pivpn: Iptables masquerade rule does not persist on reboot

In raising this issue I confirm that

Describe the issue

When rebooted, communication between WireGuard clients works but there is no Internet connection. When pivpn -d is used upon reboot, it asks me to add the masquerade rule again. It works! When checking the firewall file, multiple masquerade rules have been added from previous attempts, but pivpn ignores these. I have tried manually deleting all the duplicate rules too.

Expected behavior

Upon reboot, all masquerading rules from the previous pivpn -d command should be detected and I shouldn't have to add another line.

Please describe the steps to replicate the issue

  1. Install PiVPN using bash script
  2. Add client
  3. Reboot Server
  4. Run pivpn -d. The script should ask to add the masquerade rule to iptables
  5. Reboot again
  6. Run pivpn -d again and the script should ask again to add the masquerade rule

Have you taken any steps towards solving your issue?

None, I’m not sure how to solve this issue.

Screenshots

No response

Where did you run pivpn?

Raspberry Pi 4 8GB

Please provide your output from uname -a

Linux pihole 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

Details about Operating System

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/

Installation

No response

Profile / Client creation

No response

Debug output

::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
Branch: master
Commit: f7f81e1bf47b5f4564b6ded7a516da5fd3c2f63c
Author: 4s3ti
Date: Mon Nov 28 23:32:17 2022 +0100
Summary: fix(scripts): uninstall default option
=============================================
::::        Installation settings        ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=1
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.0.25/24
IPv4gw=192.168.0.1
install_user=nick
install_home=/home/nick
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=()
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820
### begin Note20 ###
[Peer]
PublicKey = Note20_pub
PresharedKey = Note20_psk
AllowedIPs = 10.6.0.2/32
### end Note20 ###
### begin Yoga6 ###
[Peer]
PublicKey = Yoga6_pub
PresharedKey = Yoga6_psk
AllowedIPs = 10.6.0.3/32
### end Yoga6 ###
### begin TabS7 ###
[Peer]
PublicKey = TabS7_pub
PresharedKey = TabS7_psk
AllowedIPs = 10.6.0.4/32
### end TabS7 ###
### begin Office ###
[Peer]
PublicKey = Office_pub
PresharedKey = Office_psk
AllowedIPs = 10.6.0.5/32
### end Office ###
### begin Nextcloud ###
[Peer]
PublicKey = Nextcloud_pub
PresharedKey = Nextcloud_psk
AllowedIPs = 10.6.0.6/32
### end Nextcloud ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = Note20_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = Note20_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
::::    Recursive list of files in       ::::
::::    /etc/wireguard shown below       ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
clients.txt
Nextcloud.conf
Note20.conf
Office.conf
TabS7.conf
Yoga6.conf

/etc/wireguard/keys:
Nextcloud_priv
Nextcloud_psk
Nextcloud_pub
Note20_priv
Note20_psk
Note20_pub
Office_priv
Office_psk
Office_pub
server_priv
server_pub
TabS7_priv
TabS7_psk
TabS7_pub
Yoga6_priv
Yoga6_psk
Yoga6_pub
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Ufw is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Ufw input rule set
:: [OK] Ufw forwarding rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: WARNING: This script should have automatically masked sensitive       ::::
:::: information, however, still make sure that PrivateKey, PublicKey      ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this:                  ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe                          ::::
=============================================
::::            Debug complete           ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::
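The stacked duplicate rules the reporter describes come from re-adding the MASQUERADE rule without first checking whether it is already persisted. The script below is an added example (not PiVPN's code and not from the reporter) that counts, de-duplicates and idempotently persists the rule in a ufw before.rules-style file, using the subnet and interface from the debug output above; it operates on a constructed temp file, and the path /etc/ufw/before.rules is only assumed to be where the rule lives on a USING_UFW=1 install.

```shell
#!/bin/sh
# Added example, not PiVPN's own code: keep the WireGuard MASQUERADE rule
# in a ufw before.rules-style file idempotently, so re-running it after
# every reboot does not stack duplicates as the reporter observed.
# Values are taken from the debug output (pivpnNET=10.6.0.0, subnetClass=24,
# IPv4dev=eth0); RULES_FILE is a constructed temp file, not the live
# /etc/ufw/before.rules (assumed to be where PiVPN persists the rule).
PIVPN_NET="10.6.0.0/24"
IPV4_DEV="eth0"
MASQ_RULE="-A POSTROUTING -s $PIVPN_NET -o $IPV4_DEV -j MASQUERADE"

# How many exact copies of the rule the file holds (0 if none).
masq_rule_count() {
    grep -c -F -x -- "$MASQ_RULE" "$1" || true
}

# Collapse stacked duplicates down to a single copy.
dedupe_masq_rule() {
    awk -v rule="$MASQ_RULE" '$0 == rule { if (seen++) next } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Add the rule only when absent, before the COMMIT of the *nat table so
# iptables-restore loads it with that table at boot; create a minimal
# *nat table if the file has none.
ensure_masq_rule() {
    [ "$(masq_rule_count "$1")" -ge 1 ] && return 0
    if grep -q '^\*nat$' "$1"; then
        awk -v rule="$MASQ_RULE" '
            /^\*nat$/ { innat = 1 }
            innat && /^COMMIT$/ { print rule; innat = 0 }
            { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '*nat\n:POSTROUTING ACCEPT [0:0]\n%s\nCOMMIT\n' \
            "$MASQ_RULE" >> "$1"
    fi
}

# Constructed sample: the rule stacked twice, as in the report.
RULES_FILE="$(mktemp)"
cat > "$RULES_FILE" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
dedupe_masq_rule "$RULES_FILE"      # 2 copies -> 1
ensure_masq_rule "$RULES_FILE"      # already present, unchanged
echo "MASQUERADE copies now: $(masq_rule_count "$RULES_FILE")"
```

A check like masq_rule_count against the persisted file, rather than only against the live ruleset, is what tells a debug script whether the rule will survive the next reboot.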

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (13 by maintainers)

Most upvoted comments

I had the same problem, try this link, it helped me with wireguard and openvpn, https://www.cyberciti.biz/faq/how-to-save-iptables-firewall-rules-permanently-on-linux/