Hi!

I’m in great need of some assistance. Any help is very much appreciated.

Edit: The host system is Arch Linux with the 5.6 kernel running on a x86-64 system.

The goal:
Run both WireGuard and Transmission in one Alpine-based container simultaneously.

Progress:
Transmission is up and running and torrenting files to the host machine works fine.
WireGuard is not starting up. When running wg-quick up wg0 the script is successfully reading the wg0.conf but at the end of the startup it halts.

/ # wg-quick up wg0

You might want to try :

-v /sys:/sys:rw

Still getting the same error. I might add that the host system is an Arch Linux installation running on a x86-64 system if that helps.

I guessed that since otherwise you would have said it upfront.
Beside, as far as docker is concerned, imho, arch or ubuntu, debian, centos, it’s all the same (devuan or alpine might differ though)

I dont see any other clean way to get /sys mounted as RW (that doesnt mean there’s no way. --privileged might work, but that’s not a clean option)
I hope someone have a better option for you

I Googled a bit more and found this:

Looks like you can’t set any sysctl containing .net,

However I’m seeing a lot of other Docker containers doing exactly that successfully. Could anyone explain that?

I’m running into this same issue with the same goal, host Ubuntu 18.04. I have been unable to get Wireguard working in a container with anything I’ve written myself or grabbed from posts. I’ve tried the LinuxServer wireguard image as a client but am getting the same erros as @sebdanielsson . I can’t say for sure that’s the issue, but is the only thing I can see that doesn’t look right.

I’m willing to help debug this though, and will continue to look into it myself!

Does running with --privileged resolve the issue?

That’s what I had to do for https://hub.docker.com/r/jordanpotter/wireguard as well.

Actually I found this:

This guys container is actually working just by running:

Without need for --privileged. I’m trying to figure out why his script is working so well when my isn’t… Do you have any idéa?

It looks like that Docker image hasn’t been updated in over a year, which means it likely isn’t running a recent version of Wireguard. The change requiring net.ipv4.conf.all.src_valid_mark appears to be recent. To verify this, you can try building his image yourself via docker build and running it.

Note that jordanpotter/wireguard also didn’t require --privileged until the image was updated to use the latest Wireguard.

That’s really interesting. I can confirm that my image is working with the --privileged option.
So is this due to a kernel change or a wireguard-tools change? Did this change before WireGuard was mainlined into 5.6?

Hello, a little late to the party but I’ve found a good fix.
include this line into the Dockerfile

RUN sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' /usr/bin/wg-quick && \

And include the following option in docker compose (or the cli equivalent)

    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1

This change makes wg-quick attempt to modify the value of net.ipv4.conf.all.src_valid_mark only when its not already set to 1. Docker compose sets it to 1 so the illegal operation never occurs.

I found this solution in the linuxserver/wireguard Dockerfile