For the last few months, Wireguard has been mysteriously broken on my personal laptop. I hadn’t touched the configuration, and my other devices were working perfectly, but packets from my laptop were no longer reaching my Wireguard server. I finally decided to sit down and crack the problem today. After a couple of hours spent in the unhappy company of dmesg, tcpdump and various reboots, I have a culprit: Microk8s.
Algo, which is what I used to set up Wireguard, recommends the use of wg-quick to set up client devices on Linux. wg-quick sets up a rule to route all traffic via the Wireguard network interface. Wireguard also adds a fwmark to packets, which is apparently a way of tagging certain packets so that they can be routed in a particular way. I don’t fully understand the networking intricacies here, but Microk8s (which acts directly on the host, unlike Minikube) also adds its own iptables rules, in particular including a rule that drops all marked packets.
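As an added illustration, not part of the original post, here is a small POSIX shell check for exactly this kind of collision: it reads iptables-save output and reports every DROP rule whose mark test would match packets carrying a given fwmark, taking the rule's mask into account. The sample rules are constructed for the example rather than copied from a Microk8s host, and the fwmark value 0xca6c (51820 decimal, the routing-table number wg-quick picks by default) is an assumption about the client configuration.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or from Microk8s/wg-quick).
# Finds iptables DROP rules whose "-m mark --mark" test would match a given fwmark.

# Constructed sample in iptables-save format. The rule text is illustrative,
# not copied from a real Microk8s installation.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A KUBE-FORWARD -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -m mark --mark 0x1 -j DROP
COMMIT'

# Assumed WireGuard fwmark: 51820 decimal, the default table wg-quick uses.
WG_FWMARK=0xca6c

# mark_matches_rule FWMARK SPEC
# SPEC is "value" or "value/mask" as printed by iptables-save. A rule matches
# when (packet_mark & mask) == (value & mask); without a mask all bits count.
mark_matches_rule() {
  wg=$1
  spec=$2
  case "$spec" in
    */*) value=${spec%/*}; mask=${spec#*/} ;;
    *)   value=$spec;      mask=0xffffffff ;;
  esac
  [ $(( wg & mask )) -eq $(( value & mask )) ]
}

# dropped_mark_rules FWMARK
# Reads iptables-save text on stdin and prints each DROP rule whose mark test
# would catch packets carrying FWMARK. Anything other than "-m mark ... -j DROP"
# is skipped, since only those rules can discard traffic by mark alone.
dropped_mark_rules() {
  wg=$1
  while IFS= read -r line; do
    case "$line" in
      -A*" -m mark --mark "*" -j DROP"*) ;;
      *) continue ;;
    esac
    spec=${line#*--mark }     # strip everything up to the mark argument
    spec=${spec%% *}          # keep only "value" or "value/mask"
    if mark_matches_rule "$wg" "$spec"; then
      printf '%s\n' "$line"
    fi
  done
}

# Stand-alone run over the constructed sample: only the masked 0x8000/0x8000
# rule matches 0xca6c, because bit 15 of 0xca6c is set; the 0x1 rule does not.
printf '%s\n' "$SAMPLE_RULES" | dropped_mark_rules "$WG_FWMARK"
```

On a real host the same function can be fed live state, for example with "sudo iptables-save | dropped_mark_rules "$(wg show wg0 fwmark)"", where wg0 is an assumed interface name; an empty result means no mark-based DROP rule can explain lost tunnel packets, and any printed line points at the chain worth inspecting.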
There are a couple of people who appear to have run into this issue in different contexts, with differing solutions.
- Stop/remove Microk8s and reboot. Github
- Don’t use wg-quick and run the networking setup by hand. Kubernetes Forums
- Remove the fwmark from Wireguard configuration. Github
My first instinct was to remove Microk8s, which I can confirm works. I’m not sure what the etiquette of marked packets is: whether Wireguard should be marking packets differently or Kubernetes shouldn’t be routing marked packets in that way. Regardless, the fix was easy enough!