
openvpn not starting: Extension MASQUERADE revision 0 not supported #59

Status: Open
rspring opened this issue Apr 12, 2024 · 7 comments
Assignee: d3vilh
Labels: help wanted (Extra attention is needed)

Comments

rspring commented Apr 12, 2024

When starting openvpn-ui from scratch, both containers are created, but the openvpn container keeps restarting. When I select Configuration > OpenVPN Server, I get a blank page. In the log file of the openvpn container I see:

net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Is this a known issue, is there a workaround?
Thanks for helping out

d3vilh (Owner) commented Apr 12, 2024

This looks strange; it seems like your openvpn server container does not have all the necessary kernel modules. Did you use the included docker-compose with the latest image tag?

Could you share the output of docker logs openvpn and docker logs openvpn-ui?

@d3vilh d3vilh self-assigned this Apr 12, 2024
@d3vilh d3vilh added the help wanted Extra attention is needed label Apr 12, 2024
rspring (Author) commented Apr 12, 2024

Here are the log files and the exact docker-compose.yaml file:
_openvpn-ui_logs.txt
_openvpn_logs.txt
docker-compose.yaml.txt

d3vilh (Owner) commented Apr 14, 2024

It seems like there might be a mismatch between the version of iptables installed in our Docker image and the kernel version or the kernel modules available on your Linux host.

Check the kernel modules with lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"
Here is an example of the output from my Debian bookworm host server:

kanalizaciya@bookworm64:~/openvpn-server$ lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"
nf_nat                 57344  3 xt_nat,nft_chain_nat,xt_MASQUERADE
nf_conntrack_netlink    57344  0
nf_conntrack          188416  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  3 nf_conntrack,nf_nat,nf_tables
nfnetlink              20480  4 nft_compat,nf_conntrack_netlink,nf_tables
kanalizaciya@bookworm64:~/openvpn-server$ uname -a
Linux bookworm64 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
kanalizaciya@bookworm64:~/openvpn-server$ sudo iptables --version
iptables v1.8.9 (nf_tables)

The openvpn-server image uses the newer iptables v1.8.10 (nf_tables) and it works fine.

Please check whether you have iptables installed, and share your host OS version and details.

@d3vilh d3vilh closed this as completed Apr 14, 2024
@d3vilh d3vilh reopened this Apr 14, 2024
rspring (Author) commented Apr 14, 2024

Thanks for looking into the issue I have. I'm not sure what the difference is between iptables legacy and nf_tables. Should I simply go ahead and install nftables or iptables-nft? (https://wiki.archlinux.org/title/nftables)

rudolf@nuc:~$ lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"
nf_conntrack_netlink    61440  0
nf_nat                 65536  3 xt_nat,iptable_nat,xt_MASQUERADE
nf_conntrack          208896  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  2 nf_conntrack,nf_nat
nfnetlink              20480  3 nf_conntrack_netlink
rudolf@nuc:~$ uname -a
Linux nuc 6.7.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 08 Mar 2024 01:59:01 +0000 x86_64 GNU/Linux
rudolf@nuc:~$ sudo iptables --version
iptables v1.8.10 (legacy)

d3vilh (Owner) commented Apr 14, 2024

OK, it fails here:

echo 'NAT for OpenVPN clients'
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE

with error:

Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Let's try to use SNAT instead of MASQUERADE; this should work with legacy.
Modify lines 68 and 69 of the docker-entrypoint.sh script to this syntax:

MY_ETH0_IP=`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d ':' -f2`
echo "My eth0 IP is: $MY_ETH0_IP"
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j SNAT --to-source $MY_ETH0_IP
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j SNAT --to-source $MY_ETH0_IP

You can do it inside the image:

sudo docker exec -it --user=root openvpn bash
vi docker-entrypoint.sh

Or you can build your own image:

  1. Update ~/openvpn-server/docker-entrypoint.sh in the root repo directory, then
  2. Rebuild the openvpn-server image by running the sudo ./build-image.sh script.
  3. It will create a new local image d3vilh/openvpn-server:latest (check with docker image ls).
  4. Retag it: docker tag d3vilh/openvpn-server:latest local/openvpn-server:latest
  5. Update your docker-compose.yml with the local image: image: local/openvpn-server:latest
  6. Run the container and it should use the new docker-entrypoint.sh.

I'm not recommending here that you move your iptables off the legacy version, as you may have other chains on your server, but for myself I'd rather do it.

Please let me know if this WA works for you.

Thanks!

EDIT: iptables-nft is a better idea :) but please be careful and test it before applying it on production.
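A host preflight check, added here as an example and not part of the openvpn-server project: the two lsmod listings earlier in this thread differ in that the working host shows nf_tables, nft_compat and nft_chain_nat (directly or in a "Used by" column) while the failing one does not, and the container's iptables is the nf_tables variant. The script below parses lsmod and iptables --version text so the comparison can be done offline and reproduced on any host before the container is started; the list of modules it treats as required for iptables-nft NAT rules is an assumption, and the sample listings are copied (trimmed) from the thread.

```shell
#!/bin/sh
# Host preflight for an iptables-nft container (added example, not part of
# openvpn-server). Works on lsmod / `iptables --version` text so it can be
# checked offline; the module set is an assumption for iptables-nft NAT rules.
REQUIRED_MODULES="nf_tables nft_compat nft_chain_nat nf_nat xt_MASQUERADE"

# Sample lsmod output copied (trimmed) from the two hosts in the thread.
LSMOD_BOOKWORM=$(cat <<'EOF'
nf_nat                 57344  3 xt_nat,nft_chain_nat,xt_MASQUERADE
nf_conntrack          188416  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
libcrc32c              16384  3 nf_conntrack,nf_nat,nf_tables
nfnetlink              20480  4 nft_compat,nf_conntrack_netlink,nf_tables
EOF
)
LSMOD_NUC=$(cat <<'EOF'
nf_conntrack_netlink    61440  0
nf_nat                 65536  3 xt_nat,iptable_nat,xt_MASQUERADE
nf_conntrack          208896  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nfnetlink              20480  3 nf_conntrack_netlink
EOF
)

# missing_modules LSMOD_TEXT: prints the required modules that appear neither
# in the "Module" column nor in any "Used by" column of the given lsmod text.
missing_modules() {
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$1" | awk -v m="$m" '
            $1 == m { found = 1 }
            { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == m) found = 1 }
            END { exit !found }'; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}

# backend_of VERSION_LINE: "legacy", "nf_tables" or "unknown" from `iptables --version`.
backend_of() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Live run against this host: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "host iptables backend: $(backend_of "$(iptables --version 2>/dev/null)")"
    echo "modules missing for iptables-nft: $(missing_modules "$(lsmod)")"
fi
```

On the failing host from the thread the check reports nf_tables, nft_compat and nft_chain_nat as missing; loading them (or switching the host to iptables-nft, as suggested above) is what the container's nf_tables-based iptables needs.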

rspring (Author) commented Apr 14, 2024

Thanks for your help and effort. I followed the exact steps. I was not able to exec into the container as it is in a restart loop. I built a new image following your exact steps, but unfortunately the error has changed to:

net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
My eth0 IP is: 192.168.48.3
Warning: Extension SNAT revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
PKI already set up.

d3vilh (Owner) commented Apr 19, 2024

Hi @rspring,
It seems the iptables kernel modules are not loaded properly.
Did you try to restart the server? :)
