Handshake not working in bridge mode (but in host mode)


I’m using the latest Raspbian Lite with the latest Docker.
Docker version 20.10.8, build 3967b7d

I use dynv6 (IPv6 only), because I have no public IPv4 address.

Setting up linuxserver/wireguard in network host mode with iptables -P FORWARD ACCEPT on the host works fine, so wg0 and the peers seem to be set up correctly.

Using the container in bridge mode breaks the handshaking process (with or without iptables -P FORWARD ACCEPT).

I have tried to understand the network setup and routes and can't find any error.

I can also post the host output of the following commands, if necessary:

sudo iptables -L -v -n
sudo netstat -tunlp
ps -feww | grep <PID>
sudo docker network inspect bridge


docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Berlin \
  -e SERVERURL=**** \
  -e PEERS=**** \
  -p 51820:51820/udp \
  -v /var/lib/docker/volumes/wireguard_config/_data:/config \
  -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing... 
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
User uid:    1000
User gid:    1000

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing... 
Uname info: Linux 01cbddcd73ca 5.10.52-v7+ #1441 SMP Tue Aug 3 18:10:09 BST 2021 armv7l armv7l armv7l GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Server mode is selected ****
**** External server address is set to ckuvpn.dynv6.net ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to ****
**** AllowedIPs for peers, ::/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to to use wireguard docker host's DNS. ****
**** Server mode is selected ****
**** No changes to parameters. Existing configs are used. ****
[cont-init.d] 30-config: exited 0.
[cont-init.d] 90-custom-folders: executing... 
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-scripts: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add dev wg0
[#] ip -4 route add dev wg0
[#] ip -4 route add dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
linux/arm, go1.16.4, 053c4d5

Maybe this is the problem?

Most likely, yes. IPv6 is quirky in Docker and we have no plans to work on anything related to it at this time. Perhaps when more of us have IPv6 addresses we will reconsider.

I would suggest running wg on the host itself, where IPv6 will work fine (assuming you set things up properly).
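A quick way to tell whether the handshake problem described in this thread is really a handshake problem, rather than a forwarding or routing one, is to look at the per-peer handshake timestamps that WireGuard itself keeps. The check below is an added example and is not code from the thread or from the linuxserver/wireguard project; it parses the output of `wg show wg0 latest-handshakes` (one line per peer: public key, a tab, then the Unix time of the last completed handshake, or 0 if there has never been one). The sample table at the bottom is constructed with placeholder keys; the container name `wireguard` and interface `wg0` are taken from the docker run command and logs above.

```shell
#!/bin/sh
# Added example, not part of the original thread: a POSIX sh check that parses
# `wg show <iface> latest-handshakes` output and reports, per peer, whether a
# handshake has completed recently. Each line of that output is
# "<peer-public-key><TAB><unix-epoch-of-last-handshake>"; an epoch of 0 means
# the peer has never completed a handshake. Running it in host mode and again
# in bridge mode shows which peers actually reach the server in each setup.

# check_handshakes TABLE MAX_AGE_SECONDS NOW
#   TABLE    text exactly as printed by `wg show wg0 latest-handshakes`
#   MAX_AGE  oldest handshake (in seconds) still counted as healthy
#   NOW      current Unix time, passed in so the function can be tested offline
# Prints one verdict line per peer; returns 0 only if every peer is healthy.
check_handshakes() {
    max_age=$2
    now=$3
    failures=0
    tab="$(printf '\t')"
    # Feed the table in through a here-document so the loop runs in the current
    # shell and the failure counter survives past the loop (a pipe would not).
    while IFS="$tab" read -r key epoch; do
        [ -n "$key" ] || continue            # skip blank lines
        if [ "${epoch:-0}" -eq 0 ]; then
            echo "NEVER  $key"
            failures=$((failures + 1))
        elif [ $((now - epoch)) -gt "$max_age" ]; then
            echo "STALE  $key (last handshake $((now - epoch))s ago)"
            failures=$((failures + 1))
        else
            echo "OK     $key (last handshake $((now - epoch))s ago)"
        fi
    done <<EOF
$1
EOF
    [ "$failures" -eq 0 ]
}

# Demo on a constructed sample table: peer A handshaked 30 s ago, peer B never did.
# The keys are placeholders, not real WireGuard public keys.
now="$(date +%s)"
SAMPLE="$(printf 'PEER_A_PLACEHOLDER_KEY=\t%s\nPEER_B_PLACEHOLDER_KEY=\t0\n' "$((now - 30))")"
if check_handshakes "$SAMPLE" 180 "$now"; then
    echo "all peers have a recent handshake"
else
    echo "at least one peer has no recent handshake"
fi

# Against the container from the thread (name wireguard, interface wg0):
#   check_handshakes "$(docker exec wireguard wg show wg0 latest-handshakes)" 180 "$(date +%s)"
```

A threshold of 180 s is generous: WireGuard rekeys roughly every two minutes while traffic flows, so a peer that is genuinely connected shows a handshake well inside that window. If every peer reads NEVER in bridge mode but OK in host mode, the UDP packets are not reaching the container at all, which is consistent with the reply above: a port published with -p on the default bridge network is only reachable over the address families the Docker daemon's bridge is configured for, and with an IPv6-only hostname that is the first thing to verify.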