I am quite desperate. I am trying to get my site-to-site VPN setup working, but no luck so far. Please don't judge me, I am quite new to routing problems.
I have a VPS with a public IP 123.456.789 and on there a docker stack running with the linuxserver swag container and some other containers. Because I don't have an IPv4 address at my home network, just a DS-Lite connection from my ISP, I want to connect to the server via a WireGuard VPN to have all my services available behind the swag container.
Additionally, it would be beneficial if I could, down the line, add some more clients who can all access my home network.
I am using the linuxserver wireguard container both as server and as client, with these compose files:
Server side
version: "3"
services:
  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    networks:
      swag-network:
        ipv4_address: 172.19.0.10
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./config:/config
    ports:
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Amsterdam
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This makes it possible to show active clients on the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=${wgui_username}
      - WGUI_PASSWORD=${wgui_password}
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
    restart: unless-stopped
networks:
  swag-network:
    external: true
and the wg0.conf
# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui)
# Please don't modify it manually, otherwise your change might get replaced.
# Address updated at: 2023-07-09 07:59:28.178966655 +0000 UTC
# Private Key updated at: 2023-07-09 07:44:46.69833353 +0000 UTC
[Interface]
Address = 10.21.2.0/24
ListenPort = 51820
PrivateKey = *secret*
DNS = 1.1.1.1
MTU = 1450
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Table = auto
[Peer]
PublicKey = *secret*
PresharedKey = *secret*
AllowedIPs = 10.21.2.0/24,10.21.0.0/23
and on the client side
version: "3"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Amsterdam
    volumes:
      - ./config:/config
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped
networks:
  default:
    ipam:
      config:
        - subnet: 172.18.7.0/24
          gateway: 172.18.7.1
with the wg0.conf
[Interface]
Address = 10.21.2.1/32
PrivateKey = *secret*
DNS = 1.1.1.1
MTU = 1450
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = *secret*
PresharedKey = *secret*
AllowedIPs = 10.21.2.0/32,172.19.0.0/16
Endpoint = 123.456.789:51820
PersistentKeepalive = 25
With this configuration, on the server side I added
ip route add 10.21.0.0/23 via 172.19.0.10
and the same on the client side. I added a static route inside my router at home and a similar route on my client machine to the VPN.
I can ping my local network both from inside the swag container and from the server host; for example, ping 10.21.0.10 and docker exec swag ping 10.21.0.10 both work. But when I now try to reverse proxy to a service, I get a timeout. I also tried the commands
docker exec swag nc -vz 10.21.0.10 8443
Connection to 10.21.0.10 8443 port [tcp/*] succeeded!
but from the host I get
nc -vz 10.21.0.10 8443
10.21.0.10: inverse host lookup failed: Unknown host
(UNKNOWN) [10.21.0.10] 8443 (?) open
As you can see in the config files, I tried a little bit with iptables configurations but no luck. I think it's some kind of routing problem.
So in summary:
| | Home Network | Server Network |
|---|---|---|
| Public IP | N/A | 123.456.789 |
| Private Subnet | 10.21.0.0/23 | N/A |
| Private IP | 10.21.0.10 | N/A |
| Docker Subnet | 172.18.7.0/24 | 172.19.0.0/24 |
| Docker IP | 172.18.7.10 | 172.19.0.10 |
| VPN IP | 10.21.2.1 | 10.21.0.0 |
With the configuration above, pinging every client inside both networks from both networks works, but TCP services like SSH, HTTP and HTTPS are not working.
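As an added example (not part of the question above, and not code from linuxserver or wireguard-ui), here is a small Python linter for the PreUp/PostUp/PreDown/PostDown hooks of a wg-quick [Interface] section. wg-quick matches key names case-insensitively, so a key like PostUP is accepted silently; the linter still flags it. It then pairs every iptables rule appended on the way up with the matching delete on the way down, and reports a hook that runs iptables -D on up (which removes a rule the previous PostUp just added) or iptables -A on down. The sample input is constructed from the hook lines of the server wg0.conf posted above, with the key placeholders kept as posted. Assumptions: rules are compared literally, so "-i %i" on up does not match "-i wg0" on down, and "-I CHAIN rulenum" with an explicit rule number is not handled.

```python
"""Lint the iptables hooks of a wg-quick [Interface] section (added example).

Checks that every rule added in PreUp/PostUp is deleted in PreDown/PostDown
and vice versa, and that no 'up' hook deletes or 'down' hook adds a rule.
Assumption: rules are matched literally ('%i' is not expanded) and '-I' is
used without an explicit rule number.
"""
import shlex

_CANON = {"preup": "PreUp", "postup": "PostUp", "predown": "PreDown", "postdown": "PostDown"}
_ACTIONS = {"-A": "add", "-I": "add", "-D": "del"}


def parse_interface(conf: str) -> dict:
    """Return {'hooks': {lowercase key: [command, ...]}, 'warnings': [...]}."""
    hooks = {k: [] for k in _CANON}
    warnings = []
    in_interface = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # wg-quick strips '#' comments
        if not line:
            continue
        if line.startswith("["):
            in_interface = line.lower() == "[interface]"
            continue
        if not in_interface or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        lkey = key.lower()                       # wg-quick matches keys case-insensitively
        if lkey in _CANON:
            if key != _CANON[lkey]:
                warnings.append(f"key '{key}' works but should be spelled '{_CANON[lkey]}'")
            hooks[lkey].append(value)
    return {"hooks": hooks, "warnings": warnings}


def iptables_rule(cmd: str):
    """Split 'iptables [-t TABLE] -A|-I|-D CHAIN SPEC...' into
    (program, table, action, chain, spec), or None if it is not an iptables call."""
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ("iptables", "ip6tables"):
        return None
    table, action, chain, spec, i = "filter", None, None, [], 1
    while i < len(argv):
        if argv[i] == "-t" and i + 1 < len(argv):
            table, i = argv[i + 1], i + 2
        elif argv[i] in _ACTIONS and action is None and i + 1 < len(argv):
            action, chain, i = _ACTIONS[argv[i]], argv[i + 1], i + 2
        else:
            spec.append(argv[i])
            i += 1
    if action is None:
        return None
    return (argv[0], table, action, chain, " ".join(spec))


def lint_hooks(conf: str) -> list:
    """Return human-readable findings; an empty list means the hooks are symmetric."""
    parsed = parse_interface(conf)
    findings = list(parsed["warnings"])
    added, deleted = {}, {}
    for hook, expect, store in (("preup", "add", added), ("postup", "add", added),
                                ("predown", "del", deleted), ("postdown", "del", deleted)):
        for cmd in parsed["hooks"][hook]:
            rule = iptables_rule(cmd)
            if rule is None:
                continue
            prog, table, action, chain, spec = rule
            if action != expect:
                direction = "up" if expect == "add" else "down"
                verb = "deletes" if action == "del" else "adds"
                findings.append(f"{_CANON[hook]} {verb} a rule on interface {direction}: {cmd}")
            else:
                store[(prog, table, chain, spec)] = cmd
    for key, cmd in added.items():
        if key not in deleted:
            findings.append(f"added on up but never removed on down: {cmd}")
    for key, cmd in deleted.items():
        if key not in added:
            findings.append(f"removed on down but never added on up: {cmd}")
    return findings


# Constructed input: the hook lines of the server wg0.conf from the question.
SERVER_CONF_AS_POSTED = """\
[Interface]
Address = 10.21.2.0/24
PrivateKey = *secret*
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUP = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
PostUp = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = *secret*
AllowedIPs = 10.21.2.0/24,10.21.0.0/23
"""

# Same file with the two typos corrected: 'PostUP' -> 'PostUp' and the last
# MASQUERADE hook changed from PostUp to PostDown.
SERVER_CONF_FIXED = SERVER_CONF_AS_POSTED.replace("PostUP =", "PostUp =").replace(
    "PostUp = iptables -t nat -D", "PostDown = iptables -t nat -D")
```

Running lint_hooks on the config as posted yields three findings (the PostUP spelling, a PostUp that deletes the MASQUERADE rule on interface up, and a MASQUERADE rule that is therefore never removed on down); on the corrected config it yields none. The same check can be pointed at the client wg0.conf, which has the same PostUP spelling but a correctly paired MASQUERADE rule.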