[BUG] browser log reports wireguard module is not active but lsmod shows it is active

[chinarut]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I have Ubuntu Server 22.04.4 LTS with CasaOS v0.4.8. Container version 13.0.13-ls59

root@orbit:/# docker inspect -f '{{ index .Config.Labels "build_version" }}' linuxserver-mullvad-browser-app-1
Linuxserver.io version:- 13.0.13-ls59 Build-date:- 2024-04-14T23:33:33+00:00

not clear why “image” version differs (13.0.14-ls60) (putting it here for completeness):

root@***:/# docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/mullvad-browser:latest
Linuxserver.io version:- 13.0.14-ls60 Build-date:- 2024-04-16T16:36:40+00:00

browser works fine without VPN enabled.

I downloaded the following file from my VPN and saved it as config/wg0.conf (sanitized for privacy):

PrivateKey = ***
Address = *.*.*.*
DNS = 8.8.8.8

[Peer]
PublicKey = ***
AllowedIps = 0.0.0.0/0
Endpoint = ***:993
PersistentKeepalive = 21

now this shows up in my log:

app-1  | RTNETLINK answers: Operation not permitted
app-1  | **** The wireguard module is not active or you do not have the correct Capabilities set. If you believe that your kernel should have wireguard support already, make sure that it is activated via modprobe! ****

I checked to see if my wireguard module is loaded and it is:

root@***:/# lsmod | grep wireguard
wireguard              94208  0
curve25519_x86_64      36864  1 wireguard
libchacha20poly1305    16384  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard

what other steps can we take to troubleshoot?

Expected Behavior

Mullvad Browser establishes VPN tunnel using provided Wireguard config file from VPN provider.

http://ifconfig.io reports an IP in Australia instead of my ISP IP.

Steps To Reproduce

1. install Ubuntu 22.04.04 LTS
2. install CasaOS (latest: 0.4.8)
3. install LinuxServer.io AppStore
4. install Mullvad Browser
5. open browser at http://localhost:3000
6. open http://ifconfig.io and confirm it reports your public ISP IP
7. copy Wireguard config to /config/wg0.conf (in container)
8. open browser at http://localhost:3000
9. observe host browser just hangs and eventually [Safari] reports “Safari couldn’t open the page because the server stopped responding.”
10. open container log file
11. observe Wireguard module is not loaded

Environment

• hardware: early 2015 Retina MacBook Pro.
• OS: Ubuntu Server 22.04.4 LTS
• How docker service was installed: sudo apt install docker.io

(1)
just FYI, I have WG Easy installed and can successfully tunnel into my server from an external cellular network using the official Wireguard app on a Pixel 6a:

https://github.com/WisdomSky/CasaOS-Coolstore/blob/main/Apps/wg-easy/docker-compose.yml

(2)
to help isolate that is not my VPN provider, I tested a 2nd Wireguard config assigned to my Pixel & able to create a tunnel in the Wireguard app no problem.

CPU architecture

x86-64

Docker creation

from LinuxServer.io AppStore - so I assume this one:

https://github.com/WisdomSky/CasaOS-LinuxServer-AppStore/blob/main/Apps/Mullvad-browser/docker-compose.yml

Container logs

root@***:/# docker logs linuxserver-mullvad-browser-app-1������������������[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

Uname info: Linux da0cedda58e2 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
RTNETLINK answers: Operation not permitted
**** The wireguard module is not active or you do not have the correct Capabilities set. If you believe that your kernel should have wireguard support already, make sure that it is activated via modprobe! ****
[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

Uname info: Linux da0cedda58e2 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
RTNETLINK answers: Operation not permitted
**** The wireguard module is not active or you do not have the correct Capabilities set. If you believe that your kernel should have wireguard support already, make sure that it is activated via modprobe! ****

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[thespad]

or you do not have the correct Capabilities set

If you read our readme you will see that you need the NET_ADMIN cap set in order for the image to work (otherwise it can't modify the host networking to allow wireguard to function) but the Casaos compose template does not set it.

[j0nnymoe]

Also note, that app store is nothing to do with us and the reason your version is pinned is due to the person creating it has pinned that version tag.

[chinarut]

If you read our readme you will see that you need the NET_ADMIN cap set in order for the image to work (otherwise it can't modify the host networking to allow wireguard to function) but the Casaos compose template does not set it.

ok - I will pass this feedback onto the developer (@WisdomSky). Let me try to create the container directly in docker (as CasaOS doesn’t seem to let me set NET_ADMIN capability for some reason)

Also note, that app store is nothing to do with us and the reason your version is pinned is due to the person creating it has pinned that version tag.

good to know I made the assumption you were maintaining the store. thank you for taking the time to explain the difference in versions and how it is pinned 📌

[WisdomSky]

Let me try to create the container directly in docker (as CasaOS doesn’t seem to let me set NET_ADMIN capability for some reason)

Hi @chinarut,

CasaOS does allow you to set container capabilities from the CasaOS dashboard. Under the app settings, scroll to the bottom and you will find the container capabilities. Once you start typing NET_ADMIN into the text field, a list will appear that contains the NET_ADMIN.

[chinarut]

thanks for the quick reply @WisdomSky! The developers noted you are missing the NET_ADMIN capability in your docker-compose file and WireGuard functionality will not work without it.

and in response to your comment above, NET_ADMIN capability is not in my capabilities list in my Mullavad container (created from your Coolapp Store):

[WisdomSky]

thanks for the quick reply @WisdomSky! The developers noted you are missing the NET_ADMIN capability in your docker-compose file and WireGuard functionality will not work without it.

and in response to your comment above, NET_ADMIN capability is not in my capabilities list in my Mullavad container (created from your Coolapp Store):

Hi,

In response to your feedback, you can scroll down the list as the items are arranged alphabetically. Or you can write the whole "NET_ADMIN" for it to appear.

That said, I will update the appstore and apply the required missing container capability later today once I'm available.

Thank you.

[chinarut]

The 6 capabilities I circled is what is available. I will see if I can reproduce this behavior outside of CasaOS and if not, I will file a bug report with CasaOS.

After you update the missing container capability, be sure to test the VPN feature by putting a valid wg0.conf in its config directory. Thanks!

[chinarut]

good news is I got Wireguard to work using the stock container created from the command line using this compose file:

# https://github.com/linuxserver/docker-mullvad-browser

services:
  mullvad-browser:
    image: lscr.io/linuxserver/mullvad-browser:latest
    container_name: mullvad-browser

    cap_add:
      - NET_ADMIN
    security_opt:
      - seccomp:unconfined #optional

    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - LOCAL_NET=192.168.0.0/16 #optional
    volumes:
      - /DATA/AppData/mullvad-browser/config:/config
      - /DATA/Downloads:/config/Downloads

    ports:
      - 3000:3000
      - 3001:3001

    shm_size: "1gb"
    restart: unless-stopped

# https://github.com/WisdomSky/CasaOS-LinuxServer-AppStore/blob/main/Apps/Mullvad-browser/docker-compose.yml

x-casaos:
  architectures:
    - amd64
  main: app
  description:
    en_us: The Mullvad Browser is a privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project. It’s designed to minimize tracking and fingerprinting. You could say it’s a Tor Browser to use without the Tor Network. Instead, you can use it with a trustworthy VPN.
  tagline:
    en_us: The Mullvad Browser is a privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project. It’s designed to minimize tracking and fingerprinting. You could say it’s a Tor Browser to use without the Tor Network. Instead, you can use it with a trustworthy VPN.

  developer: LinuxServer.io

  icon: https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/mullvad-browser-logo.png
  thumbnail: https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/mullvad-browser-logo.png

  port_map: "3000"
  scheme: http

  title:
    en_us: Mullvad browser+

thank you everyone for all the support getting this up and running! 🙌🏼

[WisdomSky]

The 6 capabilities I circled is what is available. I will see if I can reproduce this behavior outside of CasaOS and if not, I will file a bug report with CasaOS.

I had to make a recording just so you'll be able to get what I mean by "scroll down the list as the items are arranged alphabetically".

Recording.2024-04-20.153612.mp4