Everything posted by underw0rld
-
wireguard on a container, but with local docker network access
The network assignments created in my previous post persist after bringing individual containers down/up, shutting down all containers associated with the "shared network", and even after disabling/enabling docker entirely. Just for anyone's future reference.
-
wireguard on a container, but with local docker network access
For anyone who also wants to achieve this, I found a solution that is much easier (imo).

1. Create a wireguard connection to your vpn, using "VPN Tunneled Access for Docker"
2. Assign any of your desired containers to this wireguard network
3. Create a "shared network" that can bridge your normal docker network with your wg network, but does NOT route to WAN (--internal flag):
   docker network create --internal [shared-network-name]
4. Join your VPN'd containers, as well as any you want to be able to access them, to this "shared network" (a container can join multiple docker networks!):
   docker network connect [shared-network-name] [container-name]

That is all you need to do! Now any of your regular docker network containers can communicate with your containers that are on the wireguard network.

You can create a user script to always join a list of containers to your shared network:

#!/bin/bash

# Define the target network
TARGET_NETWORK="shared-network"

# Define the list of container names to monitor
CONTAINERS=(
  "container-name"
  "container2-name"
)

# Function to check and connect container
connect_if_needed() {
  local CONTAINER=$1

  # Check if container exists
  if ! docker inspect "$CONTAINER" &>/dev/null; then
    echo "$(date): Container '$CONTAINER' does not exist, skipping..."
    return
  fi

  # Get the networks the container is connected to, one name per line
  NETWORKS=$(docker inspect "$CONTAINER" -f '{{range $key, $value := .NetworkSettings.Networks}}{{$key}}{{"\n"}}{{end}}')

  # Check if container is already connected to the target network
  # (-x matches the whole line, so "shared-network-2" does not count as "shared-network")
  if echo "$NETWORKS" | grep -qxF -- "$TARGET_NETWORK"; then
    echo "$(date): Container '$CONTAINER' already connected to '$TARGET_NETWORK'"
  else
    echo "$(date): Connecting '$CONTAINER' to '$TARGET_NETWORK'..."
    if docker network connect "$TARGET_NETWORK" "$CONTAINER"; then
      echo "$(date): Successfully connected '$CONTAINER' to '$TARGET_NETWORK'"
    else
      echo "$(date): Failed to connect '$CONTAINER' to '$TARGET_NETWORK'"
    fi
  fi
}

# Check if target network exists
if ! docker network inspect "$TARGET_NETWORK" &>/dev/null; then
  echo "Error: Network '$TARGET_NETWORK' does not exist"
  exit 1
fi

echo "$(date): Starting Docker event monitor for container updates..."

# Monitor docker events for container creates AND starts
docker events --filter 'type=container' --filter 'event=create' --filter 'event=start' --format '{{.Actor.Attributes.name}}' |
while read -r CONTAINER_NAME; do
  # Check if this container is in our list
  for TARGET_CONTAINER in "${CONTAINERS[@]}"; do
    if [ "$CONTAINER_NAME" = "$TARGET_CONTAINER" ]; then
      echo "$(date): Detected event for '$CONTAINER_NAME'"
      # Small delay to ensure container is fully ready
      sleep 2
      connect_if_needed "$CONTAINER_NAME"
      break
    fi
  done
done
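The point of the --internal flag in the post above is that the shared bridge must not hand a VPN-bound container a second default gateway; a container that also sits on a normal (non-internal) network has a route to the WAN that never enters the tunnel. The following audit is an added example written for this page, not code from the post: it reads the JSON that docker inspect and docker network inspect print and flags every tunnelled container that is attached to a network which is neither the WireGuard network nor marked Internal. The network and container names, and the JSON itself, are constructed samples mirroring the setup described in the post.

```python
import json

# Constructed sample of `docker network inspect` output, trimmed to the
# fields the audit needs. Network names are hypothetical.
NETWORKS_JSON = json.dumps([
    {"Name": "wg1", "Driver": "bridge", "Internal": False},
    {"Name": "shared-network", "Driver": "bridge", "Internal": True},
    {"Name": "bridge", "Driver": "bridge", "Internal": False},
])

# Constructed sample of `docker inspect` output for two containers:
# vpn-app is set up as the post describes; leaky-app was also left on
# the default bridge, which gives it a gateway outside the tunnel.
CONTAINERS_JSON = json.dumps([
    {"Name": "/vpn-app",
     "NetworkSettings": {"Networks": {"wg1": {}, "shared-network": {}}}},
    {"Name": "/leaky-app",
     "NetworkSettings": {"Networks": {"wg1": {}, "shared-network": {}, "bridge": {}}}},
])


def internal_networks(networks_json):
    """Map network name -> Internal flag from `docker network inspect` JSON."""
    return {n["Name"]: bool(n.get("Internal", False)) for n in json.loads(networks_json)}


def leak_paths(containers_json, networks_json, vpn_network):
    """Return {container: [networks that are neither the VPN network nor --internal]}.

    Every network in that list is a normal bridge with its own gateway,
    i.e. a route to the WAN that does not go through the tunnel. Networks
    missing from networks_json are treated as non-internal (fail closed).
    """
    internal = internal_networks(networks_json)
    findings = {}
    for ctr in json.loads(containers_json):
        name = ctr["Name"].lstrip("/")
        attached = list(ctr["NetworkSettings"]["Networks"])
        if vpn_network not in attached:
            continue  # not tunnelled; nothing to enforce
        extra = sorted(n for n in attached
                       if n != vpn_network and not internal.get(n, False))
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    # Live use would feed the real output in, e.g.:
    #   docker network inspect $(docker network ls -q)  -> NETWORKS_JSON
    #   docker inspect $(docker ps -aq)                  -> CONTAINERS_JSON
    for ctr, nets in leak_paths(CONTAINERS_JSON, NETWORKS_JSON, "wg1").items():
        print(f"{ctr}: also on non-internal network(s) {nets} -> possible VPN bypass")
```

Running it against the sample data reports only leaky-app, because its extra attachment is the default bridge; vpn-app passes since its only other network is the --internal shared bridge.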
-
wireguard on a container, but with local docker network access
@bmartino1 thank you for your detailed post - As you assumed, I already had a wireguard config set up within unraid, so I stuck with that instead of making a new docker network. It is currently set to the mode "VPN access for docker" (let me know if that is problematic). What is odd is that when the script is running, the unraid server cannot touch the internet. I thought it may be that only the whitelisted vpn IPs could, but even those do not seem to access the wan. I modified your script in 3 ways: changing wg0 to wg1, adding a couple of IPs to pass through, and changing the subnets that are granted local access to my docker network's subnet:

#!/bin/bash
set -e

WG_IF="wg1"
WG_TABLE="51820"
MARK_HEX="0xC8E4"        # arbitrary mark value
MARK_DEC=$((0xC8E4))

# List the container IPs that must egress via WireGuard
VPN_SRC_IPS=(
  172.18.0.100
  172.18.0.101
)

# --- Set up routing table for WireGuard ---
# Add default route via ${WG_IF} in our custom table
ip route show table ${WG_TABLE} | grep -q "default" \
  || ip route add default dev ${WG_IF} table ${WG_TABLE} || true

# Add policy rule to use that table for marked packets
# (ip rule prints the mark in hex, e.g. "fwmark 0xc8e4", so match case-insensitively on
#  MARK_HEX rather than on the decimal value, or the rule gets re-added on every run)
ip rule show | grep -qi "fwmark ${MARK_HEX} lookup ${WG_TABLE}" \
  || ip rule add fwmark ${MARK_DEC} lookup ${WG_TABLE}

# --- iptables chains (idempotent) ---
# Create the chain only if it does not exist yet (with set -e a failing -N would abort the script)
iptables -t mangle -nL WG_VPN >/dev/null 2>&1 || iptables -t mangle -N WG_VPN
iptables -t mangle -C PREROUTING -j WG_VPN 2>/dev/null || iptables -t mangle -A PREROUTING -j WG_VPN
iptables -t mangle -C OUTPUT -j WG_VPN 2>/dev/null || iptables -t mangle -A OUTPUT -j WG_VPN

# Exempt local/LAN destinations early (so LAN stays LAN)
# Note: a /12 mask clears the host bits, so iptables stores and lists 172.18.0.0/12 as 172.16.0.0/12
for cidr in 10.0.0.0/8 172.18.0.0/12 192.168.0.0/16 100.64.0.0/10 127.0.0.0/8; do
  iptables -t mangle -C WG_VPN -d $cidr -j RETURN 2>/dev/null \
    || iptables -t mangle -A WG_VPN -d $cidr -j RETURN
done

# Mark traffic from the chosen container IPs
for ip in "${VPN_SRC_IPS[@]}"; do
  iptables -t mangle -C WG_VPN -s ${ip} -m mark --mark 0x0 -j MARK --set-mark ${MARK_HEX} 2>/dev/null \
    || iptables -t mangle -A WG_VPN -s ${ip} -m mark --mark 0x0 -j MARK --set-mark ${MARK_HEX}
done

# NAT/MASQUERADE out the WireGuard interface for internet return path
iptables -t nat -C POSTROUTING -o ${WG_IF} -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o ${WG_IF} -j MASQUERADE

echo "Selective WireGuard policy routing is active."

when I run ip rule, I don't see 51820

root@BLADE:~# ip rule
0:      from all lookup local
32760:  from all fwmark 0xc8e4 lookup 51820
32761:  from 172.31.202.0/24 lookup 202
32762:  from all lookup main suppress_prefixlength 0
32763:  not from all fwmark 0xca6c lookup 51820
32764:  from 172.31.201.0/24 lookup 201
32765:  from 172.31.200.0/24 lookup 200
32766:  from all lookup main
32767:  from all lookup default

also, when I run iptables -t mangle -S WG_VPN, for some reason the subnet you specified is still there and not reflecting my change to 172.18.* (ofc I have rebooted the server):

root@BLADE:~# iptables -t mangle -S WG_VPN
-N WG_VPN
-A WG_VPN -d 10.0.0.0/8 -j RETURN
-A WG_VPN -d 172.16.0.0/12 -j RETURN
-A WG_VPN -d 192.168.0.0/16 -j RETURN
-A WG_VPN -d 100.64.0.0/10 -j RETURN
-A WG_VPN -d 127.0.0.0/8 -j RETURN
-A WG_VPN -s 172.18.0.100/32 -m mark --mark 0x0 -j MARK --set-xmark 0xc8e4/0xffffffff
-A WG_VPN -s 172.18.0.101/32 -m mark --mark 0x0 -j MARK --set-xmark 0xc8e4/0xffffffff

any idea what I missed here? thanks again for your help
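The chain and policy-rule dumps in the post above are enough to replay what the kernel will do with a given packet. The script below is an added example written for this page, not code from the thread: it parses the WG_VPN chain exactly as iptables -t mangle -S printed it, walks constructed sample packets through it to show which flows end up carrying the 0xc8e4 mark (and therefore take the 51820 table), checks the ip rule output numerically instead of by grepping for a decimal mark, and shows why 172.18.0.0/12 is listed as 172.16.0.0/12 (the /12 mask keeps only the network address, which still contains a 172.18.0.0/16 Docker subnet). The packet addresses are constructed; the rule text is copied from the post.

```python
import ipaddress
import re

# The WG_VPN chain exactly as `iptables -t mangle -S WG_VPN` printed it in the post.
CHAIN_DUMP = """\
-N WG_VPN
-A WG_VPN -d 10.0.0.0/8 -j RETURN
-A WG_VPN -d 172.16.0.0/12 -j RETURN
-A WG_VPN -d 192.168.0.0/16 -j RETURN
-A WG_VPN -d 100.64.0.0/10 -j RETURN
-A WG_VPN -d 127.0.0.0/8 -j RETURN
-A WG_VPN -s 172.18.0.100/32 -m mark --mark 0x0 -j MARK --set-xmark 0xc8e4/0xffffffff
-A WG_VPN -s 172.18.0.101/32 -m mark --mark 0x0 -j MARK --set-xmark 0xc8e4/0xffffffff
"""

# The relevant lines of the `ip rule` output from the post.
IP_RULE_DUMP = """\
0:      from all lookup local
32760:  from all fwmark 0xc8e4 lookup 51820
32766:  from all lookup main
32767:  from all lookup default
"""

RULE_RE = re.compile(
    r"^-A WG_VPN(?: -d (?P<dst>\S+))?(?: -s (?P<src>\S+))?"
    r"(?: -m mark --mark (?P<match>0x[0-9a-f]+))? -j (?P<target>RETURN|MARK)"
    r"(?: --set-xmark (?P<mark>0x[0-9a-f]+)/0xffffffff)?$"
)


def parse_chain(dump):
    """Parse the -A lines of an `iptables -S` dump into rule dicts, in chain order."""
    return [m.groupdict() for m in map(RULE_RE.match, dump.splitlines()) if m]


def normalize_cidr(cidr):
    """iptables keeps only the network address, so 172.18.0.0/12 is stored as 172.16.0.0/12."""
    return str(ipaddress.ip_network(cidr, strict=False))


def covers(cidr, subnet):
    """True if `subnet` lies entirely inside `cidr` (both given as strings)."""
    return ipaddress.ip_network(subnet, strict=False).subnet_of(
        ipaddress.ip_network(cidr, strict=False))


def mark_for(rules, src, dst, mark=0):
    """Walk one packet through the chain and return the fwmark it leaves with.

    RETURN ends the chain; MARK sets the mark and evaluation continues, which
    is why the second `--mark 0x0` rule no longer matches once a mark is set.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["dst"] and dst_ip not in ipaddress.ip_network(r["dst"]):
            continue
        if r["src"] and src_ip not in ipaddress.ip_network(r["src"]):
            continue
        if r["match"] is not None and mark != int(r["match"], 16):
            continue
        if r["target"] == "RETURN":
            return mark
        mark = int(r["mark"], 16)
    return mark


def has_fwmark_rule(dump, mark, table):
    """True if `ip rule` has a policy rule sending packets with `mark` to `table`.

    ip prints the mark in hex (0xc8e4), so compare numerically rather than
    grepping for the decimal string the script in the post uses.
    """
    pat = re.compile(r"fwmark (0x[0-9a-fA-F]+)(?:/0x[0-9a-fA-F]+)? lookup (\S+)")
    for line in dump.splitlines():
        m = pat.search(line)
        if m and int(m.group(1), 16) == int(mark) and m.group(2) == str(table):
            return True
    return False


if __name__ == "__main__":
    rules = parse_chain(CHAIN_DUMP)
    # Constructed sample flows: WAN-bound from a marked source, LAN-bound from
    # the same source, and WAN-bound from a container that is not in the list.
    for src, dst in [("172.18.0.100", "1.1.1.1"), ("172.18.0.100", "172.18.0.5"),
                     ("172.18.0.50", "1.1.1.1")]:
        print(f"{src} -> {dst}: fwmark {mark_for(rules, src, dst):#x}")
    print("172.18.0.0/12 is stored as", normalize_cidr("172.18.0.0/12"))
    print("policy rule 0xC8E4 -> table 51820 present:", has_fwmark_rule(IP_RULE_DUMP, 0xC8E4, 51820))
```

Only the first sample flow comes out marked; the LAN-bound flow hits the 172.16.0.0/12 RETURN before the MARK rule, and the unlisted source never matches a MARK rule, so both stay on the main table. The same walk is a quick way to confirm, before touching the live system, that a new exemption or source IP does what was intended.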
-
wireguard on a container, but with local docker network access
Greetings - I have a working wireguard vpn tunnel set up through unraid's vpn config. Is there a way with unraid default config (not using something like gluetun) to allow some containers to use that wg tunnel to connect to WAN, while still allowing them to remain on the docker network's subnet? Currently, if I switch my container's network to wgX, it is no longer visible to my other dockers.
-
[Support] Collectathon - Karakeep
yep this worked for me - using browserlessv2 and unraid 7.1.4