I run a WireGuard endpoint as a docker container on my server with road-warrior clients connecting to it via LTE:
The real server address is a static public IP. The client config is as follows (irrelevant parts excluded):
[Interface]
Address = 10.254.99.2
[Peer]
AllowedIps = 10.254.99.1/32
Endpoint = 192.168.5.55
This works fine if I ping the client from within the docker container. But since I also want to reach the client from the docker host, I add a route on the server:
ip route add 10.254.99.0/24 via 172.17.0.2 dev docker0 src 192.168.5.55
Accordingly, I add the src address to the list of AllowedIPs on the server:
[Peer]
AllowedIps = 10.254.99.1/32, 192.168.5.55/32
And with this, things stop working. I cannot ping the client anymore, neither from the server nor from within the container. If I allow all IPs on the client instead, everything works as expected:
[Peer]
AllowedIps = 0.0.0.0/0
But I don't want to route all traffic through the tunnel. What's the proper way to do this?
Best Answer
You can't use the same address in the client's Endpoint and AllowedIPs settings*. Endpoint should be the server's address outside the tunnel, and AllowedIPs should include all the addresses you want to have access to inside the tunnel.

To fix it, get rid of the src setting on the route you added to the server, so that the route will just use the address of the server's docker0 interface. Then change the WireGuard client's AllowedIPs setting to include the address of the server's docker0 interface (172.17.0.1). Your server will now use its docker0 interface address (172.17.0.1) as the source of the packets it sends through your WireGuard network.

However, instead of adding that extra layer of routing on your server, the simplest thing to do would be to run the WireGuard container in "host" network mode (using the --network=host flag with docker run, or the network_mode: host setting with docker-compose). That would expose the WireGuard container's wg0 interface directly to the host, so you wouldn't need additional routing rules on the server, and you wouldn't need to add additional AllowedIPs to the client. In that case, the server would just use the WireGuard interface's own 10.254.99.1 address as the source of the packets it sends through your WireGuard network.

* unless you set up some fancy packet routing/filtering rules on your client instead of using the defaults the WireGuard client sets up for you
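As an added example (not part of the question or the answer above), here is a small Python model of the routing defaults wg-quick leaves on the client: one route per AllowedIPs prefix via wg0, the LTE default route, and the fwmark policy-rule special case for a /0 prefix. It shows why the Endpoint address stops working once it also appears in AllowedIPs, and that the docker0 address does not have that problem. The interface names lte0 and wg0 and the simplified route table are assumptions; the addresses are the ones from the question.

```python
import ipaddress

# Constructed model of the client's routing table (assumption, not from the post):
# the LTE uplink carries the default route, and wg-quick adds one route per
# AllowedIPs prefix pointing into wg0.
LTE_DEFAULT = (ipaddress.ip_network("0.0.0.0/0"), "lte0")


def client_routes(allowed_ips):
    """Build the routes wg-quick would leave on the client for these AllowedIPs."""
    routes = [LTE_DEFAULT]
    for prefix in allowed_ips:
        routes.append((ipaddress.ip_network(prefix), "wg0"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks an egress interface."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def endpoint_conflict(allowed_ips, endpoint):
    """True when the peer's Endpoint would itself be routed into wg0, so the
    encrypted UDP packets carrying the handshake can never leave the host."""
    if any(ipaddress.ip_network(p).prefixlen == 0 for p in allowed_ips):
        # wg-quick handles a /0 prefix with an fwmark policy rule that keeps
        # the encrypted endpoint traffic out of the tunnel, so no conflict.
        return False
    return lookup(client_routes(allowed_ips), endpoint) == "wg0"


if __name__ == "__main__":
    endpoint = "192.168.5.55"
    broken = ["10.254.99.1/32", "192.168.5.55/32"]   # endpoint inside AllowedIPs
    fixed = ["10.254.99.1/32", "172.17.0.1/32"]      # docker0 address instead
    print("broken config conflicts:", endpoint_conflict(broken, endpoint))  # True
    print("fixed config conflicts:", endpoint_conflict(fixed, endpoint))    # False
    print("0.0.0.0/0 conflicts:", endpoint_conflict(["0.0.0.0/0"], endpoint))  # False
```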