docker-wireguard-pia

Documentation - Using network_mode: service

Open adamburley opened this issue 2 years ago • 4 comments

Updated readme.md and docker-compose.yaml to clarify how network_mode: service works and that LOCAL_NETWORK is required to access web management portals on connected containers.

adamburley avatar May 24 '22 13:05 adamburley

Thanks for this. Port forwarding and adding access to the LAN isn't strictly needed to access services running on the vpn container's network stack. It might be preferable to use a reverse proxy connected via a Docker bridge network so the vpn doesn't have direct access to the LAN.

Adding a note about port forwarding with that caveat though might be worthwhile. Especially as it needs to be set on the vpn container rather than the service's own container in order for it to function, which isn't exactly intuitive.

How does this look?

thrnz avatar Jun 20 '22 02:06 thrnz

That works. I would move to using an actual docker image for the container since it makes it easier for people to get a successful test with the example code. I tend to be over-verbose with this kind of setup since so many people trying to use the container are relatively new to containers and often to tunneling and proxying.

Would you object to splitting the examples out to separate docker-compose files? That way you have an example of each "right" way to configure service access.

adamburley avatar Jun 24 '22 01:06 adamburley

Hello, I am trying to add another service and keep getting this error: "Error response from daemon: conflicting options: port publishing and the container type network mode"

I’ve changed things around a few times and no matter what there is always an error about network mode.

rastacalavera avatar Aug 29 '22 12:08 rastacalavera

That error can happen when ports are set on the other container rather than the vpn's container. It's a bit counterintuitive, but the other container essentially inherits the vpn container's network stack, so stuff like ports have to be set on the vpn container instead. For example, to run a socks proxy that's accessible to the lan on port 1080:

```yaml
version: '3'
services:
    vpn:
        image: thrnz/docker-wireguard-pia
        volumes:
            - pia-dat:/pia
        # Published here because socks-proxy shares this container's network stack
        ports:
            - 1080:1080
        cap_add:
            - NET_ADMIN
        environment:
            - LOCAL_NETWORK=192.168.1.0/24
            - LOC=swiss
            - USERNAME=xxxx
            - PASSWORD=xxxx
        sysctls:
            - net.ipv4.conf.all.src_valid_mark=1

    socks-proxy:
        image: serjs/go-socks5-proxy
        # No ports entry here: this service joins the vpn service's network stack
        network_mode: "service:vpn"

volumes:
    pia-dat:
```

Regarding the PR, I'm going to add some working examples to the wiki showing some common setups to help people get started. It might be more useful and accessible that way rather than trying to stuff everything into a single example docker-compose file.

thrnz avatar Aug 30 '22 01:08 thrnz
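
A check for the misconfiguration discussed in this thread, added here as an example and not code from the project or from any commenter: it finds services that set `ports` while using `network_mode: service:<name>` and moves those ports to the service that owns the network stack. The function names and the sample dict are made up for illustration, and the input is assumed to be a compose file already parsed into a dict.

```python
import copy
import json

# Constructed input: a compose file already parsed into a dict, with the
# port published on the dependent service (the layout that triggers the error).
SAMPLE = json.loads("""
{"services": {
  "vpn": {"image": "thrnz/docker-wireguard-pia", "cap_add": ["NET_ADMIN"]},
  "socks-proxy": {"image": "serjs/go-socks5-proxy",
                  "network_mode": "service:vpn",
                  "ports": ["1080:1080"]}
}}
""")


def misplaced_ports(compose):
    """List services that publish ports while sharing another service's network stack."""
    services = compose.get("services", {})
    findings = []
    for name, svc in services.items():
        mode = str(svc.get("network_mode", ""))
        if mode.startswith("service:") and svc.get("ports"):
            owner = mode.split(":", 1)[1]
            findings.append({"service": name, "move_to": owner,
                             "owner_defined": owner in services,
                             "ports": list(svc["ports"])})
    return findings


def move_ports(compose):
    """Return a copy with each misplaced ports list moved to the stack owner."""
    fixed = copy.deepcopy(compose)
    for f in misplaced_ports(compose):
        if not f["owner_defined"]:
            continue  # dangling reference: no service to move the ports to
        owner = fixed["services"][f["move_to"]]
        ports = owner.setdefault("ports", [])
        ports.extend(p for p in f["ports"] if p not in ports)
        del fixed["services"][f["service"]]["ports"]
    return fixed


if __name__ == "__main__":
    for f in misplaced_ports(SAMPLE):
        print(f"{f['service']}: move ports {f['ports']} to {f['move_to']}")
    print(json.dumps(move_ports(SAMPLE), indent=2))
```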