[GH-ISSUE #6388] wireguard: cannot connect to server (configuration issue) #3259

Closed
opened 2026-05-05 09:52:10 -06:00 by gitea-mirror · 5 comments

Originally created by @luckylinux on GitHub (Jun 19, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6388

Description

Describe the bug
Wireguard cannot connect to external Server. Apparently (looking at my OPNSense Router/Firewall), there is (ALMOST) no attempt at even trying to connect to the Remote Server. I think there was like 1 connection attempt within a Day or so (and not sure if I was playing with some sysctls or what at that point).

I had set up some Wireguard stuff in my Homelab between 2 Debian Machines (without firejail & with apparmor disabled) and no problems there. Connection occurs immediately.

I don't blame it all on firejail, it might be a combination with apparmor (missing) Rules.

There is definitely some cryptic apparmor Entry in dmesg with DENIED status.

Steps to Reproduce

Steps to reproduce the behavior

This is probably not only firejail related, since the wg Program appears to be resolving to /usr/bin/wg, NOT /usr/local/bin/wg. I don't even know if there is a Wireguard Profile ...

root@HOST:/# which wg
/usr/bin/wg

Expected behavior

What you expected to happen
Wireguard connecting successfully to Remote Server.

Actual behavior

What actually happened
Wireguard failing / not even trying to connect to Remote Server.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Probably not relevant (see above).

Additional context

Any other detail that may help to understand/debug the problem
Output of sysctl -a attached.

Environment

  • Ubuntu GNU/Linux 24.04 Noble AMD64
  • Firejail version (firejail --version): firejail version 0.9.72
  • If you use a development version of firejail, also the commit from which it was compiled (git rev-parse HEAD): N/A
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Consumed 27ms CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit wg-quick@wg0.service completed and consumed the indicated resources.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Will spawn child (service_enter_start): /usr/bin/wg-qui>
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Passing 0 fds to service
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: About to execute: /usr/bin/wg-quick up wg0
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Forked /usr/bin/wg-quick as 297436
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Changed dead -> start
Jun 19 18:51:35 HOST systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
░░ Subject: A start job for unit wg-quick@wg0.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wg-quick@wg0.service has begun execution.
░░ 
░░ The job identifier is 114526.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Child 297436 belongs to wg-quick@wg0.service.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=0/SUCCESS (suc>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStart= process belonging to unit wg-quick@wg0.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 0.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Changed start -> exited
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Job 114526 wg-quick@wg0.service/start finished, result=>
Jun 19 18:51:35 HOST systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.
░░ Subject: A start job for unit wg-quick@wg0.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit wg-quick@wg0.service has finished successfully.
░░ 
░░ The job identifier is 114526.
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Failed to send unit change signal for wg-quick@wg0.serv>
Jun 19 18:51:35 HOST systemd[1]: wg-quick@wg0.service: Control group is empty.

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here


@luckylinux commented on GitHub (Jun 19, 2024):

sysctl.txt (https://github.com/user-attachments/files/15904040/sysctl.txt)

@kmk3 commented on GitHub (Jun 26, 2024):

> There is definitively some cryptic apparmor Entry in dmesg with DENIED
> status.

This looks like a potential duplicate of #6389.

Does the problem still happen after running sudo firecfg --clean and
rebooting?

> This is probably not only firejail related, since the wg Program appears
> to be resolving to /usr/bin/wg, NOT /usr/local/bin/wg. I don't even know
> if there is a Wireguard Profile ...

There isn't.

> root@HOST:/# which wg
> /usr/bin/wg

What is the output of the following commands:

which -a wg
ls -l /usr/bin/wg
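The two commands kmk3 asks for are the standard way to tell whether a program is being routed through firejail at all: firecfg(1) installs symlinks in /usr/local/bin, named after each program and pointing at /usr/bin/firejail, and because /usr/local/bin normally precedes /usr/bin in PATH such a symlink makes the program run sandboxed without any visible change to the command line. The script below is an added example by the editor, not code from the firejail project or from this thread; it reproduces that diagnostic against a constructed directory tree (fake firejail and wg binaries plus a firecfg-style symlink under a mktemp directory) so it runs offline, and the functions take an explicit PATH-style list rather than reading the live PATH.

```shell
#!/bin/sh
# Added example (editor's, not from the firejail project): the check behind
# "which -a wg" and "ls -l /usr/bin/wg". A firecfg symlink in /usr/local/bin
# that resolves to the firejail binary means the command runs sandboxed; a
# plain binary first on PATH means firejail is not involved at all.

# Print every executable named $1 found on the PATH-style list $2 as
# "candidate -> resolved target", one per line (what "which -a" combined
# with "readlink -f" would show on a real system).
list_candidates() {
    name=$1
    oldifs=$IFS
    IFS=:
    set -- $2
    IFS=$oldifs
    for dir; do
        if [ -x "$dir/$name" ]; then
            printf '%s -> %s\n' "$dir/$name" "$(readlink -f "$dir/$name")"
        fi
    done
    return 0
}

# Succeed (status 0) when the first match for $1 on the PATH-style list $2
# resolves to the firejail binary $3, i.e. the command is being redirected
# into a sandbox; fail (status 1) when it would run unsandboxed or is absent.
is_firejail_redirect() {
    name=$1
    firejail_bin=$(readlink -f "$3")
    oldifs=$IFS
    IFS=:
    set -- $2
    IFS=$oldifs
    for dir; do
        if [ -x "$dir/$name" ]; then
            if [ "$(readlink -f "$dir/$name")" = "$firejail_bin" ]; then
                return 0
            else
                return 1
            fi
        fi
    done
    return 1
}

# Constructed fixture standing in for a host where firecfg has been run:
# bin/ holds a fake firejail and a fake wg, local/bin holds the firecfg-style
# symlink wg -> firejail. Nothing here touches the real system.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/bin" "$DEMO_ROOT/local/bin"
printf '#!/bin/sh\necho fake firejail\n' > "$DEMO_ROOT/bin/firejail"
printf '#!/bin/sh\necho fake wg\n' > "$DEMO_ROOT/bin/wg"
chmod +x "$DEMO_ROOT/bin/firejail" "$DEMO_ROOT/bin/wg"
ln -s "$DEMO_ROOT/bin/firejail" "$DEMO_ROOT/local/bin/wg"

SANDBOXED_PATH="$DEMO_ROOT/local/bin:$DEMO_ROOT/bin"  # PATH with the firecfg symlink first
PLAIN_PATH="$DEMO_ROOT/bin"                            # what the reporter observed: only a plain wg

echo "with a firecfg symlink in place:"
list_candidates wg "$SANDBOXED_PATH"
if is_firejail_redirect wg "$SANDBOXED_PATH" "$DEMO_ROOT/bin/firejail"; then
    echo "wg would run inside firejail"
else
    echo "wg would run unsandboxed"
fi

echo "as on the reporter's host (/usr/bin/wg is a plain binary, no symlink):"
list_candidates wg "$PLAIN_PATH"
if is_firejail_redirect wg "$PLAIN_PATH" "$DEMO_ROOT/bin/firejail"; then
    echo "wg would run inside firejail"
else
    echo "wg would run unsandboxed"
fi
```

On a real host the equivalent is `which -a wg` followed by `readlink -f` on each result; a target of /usr/bin/firejail is the only case in which a firejail profile (or the lack of one) can matter, which is why the thread's `-rwxr-xr-x ... /usr/bin/wg` output with no /usr/local/bin entry already points away from firejail.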

@luckylinux commented on GitHub (Jun 27, 2024):

> What is the output of the following commands:
>
> which -a wg
> ls -l /usr/bin/wg

root@HOST:/# which -a wg
/usr/bin/wg
/bin/wg
root@HOST:/# ls -l /usr/bin/wg
-rwxr-xr-x 1 root root 101672 Apr  8 18:22 /usr/bin/wg

@kmk3 commented on GitHub (Jul 4, 2024):

> root@HOST:/# which -a wg
> /usr/bin/wg
> /bin/wg
> root@HOST:/# ls -l /usr/bin/wg
> -rwxr-xr-x 1 root root 101672 Apr  8 18:22 /usr/bin/wg

So wireguard does not have a profile and is not using any symlinks either.

> Does the problem still happen after running sudo firecfg --clean and
> rebooting?

This question still remains.

If you can demonstrate that the issue is indeed caused by firejail, feel free
to add a comment.

Closing as a likely duplicate of #6389.


@luckylinux commented on GitHub (Jul 4, 2024):

@kmk3: Sorry for the Trouble 😞.

Actually this specific Issue was caused neither by firejail nor by System Hardening.

I needed to add this to the end of /etc/wireguard/wg0.conf on both Server and Client at the End of the [Peer] Section:

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

Then it works like a Charm 👍.

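The resolution above is worth spelling out, because it explains the "no attempt at even trying to connect" symptom from the first post: WireGuard is silent by design and only initiates a handshake when it has a packet to send to a peer, so a client whose tunnel carries no traffic will show nothing at the firewall even though wg-quick reported success. PersistentKeepalive = N makes the local side emit a keepalive every N seconds, which triggers the handshake and also keeps a NAT mapping open so the remote side can reach back. The script below is an added example by the editor, not code from the issue or from the WireGuard project: it parses a wg-quick style configuration (multiple [Peer] sections, which Python's configparser rejects) and flags peers that have an Endpoint but no keepalive, plus keepalive values outside the range wg accepts. The sample configuration and its keys are constructed placeholders, not real key material.

```python
"""Added example (editor's, not from the issue or the WireGuard project):
lint a wg-quick configuration for the failure mode discussed in this thread.
"""
import re

MAX_KEEPALIVE = 65535  # wg(8): 0 disables keepalives, otherwise 1..65535 seconds


def parse_wg_conf(text):
    """Return [(section_name, {key: value}), ...] in file order.

    Repeated [Peer] sections are kept separately; '#' starts a comment
    anywhere on a line, matching how wg(8) reads its config.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = (header.group(1), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")  # first '=' only; base64 keys end in '='
        current[1][key.strip()] = value.strip()
    return sections


def lint_peers(text):
    """Return human-readable findings, one per misconfigured [Peer]."""
    findings = []
    peer_no = 0
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        peer_no += 1
        label = f"peer {peer_no} ({kv.get('PublicKey', '?')[:8]}...)"
        keepalive = kv.get("PersistentKeepalive")
        if keepalive is None:
            if "Endpoint" in kv:
                # The situation in the first post: wg-quick succeeds, but no
                # handshake is ever attempted until local traffic is sent.
                findings.append(
                    f"{label}: Endpoint set but no PersistentKeepalive; "
                    "nothing is sent to the peer until local traffic flows"
                )
            continue
        if not keepalive.isdigit() or int(keepalive) > MAX_KEEPALIVE:
            findings.append(
                f"{label}: PersistentKeepalive={keepalive!r} is not in 0..{MAX_KEEPALIVE}"
            )
        elif keepalive == "0":
            findings.append(f"{label}: PersistentKeepalive=0 disables keepalives")
    return findings


# Constructed sample: the first peer mirrors the reporter's original config,
# the second carries the fix from the last comment. Keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = cGxhY2Vob2xkZXItcHJpdmF0ZS1rZXktbm90LXJlYWwtMDA=
Address = 10.8.0.2/24

[Peer]
PublicKey = cGxhY2Vob2xkZXItc2VydmVyLWEtcHVibGljLWtleS0wMDA=
AllowedIPs = 10.8.0.0/24
Endpoint = vpn-a.example.invalid:51820

[Peer]
PublicKey = cGxhY2Vob2xkZXItc2VydmVyLWItcHVibGljLWtleS0wMDA=
AllowedIPs = 10.8.1.0/24
Endpoint = vpn-b.example.invalid:51820
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    for finding in lint_peers(SAMPLE_CONF):
        print(finding)
```

A keepalive is not required for every deployment: a peer that sends traffic regularly, or that sits on a public address and lets the other side initiate, works without it. The check is aimed at the case in this thread, a client behind NAT whose tunnel stays idle.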