networking – Accessing Host’s Wireguard from Docker Containers

dockerdocker-networkinglinux-networkingnetworkingwireguard

I have a Debian server that has a Wireguard connection to a box sitting behind a NAT. The box has Wireguard IP 192.168.60.2 whereas the server has Wireguard IP 192.168.60.1. On the server, a few Docker containers are running. I would like to be able to assign some containers an IP on the 192.168.60.0/24 subnet so that I can tell the containers apart by IP on the box as requests from the contains come in.

When I launch containers without special network config, i.e. using the standard bridge driver, I can reach the box via its IP 192.168.60.2, however, the originating IP is the server's (192.168.60.1).

I tried using Docker's IPVLAN network driver, but that requires an actual Ethernet interface as opposed to a tunnel.

How can I achieve this?

edit: After creating a Docker network with docker network create --driver=bridge --subnet=192.168.60.0/24 my-net and starting a dummy container with docker run -it --rm --network=my-net --ip=192.168.60.10 alpine, I still cannot get this to work.

The Wireguard settings on the server are like so:

[Interface]
PrivateKey = *** REDACTED ***
ListenPort = 51821
Address = 192.168.60.1/24
[Peer]
PublicKey = *** REDACTED ***
AllowedIPs = 192.168.60.2/32 # I also tried setting this to /24

In the box's Wireguard settings the Address is set to 192.168.60.2/32 and AllowedIPs is set to 192.168.60.0/24.

I checked the firewall counters and I don't think this is what's stopping the packets. However, when looking at the routing table, this seems suspicious:

192.168.60.0/24 dev wg1 proto kernel scope link src 192.168.60.1
192.168.60.0/24 dev br-df2fc584e6b0 proto kernel scope link src 192.168.60.1

wg1 is the Wireguard interface and br-df2fc584e6b0 corresponds to the Docker bridge my-net. More details:

$ ip a show dev br-df2fc584e6b0
184: br-df2fc584e6b0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:98:27:08:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.60.1/24 brd 192.168.60.255 scope global br-df2fc584e6b0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:98ff:fe27:823/64 scope link
       valid_lft forever preferred_lft forever

$ ip a show dev wg1
177: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.60.1/24 scope global wg1
       valid_lft forever preferred_lft forever

edit2: I was able to resolve this by making the IP subnets non-overlapping, i.e. the Wireguard interface has the address 192.168.60.1/28 and the bridge network is assigned the subnet 192.168.60.16/28. Additionally, I created the bridge network with com.docker.network.bridge.enable_ip_masquerade=false to keep the original IP.

Best Answer

you can create a custom bridge network in Docker and then connect your containers to this network.

docker network create --driver=bridge --subnet=192.168.60.0/24 mynetwork

docker run --network=mynetwork --ip=192.168.60.x -d your_container_image

Ensure that your WireGuard setup allows traffic from the Docker bridge network. Update your WireGuard configuration to allow traffic from the Docker bridge subnet (192.168.60.0/24). Update the AllowedIPs both on WireGuard client and server side and make sure to restart WireGuard after that.

Related Solutions

How to add an static route on google compute engine

The virtual network you get on a GCE instance is effectively a /32 network to which only the instance itself and the gateway are attached (the latter being configured using a host route). This means that all outgoing traffic is sent to the gateway.

That is the reason why you get the following error:

B:~$ sudo ip route add 11.10.0.0/16 via 10.240.0.8 dev eth0
RTNETLINK answers: Network is unreachable

The error simply tells you that there is no host or network route that matches 10.240.0.8 (other than the default route which uses a gateway itself).

There is no way to set up your desired configuration using routing configuration on the hosts. Instead you need to configure routing in GCE itself, as described here. Conceptually you can think of this as configuring the routing table on the gateway. You don't need any additional configuration on the hosts because as explained above, they send all outgoing packets to the gateway.

Ssh – connect a docker container to a local network

The approach that I took when setting something similar was to statically assign IP addresses to each container. I then "stacked" the IP addresses as secondary IPs on the bridge's interface, vmbr0.

My network setup:

$ ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:22:15:91:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::222:15ff:fe91:XXXX/64 scope link
       valid_lft forever preferred_lft forever
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:22:15:91:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global vmbr0
    inet 192.168.1.101/24 scope global secondary vmbr0
    inet 192.168.1.103/24 scope global secondary vmbr0
    inet6 fe80::222:15ff:fe91:c12d/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 scope global docker0

I added these secondary IPs like so:

$ ip addr add 192.168.1.101/24 dev vmbr0
$ ip addr add 192.168.1.101/24 dev vmbr0

I would run my containers like so:

$ docker run --name='bind' -d \
    -p 192.168.1.101:53:53/udp \
    -p 192.168.1.101:10000:10000 sameersbn/bind:latest

Best Answer

Related Solutions

How to add an static route on google compute engine

Ssh – connect a docker container to a local network

Related Topic