openvpn not starting: Extension MASQUERADE revision 0 not supported #59
Comments
This looks strange; it seems like your openvpn server container does not have all the necessary kernel modules. Did you use the included docker-compose with the latest image tag? Could you share |
Here are the log files, and the exact docker-compose.yaml file: |
It seems like there might be a mismatch between the version of iptables installed in our Docker image and the kernel version or the kernel modules available on your Linux host. Check kernel modules with
kanalizaciya@bookworm64:~/openvpn-server$ lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"
nf_nat 57344 3 xt_nat,nft_chain_nat,xt_MASQUERADE
nf_conntrack_netlink 57344 0
nf_conntrack 188416 5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 3 nf_conntrack,nf_nat,nf_tables
nfnetlink 20480 4 nft_compat,nf_conntrack_netlink,nf_tables
kanalizaciya@bookworm64:~/openvpn-server$ uname -a
Linux bookworm64 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
kanalizaciya@bookworm64:~/openvpn-server$ sudo iptables --version
iptables v1.8.9 (nf_tables)
Try to check if you have iptables installed, and please share your host OS version and details. |
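The checks requested in the comment above (iptables backend, netfilter modules) combined with the container log, as an added example that is not part of the original thread or the project's code. The function names and verdict strings are hypothetical, and the sample input is a constructed pairing of lines quoted in this thread.

```shell
#!/bin/sh
# Added example: offline triage of the outputs requested in this thread.
# Function names and verdict strings are hypothetical, not from the project.

# Backend named in `iptables --version` output: nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Succeed if module $2 is named anywhere in lsmod text $1
# (as a loaded module or in another module's "Used by" column).
module_seen() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qx "$2"
}

# Succeed if container log $1 contains the failure reported in this issue.
masquerade_failed() {
    printf '%s\n' "$1" | grep -q 'Extension MASQUERADE revision 0 not supported'
}

# Print one verdict line.
# $1 host `iptables --version`, $2 container `iptables --version`,
# $3 host lsmod text, $4 container log text.
triage() {
    host_be=$(iptables_backend "$1")
    ctr_be=$(iptables_backend "$2")
    if ! masquerade_failed "$4"; then
        echo "ok: no MASQUERADE failure in log"
    elif ! module_seen "$3" xt_MASQUERADE; then
        echo "check host: xt_MASQUERADE not listed by lsmod"
    elif [ "$host_be" != "$ctr_be" ]; then
        echo "check backends: host=$host_be container=$ctr_be"
    else
        echo "inconclusive: host=$host_be container=$ctr_be, xt_MASQUERADE listed"
    fi
}

# Sample input assembled from lines quoted in this thread (constructed pairing).
SAMPLE_LSMOD='nf_nat 57344 3 xt_nat,nft_chain_nat,xt_MASQUERADE
nf_conntrack 188416 5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE'
SAMPLE_LOG='NAT for OpenVPN clients
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?'

triage 'iptables v1.8.9 (nf_tables)' 'iptables v1.8.10 (nf_tables)' "$SAMPLE_LSMOD" "$SAMPLE_LOG"
```

On a live system, pass the real command output instead of the samples, for example `"$(sudo iptables --version)"` and `"$(lsmod)"` from the host.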
Thanks for looking into the issue I have. Not sure what the difference is between iptables legacy vs nf_tables? Should I simply go ahead installing nftables or iptables-nft? (https://wiki.archlinux.org/title/nftables)
|
OK, it fails here:
echo 'NAT for OpenVPN clients'
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE
with error:
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
Let's try to use SNAT instead of MASQUERADE; this should work with legacy.
MY_ETH0_IP=`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d ':' -f2`
echo "My eth0 IP is: $MY_ETH0_IP"
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j SNAT --to-source $MY_ETH0_IP
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j SNAT --to-source $MY_ETH0_IP
You can do it inside the image:
sudo docker exec -it --user=root openvpn bash
vi docker-entrypoint.sh
Or you can build your own image:
I don't recommend moving your IPTABLES out of the legacy version here, as you may have other chains on your server, but for myself I'd better do it. Please let me know if this WA works for you. Thanks! EDIT: |
Thanks for your help and effort. I followed the exact steps. I was not able to exec into the container as it is in a restart loop. I built a new image following your exact steps, but unfortunately the error has changed into:
|
Hi @rspring, |
When starting openvpn-ui from scratch, both containers are created, but the openvpn container keeps restarting. When I select Configuration > OpenVPN Server, I got a blank page. In the log file of the openvpn container I see:
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
Is this a known issue, is there a workaround?
Thanks for helping out