Public bug reported:

As copied from https://discourse.ubuntu.com/t/suspected-race-condition-error-in-systemd-startup-order/69668

Ubuntu Version: Ubuntu 24.04.3 LTS (GNU/Linux 6.14.0-1013-oracle x86_64) (Oracle Cloud image)
Desktop Environment (if applicable): N/A (headless server)

Problem Description:
I’m setting up a WireGuard VPN server with NAT and forwarding rules applied via `iptables-persistent` (netfilter-persistent). After reboot, the VPN interface `wg0` comes up, but NAT masquerade rules and forwarding rules are **not consistently applied**, causing traffic from the VPN subnet (10.10.0.0/24) to fail. WireGuard itself works when the rules are manually reapplied.

The root cause appears to be systemd starting wg-quick@wg0.service before netfilter-persistent.service has loaded firewall rules.

Expected behavior:
NAT and forwarding rules are loaded before the WireGuard interface comes up. VPN clients can route traffic through the server immediately after boot.

Observed behavior:
After a reboot, health checks report missing NAT and forwarding rules. Temporary fixes include manually running wg-quick down/up and reapplying NAT/forwarding rules.

Relevant System Information:
iptables-persistent version: 1.0.14
netfilter-persistent version: 1.0.14
WireGuard kernel module: 5.15.0-76-generic
Oracle Cloud Ubuntu image with default InstanceServices firewall rules

Screenshots or Error Messages:

Chain POSTROUTING (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE 0    --  *      ens3    10.10.0.0/24         0.0.0.0/0

Health check log excerpt after reboot:

=== WireGuard VPN Health Check ===
✅ wg0 interface exists
❌ wg0 missing IP — attempting reapply via wg-quick
❌ NAT masquerade rule missing — adding source-specific rule
   ↳ NAT rule added and saved
✅ Forwarding rule present
✅ IPv4 forwarding enabled
✅ systemd dependency OK
=== Health check complete ===

What I’ve Tried:
Verified that /etc/iptables/rules.v4 contains the correct NAT/forwarding rules.
Ensured netfilter-persistent.service is enabled.
Added systemd override for wg-quick@wg0.service:

[Unit]
After=netfilter-persistent.service
Requires=netfilter-persistent.service

Saved firewall rules with sudo netfilter-persistent save and reloaded daemon.
Created a health-check script that reapplies rules if missing.

Result:
After this, the system behaves correctly if the script is run, but rules are still inconsistently applied immediately at boot without the script, suggesting a race condition in systemd startup order.

** Affects: wireguard (Ubuntu)
     Importance: Undecided
         Status: Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2129961

Title:
  systemd unit race condition between wg-quick@wg0.service and netfilter-persistent.service integration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/2129961/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
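The reporter mentions a health-check script but does not post it. The following is an added example written for this page, not the reporter's script and not part of the wireguard or netfilter-persistent packages. It implements the four checks the report's log excerpt shows (NAT masquerade rule, forwarding rule, IPv4 forwarding sysctl, systemd ordering) as functions that take the inspected command's output as an argument, so the logic can be run offline against constructed samples. The subnet 10.10.0.0/24 and interface ens3 come from the report; the forwarding rule shape `-A FORWARD -i wg0 -j ACCEPT` and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's health-check script. Each check takes the
# output of the command it inspects as an argument so it can be exercised
# offline against the constructed samples at the bottom. On the server you
# would feed it live output, e.g.:
#   nat_rule_present "$(iptables -t nat -S POSTROUTING)" "$VPN_SUBNET" "$WAN_IF"

VPN_SUBNET=10.10.0.0/24   # VPN subnet from the report
WAN_IF=ens3               # outbound interface from the report's POSTROUTING listing

# Return 0 when `iptables -t nat -S POSTROUTING` output ($1) contains a
# MASQUERADE rule for subnet $2 leaving via interface $3 (matched on the
# whole rule line as iptables prints it).
nat_rule_present() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -s $2 -o $3 -j MASQUERADE$"
}

# Return 0 when `iptables -S FORWARD` output ($1) contains an ACCEPT rule for
# traffic entering on interface $2. The rule shape is an assumption; adapt it
# to the rules actually stored in /etc/iptables/rules.v4.
forward_rule_present() {
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD -i $2 -j ACCEPT$"
}

# Return 0 when the contents of /proc/sys/net/ipv4/ip_forward ($1) is 1.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Return 0 when `systemctl show -p After --value UNIT` output ($1), a
# space-separated unit list, names $2. This only proves the ordering is
# declared; it says nothing about whether rules survived a later reload.
ordered_after() {
    for unit in $1; do
        [ "$unit" = "$2" ] && return 0
    done
    return 1
}

# Run every check and return the number of failures (0 = healthy).
# $1: POSTROUTING listing  $2: FORWARD listing  $3: ip_forward value
# $4: After= list of wg-quick@wg0.service
health_check() {
    failures=0
    echo "=== WireGuard VPN Health Check ==="
    if nat_rule_present "$1" "$VPN_SUBNET" "$WAN_IF"; then
        echo "OK  NAT masquerade rule present"
    else
        echo "BAD NAT masquerade rule missing for $VPN_SUBNET via $WAN_IF"
        failures=$((failures + 1))
    fi
    if forward_rule_present "$2" wg0; then
        echo "OK  forwarding rule present"
    else
        echo "BAD forwarding rule missing for wg0"
        failures=$((failures + 1))
    fi
    if forwarding_enabled "$3"; then
        echo "OK  IPv4 forwarding enabled"
    else
        echo "BAD IPv4 forwarding disabled"
        failures=$((failures + 1))
    fi
    if ordered_after "$4" netfilter-persistent.service; then
        echo "OK  wg-quick@wg0.service is ordered after netfilter-persistent.service"
    else
        echo "BAD no After=netfilter-persistent.service ordering on wg-quick@wg0.service"
        failures=$((failures + 1))
    fi
    echo "=== Health check complete ==="
    return $failures
}

# Constructed sample outputs (not captured from the reporter's machine).
SAMPLE_NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -o ens3 -j MASQUERADE'
SAMPLE_NAT_MISSING='-P POSTROUTING ACCEPT'
SAMPLE_FWD_OK='-P FORWARD DROP
-A FORWARD -i wg0 -j ACCEPT'
SAMPLE_AFTER_OK='network-online.target netfilter-persistent.service sysinit.target'
SAMPLE_AFTER_MISSING='network-online.target sysinit.target'

# Stand-alone demo: a healthy boot, then a state like the one the report describes.
health_check "$SAMPLE_NAT_OK" "$SAMPLE_FWD_OK" 1 "$SAMPLE_AFTER_OK" || echo "failed checks: $?"
health_check "$SAMPLE_NAT_MISSING" "$SAMPLE_FWD_OK" 1 "$SAMPLE_AFTER_MISSING" || echo "failed checks: $?"
```

Unlike the reporter's script, this one only reports and does not reapply rules, so it can be run from a timer or by hand after boot to record which rules were missing without masking the underlying ordering problem. The ordering check reads the declared After= list, which an override drop-in like the one in the report satisfies; it cannot tell whether another rule loader flushed the tables after netfilter-persistent ran, so a passing ordering check together with a failing NAT check points at something reloading rules later in boot.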
