WireGuard routing and Docker Overlay Network

I’ve created an attachable overlay network between three servers so I can control the addressing of various containers. Note that this is NOT in Swarm mode.

I have a container running WireGuard which I use to attach to my network when away from home. I’m trying to get the network and the WireGuard implementation to play nice with WireGuard with no significant success.

I created the gwbridge network, the ingress network, and the overlay network.

The subnet for docker_gwbridge:

$ docker network inspect docker_gwbridge | grep Subnet | awk '{print $2}' | sed 's/[",]//g'
172.28.0.0/24

The subnet for the ingress network:

$ docker network inspect id-ingress | grep Subnet | awk '{print $2}' | sed 's/[",]//g'
172.28.1.0/24

The subnet for the overlay network:

$ docker network inspect id-overlay | grep Subnet | awk '{print $2}' | sed 's/[",]//g'
172.28.2.0/24

The IP routing for the edge server host that runs the WireGuard docker container:

$ ip route show
default via 192.168.1.1 dev eth0 src 192.168.1.91 metric 202
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.28.0.0/24 dev docker_gwbridge proto kernel scope link src 172.28.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.91 metric 202

The IP routing for the WireGuard docker container:

$ docker exec -it wg-easy bash
# ip route show
default via 172.28.0.1 dev eth1
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
172.28.0.0/24 dev eth1 proto kernel scope link src 172.28.0.5
172.28.2.0/24 dev eth0 proto kernel scope link src 172.28.2.36

The WireGuard docker container IP Address (a static assigned IP address on the id-overlay network):

# hostname -i
172.28.2.36

The WireGuard address (the ‘server ip address’):

# grep Address /etc/wireguard/wg0.conf | awk '{print $3}' | cut -d/ -f1
10.8.0.1

The addresses for the WireGuard docker container:

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.8.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
350: eth0@if351: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 02:42:ac:1c:02:24 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.28.2.36/24 brd 172.28.2.255 scope global eth0
       valid_lft forever preferred_lft forever
352: eth1@if353: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:1c:00:05 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 172.28.0.5/24 brd 172.28.0.255 scope global eth1
       valid_lft forever preferred_lft forever

The list of NAT routing rules for the WireGuard container:

# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 118 packets, 37731 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 107 packets, 34385 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    10.8.0.0/24          anywhere

In summary:

  • 172.28.0.0/24 - docker_gwbridge
  • 172.28.0.1/24 - id-ingress
  • 172.28.0.2/24 - id-overlay
  • wireguard container uses 172.28.0.0/24 on eth1 with address 172.28.0.5
  • wireguard container uses 172.28.2.0/24 on eth0 with address 172.28.2.36
  • The current PreUp commands set up a route from 10.8.0.0/24 to eth0

I think I need to change my PostUp commands, which are currently this:

PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;

In order to provide routing to all possible IP addresses, which are:

10.8.0.0/24
172.17.0.1/16
172.28.0.0/16
192.168.1.0/24

Or I might need to add POSTROUTING entries to MASQUERADE forwards to docker_gwbridge, id-ingress, and id-overlay.

Has anyone encountered this before with overlay networking and routing tables?

Additional information for each of the four servers in this overlay network.

Commands Used

Show docker container network usage

$ docker container inspect --format="{{range .NetworkSettings.Networks}}{{.IPAddress}},{{end}}{{range .HostConfig.Dns}}{{.}},{{end}}{{.HostConfig.NetworkMode}},{{.Name}},{{.Config.Hostname}}" $(docker ps --all --quiet) | sort --numeric-sort --field-separator=. --key=3,3 --key 4,4 | column --table --separator ',' --table-columns "CONTAINER ADDRESS,DNS ADDRESS,NETWORK,CONTAINER,HOSTNAME" --table-truncate 1

Show ip routing

$ ip route show

id-edge1

docker container network usage

CONTAINER ADDRESS  DNS ADDRESS  NETWORK     CONTAINER     HOSTNAME
172.28.2.11        192.168.1.1  id-overlay  /duckdns      duckdns.id-edge1
172.28.2.21        127.0.0.1    id-overlay  /pihole       pihole.id-edge1
172.28.2.36        172.28.2.21  id-overlay  /wg-easy      wg-easy.id-edge1
172.28.2.41        192.168.1.1  id-overlay  /npm_app      npm_app.id-edge1
172.28.2.46        192.168.1.1  id-overlay  /npm_db       npm_db.id-edge1
172.28.2.51        192.168.1.1  id-overlay  /uptime-kuma  uptime-kuma.id-edge1
172.28.2.221       192.168.1.1  id-overlay  /promtail     promtail.id-edge1
172.28.2.231       192.168.1.1  id-overlay  /netdata      netdata.id-edge1
172.28.2.241       192.168.1.1  id-overlay  /diun         diun.id-edge1

ip routes

default via 192.168.1.1 dev eth0 src 192.168.1.91 metric 202
169.254.0.0/16 dev veth011fe7b scope link src 169.254.236.177 metric 283
169.254.0.0/16 dev vethd92134f scope link src 169.254.191.167 metric 545
169.254.0.0/16 dev veth6e2ca18 scope link src 169.254.226.98 metric 549
169.254.0.0/16 dev vethdc648ef scope link src 169.254.169.135 metric 553
169.254.0.0/16 dev veth496022c scope link src 169.254.153.204 metric 559
169.254.0.0/16 dev vethaf3b757 scope link src 169.254.40.141 metric 561
169.254.0.0/16 dev vetha99b68b scope link src 169.254.97.95 metric 565
169.254.0.0/16 dev vethac4a85d scope link src 169.254.168.34 metric 569
169.254.0.0/16 dev veth382462c scope link src 169.254.152.170 metric 577
169.254.0.0/16 dev veth09b4071 scope link src 169.254.24.33 metric 873
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.28.0.0/24 dev docker_gwbridge proto kernel scope link src 172.28.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.91 metric 202

id-edge2

docker container network usage

CONTAINER ADDRESS  DNS ADDRESS  NETWORK     CONTAINER     HOSTNAME
172.28.2.13        192.168.1.1  id-overlay  /duckdns      duckdns.id-edge2
172.28.2.23        127.0.0.1    id-overlay  /pihole       pihole.id-edge2
172.28.2.38        172.28.2.23  id-overlay  /wg-easy      wg-easy.id-edge2
172.28.2.43        192.168.1.1  id-overlay  /npm_app      npm_app.id-edge2
172.28.2.48        192.168.1.1  id-overlay  /npm_db       npm_db.id-edge2
172.28.2.53        192.168.1.1  id-overlay  /uptime-kuma  uptime-kuma.id-edge2
172.28.2.223       192.168.1.1  id-overlay  /promtail     promtail.id-edge2
172.28.2.233       192.168.1.1  id-overlay  /netdata      netdata.id-edge2
172.28.2.243       192.168.1.1  id-overlay  /diun         diun.id-edge2

ip routes

default via 192.168.1.1 dev eth0 src 192.168.1.92 metric 202
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.28.0.0/24 dev docker_gwbridge proto kernel scope link src 172.28.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.92 metric 202

id-services

docker container network usage

CONTAINER ADDRESS   DNS ADDRESS    NETWORK               CONTAINER             HOSTNAME
container:dea75a5d  /transmission  nordlynx.id-services
172.22.0.2          192.168.1.1    nordlynx_net          /nordlynx             nordlynx.id-services
172.28.2.131        192.168.1.1    id-overlay            /prowlarr             prowlarr.id-services
172.28.2.133        192.168.1.1    id-overlay            /overseerr            overseerr.id-services
172.28.2.135        192.168.1.1    id-overlay            /tautulli             tautulli.id-services
172.28.2.141        192.168.1.1    id-overlay            /lidarr               lidarr.id-services
172.28.2.143        192.168.1.1    id-overlay            /radarr               radarr.id-services
172.28.2.145        192.168.1.1    id-overlay            /readarr              readarr.id-services
172.28.2.147        192.168.1.1    id-overlay            /sonarr               sonarr.id-services
172.28.2.151        192.168.1.1    id-overlay            /homer                homer.id-services
172.28.2.156        192.168.1.1    id-overlay            /static-web-server    static-web-server.id-services
172.28.2.161        192.168.1.1    id-overlay            /homeassistant        homeassistant.id-services
172.28.2.163        192.168.1.1    id-overlay            /mqtt                 mqtt.id-services
172.28.2.165        192.168.1.1    id-overlay            /node-red             node-red.id-services
172.28.2.167        192.168.1.1    id-overlay            /zwave-js-ui          zwave-js-ui.id-services
172.28.2.169        192.168.1.1    id-overlay            /influxdb             influxdb.id-services
172.28.2.171        192.168.1.1    id-overlay            /prometheus           prometheus.id-services
172.28.2.173        192.168.1.1    id-overlay            /loki                 loki.id-services
172.28.2.175        192.168.1.1    id-overlay            /grafana              grafana.id-services
172.28.2.177        192.168.1.1    id-overlay            /smartthings-metrics  smartthings-metrics.id-services
172.28.2.179        192.168.1.1    id-overlay            /alertmanager         alertmanager.id-services
172.28.2.181        192.168.1.1    id-overlay            /teslamate            teslamate.id-edge1
172.28.2.183        192.168.1.1    id-overlay            /teslamate_database   teslamate_database.id-edge1
172.28.2.185        192.168.1.1    id-overlay            /teslamate_grafana    teslamate_grafana.id-edge1
172.28.2.191        192.168.1.1    id-overlay            /nextcloud            nextcloud.id-services
172.28.2.193        192.168.1.1    id-overlay            /nextcloud_mysql      nextcloud_mysql.id-services
172.28.2.196        192.168.1.1    id-overlay            /grocy                grocy.id-services
172.28.2.225        192.168.1.1    id-overlay            /promtail             promtail.id-services
172.28.2.235        192.168.1.1    id-overlay            /netdata              netdata.id-services
172.28.2.245        192.168.1.1    id-overlay            /diun                 diun.id-services

ip routes

default via 192.168.1.1 dev eno1 proto static
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.22.0.0/16 dev br-e3d422095d8d proto kernel scope link src 172.22.0.1
172.28.0.0/24 dev docker_gwbridge proto kernel scope link src 172.28.0.1
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.95

id-security

docker container network usage

CONTAINER ADDRESS  DNS ADDRESS  NETWORK     CONTAINER      HOSTNAME
172.28.2.201       192.168.1.1  id-overlay  /wyze-bridge   wyze-bridge.id-security
172.28.2.203       192.168.1.1  id-overlay  /frigate       frigate.id-security
172.28.2.205       192.168.1.1  id-overlay  /ispyagentdvr  ispyagentdvr.id-security
172.28.2.227       192.168.1.1  id-overlay  /promtail      promtail.id-security
172.28.2.237       192.168.1.1  id-overlay  /netdata       netdata.id-security
172.28.2.247       192.168.1.1  id-overlay  /diun          diun.id-security

ip routes

default via 192.168.1.1 dev eno1 proto static
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.28.0.0/24 dev docker_gwbridge proto kernel scope link src 172.28.0.1
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.93

Hope that is of some use!
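As an added illustration (not part of the original post), the following Python script reproduces the post's container routing table and its single POSTROUTING rule as constructed samples, then resolves, for a set of destinations, which interface a packet from a WireGuard client would leave on (longest-prefix match) and whether the existing MASQUERADE rule covers that interface. The client address 10.8.0.2 and the function names are assumptions for the example.

```python
import ipaddress

# Constructed sample: the wg-easy container's `ip route show` output from the post.
CONTAINER_ROUTES = """\
default via 172.28.0.1 dev eth1
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
172.28.0.0/24 dev eth1 proto kernel scope link src 172.28.0.5
172.28.2.0/24 dev eth0 proto kernel scope link src 172.28.2.36
"""

# Constructed sample: the one POSTROUTING rule installed by the PostUp line,
# as (source network, outgoing interface).
MASQUERADE_RULES = [("10.8.0.0/24", "eth0")]


def parse_routes(text):
    """Turn `ip route show` lines into (destination network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dst = ipaddress.ip_network("0.0.0.0/0")
        else:
            dst = ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((dst, dev))
    return routes


def egress_dev(routes, dst_ip):
    """Longest-prefix match: the device the kernel would send dst_ip out of."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def masquerade_covers(rules, src_ip, dev):
    """True if some MASQUERADE rule matches this source leaving on this device."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(s) and out == dev for s, out in rules)


def audit(src_ip, destinations, routes_text=CONTAINER_ROUTES, rules=MASQUERADE_RULES):
    """Return (destination, egress device, masqueraded?) for each destination."""
    routes = parse_routes(routes_text)
    return [(d, egress_dev(routes, d), masquerade_covers(rules, src_ip, egress_dev(routes, d)))
            for d in destinations]
```

Destinations on the overlay leave via eth0 and are masqueraded; anything reached through the docker_gwbridge default route (LAN hosts, the ingress subnet) leaves via eth1, which the single rule does not cover.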