Scenario:
A simple PHP script (myip.php) is hosted on a server with public IP WSIP. The script is available via HTTP and HTTPS.
I have a small server (GW) with public IP GWIP. This server is intended to be used only as a gateway.
Another server (WORKER) has to access the PHP script, but only via GW. WORKER has Docker installed on it.
WireGuard is configured between GW and WORKER, with GW acting as the VPN server.
GW wg0.conf
[Interface]
PrivateKey = <GW-PRI-K>
Address = 10.1.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <WORKER-PUB-K>
AllowedIPs = 10.1.0.2/32,10.1.0.0/24
WORKER wg0.conf
[Interface]
PrivateKey = <WORKER-PRI-K>
Address = 10.1.0.2/24
[Peer]
PublicKey = <GW-PUB-K>
Endpoint = GWIP:51820
AllowedIPs = 10.1.0.1/24,WSIP/32
PersistentKeepalive = 25
From WORKER (host) I can reach the web service. Everything is ok.
curl http://$WSIP/myip.php
xxx.xxx.243.174
curl https://$WSIP/myip.php
xxx.xxx.243.174
But, if I run the same command from a docker container:
curl http://$WSIP/myip.php
xxx.xxx.243.174
curl https://$WSIP/myip.php
NO RESPONSE for https.
Relevant routing table entries of WORKER:
10.1.0.0/24 dev wg0 proto kernel scope link src 10.1.0.2
WSIP dev wg0 scope link
Looks like there's no problem reaching server WS, but something happens with the response.
I'm pretty convinced the solution should be related to masquerading, but after several hours I'm a bit lost.
Any clue?
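An added diagnostic that is not part of the original post. It rests on an assumption the post does not state: the container egresses through docker0 (default MTU 1500) while the host's route to WSIP goes through wg0 (default MTU 1420), so the host's TCP stack clamps its MSS to the tunnel automatically but the container's does not, and the large TLS handshake segments coming back never fit the tunnel, while the small HTTP reply does. The interface names, MTUs and the `ip -o link` sample below are constructed for the example; the remediation commands are the generic MSS clamp and Docker MTU settings, not something taken from the poster's hosts.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` on WORKER. When running this on the
# real host, pass an empty string as the last argument of check_mtu and the
# functions read the live output instead.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/none'

# mtu_of <iface> [links-text]: print the MTU of <iface>, parsed from `ip -o link`
# output given in $2 (or read live from the kernel when $2 is empty).
mtu_of() {
    iface=$1
    links=${2:-$(ip -o link show 2>/dev/null)}
    printf '%s\n' "$links" | awk -v want="$iface:" '
        $2 == want { for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i+1); exit } }'
}

# mss_for_mtu <mtu>: largest TCP MSS that fits an IPv4 (20) + TCP (20) header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# check_mtu <container-side-iface> <tunnel-iface> [links-text]
# Returns 0 (and says what to clamp) when the container side has a larger MTU
# than the tunnel, 1 when the MTUs already agree, 2 when an interface is missing.
check_mtu() {
    c_mtu=$(mtu_of "$1" "$3")
    t_mtu=$(mtu_of "$2" "$3")
    [ -n "$c_mtu" ] && [ -n "$t_mtu" ] || { echo "interface not found" >&2; return 2; }
    if [ "$c_mtu" -gt "$t_mtu" ]; then
        echo "$1 mtu $c_mtu > $2 mtu $t_mtu: clamp MSS to $(mss_for_mtu "$t_mtu") or lower $1 to $t_mtu"
        return 0
    fi
    echo "$1 mtu $c_mtu <= $2 mtu $t_mtu: MTU is not the problem"
    return 1
}

# Remediation 1 (hypothetical, pick one): clamp the MSS of every TCP SYN that
# is forwarded out through the tunnel. Suitable for WORKER, or for the GW
# wg0.conf PostUp line, which already carries iptables rules.
clamp_rule() {
    echo "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Remediation 2: make the Docker bridge match the tunnel MTU. The JSON goes in
# /etc/docker/daemon.json; for a user-defined network the equivalent is
# `docker network create --opt com.docker.network.driver.mtu=<mtu> ...`.
docker_mtu_json() {
    printf '{ "mtu": %s }\n' "$1"
}

# Hand check from inside a container with iputils ping: a DF-flagged ping that
# fills the tunnel payload should work, one byte more should fail with
# "message too long" (1420 - 20 IP - 8 ICMP = 1392):
#   ping -c1 -M do -s 1392 10.1.0.1   # expected to succeed
#   ping -c1 -M do -s 1393 10.1.0.1   # expected to fail on a 1420-byte wg0

check_mtu docker0 wg0 "$SAMPLE_LINKS"
clamp_rule wg0
docker_mtu_json "$(mtu_of wg0 "$SAMPLE_LINKS")"
```

If the MTUs do agree (check_mtu returns 1), the MTU theory is ruled out and the next things to compare are the host's and the container's iptables nat and filter counters while the HTTPS request is in flight.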