Score:0

Port forwarding with iptables for Nextcloud (fpm+nginx) through Wireguard

de flag

I am trying to reach my Nextcloud (fpm behind nginx) instance through a wireguard VPN, both running in a docker container.

My docker-compose.yml looks like:

version: "3.9"
services:
  nextcloud:
    image: nextcloud
    container_name: nextcloud
    restart: always
    environment:
      POSTGRES_DB: nextcloud
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: xxxxxxxxx
      POSTGRES_HOST: postgres
      NEXTCLOUD_DATA_DIR: /data
    volumes:
      - /mnt/data/nextcloud:/var/www/html
      - /mnt/data/files:/data
    depends_on:
      - postgres
  web:
    image: nginx:latest
    container_name: web
    restart: always
    volumes:
      - /mnt/data/nextcloud:/var/www/html:ro
      - /srv/nextcloud/nginx.conf:/etc/nginx/nginx.conf
    expose:
      - "80"
    ports: 
      - "80:80"
    depends_on:
      - nextcloud
  wireguard:
    image: docker.myownregistry.xy/wireguard:latest
    container_name: wireguard
    restart: "unless-stopped"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - PORT_FORWARDS=web:80
    volumes: 
      - /srv/wireguard/wg0.conf:/config/wg0.conf
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
    depends_on:
      - web

The iptables look like:

# docker exec -it wireguard iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:DOCKER_WEB_IP

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   424 DOCKER_OUTPUT  all  --  *      *       0.0.0.0/0            127.0.0.11          

Chain POSTROUTING (policy ACCEPT 2 packets, 160 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   424 DOCKER_POSTROUTING  all  --  *      *       0.0.0.0/0            127.0.0.11          
    0     0 SNAT       tcp  --  *      eth0    0.0.0.0/0            DOCKER_WEB_IP           tcp dpt:80 to:DOCKER_WIREGUARD_IP

Chain DOCKER_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.11           tcp dpt:53 to:127.0.0.11:41071
    6   424 DNAT       udp  --  *      *       0.0.0.0/0            127.0.0.11           udp dpt:53 to:127.0.0.11:39020

Chain DOCKER_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       tcp  --  *      *       127.0.0.11           0.0.0.0/0            tcp spt:41071 to::53
    0     0 SNAT       udp  --  *      *       127.0.0.11           0.0.0.0/0            udp spt:39020 to::53



# docker exec -it wireguard iptables -L -n -v

Chain INPUT (policy ACCEPT 4 packets, 381 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  wg0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 ctstate NEW
    0     0 ACCEPT     all  --  eth0   wg0     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wg0    eth0    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 7 packets, 561 bytes)
 pkts bytes target     prot opt in     out     source               destination    

First of all I can ping the wireguard peer from the VPN and get responses. When I send a HTTP request to the peer IP the request appears in nginx' log and the http client get's stuck waiting for a response.

A TCP dump shows that the HTTP GET request get's actually forwarded, but the server response doesn't (it retries several times):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
13:10:05.319590 IP WG_CLIENT_IP.39952 > WG_PEER_IP.80: Flags [S], seq 2013357617, win 64860, options [mss 1380,sackOK,TS val 625358504 ecr 0,nop,wscale 7], length 0
13:10:05.319809 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [S.], seq 2024405621, ack 2013357618, win 28960, options [mss 1460,sackOK,TS val 4067727362 ecr 625358504,nop,wscale 7], length 0
13:10:05.337819 IP WG_CLIENT_IP.39952 > WG_PEER_IP.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 625358524 ecr 4067727362], length 0
13:10:05.337939 IP WG_CLIENT_IP.39952 > WG_PEER_IP.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 625358525 ecr 4067727362], length 74: HTTP: GET / HTTP/1.1
13:10:05.338016 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], ack 75, win 227, options [nop,nop,TS val 4067727380 ecr 625358525], length 0
13:10:05.601611 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [P.], seq 1:1413, ack 75, win 227, options [nop,nop,TS val 4067727644 ecr 625358525], length 1412: HTTP: HTTP/1.1 302 Found
13:10:05.621031 IP WG_CLIENT_IP.39952 > WG_PEER_IP.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 625358808 ecr 4067727380,nop,nop,sack 1 {1369:1413}], length 0
13:10:05.655547 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067727697 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:05.885450 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067727928 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:06.335429 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067728378 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:07.245449 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067729288 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:09.086287 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067731129 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:12.685537 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067734731 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:20.365456 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067742416 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
13:10:35.086342 IP WG_PEER_IP.80 > WG_CLIENT_IP.39952: Flags [.], seq 1:1369, ack 75, win 227, options [nop,nop,TS val 4067757152 ecr 625358808], length 1368: HTTP: HTTP/1.1 302 Found
...

The weird thing is when I run a simple http echo server (e.g.: ealen/echo-server which uses nodejs express) instead I can reach it through the VPN without any complications.

It also didn't work when I was using the nextcloud container with a bundled apache server.

EDIT:

Here is the configuration of my host iptables

# iptables -L -n -v
Chain INPUT (policy ACCEPT 423K packets, 53M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
5142K   18G DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5142K   18G DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
3473K 5987M ACCEPT     all  --  *      br-50f634c9c605  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3955  238K DOCKER     all  --  *      br-50f634c9c605  0.0.0.0/0            0.0.0.0/0           
1665K   12G ACCEPT     all  --  br-50f634c9c605 !br-50f634c9c605  0.0.0.0/0            0.0.0.0/0           
 3891  234K ACCEPT     all  --  br-50f634c9c605 br-50f634c9c605  0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 153K packets, 97M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   12   824 ACCEPT     tcp  --  !br-50f634c9c605 br-50f634c9c605  0.0.0.0/0            172.18.0.3           tcp dpt:2049
   19  1140 ACCEPT     tcp  --  !br-50f634c9c605 br-50f634c9c605  0.0.0.0/0            172.18.0.5           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
1665K   12G DOCKER-ISOLATION-STAGE-2  all  --  br-50f634c9c605 !br-50f634c9c605  0.0.0.0/0            0.0.0.0/0           
5142K   18G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-50f634c9c605  0.0.0.0/0            0.0.0.0/0           
1665K   12G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
5142K   18G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 67238 packets, 8661K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   74  4480 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 66720 packets, 8628K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4761 packets, 360K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 5305 packets, 393K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    2   352 MASQUERADE  all  --  *      !br-50f634c9c605  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.3           172.18.0.3           tcp dpt:2049
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.5           172.18.0.5           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-50f634c9c605 *       0.0.0.0/0            0.0.0.0/0           
   12   824 DNAT       tcp  --  !br-50f634c9c605 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049 to:172.18.0.3:2049
   19  1140 DNAT       tcp  --  !br-50f634c9c605 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.0.5:80
Kayson avatar
es flag
It's suspicious that your dnat and snat rules haven't been hit at all. What does iptables look like on the host?
hhornbacher avatar
de flag
@Kayson I've added iptables of my host
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.