I have the following setup: A Cloud-Server connects itself as a VPN (WireGuard) Client to my WireGuard Server at home. This works without issues; local access (with the WireGuard tunnel) is possible. Now I want to run some Docker containers on the Cloud-Server. This is also not really a problem. But if I start a web server (nginx or traefik; tried both) and want to curl it on the Cloud-Server (Host) with the IP the Server gets from the WireGuard connection, I get a timeout. A curl to localhost or 127.0.0.1 works. If I curl the local / WireGuard IP of the Cloud-Server from my own PC at home, it works too.
I found out that if I set the network_mode of the container to host, the connection also works. But this is not really practical, as I want to make use of Docker's networks and internal name resolution.
WireGuard runs natively on the host and is not connected to a Docker network. All the traffic should be transmitted through the WireGuard tunnel (ssh to the host and all connections to the Docker containers).
Yes, this is done with a reverse proxy (traefik) with ports 80:80 and 443:443. The problem is that if the Cloud-Server makes curl 192.168.10.5:80 (IP of WireGuard; curl on the traefik container), it gets a timeout.
The wg-easy container you mentioned is a WireGuard Server, but my problem is on the WireGuard Client, specifically with Docker's networks.