Description
Bug report
Describe your environment
- Device: Desktop PC / Laptop (x86_64)
- OS name and version: Ubuntu 25.10, Kernel 6.17.0-6-generic
- IVPN app version: 3.14.34
Describe the problem
Steps to reproduce:
- Install IVPN on Ubuntu 25.10 with kernel 6.17.0-6-generic
- Ensure WireGuard kernel module is loaded:
```
sudo modprobe wireguard
```
- Attempt to connect via WireGuard:
```
ivpn connect -p wg -any
```
Observed Results:
Error message:
Error: failed to connect: connection error: failed to start WireGuard: exit status 1
Root cause (found via debugging):
The wg-quick script (bundled in /opt/ivpn/wireguard-tools/wg-quick) fails when executing nftables rules because required kernel modules are not loaded by default on Ubuntu 25.10 kernel 6.17.
Debug log excerpt from /tmp/wg-quick-debug.log:
```
+ nft -f /dev/fd/63
/dev/fd/63:5:79-92: Error: Could not process rule: No such file or directory
add rule ip wg-quick-wgivpn preraw iifname != "wgivpn" ip daddr 172.17.219.85 fib saddr type != local drop
^^^^^^^^^^^^^^
/dev/fd/63:6:68-83: Error: Could not process rule: No such file or directory
add rule ip wg-quick-wgivpn postmangle meta l4proto udp mark 51820 ct mark set mark
^^^^^^^^^^^^^^^^
```
The fib saddr type expression requires nft_fib and nft_fib_ipv4 kernel modules, which are not loaded automatically on this kernel version.
System state:
- WireGuard kernel module: ✅ Loaded (wireguard)
- nftables: ✅ Installed and working
- Missing modules: ❌ nft_fib, nft_fib_ipv4
Expected Results:
- WireGuard connection should establish successfully
- OR: Clear error message indicating which kernel modules are missing and how to load them
Solution (workaround):
Temporary fix:
```
sudo modprobe nft_fib
sudo modprobe nft_fib_ipv4
ivpn connect -p wg -any  # Now works
```
Permanent fix:
```
echo "nft_fib" | sudo tee -a /etc/modules-load.d/wireguard.conf
echo "nft_fib_ipv4" | sudo tee -a /etc/modules-load.d/wireguard.conf
```
Relevant Code:
Suggested improvement in daemon/vpn/wireguard/wireguard_linux.go:
```go
import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Add this function to check required kernel modules before connection
func checkRequiredKernelModules() error {
	// Modules needed by the "fib saddr type" expression in the wg-quick nftables rules
	requiredModules := []string{
		"nft_fib",
		"nft_fib_ipv4",
	}
	var missing []string
	for _, module := range requiredModules {
		// A loaded module has a directory under /sys/module
		modulePath := filepath.Join("/sys/module", module)
		if _, err := os.Stat(modulePath); os.IsNotExist(err) {
			missing = append(missing, module)
		}
	}
	if len(missing) > 0 {
		// "modprobe -a" loads every listed module (without -a, extra arguments are
		// module parameters); printf writes one module name per line.
		return fmt.Errorf(
			"required kernel modules not loaded: %s\n"+
				"Fix: sudo modprobe -a %s\n"+
				"To make permanent: printf '%%s\\n' %s | sudo tee -a /etc/modules-load.d/wireguard.conf",
			strings.Join(missing, ", "),
			strings.Join(missing, " "),
			strings.Join(missing, " "),
		)
	}
	return nil
}

// In the init() method, add the check:
func (wg *WireGuard) init() error {
	// Check for required kernel modules
	if err := checkRequiredKernelModules(); err != nil {
		log.Warning("WireGuard setup warning: ", err.Error())
		// Could also return error to prevent connection attempt
	}
	// ... rest of init code
}
```
This would provide users with a clear, actionable error message instead of the cryptic "exit status 1".
Additional Context
This issue affects Ubuntu 25.10 with newer kernels (6.17+) where nftables FIB modules are not loaded by default. The WireGuard kernel module itself works fine - the issue is purely with the nftables routing rules in wg-quick.
Related issues:
- Cannot connect with Wireguard with "Failed to connect" message. #137 (Arch Linux - different root cause)
- Can't connect to the IVPN network with Wireguard: failed to initialize interface #237 (MacOS - different root cause)
Verification after fix:
```
$ lsmod | grep nft_fib
nft_fib 24576 0
nft_fib_ipv4 12288 0
$ ivpn status
VPN: CONNECTED
Protocol: WireGuard
Local IP: 172.17.219.85
```
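A variant of the module check suggested above that also counts modules compiled into the kernel as present, so a kernel with nft_fib built in is not reported as broken. This is an added example, not part of the original issue or the IVPN code base; the function names and sample inputs are constructed, and a caller is assumed to pass the contents of /proc/modules and /lib/modules/<release>/modules.builtin.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalize maps "kernel/net/netfilter/nft-fib.ko" or "nft_fib" to "nft_fib".
// modprobe treats '-' and '_' as equivalent; /proc/modules shows '_'.
func normalize(entry string) string {
	name := strings.TrimSuffix(path.Base(strings.TrimSpace(entry)), ".ko")
	return strings.ReplaceAll(name, "-", "_")
}

// availableModules merges /proc/modules text (module name is the first field)
// with modules.builtin text (one .ko path per line).
func availableModules(procModules, builtin string) map[string]bool {
	have := map[string]bool{}
	for _, line := range strings.Split(procModules+"\n"+builtin, "\n") {
		if f := strings.Fields(line); len(f) > 0 {
			have[normalize(f[0])] = true
		}
	}
	return have
}

// missingModules returns the required modules that are neither loaded nor built in.
func missingModules(required []string, procModules, builtin string) []string {
	have := availableModules(procModules, builtin)
	var missing []string
	for _, m := range required {
		if !have[normalize(m)] {
			missing = append(missing, m)
		}
	}
	return missing
}

func main() {
	// Constructed sample inputs, not captured from a real system.
	proc := "wireguard 114688 0 - Live 0x0000000000000000\n" +
		"nft_fib 24576 0 - Live 0x0000000000000000\n"
	builtin := "kernel/net/netfilter/nf_tables.ko\n"
	fmt.Println(missingModules([]string{"nft_fib", "nft_fib_ipv4"}, proc, builtin)) // [nft_fib_ipv4]
}
```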