Can't write correct rules for Debian 10 nft #402

Open
lokapal opened this issue Nov 6, 2023 · 1 comment
lokapal commented Nov 6, 2023

Debian 10, nft, wireguard manager is the last one, obtained by

curl https://raw.githubusercontent.com/complexorganizations/wireguard-manager/main/wireguard-manager.sh --create-dirs -o /usr/local/bin/wireguard-manager.sh

The result is the error:

Error: NAT is only supported for IPv4/IPv6
add rule inet wireguard-wg0 POSTROUTING ip saddr 10.0.0.0/8 oifname eth0 masquerade
                                                                         ^^^^^^^^^^
[#] ip link delete dev wg0

Kernel: Linux 5.10.0-0.deb10.21-amd64 #1 SMP Debian 5.10.162-1~deb10u1 (2023-02-14) x86_64 GNU/Linux
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
nft -v
nftables v0.9.0 (Fearless Fosdick)

Any advice?

Prajwal-Koirala (Member) commented

The error you're encountering with WireGuard setup on Debian 10 seems to be related to an issue with the Network Address Translation (NAT) configuration in your nftables rules. The message "Error: NAT is only supported for IPv4/IPv6" indicates a problem with the way the NAT rule is defined for your WireGuard interface.

Here are some steps to troubleshoot and potentially resolve this issue:

  1. Check nftables Configuration: The error points to an issue with the nftables rule syntax. Ensure that your nftables configuration is correct for your setup. You might need to adjust the rule to match your network configuration, particularly the oifname (output interface name) and the source address range.

  2. Verify Interface Name: The script is trying to use eth0 as the output interface in the NAT rule. Make sure that eth0 is the correct external network interface for your system. You can check available network interfaces using the command ip addr.

  3. Ensure Kernel Support: Your kernel version (Linux 5.10) should support WireGuard and nftables, but it's good to verify that all necessary modules are loaded. Use lsmod | grep wireguard to check if the WireGuard module is loaded.

  4. Update nftables: Your nftables version is 0.9.0, which is relatively old. Consider updating nftables to a newer version if available for Debian 10. This might resolve compatibility or syntax issues.

  5. Manual NAT Rule Setup: If the script isn't working, you could manually set up the NAT rule. The typical NAT rule for WireGuard looks something like this:

    nft add table ip nat
    nft add chain ip nat POSTROUTING { type nat hook postrouting priority 0 \; }
    nft add rule ip nat POSTROUTING oif "eth0" ip saddr 10.0.0.0/8 masquerade
    

    Replace eth0 and 10.0.0.0/8 with the correct interface name and IP address range for your setup.

  6. Script Compatibility: Ensure that the WireGuard manager script you're using is compatible with Debian 10 and your system's configuration. If it's a third-party script, there might be compatibility issues or assumptions about the system setup that don't apply to your environment.

  7. Consult Documentation: Review the WireGuard and nftables documentation for any specifics related to Debian 10 and your system setup.

  8. Seek Support: If you're still encountering issues, consider seeking support from Debian forums, WireGuard communities, or the maintainers of the script you're using.

Remember, making changes to network configuration and firewall rules can affect your system's connectivity and security, so proceed with caution and make sure to have backups of your configurations.
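
Added example, not part of the thread and not the project's code: nftables accepts NAT chains in the inet family only from version 0.9.1 (with kernel 5.2 or later), so the 0.9.0 reported in the issue rejects the inet masquerade rule. This sketch picks the table family from the nft -v banner and prints the matching rules; the function names are hypothetical, the priority value 100 is an assumption, and the table, interface and address range are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example: choose the nftables family for a masquerade rule.
# Assumption: NAT chains in the inet family need nftables >= 0.9.1 (and
# kernel >= 5.2); older nft fails with "NAT is only supported for IPv4/IPv6".

# Extract "0.9.0" from a banner such as "nftables v0.9.0 (Fearless Fosdick)".
nft_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2, comparing numerically field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print the family that can hold the NAT chain for this nft version.
nat_family() {
    if version_ge "$1" 0.9.1; then echo inet; else echo ip; fi
}

# Print (never execute) nft -f syntax for an IPv4 masquerade rule.
# With the "ip" fallback, IPv6 NAT would need its own "ip6" table.
masquerade_rules() {
    family=$(nat_family "$1"); table=$2; oif=$3; cidr=$4
    echo "add table $family $table"
    echo "add chain $family $table POSTROUTING { type nat hook postrouting priority 100 ; }"
    echo "add rule $family $table POSTROUTING ip saddr $cidr oifname $oif masquerade"
}

# Values below are taken from the issue: nft banner, table, interface, range.
banner='nftables v0.9.0 (Fearless Fosdick)'
masquerade_rules "$(nft_version_from_banner "$banner")" wireguard-wg0 eth0 10.0.0.0/8
```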
