
Helm deployment, client connects but is not routed/NATed correctly

Open sarce666 opened this issue 3 years ago • 5 comments

Hello,

I use the Helm chart to deploy it. My client is connected: I can see it in green in my GUI WireGuard interface, on my client I can ping its gateway 10.44.0.1, and in my pods I can ping my client 10.44.0.6, but my client cannot get to the internet.

On my WireGuard server, if I do a tcpdump on wg0 I can see the packets for port 443, but on eth0 I have nothing, as if the packets are not routed/NATed?

Thanks for your help.

Here is my values.yaml:

```yaml
config:
  dns:
    upstream:
      - "8.8.8.8"
  loglevel: debug
  externalHost: "xxx"
  vpn:
    cidr: 10.44.0.0/24
    allowedIPs:
      - 0.0.0.0/0
      - ::/0

web:
  config:
    adminUsername: ""
    adminPassword: ""

wireguard:
  config:
    privateKey: ""

service:
  type: "LoadBalancer"
  #loadBalancerIP: ""

persistence:
  enabled: true
  ## Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner. (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  storageClass: "-"
  size: 100Mi
  annotations: {}
  accessModes:
    - ReadWriteOnce
  subPath: ""
```

sarce666 avatar Jul 13 '21 14:07 sarce666

I'm having the same issue. Did you find a solution?

mattlathrop avatar Oct 24 '21 20:10 mattlathrop

Adding a bit of color here: logging into the shell of the pod, it seems forwarding has not been enabled on the container (i.e. `cat /proc/sys/net/ipv4/ip_forward` returns 0)? Is that normal @Place1? Attempts to change it give me errors that the file system is read-only.

mattlathrop avatar Oct 24 '21 20:10 mattlathrop

another +1 here.

rtrox avatar Nov 18 '21 21:11 rtrox

For everyone still having the problem, here is a workaround that does not involve sysctl admin tricks with PSPs and the like.

Just patch your wg-access-server deployment with this initContainer:

      initContainers:
      - command:
        - sysctl
        - -w
        - net.ipv4.ip_forward=1
        image: busybox
        imagePullPolicy: IfNotPresent
        name: init-sysctl
        securityContext:
          privileged: true
          runAsNonRoot: false
          runAsUser: 0

It works fine, and even though it needs a privileged container, that is only for the time it takes to set the sysctl; after that the main container remains non-privileged as expected!

AlexisDucastel avatar Nov 21 '21 21:11 AlexisDucastel
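The workaround above as a small script, added here as an example and not code from wg-access-server or its Helm chart. It wraps the same init container in a strategic-merge patch for `kubectl patch`, verifies the result from inside the pod, and carries the diagnostic the thread converged on: read `/proc/sys/net/ipv4/ip_forward` and treat `0` as "packets will stop at wg0 and never appear on eth0". The namespace `wireguard` and the Deployment name `wg-access-server` are assumptions; set `NS` and `DEPLOY` for your release. Two caveats a practitioner should know: `net.ipv4.ip_forward` is namespaced, so the init container only changes the pod's own network namespace, but it is not on Kubernetes' safe-sysctl list, which is why `securityContext.sysctls` would need the kubelet's allowed-unsafe-sysctls flag; and the read-only error reported earlier in the thread is expected, since container runtimes mount `/proc/sys` read-only for unprivileged containers, which is exactly what the privileged init container sidesteps. A namespace under a restrictive PodSecurity or PSP policy will still reject the privileged init container, so the policy has to permit it for this pod.

```shell
#!/bin/sh
# Added example, not part of the wg-access-server project or its chart.
# Assumed names (adjust for your release):
NS="${NS:-wireguard}"
DEPLOY="${DEPLOY:-wg-access-server}"

# forwarding_enabled FILE
# Reads a sysctl pseudo-file (normally /proc/sys/net/ipv4/ip_forward) and
# returns 0 when it holds "1", 1 otherwise. The path is a parameter so the
# same check runs against a sample file as well as the live kernel value.
forwarding_enabled() {
  [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# sysctl_patch
# Prints the strategic-merge patch that adds the privileged init container
# from the comment above. net.ipv4.ip_forward is namespaced, so this only
# touches the pod's own network namespace; the main container stays
# unprivileged.
sysctl_patch() {
  cat <<'EOF'
spec:
  template:
    spec:
      initContainers:
      - name: init-sysctl
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["sysctl", "-w", "net.ipv4.ip_forward=1"]
        securityContext:
          privileged: true
          runAsNonRoot: false
          runAsUser: 0
EOF
}

# apply_patch
# Patches the Deployment, waits for the rollout, then prints ip_forward from
# inside the new pod; expect "1" on the last line. Only runs with "apply".
apply_patch() {
  kubectl -n "$NS" patch deployment "$DEPLOY" --type strategic --patch "$(sysctl_patch)"
  kubectl -n "$NS" rollout status deployment "$DEPLOY"
  kubectl -n "$NS" exec "deploy/$DEPLOY" -- cat /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
  check)
    # Run inside the wg-access-server pod (kubectl exec ... -- sh) to confirm
    # the diagnosis before patching.
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
      echo "ip_forward=1: forwarding is on"
    else
      echo "ip_forward=0: VPN traffic stops at wg0 and never reaches eth0"
    fi
    ;;
  patch) sysctl_patch ;;
  apply) apply_patch ;;
esac
```

Usage: `sh fix-forwarding.sh patch` prints the patch for review, `sh fix-forwarding.sh apply` applies it and verifies, and `sh fix-forwarding.sh check` run inside the pod reports the current state.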

Just added a Pull Request to fix this: https://github.com/Place1/wg-access-server/pull/162

AlexisDucastel avatar Nov 21 '21 22:11 AlexisDucastel