
using wireguard with external IP addresses.

Open noumenon272 opened this issue 3 years ago • 4 comments

Nice! I've updated the image so it should be up on Docker Hub shortly. Otherwise check out the most recent pf_forward.sh if you want to manually update it yourself.

I copied this to a new issue as the other one is closed:

I am having trouble getting this set up. I can’t get my transmission container to route. I’ve included the pertinent docker compose configs. Any idea where I’m going wrong?

version: "3.7"
services:
  wireguard-pia:
    container_name: wireguard-pia
    image: thrnz/docker-wireguard-pia
    networks:
      vlan60:
        ipv4_address: 192.168.60.45
    volumes:
      - pia:/pia
      - pia-shared:/pia-shared
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - LOCAL_NETWORK=192.168.0.0/16
      - LOC=server
      - USER=user
      - PASS=pass
      - KEEPALIVE=25
      - VPNDNS=1.1.1.1,1.0.0.1,8.8.8.8
      - PORT_FORWARDING=1
      - PORT_PERSIST=1
      - PORT_SCRIPT=${USERDIR}/docker/transmission/port_script.sh
      - FIREWALL=0
      - WG_USERSPACE=0
      - FWD_IFACE=eth0
      - PF_DEST_IP=192.168.80.42
    sysctls:
      # wg-quick fails to set this without --privileged, so set it here i>
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
      # May as well disable ipv6. Should be blocked anyway.
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    # The container has no recovery logic. Use a healthcheck to catch disco>
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 30s
      timeout: 10s
      retries: 3

  transmission:
    image: ghcr.io/linuxserver/transmission
    container_name: transmission
    networks:
      vlan80:
        ipv4_address: 192.168.80.42
    depends_on:
      - wireguard-pia

networks:
  vlan60:
    driver: macvlan
    driver_opts:
      parent: bond0.60
      enable_ipv6: "true"
    ipam:
      config:
        - subnet: 192.168.60.0/24
  vlan80:
    driver: macvlan
    driver_opts:
      parent: bond0.80
      enable_ipv6: "false"
    ipam:
      config:
        - subnet: 192.168.80.0/25
          gateway: 192.168.60.45

Originally posted by @noumenon272 in https://github.com/thrnz/docker-wireguard-pia/issues/20#issuecomment-932737910

noumenon272, Oct 02 '21 12:10

I've not had much experience using macvlan networks with Docker I'm afraid, so nothing immediately jumps out as being wrong. I'll have a poke around if I get the time and try to see if I can get such a setup to work.

thrnz, Oct 08 '21 08:10

It seems like network_mode: service:xyz does not work when the other container (in this example transmission) publishes ports:

conflicting options: port publishing and the container type network mode

So it seems the network routing is the only real choice.

Any updates here?

tcurdt, Apr 29 '23 11:04

Alright. I got this to work. Seems like network_mode: service:xyz is the way to go - but you have to open the ports on the vpn container instead. Saying this is weird is an understatement - but it works.

I'd be still curious if using a dedicated network is an option - somehow.

tcurdt, Apr 29 '23 15:04
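The arrangement described in the comment above, written out as an added example (this is not the project's own compose file and not a file from the thread): transmission joins the VPN container's network namespace with network_mode: service:wireguard-pia, so any ports it needs are published on wireguard-pia instead. The host port numbers (9091 for the web UI, 51413 for peers) and the behaviour of the FIREWALL option when left unset are assumptions, not taken from this page.

```yaml
version: "3.7"
services:
  wireguard-pia:
    container_name: wireguard-pia
    image: thrnz/docker-wireguard-pia
    cap_add:
      - NET_ADMIN
    # Published here, on the VPN container, because transmission shares this
    # network namespace. Compose refuses "ports:" on a service that uses
    # network_mode: service:<name> ("conflicting options: port publishing and
    # the container type network mode"). Port numbers are assumed.
    ports:
      - "9091:9091"
      - "51413:51413"
    environment:
      - LOCAL_NETWORK=192.168.0.0/16
      - LOC=server
      - USER=user
      - PASS=pass
      - PORT_FORWARDING=1
      - PORT_PERSIST=1
      # FIREWALL is deliberately not set to 0 here; the assumption is that the
      # image's default then blocks traffic that does not go through the tunnel,
      # so transmission cannot leak to the WAN if the tunnel drops.
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 30s
      timeout: 10s
      retries: 3

  transmission:
    image: ghcr.io/linuxserver/transmission
    container_name: transmission
    # No "networks:" or "ports:" here: this container has no interface of its
    # own and reaches the internet only through wireguard-pia's wg tunnel.
    network_mode: service:wireguard-pia
    depends_on:
      - wireguard-pia
```

A quick check from inside transmission (for example curl to an IP-echo service) should return the PIA exit address, never the host's; if wireguard-pia is recreated, transmission must be restarted too, since its namespace reference goes stale.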

This is the solution that I came up with also. It works pretty well. I frequently have to restart both my wireguard and transmission containers however.

noumenon272, Apr 29 '23 17:04