*partially working* Wireguard Docker



WARNING: I don't know what i'm doing. Proceed at your own risk.

 

So our beloved Spaceinvaderone put out a new video on how to share one docker's internet connection with other dockers.
This gave me a new project.

tasks: 

  • consolidate the dockers that use VPNs so they share one.
  • test wireguard

 

OS: Unraid 6.8.3

Container: linuxserver/wireguard

Documentation: https://hub.docker.com/r/linuxserver/wireguard

Container Config: 

Extra Parameters: --cap-add=NET_ADMIN --cap-add=SYS_MODULE --sysctl="net.ipv4.conf.all.src_valid_mark=1" --sysctl net.ipv6.conf.all.disable_ipv6=0

 

No idea what most of that does, but the ipv6 part disables ipv6, as the docker was throwing errors without it and would stop.

 


 

Wireguard Config: 

# remove all references to ipv6

  • Interface: Address, DNS
  • Peer: AllowedIPs, Endpoint

 

#Make the following edits to allow for Internet Kill Switch.

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

 

Note: this docker does NOT use systemd-resolve, so leaking DNS appears not to be an issue.

 

At this point everything works, save for local access. Meaning:

  • The container has internet access through the VPN, and the other containers have their internet routed through this one.
  • When the VPN drops, network traffic drops until it reconnects.
  • Passed IPLeak.net
  • And the speed! I can get 80% of my connection in throughput. Openvpn was 10%.

 

Here is where things turn. I made the following edit(s), but none of them allow local traffic; they block all traffic. I tried them individually and all together. The error is the same, "ping: sendmsg: Operation not permitted", both by IP and by DNS, both local and external. Meaning that when the VPN is connected, no traffic passes, internal or external.

 

  1. add my local range to the AllowedIPs section in the wg config file.
  2. replace mark scripts with hard coded entries: 
    1. PostUp = iptables -P OUTPUT DROP && iptables -A OUTPUT -o <vpn interface id >+ -j ACCEPT && iptables -A INPUT -i lo -j ACCEPT && iptables -A OUTPUT -o lo -j ACCEPT && iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT && iptables -A INPUT -s 255.255.255.255 -j ACCEPT && iptables -A OUTPUT -o eth+ -p udp -m multiport --dports 53,51820 -d <wg server ip> -j ACCEPT && iptables -A OUTPUT -o eth+ -p tcp -m multiport --dports 53 -d <wg server ip> -j ACCEPT && iptables -A OUTPUT -o eth+ ! -d <wg server DNS ip> -p tcp --dport 53 -j DROP && ip6tables -P OUTPUT DROP && ip6tables -A OUTPUT -o <vpn interface id >+ -j ACCEPT
  3. Manually add my local lan as a path 
    1. PreDown = iptables -D INPUT -i eth+ -d 192.168.10.0/24 -j ACCEPT && iptables -D OUTPUT -o eth+ -d 192.168.10.0/24 -j ACCEPT
    2. PostUp = iptables -I INPUT -i eth+ -d 192.168.10.0/24 -j ACCEPT && iptables -I OUTPUT -o eth+ -d 192.168.10.0/24 -j ACCEPT
  4. Add every non addressable range to allowedIPs
    1. 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32, 10.64.0.0/10

 

I hope the working part helps someone.

Any ideas on the second part?

Link to comment

You would probably be best hitting up linuxserver on their discord channel for this one, since they've made a conscious decision to not publish it within CA (I can only assume because of


This image is designed for Ubuntu and Debian based systems only. 

 

  • Thanks 1
Link to comment

Aptalca put this one together, so I don't know the details, but as far as I know it's building the needed kernel modules, and that is not something we can easily do on unraid.

I know wireguard is included in unraid, but I have no idea if that is all that is needed.

  • Thanks 1
Link to comment
4 hours ago, Squid said:

You would probably be best hitting up linuxserver on their discord channel for this one, since they've made a conscious decision to not publish it within CA (I can only assume because of

 

Thanks Squid. I didn't even know they had a discord.

 

4 hours ago, saarg said:

Aptalca  put this one together, so I don't know the details, but as far as I know it's building the needed kernel modules, and that is not something we can easily do on unraid.

I know wireguard is included in unraid, but I have no idea if that is all that is needed.

The wireguard version in unraid doesn't allow you to select which dockers use it, and which dont, even though it says it does (VPN tunneled access: Route traffic for specific Dockers and VMs through a commercial WireGuard VPN provider).

 

However, I have not tried to see if it allows local access... that may be the missing key.

Thank you for the idea.

Link to comment
10 hours ago, rukiftw said:

Thanks Squid. I didn't even know they had a discord.

 

The wireguard version in unraid doesn't allow you to select which dockers use it, and which dont, even though it says it does (VPN tunneled access: Route traffic for specific Dockers and VMs through a commercial WireGuard VPN provider).

 

however, I have not tried to see if allows local access....that may be the missing key.

Thank you for the idea.

I was only talking about if unraid had the correct modules to get our container to run correctly, not if you could do it using unraids built in wireguard support.

Link to comment

I've had some success with allowing local access to Wireguard and its attached containers. I'm running this via docker-compose but it should work in unRAID's GUI as well. Here's what I've added.

Wireguard Container:

- Add the environment variable LAN_NETWORK and populate it with your LAN (i.e. 192.168.1.0/24)

- in the wg0.conf config file, add the following to the PostUp and PostDown lines

PostUp=ip route add $LAN_NETWORK via $(ip route |awk '/default/ {print $3}') dev eth0
PostDown=ip route del $LAN_NETWORK via $(ip route |awk '/default/ {print $3}') dev eth0

You can then designate specific containers to utilize the Wireguard connection. In the container we want to use with Wireguard:

- remove all ports as we will now be connecting to this container via the Wireguard container.

- In docker-compose we'll add a network_mode: service:wireguard line. As for unRAID's GUI, there are a couple of discussions here and here regarding the container network.

- your attached container needs to start after Wireguard so add the following

  depends_on:
    - wireguard

 

Here is a sample docker-compose.yml showing NZBGet routing through Wireguard:

version: '3.6'
services:
# Wireguard
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    restart: always
    ports:
      - 51820:51820/udp
      # nzbget
      - 6789:6789
    volumes:
      - /mnt/user/appdata/wireguard:/config
      - /lib/modules:/lib/modules
    environment:
      LAN_NETWORK: 192.168.1.0/24
      PGID: 100
      PUID: 99
      TZ: America/New_York
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

# NZBGet Usenet (NZB) downloader
  nzbget:
    image: linuxserver/nzbget
    container_name: nzbget
    restart: always
    network_mode: service:wireguard
    volumes:
      - /mnt/user/appdata/nzbget:/config
      - /mnt/user/media:/media
    environment:
      PGID: ${PGID}
      PUID: ${PUID}
      TZ: ${TZ}
    depends_on:
      - wireguard

One item of note, I was unable to make the kill switch work. Any help would be greatly appreciated.

root@8de63d4b329d:/# iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Unable to access interface: No such device
iptables v1.6.1: mark: bad mark value for option "--mark", or out of range.

Try `iptables -h' or 'iptables --help' for more information.
root@8de63d4b329d:/# 

 

Link to comment

The iptables "mark" rules only work when WireGuard routes everything through the tunnel, as it creates an array to block all IPs but 0.0.0.0/0.

 

However, I think the error message is related to something else, like the VPN adapter not being found or a character issue from copy/paste.

 

Link to comment
On 5/1/2020 at 12:30 PM, danofun said:

I've had some success with allowing local access to Wireguard and it's attached containers. Im running this via docker-compose but it should work in unRAID's GUI as well. Here's what I've added....

 

Thank you for your post, I'm so close to this I can feel it! Were you able to get this working?

 

I've done everything you have, the only thing is that I noticed an error in the wireguard container logs about not finding eth0 for that start up command. Any idea what the container's interface is called?

 

Here's docker compose and wg0.conf for reference:

 

version: "3.6"
services:

  wireguard-client:
    image: linuxserver/wireguard
    container_name: wireguard-client
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - LAN_NETWORK=${LAN}
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    volumes:
      - /home/serveradmin/remote/docker/wireguard-client:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
      - 7502:8989 #Sonarr
      - 7501:7878 #Radarr
      - 7500:7880 #Jackett
      - 7505:5075 #nzbhydra2
      - 7506:6789 #nzbget
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  radarr:
    image: "linuxserver/radarr"
    container_name: "radarr"
    volumes:
      - /home/serveradmin/remote/docker/radarr:/config
      - /home/serveradmin/remote/downloads/completed:/downloads
      - /home/serveradmin/remote/media/movies:/movies
      - "/etc/localtime:/etc/localtime:ro"
      - /home/serveradmin/remote/docker/shared:/shared
    restart: always
    network_mode: "service:wireguard-client"
    depends_on:
      - wireguard-client
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}

and

 

[Interface]
PrivateKey = xxxx
Address = x.x.x.x/32
DNS = x.x.x.x
PostUp=ip route add x.x.x.x/20 via $(ip route |awk '/default/ {print $3}') dev eth0
PostDown=ip route del x.x.x.x/20 via $(ip route |awk '/default/ {print $3}') dev eth0

[Peer]
PublicKey = xxxx
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32, 10.64.0.0/10
Endpoint = x.x.x.x:51820

Thank you!

Link to comment
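Added worked example (Python, standard library only; this is not code from the linuxserver/wireguard image or from anyone in this thread). Both AllowedIPs lists posted above are "everything except the RFC 1918 ranges and 224.0.0.0/3, with 10.64.0.0/10 added back", and a list like that is easy to get wrong by hand. The script generates that list from the exclusions, confirms that the first post's list matches it once the redundant 8.8.8.8/32 is collapsed into 8.0.0.0/7, and flags two failure modes: an entry that is silently missing (the wg0.conf just above has no 193.0.0.0/8, so destinations in that /8 are routed outside the tunnel), and a LAN range that was added to AllowedIPs (attempt 1 in the first post), which pulls LAN traffic into the tunnel instead of keeping it local. The exclusion set, the 192.168.10.0/24 LAN used in the last check, and the function names are assumptions made for the example. One caveat that follows from how wg-quick works: it only sets the interface fwmark and the policy-routing table when AllowedIPs contains a /0 route, so with a split list like these `wg show wg0 fwmark` prints `off` and the mark-based PostUp rule from the first post fails with "bad mark value"; a split list is an alternative to that kill switch, not something to combine with it.

```python
"""Generate a split-tunnel AllowedIPs list and sanity-check a hand-written one.

Added example for this thread; it is not code from the linuxserver/wireguard
image or from any poster. Assumptions: IPv4 only; the ranges kept off the
tunnel are the three RFC 1918 blocks plus 224.0.0.0/3 (multicast and
reserved); 10.64.0.0/10 is re-added because the provider's DNS lives there,
which is what both posted lists do. Standard library only.
"""
import ipaddress

# Constructed inputs: what the posted lists keep out of the tunnel, and re-add.
EXCLUDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
REINCLUDE = ["10.64.0.0/10"]

# AllowedIPs exactly as given in the first post of the thread.
THREAD_LIST = [
    "0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6", "16.0.0.0/4",
    "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/3", "160.0.0.0/5", "168.0.0.0/6",
    "172.0.0.0/12", "172.32.0.0/11", "172.64.0.0/10", "172.128.0.0/9",
    "173.0.0.0/8", "174.0.0.0/7", "176.0.0.0/4", "192.0.0.0/9",
    "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16", "192.170.0.0/15",
    "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10", "193.0.0.0/8",
    "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4", "8.8.8.8/32",
    "10.64.0.0/10",
]
# The wg0.conf posted with the second docker-compose has the same list except
# that the 193.0.0.0/8 entry is missing.
SECOND_LIST = [c for c in THREAD_LIST if c != "193.0.0.0/8"]


def subtract(nets, excluded):
    """Remove one network from a list of disjoint networks, splitting as needed."""
    out = []
    for n in nets:
        if n.subnet_of(excluded):
            continue                                  # n lies entirely inside the exclusion
        if excluded.subnet_of(n):
            out.extend(n.address_exclude(excluded))   # keep n minus the excluded part
        else:
            out.append(n)                             # CIDRs either nest or are disjoint
    return out


def allowed_ips(exclude, reinclude=()):
    """0.0.0.0/0 minus `exclude`, plus `reinclude`, as a minimal sorted CIDR list."""
    nets = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in exclude:
        nets = subtract(nets, ipaddress.ip_network(ex))
    nets += [ipaddress.ip_network(r) for r in reinclude]
    return list(ipaddress.collapse_addresses(nets))


def normalize(cidrs):
    """Parse a hand-written list and drop entries already covered by a wider one."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def tunnel_gaps(allowed, exclude, reinclude=()):
    """Destinations that should use the tunnel but are absent from `allowed`."""
    expected = allowed_ips(exclude, reinclude)
    for a in normalize(allowed):
        expected = subtract(expected, a)
    return list(ipaddress.collapse_addresses(expected))


def captured(allowed, exclude, reinclude=()):
    """Entries of `allowed` that overlap an excluded range without being a deliberate re-include."""
    keep = [ipaddress.ip_network(r) for r in reinclude]
    excl = [ipaddress.ip_network(e) for e in exclude]
    hits = [a for a in normalize(allowed)
            if any(a.overlaps(e) for e in excl)
            and not any(a.subnet_of(k) for k in keep)]
    return list(ipaddress.collapse_addresses(hits))


def render(nets):
    """Format a network list as the AllowedIPs line for wg0.conf."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    generated = allowed_ips(EXCLUDE, REINCLUDE)
    print(render(generated))
    print("first post's list matches:", normalize(THREAD_LIST) == generated)
    print("missing from second list:",
          [str(n) for n in tunnel_gaps(SECOND_LIST, EXCLUDE, REINCLUDE)])
    # Attempt 1 in the first post: adding the LAN itself to AllowedIPs.
    print("LAN pulled into tunnel:",
          [str(n) for n in captured(THREAD_LIST + ["192.168.10.0/24"], EXCLUDE, REINCLUDE)])
```

Run it as-is and paste the printed AllowedIPs line into wg0.conf; if you want a different provider DNS range kept in the tunnel, change REINCLUDE, and if your LAN is not in 192.168.0.0/16 add it to EXCLUDE rather than to AllowedIPs.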

I think I got this to work.

I'm testing this with the linuxserver/deluge container.

The output from "curl ipconfig.io" is the wireguard VPN IP. I can access the deluge webGUI through my local LAN.

 

So, I set up the wireguard container as explained by rukiftw. Did not touch the wireguard conf file, and did not enable the internet kill switch.

I also added the environment variable LAN_NETWORK as mentioned by danofun.

 

Then just followed the Spaceinvader One video https://www.youtube.com/watch?v=znSu_FuKFW0 to force the deluge container through the wireguard one.

Also added the deluge ports to the wireguard container.

 

And then added the PostUp=ip . . . (see danofun's post) to my wireguard config file under the [Interface] block.


Link to comment
On 7/23/2020 at 12:01 AM, omsha said:

I think I got this to work.

I'm testing this with the linuxserver/deluge container.

The output from "curl ipconfig.io" is the wireguard VPN IP. I can access the deluge webGUI through my local LAN.

 

So, I set up the wireguard container as explained by rukiftw. Did not touch the wireguard conf file, and did not enable the internet kill switch.

I also added the environment variable LAN_NETWORK as mentioned by danofun.

 

Then just followed the Spaceinvader One video https://www.youtube.com/watch?v=znSu_FuKFW0 to force the deluge container through the wireguard one.

Also added the deluge ports to the wireguard container.

 

And then added the PostUp=ip . . . (see danofun's post) to my wireguard config file under the [Interface] block.

Yes, this worked for me too.

I was able to connect to mullvad and my raspberry wireguard server. Tried it with sonarr and the firefox docker.

Link to comment

Hi, 

First post on this forum. I'm not even using Unraid (but will look into it), simply using Docker like @danofun seems to be.

After 2 days in hell trying to make this work, this post did it for me, thanks everyone so (so!) much!

 

in the end, it was this exact post which did it for me: 

 

 

Cheers

Link to comment

Hi Everyone, 

 

Thank you for the great information in this thread.  I am adding a few more tweaks and notes below in order to run the native UNRAID Dynamics Wireguard simultaneously with the Linuxserver Wireguard Docker. I now have two working versions of Wireguard running on my machine with one specifically for use with whatever Dockers I decide to add to the new Wireguard VPN.

 

When initially created, I named my new docker "wireguard4dockers" as shown below. When downloaded, you have to add a lot of the variables into the template, so this takes time, and if you have an error (like I did the first time), you might think you have lost the data after you click the "apply" button and the template disappears; but if you go to the CA "APPS" tab, you can reinstall the template and pick right back up where you left off.

 

First off, since you are adding this as a new docker and probably have Wireguard set up on UNRAID already, when you begin to enter your specific information into the template, change the ListenPort so you don't have a conflicting port between this Wireguard docker and the built in Wireguard in UNRAID. By Default the UNRAID Wireguard listenport is 51820, which is also the standard listenport of the Linuxserver docker.

 

Secondly, make sure that you set your config properly so the docker saves into your "appdata" folder using, Container Path: /config and Host Path to "your specific location". I  initially did not set it up properly and couldn't figure out why my folder was blank, until I realized that I did not put the slash in front of "config".  Also, don't forget to add the "config" folder inside your own "wireguard4docker" folder.

 

I also changed my internal SUBNET to something completely different from the built-in Wireguard to avoid any conflicts. Not sure if this was necessary, but I thought it couldn't hurt.

 

Also, take note that once you get the template created and it has saved as an operational Docker, if you import a pre-made config file into your config folder for this docker, you need to change the name of the file to "wg0" (that lower case w, g and a zero) or create your new template named as "wg0". This was noted on one of the many pages of posts in the links that danofun included above.

 

Lastly, I had to include my specific Local LAN IP Address in the config file in the "PostUp" and "PostDown" lines ...part of another tip mentioned to be added to the config file in previous posts;

in my file these two lines are:

PostUp=ip route add 195.168.4.0/24 via $(ip route |awk '/default/ {print $3}') dev eth0

PostDown=ip route del 195.168.4.0/24 via $(ip route |awk '/default/ {print $3}') dev eth0

 

.....and going this route I did NOT need to add the following environmental variable into the docker template: "LAN_NETWORK ....populated with your LAN (i.e. 192.168.1.0/24)" noted to add in the above posts.

 

Here are a few snippets of my "wireguard4docker" template.

Please note, I also downloaded the Firefox docker to use to check out connectivity, following other posts on how to link other dockers to your vpn docker.

 


 


 

 

Firefox Ports to add while you are setting up the "wireguard4docker" VPN created under the "advanced view": port 7814 will be your port to use to get into the firefox webgui.

 


 


 

Using the posts in this thread, as well as the links provided by everyone, I was able to create a fully functioning secondary Wireguard Docker VPN in less than an hour. This proves that we can in fact use an off-the-shelf existing Wireguard docker template as a VPN for specific Docker containers, while at the same time utilizing the built-in Wireguard controls for your other VPN needs, thus overcoming the bottleneck and limitation of not being able to have "VPN tunneled access" running along with another tunnel instance within the built-in UNRAID Dynamics Wireguard program.

 

I hope this helps others. I really haven't done anything different other than compile a few critical pieces of information under the same thread. I spend a lot of time browsing the forum for information and am always amazed at what can be found here; but having run through this process this evening I thought this additional data might be helpful for others to have. Kudos and a big thank you to everyone prior who paved the way for amateurs like myself who are able to stumble through to make something work and confirm that what others have accomplished does in fact work.

 

Thanks,

 

 

  • Thanks 2
Link to comment

Glad it helped you.

Additionally, I recently found and added the docker "Rebuild DNDC", which monitors any custom containers, so any other dockers pointed to your custom wireguard4dockers container will automatically rebuild if the Wireguard container is updated. It is available under the Community "APPS" tab. It works 90% of the time updating linked containers without issue. A few times I had to reinstall one of my linked containers, but not a big issue if Community Apps is installed.

Here is the support site: https://hub.docker.com/r/eafxx/rebuild-dndc

 


Link to comment
