Score:0

Routing call to IP-filtered web service from Docker container via WireGuard VPN

Scenario:

A simple PHP script (myip.php) hosted on a server with public IP WSIP. The script is available via http and https.

I have a small server (GW) with public IP GWIP. This server is intended to be used only as a gateway.

Another server (WORKER) has to access the PHP script, but only via GW. WORKER has Docker installed on it.

WireGuard is configured between GW and WORKER, with GW acting as the VPN server.

GW wg0.conf

[Interface]
PrivateKey = <GW-PRI-K>
Address = 10.1.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <WORKER-PUB-K>
AllowedIPs = 10.1.0.2/32,10.1.0.0/24

WORKER wg0.conf

[Interface]
PrivateKey = <WORKER-PRI-K>
Address = 10.1.0.2/24

[Peer]
PublicKey = <GW-PUB-K>
Endpoint = GWIP:51820
AllowedIPs = 10.1.0.1/24,WSIP/32
PersistentKeepalive = 25

From WORKER (host) I can reach the web service. Everything is ok.

curl http://$WSIP/myip.php
xxx.xxx.243.174

curl https://$WSIP/myip.php
xxx.xxx.243.174

But, if I run the same command from a docker container:

curl http://$WSIP/myip.php
xxx.xxx.243.174

curl https://$WSIP/myip.php

NO RESPONSE for https.

Relevant routing table entries of WORKER:

10.1.0.0/24 dev wg0 proto kernel scope link src 10.1.0.2
WSIP dev wg0 scope link 

Looks like there's no problem reaching the server WS, but something happens with the response.

I'm pretty convinced the solution should be related to masquerading, but after several hours I'm a bit lost.

Any clue?

Score:0

Since you get an answer with HTTP, it shouldn't be a routing or NAT fault. Also, you don't get an error with curl, so it might just be an empty answer.

Can you please try to get the HTTP status code with curl -I https://$WSIP/myip.php, and make curl verbose with curl -v https://$WSIP/myip.php?

You can also check the PHP logs.
