
I'm trying to have a ProtonVPN WireGuard tunnel running in a network namespace, so that all traffic from/to the namespace goes out via the VPN.

I have tried to follow multiple guides/tools (a few links below), but the symptoms are always the same, which leads me to think the issue might be in the VPS I'm using (or ProtonVPN?).

Basic process: take the WireGuard config from the ProtonVPN dashboard and save it to /etc/wireguard/wg0.conf.

    1) ip netns add container
    2) ip link add wg0 type wireguard
    3) ip link set wg0 netns container
    4) ip netns exec container wg setconf wg0 /etc/wireguard/wg0.conf
    5) ip -n container addr add 10.2.0.2/32 dev wg0
    6) ip -n container link set dev wg0 mtu 1370 up
    7) ip -n container route add default dev wg0

I have also tried switching 3&4 as per some recommendations ie:

    wg setconf wg0 /etc/wireguard/wg0.conf
    ip link set wg0 netns container

to no avail.

Symptoms:

When I create the namespace and `ip netns exec container bash` into it:

    # ping -c10 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=129 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=73.0 ms
    64 bytes from 1.1.1.1: icmp_seq=3 ttl=58 time=72.5 ms
    64 bytes from 1.1.1.1: icmp_seq=4 ttl=58 time=73.0 ms
    64 bytes from 1.1.1.1: icmp_seq=5 ttl=58 time=72.7 ms

    --- 1.1.1.1 ping statistics ---
    10 packets transmitted, 5 received, 50% packet loss, time 9103ms
    rtt min/avg/max/mdev = 72.510/84.144/129.488/22.672 ms

Sometimes it's 5 received, more often only one; the max has been 6. I have tried different MTU sizes (both bigger and smaller) - no change.

Tried having PersistentKeepalive=25 - no change.

    interface: wg0
      public key: 77NAlnYc3LeSi6lkLyGIPH27Rbjrn0wimiYcOO+IRAU=
      private key: (hidden)
      listening port: 39847

    peer: 7sF0UKgxoQr188w2kYOI2vunvk5XiMbDoKe4sdCDP3s=
      endpoint: 176.96.226.226:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 1 minute, 19 seconds ago
      transfer: 5.37 KiB received, 8.52 KiB sent
      persistent keepalive: every 25 seconds

When pinging, the "sent" value goes up; "received" stays the same.

There are no iptables rules in either the host or the namespace.

Tried also setting

    sysctl -w net.ipv4.conf.all.rp_filter=0
    sysctl -w net.ipv4.conf.eth0.rp_filter=0

and also in the namespace - no change.

Any ideas? How to debug this further? I'm completely stumped; why does something that seems pretty simple and that people seem to use (as well as containers) just not work for me...

EDIT: as per Hauke's comment, I tried tcpdumping. Taking the session I left yesterday, one more thing is evident:

    # wg
    interface: wg0
      public key: 77NAlnYc3LeSi6lkLyGIPH27Rbjrn0wimiYcOO+IRAU=
      private key: (hidden)
      listening port: 39847

    peer: 7sF0UKgxoQr188w2kYOI2vunvk5XiMbDoKe4sdCDP3s=
      endpoint: 176.96.226.226:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 9 hours, 46 minutes, 26 seconds ago
      transfer: 5.55 KiB received, 1.18 MiB sent
      persistent keepalive: every 25 seconds

    # ping -c2 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

    --- 1.1.1.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1025ms

    # wg
    interface: wg0
      public key: 77NAlnYc3LeSi6lkLyGIPH27Rbjrn0wimiYcOO+IRAU=
      private key: (hidden)
      listening port: 39847

    peer: 7sF0UKgxoQr188w2kYOI2vunvk5XiMbDoKe4sdCDP3s=
      endpoint: 176.96.226.226:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 9 hours, 47 minutes ago
      transfer: 5.55 KiB received, 1.18 MiB sent
      persistent keepalive: every 25 seconds

Even the handshake does not get through.

tcpdump looks like:

    # tcpdump -i any udp port 51820
    tcpdump: data link type LINUX_SLL2
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
    01:35:22.654897 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:28.030888 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:33.406996 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:38.526894 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:43.902979 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:49.278868 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:54.655076 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:35:59.774884 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:36:05.150860 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:36:10.526903 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:36:15.646905 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:36:20.766924 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:36:25.886891 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148
    01:36:31.262890 eth0  Out IP my-hostname.39847 > 176.96.226.226.51820: UDP, length 148

And for comparison, tcpdump from the start of a fresh session with a 10-packet ping (10 packets transmitted, 1 received, 90% packet loss, time 9188ms):

    # tcpdump -i any udp port 51820
    tcpdump: data link type LINUX_SLL2
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
    01:41:20.798802 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 32
    01:41:22.074936 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:22.148011 eth0  In  IP 176.96.226.226.51820 > my-hostname.37722: UDP, length 128
    01:41:22.187243 eth0  In  IP 176.96.226.226.51820 > my-hostname.37722: UDP, length 1296
    01:41:22.187243 eth0  In  IP 176.96.226.226.51820 > my-hostname.37722: UDP, length 1296
    01:41:22.187379 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 1296
    01:41:22.187389 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 1296
    01:41:22.247688 eth0  In  IP 176.96.226.226.51820 > my-hostname.37722: UDP, length 1312
    01:41:22.247825 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 1312
    01:41:22.308100 eth0  In  IP 176.96.226.226.51820 > my-hostname.37722: UDP, length 1376
    01:41:22.308291 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 1312
    01:41:22.308307 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:23.076470 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:24.095362 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:25.118904 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:26.142873 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:27.166863 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:28.190877 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:29.214865 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:30.238978 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128
    01:41:31.262887 eth0  Out IP my-hostname.37722 > 176.96.226.226.51820: UDP, length 128

Links:

https://blog.thea.codes/nordvpn-wireguard-namespaces/
https://www.wireguard.com/netns/#ordinary-containerization
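An added diagnostic helper, written for this question and not taken from the post or from the WireGuard project: it pings from inside the namespace, compares the per-peer counters from `wg show <iface> transfer` before and after, and reports the handshake age from `wg show <iface> latest-handshakes`, so the "sent grows, received stays flat" symptom described above becomes a one-word verdict instead of a visual comparison of two `wg` printouts. The namespace name, interface name and 1.1.1.1 target come from the question; the function names and the three verdict labels are assumptions made here.

```shell
#!/bin/sh
# Hypothetical helper for the netns-WireGuard setup in the question.
# `wg show IFACE transfer` prints one line per peer: <pubkey> <rx-bytes> <tx-bytes>
# `wg show IFACE latest-handshakes` prints:            <pubkey> <unix-epoch> (0 = never)

# snapshot_transfer NAMESPACE IFACE -> the peer counter line(s) inside the namespace
snapshot_transfer() {
    ip netns exec "$1" wg show "$2" transfer
}

# classify_transfer BEFORE AFTER -> ok | one-way | idle
# BEFORE/AFTER are single-peer `wg show ... transfer` lines taken around a ping.
classify_transfer() {
    rx_d=$(printf '%s\n%s\n' "$1" "$2" | awk 'NR==1{rx=$2} NR==2{print $2-rx}')
    tx_d=$(printf '%s\n%s\n' "$1" "$2" | awk 'NR==1{tx=$3} NR==2{print $3-tx}')
    if [ "$rx_d" -gt 0 ]; then
        echo ok           # encrypted replies are coming back through the tunnel
    elif [ "$tx_d" -gt 0 ]; then
        echo one-way      # we send, but nothing from the peer is ever decrypted
    else
        echo idle         # neither counter moved: traffic never reached wg0
    fi
}

# handshake_age LINE NOW -> seconds since the last handshake, or -1 if none yet.
# LINE is a `wg show ... latest-handshakes` line; NOW is a unix timestamp.
handshake_age() {
    ts=$(printf '%s\n' "$1" | awk '{print $2}')
    if [ "$ts" -eq 0 ]; then
        printf '%s\n' -1
    else
        echo $(( $2 - ts ))
    fi
}

# probe_tunnel NAMESPACE IFACE -> runs on the host; e.g. probe_tunnel container wg0
probe_tunnel() {
    before=$(snapshot_transfer "$1" "$2")
    ip netns exec "$1" ping -c 5 -W 2 1.1.1.1 >/dev/null 2>&1 || true  # loss is expected
    after=$(snapshot_transfer "$1" "$2")
    echo "transfer: $(classify_transfer "$before" "$after")"
    hs=$(ip netns exec "$1" wg show "$2" latest-handshakes)
    echo "handshake age (s): $(handshake_age "$hs" "$(date +%s)")"
}
```

A verdict of "one-way" with a fresh handshake points at return traffic being dropped somewhere between the peer and wg0; a stale or -1 handshake age with growing tx is the state shown in the EDIT, where even the 148-byte handshake initiations get no reply.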

I don't have any ideas for a possible reason, but what I would do next is use tcpdump to check whether the encrypted packets still arrive at the target (and if not, whether they leave the sending system), so that it becomes clear whether this is a WireGuard problem or a different networking problem, and on which of the systems. Commented Dec 8 at 22:44
