Need help routing Wireguard container traffic through Gluetun container

Submitted ⁨⁨5⁩ ⁨months⁩ ago⁩ by ⁨scapeg0at@midwest.social⁩ to ⁨selfhosted@lemmy.world⁩

What I’m looking to do is to route WAN traffic from my personal wireguard server through a gluetun container. So that I can connect a client my personal wireguard server and have my traffic still go through the gluetun VPN as follows:

client <–> wireguard container <–> gluetun container <–> WAN

I’ve managed to set both the wireguard and gluetun container up in a docker-compose file and made sure they both work independently (I can connect a client the the wireguard container and the gluetun container is successfully connecting to my paid VPN for WAN access). However, I cannot get route traffic from the wireguard container through the gluetun container.

Since I’ve managed to set both up independently I don’t believe that there is an issue with the docker-compose file I used for setup. What I believe to be the issue is either the routing rules in my wireguard container, or the firewall rules on the gluetun container.

I tried following this linuxserver.io guide to get the following wg0.conf template for my wireguard container:

[Interface]
Address = ${INTERFACE}.1
ListenPort = 51820
PrivateKey = $(cat /config/server/privatekey-server)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
# Adds fwmark 51820 to any packet traveling through interface wg0
PostUp = wg set wg0 fwmark 51820
# If a packet is not marked with fwmark 51820 (not coming through the wg connection) it will be routed to the table "51820".
# PostUp = ip -4 rule add not fwmark 51820 table 51820
# Creates a table ("51820") which routes all traffic through the gluetun container
PostUp = ip -4 route add 0.0.0.0/0 via 172.22.0.100
# If the traffic is destined for the subnet 192.168.1.0/24 (internal) send it through the default gateway.
PostUp = ip -4 route add 192.168.1.0/24 via 172.22.0.1
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

Along with the default firewall rules of the gluetun container

Chain INPUT (policy DROP 13 packets, 1062 bytes)
 pkts bytes target     prot opt in     out     source               destination
15170 1115K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
14403   12M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 ACCEPT     0    --  eth0   *       0.0.0.0/0            172.22.0.0/24

Chain FORWARD (policy DROP 4880 packets, 396K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 360 packets, 25560 bytes)
 pkts bytes target     prot opt in     out     source               destination
15170 1115K ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
12716 1320K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      eth0    172.22.0.100         172.22.0.0/24
    1   176 ACCEPT     17   --  *      eth0    0.0.0.0/0            68.235.48.107        udp dpt:1637
 1349 81068 ACCEPT     0    --  *      tun0    0.0.0.0/0            0.0.0.0/0

When I run the wireguard container with this configuration I can successfully connect my client however I cannot connect to any website, or ping any IP.

During my debugging process I ran tcpdump on the docker network both containers are in which showed me that my client is successfully sending packets to the wireguard container, but that no packets were sent from my wireguard container to the gluetun container. The closest I got to this was the following line:

17:27:38.871259 IP 10.13.13.1.domain > 10.13.13.2.41280: 42269 ServFail- 0/0/0 (28)

Which I believe is telling me that the wireguard server is trying, and failing, to send packets back to the client.

I also checked the firewall rules of the gluetun container and got the following results:

Chain INPUT (policy DROP 13 packets, 1062 bytes)
 pkts bytes target     prot opt in     out     source               destination
18732 1376K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
16056   12M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 ACCEPT     0    --  eth0   *       0.0.0.0/0            172.22.0.0/24

Chain FORWARD (policy DROP 5386 packets, 458K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 360 packets, 25560 bytes)
 pkts bytes target     prot opt in     out     source               destination
18732 1376K ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
14929 1527K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      eth0    172.22.0.100         172.22.0.0/24
    1   176 ACCEPT     17   --  *      eth0    0.0.0.0/0            68.235.48.107        udp dpt:1637
 1660 99728 ACCEPT     0    --  *      tun0    0.0.0.0/0            0.0.0.0/0

Which shows that the firewall for the gluetun container is dropping all FORWARD traffic which (as I understand it) is the sort of traffic I’m trying to set up. What is odd is that I don’t see any of those packets in the tcpdump of the docker network.

Has anyone successfully set this up or have any indication on what I should try next? At this point any ideas would be helpful, whether that be more debugging steps or recommendations for routing/firewall rules.

While there have been similar posts on this topic (Here and Here) the responses on both did not really help me.

source

Comments

Sort:hotnew top

CumBroth@discuss.tchncs.de ⁨5⁩ ⁨months⁩ ago
[deleted]
source
- scapeg0at@midwest.social ⁨5⁩ ⁨months⁩ ago
  Thank you for the reply! I’ve been busy the last couple of days so I just got around to looking back at this.
  
  I tested out your advice and setup a wireguard container with the MASQUERADE NAT rule and it worked! However, when I tried it out again with the gluetun container. I’m still running into issues, but there is progress!
  
  With my setup before when I connect my client to the wireguard network I would get a “no network” error. Now when I try access the internet the connection times out. Still not ideal, but at least it’s a different error than before!
  
  With the MASQUERADE NAT rule in place, running tcpdump on the docker network shows that at least the two containers are talking to each other:
  
  17:04:29.927415 IP 172.22.0.2 > 172.22.0.100: ICMP echo request, id 4, seq 9823, length 64 17:04:29.927466 IP 172.22.0.100 > 172.22.0.2: ICMP echo reply, id 4, seq 9823, length 64
  
  but I still cannot get any internet access through the wireguard tunnel.
  
  When exploring around the gluetun config I confirmed that the MASQUERADE rule was actually set:
  
  Chain PREROUTING (policy ACCEPT 2933 packets, 316K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 839 packets, 86643 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 12235 packets, 741K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 11408 packets, 687K bytes) pkts bytes target prot opt in out source destination 2921 284K MASQUERADE 0 -- * eth+ 0.0.0.0/0 0.0.0.0/0
  
  I think that the issue may be the default firewall rules of the gluetun block all traffic besides the VPN traffic via the main iptable:
  
  Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2236 164K ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 11914 12M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 87 15792 ACCEPT 0 -- eth0 * 0.0.0.0/0 172.22.0.0/24 Chain FORWARD (policy DROP 381 packets, 22780 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 76 packets, 5396 bytes) pkts bytes target prot opt in out source destination 2236 164K ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0 8152 872K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT 0 -- * eth0 172.22.0.100 172.22.0.0/24 1 176 ACCEPT 17 -- * eth0 0.0.0.0/0 213.152.187.229 udp dpt:1637 212 12843 ACCEPT 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
  
  I tried adding simple iptables rules such as iptables -A FORWARD -i tun+ -j ACCEPT (and the same with eth+ as the interface) but with no luck.
  
  If you think you can help I’ll be down to try out other solutions, or if you need more information I can post it when I have time. If you don’t think this will be an easy fix I can revert back to the wireguard-wireguard container setup since that worked. I tried to get this setup working so I could leverage the gluetun kill-switch/restart.
  
  source
  - CumBroth@discuss.tchncs.de ⁨5⁩ ⁨months⁩ ago
    I think you already have a kill-switch (of sorts) in place with the two Wireguard container setup, since you lose client connectivity (except to the local network, since there’s a separate route for that) if any of the following happens:
    
    “Client” container is spun down
    
    The Wireguard interface inside the “client” container is spun down (you can try this out by execing “wg-quick down wg0” inside the container)
    
    or even if the interface is up but the VPN connection is down (try changing the endpoint IP to a random one instead of the correct one provided by your VPN service provider)
    
    I can’t be 100% sure, because I’m not a networking expert, but this seems like enough of a “kill-switch” to me. I’m not sure what you mean by leveraging the restart. One of the things that I found annoying about the Gluetun approach is that I would have to restart every container that depends on its network stack if Gluetun itself gets restarted/updated.
    
    But anyway, I went ahead and messed around on a VPS with the Wireguard+Gluetun approach and I got it working. I am using the latest version of The Linuxserver.io Wireguard container and Gluetun at the time of writing. There are two things missing in the Gluetun firewall configuration you posted:
    
    A MASQUERADE rule on the tunnel, meaning the tun0 interface.
    
    Gluetun is configured to drop all FORWARD packets (filter table) by default. You’ll have to change that chain rule to ACCEPT. Again, I’m not a network expert, so I’m not sure whether or not this compromises the kill-switch in any way, at least in any relevant way to the desired setup.
    
    First, here’s the docker compose setup I used:
    
    networks: wghomenet: name: wghomenet ipam: config: - subnet: 172.22.0.0/24 gateway: 172.22.0.1 services: gluetun: image: qmcgaw/gluetun container_name: gluetun cap_add: - NET_ADMIN devices: - /dev/net/tun:/dev/net/tun ports: - 8888:8888/tcp # HTTP proxy - 8388:8388/tcp # Shadowsocks - 8388:8388/udp # Shadowsocks volumes: - ./config:/gluetun environment: - VPN_SERVICE_PROVIDER=<your stuff here> - VPN_TYPE=wireguard # - WIREGUARD_PRIVATE_KEY=<your stuff here> # - WIREGUARD_PRESHARED_KEY=<your stuff here> # - WIREGUARD_ADDRESSES=<your stuff here> # - SERVER_COUNTRIES=<your stuff here> # Timezone for accurate log times - TZ= <your stuff here> # Server list updater # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list - UPDATER_PERIOD=24h sysctls: - net.ipv4.conf.all.src_valid_mark=1 networks: wghomenet: ipv4_address: 172.22.0.101 wireguard-server: image: lscr.io/linuxserver/wireguard container_name: wireguard-server cap_add: - NET_ADMIN environment: - PUID=1000 - PGID=1001 - TZ=<your stuff here> - INTERNAL_SUBNET=10.13.13.0 - PEERS=chromebook volumes: - ./config/wg-server:/config - /lib/modules:/lib/modules #optional restart: always ports: - 51820:51820/udp networks: wghomenet: ipv4_address: 172.22.0.5 sysctls: - net.ipv4.conf.all.src_valid_mark=1
    
    You already have your “server” container properly configured. Now for Gluetun: I exec into the container docker exec -it gluetun sh. Then I set the MASQUERADE rule on the tunnel: iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE. And finally, I change the FORWARD chain policy in the filter table to ACCEPT iptables -t filter -P FORWARD ACCEPT.
    
    Note on the last command: In my case I did iptables-legacy because all the rules were defined there already (iptables gives you a warning if that’s the case), but your container’s version may vary. I saw different behavior/setup on the testing container I spun up on the VPS compared to the one I have running on my homelab.
    
    Good luck, and let me know if you run into any issues!
    
    source
    -> View More Comments

Decronym@lemmy.decronym.xyz ⁨5⁩ ⁨months⁩ ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
IP	Internet Protocol
NAT	Network Address Translation
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

[Thread #885 for this sub, first seen 24th Jul 2024, 20:25] [FAQ] [Full list] [Contact] [Source code]

source

NegativeLookBehind@lemmy.world ⁨5⁩ ⁨months⁩ ago
This might be a dumb question, but are the interface names correct in your configurations?

source