wg-quick up fails on UXG-PRO : unable to initialize table 'raw' #122

Open
sirLeone opened this issue Jun 7, 2022 · 3 comments
Labels
bug/possible A possible bug that has not yet been confirmed


sirLeone commented Jun 7, 2022

Package version

1.0.20211208

Firmware version

 1.12.19

Device

UniFi UXG-PRO

Issue description

I cannot start wireguard with the following command:
wg-quick up /etc/wireguard/wg0.conf

My wg0.conf file looks like this:

[Interface]
Address = 192.168.2.1/24
PrivateKey = MY_KEY
ListenPort = 51820

[Peer]
PublicKey = PUB_KEY1
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
PublicKey = PUB_KEY2
AllowedIPs = 0.0.0.0/0, ::/0

Configuration and log output

wg-quick up /etc/wireguard/wg0.conf
Warning: `/mnt/data/wireguard/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.2.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
ip6tables-restore v1.6.2: ip6tables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

sirLeone added the bug/possible label Jun 7, 2022

Collaborator

peacey commented Jun 7, 2022

Hi @sirLeone,

Please see the troubleshooting section in the Wiki. Specifically the question: wg-quick up returns error "unable to initialize table 'raw'"

Your kernel does not have the iptables raw module. The raw module is only required if you use 0.0.0.0/0 or ::/0 in your wireguard config's AllowedIPs. A workaround is to instead set AllowedIPs to 0.0.0.0/1,128.0.0.0/1 for IPv4 or ::/1,8000::/1 for IPv6. These subnets cover the same range but do not invoke wg-quick's use of the iptables raw module.

If you do not want to use that workaround, you can also load the external module instead of using Ubiquiti's built-in wireguard module by setting LOAD_BUILTIN=0 in the setup_wireguard.sh script. Loading the external module will also load the raw module if the module is compiled for your kernel in this package.

One question though, are you using wireguard as a server or client on the UXG? If using as a server, why are you using 0.0.0.0/0 and ::/0 for client peers? Shouldn't you be setting the correct subnets for each peer instead, or how will WireGuard know how to route which subnet to which Peer if all subnets go to both peers?

Author

sirLeone commented Jun 8, 2022

Hi @peacey,
Thank you for the answer. Tried with 0.0.0.0/1 and it works :)

UXG is my home router and I would like to connect to my home lab from the internet. The second peer is for my wife's phone. I would like to have access to my lab and use my home internet connection while I am on vacation. Assuming this scenario, am I wrong with the provided config using 0.0.0.0/1?

Collaborator

peacey commented Jun 8, 2022

@sirLeone, your configuration is not right for your use case. You should be using the /32 wireguard client IP for each client in the AllowedIPs section for that peer on your router's wireguard config.

You have two peers, each of which has its own unique IP assigned in its wireguard config Address section, right?

Say Peer 1 has IP 10.0.3.2/32 and Peer 2 has IP 10.0.3.3/32. Your router's wireguard config peer section should be like this:

[Peer]
PublicKey = PUB_KEY1
AllowedIPs = 10.0.3.2/32

[Peer]
PublicKey = PUB_KEY2
AllowedIPs = 10.0.3.3/32

If you also assigned IPv6 addresses to your peer, you should also add them of course (as /128).
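
Added example, not part of the thread or of the project's code: a small Python lint for the server-side config discussed above. It flags peers whose AllowedIPs merge into a default route (the 0.0.0.0/1, 128.0.0.0/1 split included) and peers whose AllowedIPs overlap. The function names and sample configs are constructed for illustration, and the keys are the placeholders used in the thread.

```python
import ipaddress
from itertools import combinations

def parse_peers(text):
    """Return [(public_key, [networks])] for each [Peer] section of a wg-quick config."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("["):                     # section header
            current = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                current["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                    for v in value.split(",") if v.strip()]
    return [(p["key"], p["nets"]) for p in peers]

def covers_everything(nets):
    """True if one address family's networks merge into a default route (/0)."""
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        if any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(family)):
            return True
    return False

def lint(text):
    """Return findings for default-route and overlapping AllowedIPs across peers."""
    peers, findings = parse_peers(text), []
    for key, nets in peers:
        if covers_everything(nets):
            findings.append(f"{key}: AllowedIPs covers an entire address family")
    for (k1, n1), (k2, n2) in combinations(peers, 2):
        if any(a.version == b.version and a.overlaps(b) for a in n1 for b in n2):
            findings.append(f"{k1} and {k2}: overlapping AllowedIPs")
    return findings

# Constructed samples modelled on the configs quoted in the thread (placeholder keys).
ORIGINAL = "[Interface]\nAddress = 192.168.2.1/24\n[Peer]\nPublicKey = PUB_KEY1\nAllowedIPs = 0.0.0.0/0, ::/0\n[Peer]\nPublicKey = PUB_KEY2\nAllowedIPs = 0.0.0.0/0, ::/0\n"
SPLIT = ORIGINAL.replace("0.0.0.0/0, ::/0", "0.0.0.0/1, 128.0.0.0/1")
PER_PEER = "[Peer]\nPublicKey = PUB_KEY1\nAllowedIPs = 10.0.3.2/32\n[Peer]\nPublicKey = PUB_KEY2\nAllowedIPs = 10.0.3.3/32\n"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("split", SPLIT), ("per-peer", PER_PEER)):
        print(name, lint(cfg) or "ok")
```

The split form avoids the raw-table error but is still reported here, because on a multi-peer server it leaves the same overlap between peers as 0.0.0.0/0.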
