Document the `dwgd.route` option in the readme
Hi! After coming up with my own hacky solution to use the wireguard interface as the default route inside the containers, I looked into properly adding it to your plugin. That's when I noticed the dwgd.route option in your code.
Do I understand correctly that adding the following line to my docker-compose.yml will route all traffic that is not local to the default docker network through my wireguard peer?
```yaml
networks:
  wgnet:
    driver: dwgd
    driver_opts:
      dwgd.route: 0.0.0.0/0
      [...other options documented in the readme]
```
If you confirm this is correct, I will submit a pull request to document this in the README.
Hello,
you are correct and can send a pull request.
Just to be super-pedantic, the route can be anything: if you set that value to 192.168.0.1/24 it would route every packet destined to that subnet over the wireguard interface.
Unfortunately as of today it is not possible to add more than one route; but it should be easy enough to implement this feature if needed.
Thanks a lot for filing this!
Shouldn't the driver take into account the gateway specified in the command line, and then we wouldn't need to set up '0.0.0.0/0' as a route? I don't see any reference in code to the gateway parameter being consumed by the driver. @leomos can you shed some light on this?
I tried it after the author replied to me. It did not work as I originally envisioned it, so I gave up and went back to my hacky way of doing this:
```bash
#!/bin/bash
NETWORK=your_dwgd_network_name
HOSTIP=10.0.0.1

# Replace the default route inside one container's network namespace with a
# device route over wg0, keeping a host route back to the docker host via eth0.
function route_dev_wg {
    PID=$(docker inspect --format '{{.State.Pid}}' "$1")
    echo "$1"
    # Skip containers that do not exist or are not running (no usable PID).
    if [ -z "$PID" ] || [ "$PID" = "0" ]; then
        return
    fi
    echo "$1:$PID"
    nsenter -n -t "$PID" ip route del default
    nsenter -n -t "$PID" ip route add default dev wg0
    nsenter -n -t "$PID" ip route add "$HOSTIP" dev eth0
}
export -f route_dev_wg

# Fix up the containers already attached to the network (head drops the
# trailing empty line produced by the template) ...
docker network inspect --format '{{ range .Containers }}{{ .Name }}
{{end}}' "$NETWORK" | head -n -1 | while read -r container; do
    route_dev_wg "$container"
done

# ... then keep watching for containers that connect to it later. The
# three-argument match() with a capture array is a gawk extension.
docker events --filter network="$NETWORK" | awk 'match($0, /network connect [0-9a-f]+ \(container=([0-9a-f]+),/, cap) { print cap[1]; fflush() }' | while read -r container; do
    route_dev_wg "$container"
done
```
Thank you for sharing your script!
The problem with the current implementation is that the routes are added as static routes, but docker doesn't understand it is dealing with a default route. Because of that, if you add another network to a container - for example a bridge, docker will see that the dwgd network doesn't provide a default route and will create a default route via the other network. You'll get an annoying message saying the container wasn't able to be created because 0.0.0.0/0 already exists. Currently dwgd doesn't use the gateway parameter, even though it is specified in the documentation as the way to create the network.
I will try to return a gw/gw6 member in the structure at line 268 from the link @leomos gave above, which I think should fix both problems - I need to confirm.
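The distinction described above, as an added example that is not dwgd's code: a remote network driver's Join response can either hand the daemon a `Gateway`/`GatewayIPv6` (which the daemon records as this network's default route) or list destinations under `StaticRoutes`, and only the former lets the daemon notice that a second network should not install its own default route. The struct and JSON field names below follow the Docker remote network driver protocol; the decision logic, the `wg` interface prefix, the endpoint name and the use of a CONNECTED (device) route for non-default destinations are assumptions of this example, not how dwgd is implemented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Route types as used by the Docker remote network driver protocol
// (libnetwork types.NEXTHOP = 0, types.CONNECTED = 1).
const (
	RouteTypeNextHop   = 0
	RouteTypeConnected = 1
)

// JoinResponse mirrors the JSON body a remote network driver returns for
// /NetworkDriver.Join; field names follow the protocol documentation.
type JoinResponse struct {
	InterfaceName         InterfaceName  `json:"InterfaceName"`
	Gateway               string         `json:"Gateway,omitempty"`
	GatewayIPv6           string         `json:"GatewayIPv6,omitempty"`
	StaticRoutes          []*StaticRoute `json:"StaticRoutes,omitempty"`
	DisableGatewayService bool           `json:"DisableGatewayService,omitempty"`
}

type InterfaceName struct {
	SrcName   string `json:"SrcName"`
	DstPrefix string `json:"DstPrefix"`
}

type StaticRoute struct {
	Destination string `json:"Destination"`
	RouteType   int    `json:"RouteType"`
	NextHop     string `json:"NextHop,omitempty"`
}

// isDefaultRoute reports whether a CIDR covers every address of its family.
func isDefaultRoute(ipnet *net.IPNet) bool {
	ones, _ := ipnet.Mask.Size()
	return ones == 0
}

// BuildJoinResponse combines the network's IPAM gateways (as passed to
// CreateNetwork) with the dwgd.route option. A default route is expressed
// through Gateway/GatewayIPv6, so the daemon knows this network provides
// the default route; any other destination becomes a static device route
// over the WireGuard interface. (Assumed policy for this example only.)
func BuildJoinResponse(srcName, gateway4, gateway6, routeOpt string) (*JoinResponse, error) {
	resp := &JoinResponse{InterfaceName: InterfaceName{SrcName: srcName, DstPrefix: "wg"}}
	if routeOpt == "" {
		return resp, nil
	}
	_, ipnet, err := net.ParseCIDR(routeOpt)
	if err != nil {
		return nil, fmt.Errorf("dwgd.route %q: %w", routeOpt, err)
	}
	v4 := ipnet.IP.To4() != nil
	if isDefaultRoute(ipnet) {
		switch {
		case v4 && gateway4 != "":
			resp.Gateway = gateway4
		case !v4 && gateway6 != "":
			resp.GatewayIPv6 = gateway6
		default:
			return nil, fmt.Errorf("dwgd.route %q is a default route but the network has no gateway for that address family", routeOpt)
		}
		return resp, nil
	}
	resp.StaticRoutes = append(resp.StaticRoutes, &StaticRoute{
		Destination: ipnet.String(),
		RouteType:   RouteTypeConnected,
	})
	return resp, nil
}

// DeclaresDefaultRoute reports whether the response announces a default
// route in the form the daemon understands (a gateway) rather than as a
// 0.0.0.0/0 static route that a second network's gateway will collide with.
func DeclaresDefaultRoute(r *JoinResponse) bool {
	return r.Gateway != "" || r.GatewayIPv6 != ""
}

func main() {
	// Constructed inputs: an IPv4-only network whose IPAM gateway is 10.0.0.1.
	for _, opt := range []string{"0.0.0.0/0", "192.168.0.1/24", "::/0"} {
		resp, err := BuildJoinResponse("wg-ep1", "10.0.0.1", "", opt)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		b, _ := json.Marshal(resp)
		fmt.Printf("%-16s default=%v %s\n", opt, DeclaresDefaultRoute(resp), b)
	}
}
```

Run it and compare the two marshalled responses: the 0.0.0.0/0 case carries `"Gateway":"10.0.0.1"` and no static routes, while 192.168.0.1/24 is normalised to 192.168.0.0/24 and emitted as a CONNECTED static route; a `::/0` request on a network without an IPv6 gateway is rejected instead of silently producing a route the daemon cannot account for.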
PR #5 solves the issue I'm mentioning above.
Thanks @pcouy and @vladwing for the discussion.
@pcouy if you could try @vladwing's code from PR and tell us if it solves your problem that would be great.
@vladwing the DisableGatewayService: true was probably the wrong solution, thanks for sending the PR. I will continue discussion on the PR itself.
I don't really have the time right now, but I'll make sure to try the PR next time I'm working on my home server