Comments (21)

julianpoy avatar julianpoy commented on July 18, 2024 8

FYI if anyone else stumbles across this issue - You can enable external traffic coming in through VPN on a given port by adding this to the PostUp and PreDown section of your wg0.conf:

PostUp = FORWARDEDPORT=1234; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; ...rest of your PostUp config...
PreDown = FORWARDEDPORT=1234; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; ...rest of your PreDown config...

Where 1234 is your port (perhaps given to you by your VPN provider).
Note the "...rest of your PostUp config..." at the end of both of those lines.

from docker-wireguard.

JohnGalt1717 avatar JohnGalt1717 commented on July 18, 2024 3

It's a feature request not a how-to. I've tried what you suggested, and it didn't work if there were multiple docker containers as clients.

I.e:

Wireguard Client
Container A
Container B port 5597 open
Container C

The Wireguard client needs to forward incoming traffic on 5597 to Container B, nothing else.

This would need to also work for:

Wireguard Client
IP Address 1
IP Address 2 port 5597 open
IP Address 3

It should forward by IP address in that case outside of the container.

Presumably this would set up IP tables based on the environment variables passed to go and redirect the ports properly.

from docker-wireguard.

BrodyStone21 avatar BrodyStone21 commented on July 18, 2024 1

@spider1163 and @jjarthur I managed to get this working forever ago. Make sure you're using a VPN that supports port forwarding, then enable it and copy down your port. You're going to want the below lines under the [Interface] section in wg0.conf

PostUp = FORWARDEDPORT=12345; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = FORWARDEDPORT=12345; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

I hope this helps

from docker-wireguard.
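
wg-quick runs each PostUp/PreDown line in its own subshell, so a variable assigned in one hook is unset in the other, and any rule PostUp adds without a matching -D in PreDown stays loaded after the tunnel goes down. The lint below is an added example, not code from the comments above or from the docker-wireguard project; the function names and the sample config are constructed for illustration, and it assumes hooks only read variables they assign themselves.

```python
import re

# Constructed sample in the shape of the hooks posted in this thread (not a real config).
SAMPLE_CONF = """\
[Interface]
PostUp = FORWARDEDPORT=12345; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; ip route add $HOMENET via $DROUTE; iptables -I OUTPUT -d $HOMENET -j ACCEPT
PreDown = FORWARDEDPORT=12345; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; HOMENET=192.168.0.0/16; ip route del $HOMENET via $DROUTE
"""

HOOK_RE = re.compile(r"^[ \t]*(PreUp|PostUp|PreDown|PostDown)[ \t]*=[ \t]*(.*)$", re.I | re.M)
VAR_USE_RE = re.compile(r"\$\{?([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)=")


def split_commands(line):
    """Split a hook on ';' that sits outside quotes and outside $(...)."""
    cmds, buf, quote, depth = [], "", None, 0
    for ch in line:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "()":
            depth = max(0, depth + (1 if ch == "(" else -1))
        elif ch == ";" and depth == 0:
            cmds.append(buf.strip())
            buf = ""
            continue
        buf += ch
    cmds.append(buf.strip())
    return [c for c in cmds if c]


def undefined_vars(commands):
    """Variable names a hook line reads before that same line assigns them."""
    defined, missing = set(), []
    for cmd in commands:
        visible = re.sub(r"'[^']*'", "", cmd)  # single quotes do not expand
        for v in VAR_USE_RE.findall(visible):
            if v not in defined and v not in missing:
                missing.append(v)
        m = ASSIGN_RE.match(cmd)
        if m:
            defined.add(m.group(1))
    return missing


def as_delete(cmd):
    """Rewrite 'iptables -A/-I ...' as the '-D' command that removes the rule."""
    tok = cmd.split()
    for i, t in enumerate(tok):
        if tok[0] == "iptables" and t in ("-A", "-I"):
            if t == "-I" and tok[i + 2:i + 3] and tok[i + 2].isdigit():
                del tok[i + 2]  # '-I CHAIN 3' position must not reach '-D'
            return " ".join(tok[:i] + ["-D"] + tok[i + 1:])


def lint(conf_text):
    """Findings: unset hook variables, and rules with no matching teardown."""
    hooks = [(n, split_commands(body)) for n, body in HOOK_RE.findall(conf_text)]
    findings = [f"{n}: ${v} is used but never set in this hook"
                for n, cmds in hooks for v in undefined_vars(cmds)]
    down = {" ".join(c.split()) for n, cmds in hooks
            if n.lower().endswith("down") for c in cmds}
    for n, cmds in hooks:
        for cmd in cmds if n.lower().endswith("up") else []:
            want = as_delete(cmd)
            if want and want not in down:
                findings.append(f"{n}: no matching teardown for '{cmd}'")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```

Rules are compared as text, so a PostUp rule and its PreDown counterpart must spell their variables and options the same way to be recognised as a pair.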

undaunt avatar undaunt commented on July 18, 2024 1

@undaunt so let's say I have forwarded port 1234, should I go to my wireguard docker container and do -p 1234:1234 and then set QB to listen on that port? Is that it or am I missing something?

I just made a Reddit post here with all of my configs if you wouldn't mind taking a look I would appreciate it!

No, so the only place I'm putting the forwarded ports from the VPN provider is within qBittorrent as the 'Port used for incoming connections.' Everything else is just networking the containers together and the postup/predown wireguard scripts. Keep in mind that the qBittorrent container will be operating only within the Wireguard network if you attach it to wireguard, and within the wireguard network, we're forwarding the port the provider has sent us.

The configs I posted above are moreso about the local wireguard container port 51820 to my host OS for wireguard connectivity, and then I'm forwarding port (example) 8081 as the "WEBUI_PORT" on qBittorrent's container as an environmental variable. I'm then putting that same port as the Traefik loadbalancer port on the Wireguard container so I can see the qBittorrent webui via my local reverse proxy, and also exposing it to the host. I may not need to expose it to the host and only expose 51820, but I haven't bothered to test removing it.

Let me paste my actual configs without variables making it harder to read.

Here is my wg0.conf postup and predown scripts. Obviously I'm not including my private key and my server, etc.

PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

Here is my qB container (1 of 5, I actually am load balancing my traffic based on number of torrents so the containers don't bog down)

  qb:
    image: lscr.io/linuxserver/qbittorrent:14.3.9
    container_name: qb
    restart: unless-stopped
    network_mode: service:wireguard
    security_opt:
      - no-new-privileges:true
    depends_on:
      - wireguard
    volumes:
      - $DOCKERDIR/qb:/config
      - $DLDIR:/downloads
    environment:
      - TZ
      - PUID
      - PGID
      - WEBUI_PORT=8081

Here is wireguard, and I'm removing the lines for the other four containers so it's easier to read.

  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    restart: always
    networks:
      - $TRAEFIK_NETWORK
    security_opt:
      - no-new-privileges:true
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
    ports:
      - 51820:51820
      - 8081:8081
    volumes:
      - $DOCKERDIR/wireguard:/config
      - /lib/modules:/lib/modules
    environment:
      - TZ
      - PUID
      - PGID
    labels:
      ## Disable watchtower automatic updates
      - com.centurylinklabs.watchtower.enable=false
      ## Enable Traefik
      - traefik.enable=true
      ## HTTP Routers
      - traefik.http.routers.qb-rtr.entrypoints=https
      - traefik.http.routers.qb-rtr.rule=Host(`qb.$DOMAINNAME`)
      ## Middlewares
      - traefik.http.routers.qb-rtr.middlewares=chain-no-ratelimit@file
      ## HTTP Services
      - traefik.http.routers.qb-rtr.service=qb-svc
      - traefik.http.services.qb-svc.loadbalancer.server.port=8081

I'm generating a file from Mullvad as well to download my wg0.conf but unlike @BrodyStone21 I'm not specifying a forwarded port within the preup/postdown and my trackers still see me as open and available for seeding.

from docker-wireguard.

aptalca avatar aptalca commented on July 18, 2024

you can use an nginx reverse proxy for that

from docker-wireguard.

JohnGalt1717 avatar JohnGalt1717 commented on July 18, 2024

Care to elaborate? I have a wire guard client connected to a vpn service. They forward a port, which should go to the wire guard client docker container itself. Even if I use nginx, it's not clear how I'd get the wireguard docker container to forward the port to nginx (or anything else) because it's just going to die inside the docker container because it doesn't know where to send the traffic that wasn't initiated internally.

from docker-wireguard.

aptalca avatar aptalca commented on July 18, 2024

This is not a bug, but a question about how to set up something custom.

In a nutshell, you'd have the other container use wireguard client's network stack. Then you can either have the container listen on that port, or have nginx listen on that port and reverse proxy. There are other methods as well, but all are beyond the scope of this. We don't officially provide support for that.

Feel free to drop by our discord to discuss.

from docker-wireguard.

JohnGalt1717 avatar JohnGalt1717 commented on July 18, 2024

@julianpoy Thanks! How does one specify the dns or ip of the docker container or other destination?

from docker-wireguard.

julianpoy avatar julianpoy commented on July 18, 2024

If you're using the service:containername pattern, the other container should be bound to the same network stack and should work without any changes.

If you're using a user-defined network, you'll have to add some rules to forward to the desired container IP.

from docker-wireguard.

undaunt avatar undaunt commented on July 18, 2024

@julianpoy I am attaching my wireguard container to my Traefik reverse proxy network, with a static IP, and am then funneling the linuxserver qbittorrent container through it via network_mode: service:wireguard. With a combination of your PostUp and PreDown above, combined with the suggested LAN access, I believe I have it working.

I can hit qBit at my subdomain, all my subdomains still reflect their Cloudflare IPs via ping, but doing a docker exec -ti qb bash -c 'curl https://am.i.mullvad.net/connected' gives me a proper Mullvad IP whereas any other container that isn't qbit or wireguard is giving my home IP.

Last thing to determine is if the port forwarding works on the torrent client properly as I cannot seem to get netcat working to test Mullvad's port checker tool. To forward the Wireguard traffic through my router/etc., would I need to port forward the wireguard port of 51820 instead of my prior qBit port of 51419? Thanks very much. Relevant compose:

# Wireguard VPN - Client Mode
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    restart: unless-stopped
    networks:
      traefik-proxy:
        ipv4_address: 192.168.50.100
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    security_opt:
      - no-new-privileges
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    volumes:
      - ${DOCKERDIR}/wireguard:/config # Drop your provider conf in as wg0.conf
      - /lib/modules:/lib/modules
    environment:
      - TZ
      - PUID
      - PGID

# qBittorrent - Torrent Downloader - Private Trackers
  qb:
    image: linuxserver/qbittorrent
    container_name: qb
    restart: unless-stopped
    network_mode: service:wireguard
    #networks:
    #  - $TRAEFIK_NETWORK
    security_opt:
      - no-new-privileges
    #ports:
    #  - "51419:51413"
    #  - "51419:51413/udp"
    volumes:
      - ${DOCKERDIR}/qb:/config
      - ${DLDIR}:/downloads
      - ${DLDIR}/watched/general:/watched
      - ${DLDIR}/torrents/general:/torrents
    environment:
      - TZ
      - PUID
      - PGID
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.qb-rtr.entrypoints=https"
      - "traefik.http.routers.qb-rtr.rule=Host(`qb.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.qb-rtr.middlewares=chain-authelia@file"
      ## HTTP Routers
      - "traefik.http.routers.qb-rtr.service=qb-svc"
      - "traefik.http.services.qb-svc.loadbalancer.server.port=8080"

from docker-wireguard.

JohnGalt1717 avatar JohnGalt1717 commented on July 18, 2024

The problem with using service:wireguard is that if the wireguard endpoint goes down, it almost always crashes the other containers that are linked with service:wireguard. Hence why I'd like to create a docker network for them and then have it redirect traffic to the specified container that isn't dependent on the service:wireguard but also have that network have a gateway of the wireguard client docker.

from docker-wireguard.

ZeroPain avatar ZeroPain commented on July 18, 2024

The problem with using service:wireguard is that if the wireguard endpoint goes down, it almost always crashes the other containers that are linked with service:wireguard. Hence why I'd like to create a docker network for them and then have it redirect traffic to the specified container that isn't dependent on the service:wireguard but also have that network have a gateway of the wireguard client docker.

If you find a way please let me know or post

from docker-wireguard.

thespad avatar thespad commented on July 18, 2024

The problem with using service:wireguard is that if the wireguard endpoint goes down, it almost always crashes the other containers that are linked with service:wireguard. Hence why I'd like to create a docker network for them and then have it redirect traffic to the specified container that isn't dependent on the service:wireguard but also have that network have a gateway of the wireguard client docker.

That should never happen as Wireguard doesn't have any concept of an endpoint going down and will continue sending traffic regardless. Child containers would lose internet access but if that's enough to crash them then the applications running in those containers are bad.

from docker-wireguard.

BrodyStone21 avatar BrodyStone21 commented on July 18, 2024

Quick question; I'm also trying to get port forwarding set up. I have added custom IP routing in the config file like mentioned above, do I need to also add -p portnumber:portnumber to my container? Which one? I have a qbittorrent container that's using my wireguard container as its network.

If anyone has any ideas let me know!

from docker-wireguard.

undaunt avatar undaunt commented on July 18, 2024

@BrodyStone21 I've since gotten this working, with forwarding as well as webUI with Traefik. The key is to forward the forwarded port of your VPN provider on the Wireguard container and not the torrent container, and then also ensure the torrent container uses that port for traffic.

Separately, ensure the webui port of the torrent client is set with your reverse proxy of choice, in my case Traefik.

# Wireguard - Performant VPN
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    restart: always
    networks:
      - $TRAEFIK_NETWORK
    security_opt:
      - no-new-privileges:true
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
    ports:
      - 51820:51820
      - $WG_QB_PORT:$WG_QB_PORT
    volumes:
      - $DOCKERDIR/wireguard:/config
      - /lib/modules:/lib/modules
    environment:
      - TZ
      - PUID
      - PGID
    labels:
      ## Disable watchtower automatic updates to keep VPN online
      - com.centurylinklabs.watchtower.enable=false
      ## Enable Traefik
      - traefik.enable=true
      ## HTTP Routers
      - traefik.http.routers.qb-rtr.entrypoints=https
      - traefik.http.routers.qb-rtr.rule=Host(`qb.$DOMAINNAME`)
      ## Middlewares
      - traefik.http.routers.qb-rtr.middlewares=chain-authelia@file
      ## HTTP Services
      - traefik.http.routers.qb-rtr.service=qb-svc
      - traefik.http.services.qb-svc.loadbalancer.server.port=$WG_QB_PORT
# qBittorrent - Torrent Downloader
  qb:
    image: ghcr.io/linuxserver/qbittorrent
    container_name: qb
    restart: unless-stopped
    network_mode: service:wireguard
    security_opt:
      - no-new-privileges:true
    depends_on:
      - wireguard
    volumes:
      - $DOCKERDIR/qb:/config
      - $DLDIR:/downloads
      - $DLDIR/watched:/watched
      - $DLDIR/torrents:/torrents
    environment:
      - TZ
      - PUID
      - PGID
      - WEBUI_PORT=$WG_QB_PORT # Listening port 54819

from docker-wireguard.

BrodyStone21 avatar BrodyStone21 commented on July 18, 2024

@undaunt so let's say I have forwarded port 1234, should I go to my wireguard docker container and do -p 1234:1234 and then set QB to listen on that port? Is that it or am I missing something?

I just made a Reddit post here with all of my configs if you wouldn't mind taking a look I would appreciate it!

from docker-wireguard.

jjarthur avatar jjarthur commented on July 18, 2024

FYI if anyone else stumbles across this issue - You can enable external traffic coming in through VPN on a given port by adding this to the PostUp and PreDown section of your wg0.conf:

PostUp = FORWARDEDPORT=1234; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; ...rest of your PostUp config...
PreDown = FORWARDEDPORT=1234; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; ...rest of your PreDown config...

Where 1234 is your port (perhaps given to you by your VPN provider).
Note the "...rest of your PostUp config..." at the end of both of those lines.

@julianpoy - I've got the above rules in my iptables. When I use something like this to check if the port is open using the IP of the container VPN, it comes back as a closed port. Any ideas?

from docker-wireguard.

spider1163 avatar spider1163 commented on July 18, 2024

@jjarthur Hello, I have the same problem, did you find a solution?

from docker-wireguard.

jjarthur avatar jjarthur commented on July 18, 2024

@jjarthur Hello, I have the same problem, did you find a solution?

No, I never found a solution unfortunately. Let me know if you find one that works for you.

from docker-wireguard.

jotadominguez avatar jotadominguez commented on July 18, 2024

@spider1163 and @jjarthur I managed to get this working forever ago. Make sure you're using a VPN that supports port forwarding, then enable it and copy down your port. You're going to want the below lines under the [Interface] section in wg0.conf

PostUp = FORWARDEDPORT=12345; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = FORWARDEDPORT=12345; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

I hope this helps

@BrodyStone21 I have tested these settings and they don't work.

Please guide me on this:
My network is as follows:

  1. RaspberryPi with Wireguard server (IP: 172.27.66.10)
  2. PC with wireguard client (IP: 172.27.66.11)
  3. RaspberryPi with Docker with containers of wireguard client (IP: 172.27.66.12), plex (Port 32400), and also need port SSH (22) on host

The Pi with wireguard client connects correctly to the Pi with wireguard server, and I can ping devices on the same VPN network. (From the PC I can ping the wireguard client container and vice versa.)

I need to be able to connect through the VPN network to:

  • The Plex container using port 32400 from the PC and,
  • The SSH port on the HOST of the RaspberryPi wireguard client

FYI I'm using portainer to launch stack of individual services.
Thanks in advance for any help you can give me.

WireGuard Stack

---
version: '3.7'

services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    restart: unless-stopped
    networks:
      - backbone
    volumes:
      - 'config:/config'
      - '/lib/modules:/lib/modules:ro'
    environment:
      - PUID=1000
      - PGID=1000
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1

volumes:
  config:

networks:
  backbone:
    driver: bridge

PLEX Stack

---
version: "2.1"
services:
  plex:
#    image: lscr.io/linuxserver/plex:latest
    image: linuxserver/plex:latest
    container_name: plex
    network_mode: host
#    network_mode: container:wireguard
    environment:
      - PUID=1000
      - PGID=1000
      - VERSION=docker
      - PLEX_CLAIM= claim-2NySzVz_t9roGv351B76
    volumes:
      - config:/config
      - /media/HDD/media:/media
    restart: unless-stopped
volumes:
  config:

WireGuard Server config

server:
  addresses:
    - 172.27.66.10
  dns:
    - 192.168.7.100
  host: some-domain.duckdns.org

peers:
  - name: PC
    addresses:
      - 172.27.66.11
    allowed_ips: []
    client_allowed_ips: []
  - name: RaspberryPi
    addresses:
      - 172.27.66.12
    allowed_ips: []
    client_allowed_ips: []

My RaspberryPi WireGuard Client Config:

[Interface]
PrivateKey = WF2zFAZ5zOE.................3h+RztV/k0=
Address = 172.27.66.12
DNS = 192.168.7.100

PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT; DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT


[Peer]
PublicKey = eBD9odlKu...............................rTPWLsvyk=
Endpoint = some-domain.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

from docker-wireguard.

BrodyStone21 avatar BrodyStone21 commented on July 18, 2024

@jotadominguez the problem is that you're trying to forward port 32400. You won't do that here.

First, you need a VPN that supports port forwarding. I use Mullvad, but there are others out there. Mullvad allows randomly generating a forwarded port. For this example, let's say that the port Mullvad assigned is 68734.

You would change FORWARDEDPORT=12345; to FORWARDEDPORT=68734; inside of wg0.conf

Let's say your Plex container is called plex, and your VPN container is called vpn.

Inside of your plex compose file, you will want to bind the plex network mode to your vpn. I use docker run, so this would look like --net=container:vpn.

You're currently using the host network mode, so your VPN and Plex containers are on two different networks.

from docker-wireguard.
