
docker-wireguard with IPv6

Open christianbur opened this issue 6 years ago • 3 comments

I am using a vserver (Hetzner) with IPv6 (/64 network). To use native IPv6 with WireGuard (in the Docker container) I had to do the following.

docker-compose.yml

version: '2.1'
services:
  wireguard:
    image: cb/wireguard
    build:
      context: ./Dockerfiles/
      args:
        - "ubuntu_codename=bionic"
    container_name: 'wireguard'
    restart: 'unless-stopped'
    sysctls:
      - "net.ipv4.ip_forward=1"
      - "net.ipv6.conf.all.disable_ipv6=0"
      - "net.ipv6.conf.all.forwarding=1"
      - "net.ipv6.conf.default.forwarding=1"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - /lib/modules/:/lib/modules/:rw
      - ./conf/:/etc/wireguard/:rw
    environment:
      - "TZ=${TZ}"
    ports:
      - "52333:52333/udp"
    networks:
      network-wireguard:
        ipv6_address: fdcb:37eb:3cf0:73c3::100

networks:
  network-wireguard:
    enable_ipv6: true
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: fdcb:37eb:3cf0:73c3::/64

To use the current time zone in the container, I added the package "tzdata" in the Dockerfile.

wg0.conf

[Interface]
Address = 100.64.100.1/24, 2a03:4444:88:4077::100:1/112
#SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT

ListenPort = 52333
PrivateKey = xxx

[Peer]
# client 1
PublicKey = xxxx
PresharedKey = xxx
AllowedIPs = 100.64.100.101/32, 2a03:4444:88:4077::100:101/128

[Peer]
# client 2
PublicKey = xxxx
PresharedKey = xxxx
AllowedIPs = 100.64.100.102/32, 2a03:4444:88:4077::100:102/128

On the vserver (host) the following script must be executed at each start to route the IPv6 network to the Unique Local Unicast address of the Docker container. Unfortunately I haven't found a way to execute the script automatically when starting the container yet.

# External (public) interface of the host and the global /64 prefix assigned to it
export INTERFACE_EXTERN=eth0
export GLOBAL_IPV6_PREFIX=$(ip addr show dev ${INTERFACE_EXTERN} | sed -e 's/^.*inet6 \([^ ]*\)::.* global .*$/\1/;t;d')
# Route the /112 used by WireGuard to the container's ULA address on the Docker bridge
ip -6 route add ${GLOBAL_IPV6_PREFIX}::100:0/112 via $(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' wireguard)

# Answer neighbour solicitations for the server and client addresses on the external interface
/sbin/ip -6 neigh add proxy ${GLOBAL_IPV6_PREFIX}::100:1 dev ${INTERFACE_EXTERN}
/sbin/ip -6 neigh add proxy ${GLOBAL_IPV6_PREFIX}::100:101 dev ${INTERFACE_EXTERN}
/sbin/ip -6 neigh add proxy ${GLOBAL_IPV6_PREFIX}::100:102 dev ${INTERFACE_EXTERN}
# Enable IPv6 forwarding and proxy NDP on the host
sysctl -w net.ipv6.conf.default.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.proxy_ndp=1

INFO: ${GLOBAL_IPV6_PREFIX} = 2a03:4444:88:4077

With OpenVPN I did the same thing: https://github.com/kylemanna/docker-openvpn/issues/366

Test: http://ipv6-test.com/

christianbur avatar Feb 20 '19 20:02 christianbur

First of all, thanks a million, it solved my problem. Here is how I do it automatically:

In my docker-compose.yml:

version: '2.4'

networks:
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 10.20.1.0/24
        - subnet: fd00:1::/64

services:
  wg:
    build: github.com/celogeek/wireguard-docker
    volumes:
      - ./conf/wireguard:/etc/wireguard
      - /lib/modules:/lib/modules
    networks:
      wg:
        ipv6_address: fd00:1::100
    sysctls:
      - "net.ipv4.ip_forward=1"
      - "net.ipv6.conf.all.disable_ipv6=0"
      - "net.ipv6.conf.all.forwarding=1"
      - "net.ipv6.conf.default.forwarding=1"
    ports:
      - "5555:5555/udp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    logging:
      options:
        max-size: "2m"
        max-file: "5"
    depends_on:
      - wg-compagnion

  wg-compagnion:
    image: alpine:edge
    command: ["ip", "-6", "route", "add", "YOUR_IPV6_RANGE::/112", "via", "fd00:1::100"]
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYS_MODULE

In my sysctl.conf:

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1

I have installed the "ndppd" daemon to automatically create the neighbour proxy for me on incoming/outgoing connections.

In my /etc/ndppd.conf:

route-ttl 30000
proxy enp4s0 {
    router yes
    timeout 500
    ttl 30000
    rule YOUR_IPV6_RANGE/112 {
        static
    }
}

So to summarize: I have a daemon that handles the NDP proxy, I have a static IP to ease the companion config, and I have a companion that creates the route before wg starts.

celogeek avatar May 30 '19 17:05 celogeek
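Both setups above hand a /112 out of the host's global /64 to the container and answer neighbour solicitations for it on the external interface, either with one `ip -6 neigh add proxy` entry per address (first post) or with an ndppd rule covering the whole /112 (second post). The script below is an added example, not code from either post or from the project. It assumes the addresses from the first post (global prefix 2a03:4444:88:4077::/64, routed prefix 2a03:4444:88:4077::100:0/112, container ULA address fdcb:37eb:3cf0:73c3::100, external interface eth0) and a constructed wg0.conf with the keys redacted. It checks that the [Interface] address and each peer's IPv6 AllowedIPs sit inside the routed /112, that the /112 sits inside the global /64, and that no two peers' AllowedIPs overlap, then emits the host-side route and proxy-NDP commands, flagging any peer prefix that a per-address proxy entry cannot cover.

```python
"""Consistency check for WireGuard-in-Docker with a routed IPv6 prefix.

Added example, not code from either post. It parses a wg0.conf, checks
that the interface address and every peer's IPv6 AllowedIPs lie inside
the /112 routed to the container and that the /112 lies inside the host's
global /64, then emits the host-side commands the first post runs by hand.
"""
import ipaddress
from itertools import combinations

# Constructed sample wg0.conf modelled on the first post (keys redacted).
SAMPLE_WG_CONF = """\
[Interface]
Address = 100.64.100.1/24, 2a03:4444:88:4077::100:1/112
ListenPort = 52333
PrivateKey = REDACTED

[Peer]
# client 1
PublicKey = REDACTED
AllowedIPs = 100.64.100.101/32, 2a03:4444:88:4077::100:101/128

[Peer]
# client 2
PublicKey = REDACTED
AllowedIPs = 100.64.100.102/32, 2a03:4444:88:4077::100:102/128
"""

# Assumed values taken from the first post's compose file and wg0.conf.
GLOBAL_PREFIX = "2a03:4444:88:4077::/64"        # the host's /64 from the provider
ROUTED_PREFIX = "2a03:4444:88:4077::100:0/112"  # the slice handed to WireGuard
ULA_NEXT_HOP = "fdcb:37eb:3cf0:73c3::100"       # container address on the Docker bridge
EXTERNAL_IF = "eth0"


def parse_wg_conf(text):
    """Return ([Interface] addresses, [Peer] AllowedIPs) as ip_interface lists.

    Only Address and AllowedIPs are read; comments and other keys are ignored.
    """
    interface, peers = [], []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if (section, key) not in (("interface", "address"), ("peer", "allowedips")):
            continue
        addrs = [ipaddress.ip_interface(a.strip()) for a in value.split(",") if a.strip()]
        (interface if section == "interface" else peers).extend(addrs)
    return interface, peers


def check_prefixes(conf_text, global_prefix, routed_prefix):
    """Return a list of problems; an empty list means the addressing is consistent."""
    global_net = ipaddress.ip_network(global_prefix)
    routed_net = ipaddress.ip_network(routed_prefix)
    interface, peers = parse_wg_conf(conf_text)
    v6_if = [a for a in interface if a.version == 6]
    v6_peers = [a for a in peers if a.version == 6]
    problems = []
    if not routed_net.subnet_of(global_net):
        problems.append(f"{routed_net} is not inside the host prefix {global_net}")
    if not v6_if:
        problems.append("[Interface] has no IPv6 Address")
    for a in v6_if:
        if a.ip not in routed_net:
            problems.append(f"interface address {a.ip} is outside {routed_net}")
    for a in v6_peers:
        if not a.network.subnet_of(routed_net):
            problems.append(f"AllowedIPs {a} is outside {routed_net}")
    for a, b in combinations(v6_peers, 2):
        if a.network.overlaps(b.network):
            problems.append(f"AllowedIPs {a} and {b} overlap")
    return problems


def host_commands(conf_text, routed_prefix, ula_next_hop, ext_if):
    """Emit the host-side commands: forwarding sysctls, the route to the container's
    ULA address, and one proxy-NDP entry per WireGuard address. A peer prefix wider
    than /128 is flagged instead, since per-address entries cannot cover it."""
    routed_net = ipaddress.ip_network(routed_prefix)
    interface, peers = parse_wg_conf(conf_text)
    cmds = [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        "sysctl -w net.ipv6.conf.all.proxy_ndp=1",
        # 'replace' rather than 'add' so a rerun at boot does not fail with 'File exists'
        f"ip -6 route replace {routed_net} via {ula_next_hop}",
    ]
    for a in (x for x in interface if x.version == 6):
        cmds.append(f"ip -6 neigh replace proxy {a.ip} dev {ext_if}")
    for a in (x for x in peers if x.version == 6):
        if a.network.prefixlen == 128:
            cmds.append(f"ip -6 neigh replace proxy {a.ip} dev {ext_if}")
        else:
            cmds.append(f"# {a.network} is wider than /128: cover it with an ndppd rule")
    return cmds


if __name__ == "__main__":
    for p in check_prefixes(SAMPLE_WG_CONF, GLOBAL_PREFIX, ROUTED_PREFIX) or ["addressing OK"]:
        print(p)
    print("\n".join(host_commands(SAMPLE_WG_CONF, ROUTED_PREFIX, ULA_NEXT_HOP, EXTERNAL_IF)))
```

Run it before starting the container: a non-empty problem list means traffic for that address will be routed to the container but WireGuard has no peer for it, or the prefix is not one the host can legitimately proxy. `ip -6 route replace` and `ip -6 neigh replace proxy` are used instead of `add` so the same commands can run at every boot without failing on entries that already exist. One point the check does not cover: the PostUp rules in the first post only accept forwarded traffic arriving on wg0, so whether hosts on the internet can reach the clients' routed addresses is decided by the ip6tables FORWARD default policy inside the container, which in a fresh network namespace is ACCEPT. Inspect it with `ip6tables -S FORWARD` in the container and add a rule for the eth0 to wg0 direction if the clients are not meant to be reachable inbound.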

@celogeek

Hi, I've tried every combination of what you've got here on my system and so far have been unable to get this working. The issue is that no containers on the wg network appear to be able to make outbound IPv6 connections.

Sorry for using this github issue for support, but I've really been attempting to get this going for a couple of days now and it's driving me mad.

cooperaj avatar Dec 04 '19 11:12 cooperaj

Your server needs to have an IPv6 address and be able to add more for this to work. I have a host at OVH; they give a /64 block, so I can use a part of it for my wg connection.

The WG server and client configs also need to have an IPv6 configuration.

Your server (host) needs to be able to connect over IPv6.

vincent-ogury avatar Dec 05 '19 07:12 vincent-ogury