I'm trying to familiarize myself with WireGuard. As a test case, I started an Ubuntu 22.04 Docker container within an Ubuntu 22.04 host. The host and container are connected to each other over 172.18.0.0/16.

After starting WireGuard on each with wg-quick up wg0 and letting the peers perform the handshake, the host has

[Interface]
Address = 172.100.0.1/16
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
ListenPort = 51820
PrivateKey = ...

[Peer]
PublicKey = ...
AllowedIPs = 172.100.0.2/32
Endpoint = 172.18.0.2:46883

in /etc/wireguard/wg0.conf and the container has

[Interface]
PrivateKey = ...
Address = 172.10.0.2/16
SaveConfig = true

[Peer]
PublicKey = ...
Endpoint = 172.18.0.1:51820
AllowedIPs = 0.0.0.0/0

I then load up Wireshark on the host and start listening on eno1 with a BPF of ip host <apt mirror IP>.

Running apt -y update on the container, I see the SYN packets going out to the apt mirror and SYN-ACK packets in response. However, there are no ACK packets coming back from the container. As a sanity check, I start listening on wg0 in Wireshark and I see the SYN packets going through but no SYN-ACK packets.

Did I set up my iptables rules incorrectly? I would have thought that adding a rule to the NAT table would take care of the reverse direction.
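One check worth running on any pair of WireGuard configs, added here as an example rather than anything from the question: WireGuard applies cryptokey routing, so a decrypted packet whose inner source address is not inside the sending peer's AllowedIPs is dropped silently, with nothing logged and nothing visible on wg0. The two configs below are constructed from the ones in the question with keys elided; the check flags that the container's Address (172.10.0.2/16) is not covered by the host's AllowedIPs (172.100.0.2/32) as posted.

```python
import ipaddress

# Constructed from the question's two configs (keys elided); note the
# container Address 172.10.0.2 versus the host's AllowedIPs 172.100.0.2/32.
HOST_CONF = """
[Interface]
Address = 172.100.0.1/16
[Peer]
AllowedIPs = 172.100.0.2/32
Endpoint = 172.18.0.2:46883
"""
CONTAINER_CONF = """
[Interface]
Address = 172.10.0.2/16
[Peer]
Endpoint = 172.18.0.1:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Return (interface, [peers]); a minimal parser because [Peer] may repeat."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def routing_problems(local_conf, remote_conf):
    """Remote Address values that no local peer's AllowedIPs covers: WireGuard drops
    a decrypted packet whose inner source lies outside the sending peer's AllowedIPs,
    so each entry returned means that peer's traffic is silently discarded at wg0."""
    _, peers = parse_wg_conf(local_conf)
    remote_iface, _ = parse_wg_conf(remote_conf)
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for p in peers for n in p.get("AllowedIPs", "").split(",") if n.strip()]
    problems = []
    for addr in remote_iface.get("Address", "").split(","):
        host = ipaddress.ip_interface(addr.strip()).ip
        if not any(host in net for net in allowed):
            problems.append(f"{host} not covered by AllowedIPs {[str(n) for n in allowed]}")
    return problems
```

Run the check in both directions: the container accepts anything from the host (AllowedIPs = 0.0.0.0/0), but the host side reports the container address as uncovered, which is exactly the kind of mismatch that shows up as packets leaving one wg0 and never appearing on the other.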