I have a wireguard container on a docker network, the docker network subnet is 10.18.0.0/16. The container ip is 10.18.0.2 and is receiving data on eth0, which I can see with tcpdump from within the container. I need to forward all data to the wg0 interface at 10.10.10.1 and from wg0 to eth0 (so bidirectional). I have tried the following:
docker exec --privileged wireguard sh -c "
sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
ip route add 10.10.10.0/24 dev wg0
"
And what is automatically generated for the server wg0 config:
[Interface]
Address = 10.10.10.1
ListenPort = 51820
PrivateKey =
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
[Peer]
# peer1
PublicKey = 8qoHrFiwP3ZLKSoaSid8aSCd3UdzNK1rtG83bf1GG08=
PresharedKey = w2EcjRTa/xlNoEtKQGUWHJy+yOR4kSUTRIjaAzQImv0=
AllowedIPs = 10.10.10.2/32
and wg show:
root@65ba9c130b82:/# wg show
interface: wg0
public key: NGUwwvrxBkW6afwyiztMieUHOlBi/dIDxHEx8zHIP1M=
private key: (hidden)
listening port: 51820
peer: 8qoHrFiwP3ZLKSoaSid8aSCd3UdzNK1rtG83bf1GG08=
preshared key: (hidden)
endpoint: 10.254.254.75:63164
allowed ips: 10.10.10.2/32
latest handshake: 55 seconds ago
transfer: 936 B received, 600 B sent
My container:
# Launch WireGuard container
if ! docker run -d --name wireguard \
  --privileged \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  --sysctl net.ipv4.ip_forward=1 \
  -e PUID=$(id -u) \
  -e PGID=$(id -g) \
  -e TZ=Etc/UTC \
  -e SERVERURL=auto \
  -e SERVERPORT=51820 \
  -e PEERS=$NUM_PEERS \
  -e INTERNAL_SUBNET=10.10.10.0/24 \
  -e ALLOWEDIPS=10.10.10.0/24 \
  -e PEERDNS=auto \
  -v "$WIREGUARD_CONFIG_DIR:/config" \
  -p 51820:51820/udp \
  --restart unless-stopped \
  --network $NETWORK_NAME \
  lscr.io/linuxserver/wireguard:latest; then
  echo -e "${RED}Error: Failed to start WireGuard container.${RESET}"
  exit 1
fi
I have tried many different things but nothing seems to work. No data is ever forwarded to wg0 or from wg0 to eth0. The wg0 interface is up and is communicating with the client, I can ping both ways over the wireguard link.
Any help is appreciated!
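An added audit script, not part of the original post, that checks a saved rule listing for the pieces bidirectional eth0 <-> wg0 forwarding depends on: ip_forward enabled, an unconditional FORWARD ACCEPT for each direction (either the exact interface pair or a single-interface rule like the ones wg-quick's PostUp adds), and MASQUERADE on each egress interface. It reads the combined output of `iptables -S` and `iptables -t nat -S` from stdin; the sample listing embedded below is constructed from the rules in the post, and the helper names are my own.

```shell
# Added example (not from the original post): audit a text snapshot of
# `iptables -S` + `iptables -t nat -S` and the ip_forward sysctl value for the
# pieces bidirectional forwarding between two interfaces depends on.
# Usage: check_forwarding IN_IF OUT_IF IP_FORWARD_VALUE < rules.txt
# Exact-line match against the rule listing held in $rules.
has_rule() { printf '%s\n' "$rules" | grep -qxF -- "$1"; }
check_forwarding() {
  in_if=$1; out_if=$2; ip_forward=$3
  rules=$(cat)
  missing=0
  if [ "$ip_forward" != "1" ]; then
    echo "MISSING: net.ipv4.ip_forward=1 (kernel will not route between interfaces)"
    missing=1
  fi
  for pair in "$in_if $out_if" "$out_if $in_if"; do
    set -- $pair
    # Each direction needs an unconditional FORWARD ACCEPT: the exact interface
    # pair, or a single-interface rule like the ones wg-quick's PostUp adds.
    if ! has_rule "-A FORWARD -i $1 -o $2 -j ACCEPT" &&
       ! has_rule "-A FORWARD -i $1 -j ACCEPT" &&
       ! has_rule "-A FORWARD -o $2 -j ACCEPT"; then
      echo "MISSING: FORWARD ACCEPT for $1 -> $2"
      missing=1
    fi
    # MASQUERADE on the egress side so replies come back without the far end
    # needing a route (or AllowedIPs entry) for the source subnet. The wildcard
    # form is accepted too, e.g. "eth+" covers eth0.
    if ! has_rule "-A POSTROUTING -o $2 -j MASQUERADE" &&
       ! has_rule "-A POSTROUTING -o ${2%%[0-9]*}+ -j MASQUERADE"; then
      echo "MISSING: POSTROUTING MASQUERADE for traffic leaving $2"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample: the rules from the post as `iptables -S` would list them.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i eth0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -o wg0 -j MASQUERADE
-A POSTROUTING -o eth+ -j MASQUERADE'

if printf '%s\n' "$SAMPLE_RULES" | check_forwarding eth0 wg0 1; then
  echo "all forwarding prerequisites present for eth0 <-> wg0"
fi
```

Inside the container the real inputs are `{ iptables -S; iptables -t nat -S; } | check_forwarding eth0 wg0 "$(sysctl -n net.ipv4.ip_forward)"`; a clean result means the firewall side is complete and the search moves to routing and the peers' AllowedIPs.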