I'm trying to set up a VPN server with wireguard.
I have the following setup in docker compose:
version: "3.1"
services:
wireguard:
image: linuxserver/wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- SERVERURL=someoffice.com
- SERVERPORT=51820
- PEERS=6
- PEERDNS=10.0.10.1
- INTERNAL_SUBNET=10.13.13.0
volumes:
- /home/fredrik/Servers/wireguard:/config
- /lib/modules:/lib/modules
#ports:
# - 51800:51820/udp # our router does this part, since we're using macvlan
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv4.ip_forward=1
restart: unless-stopped
networks:
wireguard_vlan:
ipv4_address: 10.0.10.16
networks:
wireguard_vlan:
external: true
The wireguard_vlan was created as follows:
docker network create -d macvlan --subnet 10.0.10.0/24 --gateway 10.0.10.1 --ip-range 10.0.10.15/32 -o parent=eth0 wireguard_vlan
I was basically trying to give the wireguard access to the network after being inspired by this video: Docker Networking Tutorial // ALL Network Types explained!
This is the peer config:
$ cat ~/Desktop/peer1.conf
[Interface]
Address = 10.13.13.2
PrivateKey = <key>
ListenPort = 51820
DNS = 10.0.10.1
[Peer]
PublicKey = <key>
PresharedKey = <key>
Endpoint = someoffice.com:51800
AllowedIPs = 0.0.0.0/0, ::/0
It seems to be working, because I can ping the wireguard server at 10.0.10.16 from our local network. I can also ping other machines on the local network from the wireguard container. I can not, however, ping 10.0.10.16 from the docker host (not important though).
When I connect with the wireguard client ui on windows, I can ping servers on the internet, but if I try to ping anything on the 10.0.10.0/24 network, I get the following:
$ ping 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
General failure.
General failure.
General failure.
Ping statistics for 10.0.10.1:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Here's the wg0.conf
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
[Peer]
# peer1
PublicKey = <key>
PresharedKey = <key>
AllowedIPs = 10.13.13.2/32
In the container I can see the following interfaces:
root@16328831e502:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.13.13.1/32 scope global wg0
valid_lft forever preferred_lft forever
98: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:22:01:01:0a:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.10.16/24 brd 10.0.10.255 scope global eth0
valid_lft forever preferred_lft forever
The eth+ in PostUp is suspicious to me, since the interface is called eth0@if2, but I tried to spell out eth0@if2 in the wg0.conf, and it didn't seem to matter.
I think it's the PostUp and/or PostDown that is supposed to do something that will allow VPN clients access, but I don't really understand that line.
So, all in all, I can't seem to find a way to give outside access to 10.0.10.0/24.
Any help and/or pointers will be highly appreciated :-)
