, if I add the below:
code start
PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
end
(considering: replace $SERVER_WG_NIC and $SERVER_PUB_NIC with your system configuration, look in /etc/wireguard/params/.)

Will this solve my issue, or does this code need to be modified beyond $SERVER_WG_NIC and $SERVER_PUB_NIC to work in my case?

Tnx and best of luck

@perfectpeach
Author

Hiya @randomshell

Could you please advise me on my last comment whenever you are free?

Tnx and best of luck

@randshell
Contributor

> The issue is, I already have the CSFpre.sh as it's used for the OpenVPN solution with CSF, as I have OpenVPN on the same server as well. I just duplicated the lines that I added for OpenVPN for WireGuard, and it worked after I disabled the PostUp+PostDown lines in the WireGuard config.

CSF handles all the rules, so I don't think you can manually change iptables rules or use firewalld. What you did is OK; you can use this method.

> I believe this is not right, as for security reasons it leaves the ports open while they are not used?

Since you're using CSF, their forums may be more helpful on how to proceed. Anyway, you can just leave the WireGuard process running so the ports are always used.

> Will this solve my issue, or does this code need to be modified beyond $SERVER_WG_NIC and $SERVER_PUB_NIC to work in my case?

I don't understand your question; you said it worked when you duplicated the lines from the OpenVPN settings.

@perfectpeach
Author

Hiya @randomshell

Thanks for your reply. Regarding

> Anyway, you can just leave the WireGuard process running so the ports are always used.

  1. I wanted to add this to my previous statement: I leave one UDP port open for OpenVPN, and as far as I know OpenVPN will not close the port when it's not working, as only CSF+LFD will be handling the firewall rules; thus the issue of leaving the unused port open can potentially exist in OpenVPN as well? How does CSF+LFD handle closing the port when OpenVPN is not connected, then?
  2. And the same issue can exist in WireGuard if I delete the PostUp+PostDown lines, so then it can be as secure as the UDP port OpenVPN utilizes?

> Will this solve my issue, or does this code need to be modified beyond $SERVER_WG_NIC and $SERVER_PUB_NIC to work in my case?

> I don't understand your question; you said it worked when you duplicated the lines from the OpenVPN settings.

  1. Regarding the above question, I'm sorry my statement was confusing. I wanted to add that when I mentioned I added some lines to CSFpre.sh that were duplicates of the OpenVPN rules I had added to CSFpre.sh, but with the relevant IP associated with WireGuard, I was referring to the code below:
    ---Code Alpha---
    iptables -A FORWARD -s x.x.x.x/?? -j ACCEPT
    iptables -t nat -A POSTROUTING -s x.x.x.x/?? -o {adapter name} -j MASQUERADE
    ---end---

    I didn't add anything from the code lines below yet:
    ---Code Beta---
    PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
    PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
    ---end---
    (considering: replace $SERVER_WG_NIC and $SERVER_PUB_NIC with your system configuration, look in /etc/wireguard/params/.)

    And as I stated before, WireGuard is working, but I don't know whether that's because I removed the PostUp+PostDown lines from the server config file; I didn't add anything from the code I marked above as 'Code Beta', I only added the lines in 'Code Alpha', and it worked before adding any lines from 'Code Beta'. But it's not clear to me whether there is any security mistake in my approach or not, as I didn't add any part of your code that I marked as 'Code Beta' to my iptables rules; should I then put back the PostUp+PostDown lines in the WireGuard server config file to make it work at a more secure level? Does this make sense regarding what I wanted to say? And could you please advise me on how I should proceed to make the server more secure? Should I add some modified version of your code that I marked as 'Code Beta' to the iptables rules, and then put back the lines related to PostUp+PostDown in the server config file, to make WireGuard work at a more secure level?
  2. Then what happens to the OpenVPN UDP port when it's not in use, as I guess it can be at the same level of security compared to WireGuard's UDP port when it's unused? Is there a way to secure the OpenVPN UDP port when it's not in use like we are doing for WireGuard?

Tnx and best of luck

@randshell
Contributor

randshell commented Aug 4, 2020

> I believe this is not right, as for security reasons it leaves the ports open while they are not used?

The only security risk is when the port of a vulnerable service is opened to the world. Having the port opened in the firewall but no service using it is not an issue, so you can keep using CSFpre.sh.

> Is there a way to secure the OpenVPN UDP port when it's not in use like we are doing for WireGuard?

> How does CSF+LFD handle closing the port when OpenVPN is not connected, then?

For WireGuard you would need to use the iptables command and PostUp+PostDown options as explained in #95 (comment). If it doesn't conflict with CSF then use this, otherwise use CSFpre.sh.

For OpenVPN we create a service at /etc/systemd/system/iptables-openvpn.service that keeps the ports open even after the service is stopped. @angristan we could use the -up cmd and -down cmd options instead to have the same behavior as WireGuard, what do you think? Again, it's not a security issue, just an improvement we could implement.

EDIT: we configured OpenVPN to drop elevated privileges and run as nobody, so we can't change iptables rules later with -down. We can however add them with ExecStartPost and ExecStopPost by editing the openvpn service instead.
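As an added example, not the project's installer script nor the reporter's csfpre.sh, here is a small POSIX sh helper covering both approaches discussed above (the 'Code Alpha' rules in csfpre.sh, and PostUp/PostDown in the WireGuard config): it prints, or idempotently applies, the FORWARD and MASQUERADE rules for one WireGuard interface. The interface names, the script path and the 10.66.66.0/24 subnet are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the project's installer nor the reporter's csfpre.sh.
# Emits or applies the FORWARD + MASQUERADE rules for one WireGuard
# interface, so the same script can be called from csf's csfpre.sh or
# from PostUp/PostDown in wg0.conf. Interface names and the subnet
# below are assumed placeholders; adjust to /etc/wireguard/params.
#
# Usage: wg_rules add|del WG_NIC PUB_NIC WG_SUBNET [apply]
# Without "apply" the commands are only printed (dry run).
# Set IPT=ip6tables to emit the v6 rules (omitted by default because
# the reporter's VPS has IPv6 disabled).
wg_rules() {
  action=$1 wg_nic=$2 pub_nic=$3 subnet=$4 mode=${5:-print}
  ipt=${IPT:-iptables}
  case "$action" in
    add) op=-A ;;
    del) op=-D ;;
    *) echo "usage: wg_rules add|del WG_NIC PUB_NIC WG_SUBNET [apply]" >&2
       return 2 ;;
  esac
  # One rule per line: "<table> <chain> <rule spec>". Only packets that
  # arrive on the WireGuard interface from its own subnet are forwarded
  # and masqueraded out of the public interface.
  rules="filter FORWARD -i $wg_nic -s $subnet -j ACCEPT
nat POSTROUTING -s $subnet -o $pub_nic -j MASQUERADE"
  echo "$rules" | while read -r table chain spec; do
    cmd="$ipt -t $table $op $chain $spec"
    if [ "$mode" != apply ]; then
      echo "$cmd"
      continue
    fi
    # Idempotent apply: csf re-runs csfpre.sh on every restart, so skip an
    # add when the rule already exists and skip a delete when it is absent.
    # shellcheck disable=SC2086
    if "$ipt" -t "$table" -C $chain $spec 2>/dev/null; then
      [ "$action" = add ] && continue
    else
      [ "$action" = del ] && continue
    fi
    # shellcheck disable=SC2086
    $cmd
  done
}

# Run directly, e.g. from wg0.conf (assumed path):
#   PostUp   = /etc/wireguard/wg-rules.sh add wg0 eth0 10.66.66.0/24 apply
#   PostDown = /etc/wireguard/wg-rules.sh del wg0 eth0 10.66.66.0/24 apply
# or from /etc/csf/csfpre.sh with the "add" line only.
if [ $# -gt 0 ]; then wg_rules "$@"; fi
```

Run it without "apply" first to review the exact rules before letting csf or wg-quick execute them.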

@perfectpeach
Author

> For WireGuard you would need to use the iptables command and PostUp+PostDown options as explained in #95 (comment). If it doesn't conflict with CSF then use this, otherwise use CSFpre.sh.

Thanks. If it's ok, give me some time and I'll update you with results about this later on my next priority project after TLS 1.3 on OpenVPN is fully implemented. Thanks :)

> For OpenVPN we create a service at /etc/systemd/system/iptables-openvpn.service that keeps the ports open even after the service is stopped. @angristan we could use the -up cmd and -down cmd options instead to have the same behavior as WireGuard, what do you think? Again, it's not a security issue, just an improvement we could implement.
> EDIT: we configured OpenVPN to drop elevated privileges and run as nobody, so we can't change iptables rules later with -down. We can however add them with ExecStartPost and ExecStopPost by editing the openvpn service instead.

Thanks. If you instruct me, I'll implement this and report back here as well. But I'm not so sure where I should begin, please?

Tnx and best of luck

@randshell
Contributor

> Thanks. If you instruct me, I'll implement this and report back here as well. But I'm not so sure where I should begin, please?

I tried it, but the code becomes more complex to support multiple servers, so I dropped the idea. It's OK to stick with another service managing the iptables rules of openvpn, as it's done now.
