Hi all,
I am looking for a docker-compose.yml solution for the following scenario:
- clients send their log data to syslog-ng which is protected by wireguard VPN tunnel
- example route: 10.1.0.42 (client, local) → 10.1.0.254 (wireguard, remote) → 10.1.1.254 (syslog-ng)
initial docker-compose.yml (syslog-ng and wireguard)
- wireguard can reach syslog-ng (docker exec -it wireguard ping 10.1.1.254)
- problem: clients cannot see syslog-ng yet (i.e. they cannot reach 10.1.1.254)
version: '3.9'
services:
  mysyslog:
    image: balabit/syslog-ng
    container_name: syslog
    restart: unless-stopped
    volumes:
      - ./config/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
      - ./logs:/var/log
    networks:
      netlog:
        ipv4_address: 10.1.1.254
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/London
      - SERVERPORT=51234
      - ALLOWEDIPS=10.1.0.0/16
    volumes:
      - ./config/:/config
      - /lib/modules:/lib/modules
    ports:
      - 51234:51234/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      netwg:
        ipv4_address: 10.1.0.254
      netlog:
networks:
  netlog:
    ipam:
      driver: default
      config:
        - subnet: 10.1.1.0/24
  netwg:
    ipam:
      driver: default
      config:
        - subnet: 10.1.0.0/24
server wireguard conf
[Interface]
Address = 10.1.0.253/32
ListenPort = 51234
PrivateKey = ...
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 10.1.0.42/32
client wireguard conf
[Interface]
Address = 10.1.0.42/24
PrivateKey = ...
[Peer]
PublicKey = ...
PresharedKey = ...
Endpoint = 1.2.3.4:51234 # some public IP + wireguard port
AllowedIPs = 10.1.0.0/16
PersistentKeepalive = 25
Network layout does not need to be that separated/static here, but at least I would like to see a simple config showing how a local client (network0) can communicate via one container (network1) with another non-public container (network2).
Thank you very much in advance for any help!
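One way to complete the client → wireguard → syslog-ng path described above, as an added example and not the poster's own config: the wireguard container has to forward tunnel traffic to the netlog bridge and source-NAT it so replies come back through the same container (the syslog container's default gateway is the docker bridge, which has no route to the tunnel peers). It assumes the compose service additionally sets `sysctls: - net.ipv4.ip_forward=1`, that syslog-ng listens on 514/udp and 514/tcp (placeholder port choice), and keeps the tunnel addressing from the post; the forwarding rules are deliberately limited to the collector so a tunnel client cannot reach anything else on the docker networks.

```ini
# Added example (not the poster's file): server-side wg0.conf for the
# wireguard container. Assumes ip_forward is enabled via the compose
# "sysctls" list and that syslog-ng listens on 514/udp and 514/tcp.
[Interface]
Address = 10.1.0.253/32
ListenPort = 51234
PrivateKey = ...

# Only forward tunnel packets that are destined for the syslog collector
# on its syslog port; replies are matched by conntrack; everything else
# arriving from the tunnel is dropped (least privilege for log clients).
PostUp = iptables -A FORWARD -i %i -d 10.1.1.254 -p udp --dport 514 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -d 10.1.1.254 -p tcp --dport 514 -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
# Source-NAT forwarded tunnel traffic to this container's netlog address so
# syslog-ng answers to 10.1.1.x instead of to an unreachable 10.1.0.x peer.
PostUp = iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -d 10.1.1.0/24 -j MASQUERADE

# Remove the same rules when the tunnel goes down.
PostDown = iptables -D FORWARD -i %i -d 10.1.1.254 -p udp --dport 514 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 10.1.1.254 -p tcp --dport 514 -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s 10.1.0.0/24 -d 10.1.1.0/24 -j MASQUERADE

[Peer]
PublicKey = ...
PresharedKey = ...
# Client's tunnel address as in the post; AllowedIPs on the server side is
# the set of source addresses accepted from this peer.
AllowedIPs = 10.1.0.42/32
```

The client side keeps `AllowedIPs = 10.1.0.0/16` from the post, which already covers 10.1.1.254, so its routes need no change; from the client, `ping 10.1.1.254` will only succeed if ICMP is added to the FORWARD rules above, so test with the syslog port itself (e.g. `nc -u 10.1.1.254 514`).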