Score:0

Remote mysql server in docker container - access using macvlan and wireguard?


Situation: Several VPS servers around the US connected to my laptop via a wireguard mesh network. For the wireguard mesh network I'm using a tool called innernet (https://github.com/tonarino/innernet).

So basically it's like my laptop and VPS servers are on the same internal network.

VPS ip    = 10.32.89.1
laptop ip = 10.32.90.1

Looks like the VPS and laptop have this virtual interface defined (not sure if this matters):

innernet

The VPS server has a mysql container running (I don't expose port 3306 to the host). How can I connect to that dockerized mysql server from my laptop without mounting the mysql port to the host?

Reasoning:
Why I want it this way?
Because I don't want to make it (mysql server) visible to the entire internet and thus attackers, but at the same time I want easy access to mysql data from my laptop.

Possible solution:
Is that what docker macvlan is for? Do I need to create a network on the VPS that has the innernet interface as a parent or something, and then attach my mysql container to that network?

I've tried this:

docker network create \
-d macvlan \
--attachable \
--subnet=172.40.110.0/24 \
--gateway=172.40.110.1 \
-o parent=innernet \
infranet2

And then I've tried joining mysql container to it:

docker network connect infranet2 mysql-server

But I only get an error:
root@vps:~$ sudo docker network connect infranet2 mysql-server
Error response from daemon: failed to create the macvlan port: invalid argument

Score:2

What you can do is expose your port (3306) only on the internal IP accessible via wireguard, such as the tunnel IP (as opposed to exposing it on all IPs (0.0.0.0/0), as happens by default). Given your tunnel IP is 192.168.0.1, this is how you would do it:

docker run --name mysql-server \
-p 192.168.0.1:3306:3306 \
-e MYSQL_ROOT_PASSWORD=my-secret-pw \
-d mysql

Then you can access your remote mysql server, but the access from the internet wouldn't be possible.

Dannyboy:
Thanks, I thought about that, but I'm not sure how docker is going to behave if the wireguard network suddenly goes down. Will that also bring down the mysql container? I was hoping to find a solution where, if the innernet/wireguard network isn't available, this won't cause the container to go down. And I suspect the above will lock it.
jabbson:
No, the container will not go down along with the interface; the container is still going to be running, it just won't be accessible.
Dannyboy:
Thanks. You are right. Just tested it and it works - mysql is accessible on the innernet mesh network and not on the public IP. No need for esoteric networking types. Wireguard meshes are fantastic.
Dannyboy:
Ah, interesting - actually, if the wireguard network is down the mysql container WILL NOT be able to start. I've tested using a random IP address and I got this error trying to boot the stack up: "Error starting userland proxy: listen tcp 10.32.89.22:3306: bind: cannot assign requested address". Meaning that, I think, if the wireguard network is down the stack won't be able to boot / reboot properly, affecting reliability....
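
A check for the setup discussed in the answer and comments above, as an added example that is not part of the original thread: it confirms the tunnel address is assigned before the stack starts, then confirms port 3306 listens only on that address. The function names `has_addr` and `check_bind`, the sample lines and the /16 prefix are assumptions; it also assumes Docker's userland proxy is in use, as the error message in the last comment indicates.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Helper names are hypothetical; sample data is constructed.

# has_addr IP: reads `ip -o -4 addr show` output on stdin, succeeds if IP is assigned.
# Run it before starting the stack: publishing on an unassigned address fails with
# "bind: cannot assign requested address".
has_addr() {
  awk -v ip="$1" '
    { for (i = 1; i < NF; i++)
        if ($i == "inet") { split($(i + 1), a, "/"); if (a[1] == ip) found = 1 } }
    END { exit !found }'
}

# check_bind PORT IP: reads `ss -H -ltn` output on stdin and prints one line per
# listener on PORT. Returns 0 if every listener is on IP, 1 if any listener is on
# another address (0.0.0.0, [::], *, a public IP), 2 if nothing listens on PORT.
check_bind() {
  awk -v port="$1" -v allowed="$2" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      seen = 1
      if (addr == allowed) print "OK " addr
      else { print "EXPOSED " addr; bad = 1 }
    }
    END { if (bad) exit 1; if (!seen) exit 2 }'
}

# Constructed samples (tunnel address taken from the question; /16 prefix is assumed).
SAMPLE_IP='3: innernet    inet 10.32.89.1/16 scope global innernet\       valid_lft forever preferred_lft forever'
SAMPLE_SS='LISTEN 0 4096 10.32.89.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_IP" | has_addr 10.32.89.1 && echo "tunnel address present"
printf '%s\n' "$SAMPLE_SS" | check_bind 3306 10.32.89.1

# On the VPS: ip -o -4 addr show | has_addr 10.32.89.1
#             ss -H -ltn | check_bind 3306 10.32.89.1
```

Exit status 2 from `check_bind` corresponds to the case in the last comment, where the tunnel address was missing at start time and nothing is listening at all.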