Docker Community Forums


Wireguard VPN protected syslog-ng server (docker compose)

Hi all,

I am looking for a docker-compose.yml solution for the following scenario:

  • clients send their log data to syslog-ng which is protected by wireguard VPN tunnel
  • example route: 10.1.0.42 (client, local) → 10.1.0.254 (wireguard, remote) → 10.1.1.254 (syslog-ng)

initial docker-compose.yml (syslog-ng and wireguard)

  • wireguard can reach syslog-ng (docker exec -it wireguard ping 10.1.1.254)
  • problem: clients cannot see syslog-ng yet (i.e. they cannot reach 10.1.1.254)

version: '3.9'

services:

  mysyslog:
    image: balabit/syslog-ng
    container_name: syslog
    restart: unless-stopped
    volumes:
      - ./config/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
      - ./logs:/var/log
    networks:
      netlog:
        ipv4_address: 10.1.1.254

  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/London
      - SERVERPORT=51234
      - ALLOWEDIPS=10.1.0.0/16
    volumes:
      - ./config/:/config
      - /lib/modules:/lib/modules
    ports:
      - 51234:51234/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      netwg:
        ipv4_address: 10.1.0.254
      netlog:

networks:
  netlog:
    ipam:
      driver: default
      config:
        - subnet: 10.1.1.0/24
  netwg:
    ipam:
      driver: default
      config:
        - subnet: 10.1.0.0/24

server wireguard conf

[Interface]
Address = 10.1.0.253/32
ListenPort = 51234
PrivateKey = ...

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 10.1.0.42/32

client wireguard conf

[Interface]
Address = 10.1.0.42/24
PrivateKey = ...

[Peer]
PublicKey = ...
PresharedKey = ...
Endpoint = 1.2.3.4:51234 # some public IP + wireguard port
AllowedIPs = 10.1.0.0/16
PersistentKeepalive = 25

Network layout does not need to be that separated/static here, but at least I would like to see a simple config showing how a local client (network0) can communicate via one container (network1) to another non-public container (network2).

Thank you very much in advance for any help!
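As an added worked check, not part of the original post and not code from the linuxserver/wireguard image: a small lint over constructed, trimmed copies of the posted confs that tests the four conditions a relayed path (client → wireguard container → syslog-ng) needs, and prints a generic wg-quick PostUp line that forwards only tunnel traffic to 10.1.1.254. The compose subnets, addresses and the missing PostUp are taken from the post; the rule text itself is my suggestion.

```python
from configparser import ConfigParser
from ipaddress import ip_address, ip_network

# Constructed, trimmed copies of the posted confs (keys omitted).
CLIENT_CONF = """[Interface]
Address = 10.1.0.42/24
[Peer]
Endpoint = 1.2.3.4:51234
AllowedIPs = 10.1.0.0/16"""
SERVER_CONF = """[Interface]
Address = 10.1.0.253/32
ListenPort = 51234
[Peer]
AllowedIPs = 10.1.0.42/32"""
# The wireguard service from the compose file: subnets it joins, sysctls it sets.
RELAY = {"networks": {"netwg": "10.1.0.0/24", "netlog": "10.1.1.0/24"},
         "sysctls": {"net.ipv4.conf.all.src_valid_mark": "1"}}
TARGET = "10.1.1.254"  # syslog-ng

def parse_wg(text):
    cp = ConfigParser(interpolation=None)  # INI-shaped; '%i' must stay literal
    cp.read_string(text)                   # option names come back lowercased
    return cp

def covered(addr, cidr_list):
    ip = ip_address(addr)
    return any(ip in ip_network(c.strip(), strict=False) for c in cidr_list.split(","))

def lint(client_conf, server_conf, relay, target):
    client, server = parse_wg(client_conf), parse_wg(server_conf)
    client_ip = client["Interface"]["address"].split("/")[0]
    postup = server["Interface"].get("postup", "").lower()
    fwd_on = relay["sysctls"].get("net.ipv4.ip_forward") == "1" or "ip_forward" in postup
    return {
        # client pushes the backend's address into the tunnel (crypto-key routing)
        "client_routes_target": covered(target, client["Peer"]["allowedips"]),
        # server accepts packets whose tunnel source is the client
        "server_accepts_client": covered(client_ip, server["Peer"]["allowedips"]),
        # relay owns an interface on the backend's network
        "relay_on_target_net": any(ip_address(target) in ip_network(s) for s in relay["networks"].values()),
        # relay forwards wg0 <-> that leg and NATs: the backend's default route is the Docker bridge, not the relay
        "relay_forwards": fwd_on and "forward" in postup and "masquerade" in postup,
    }

def suggested_postup(target):
    """Forward only tunnel traffic to the backend host, allow its replies, source-NAT to the relay's address."""
    return ("PostUp = sysctl -w net.ipv4.ip_forward=1; "
            f"iptables -A FORWARD -i %i -d {target}/32 -j ACCEPT; "
            f"iptables -A FORWARD -o %i -s {target}/32 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; "
            f"iptables -t nat -A POSTROUTING -d {target}/32 -j MASQUERADE")
```

Run against the posted confs, the first three checks pass and only relay_forwards fails, which matches the symptom that the wireguard container reaches syslog-ng while the client does not.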