Reverse proxy with SWAG-duckdns, on Wireguard VPN client container network

Hi guys… I have been running all my containers through a WireGuard client (Mullvad VPN) container’s network. It took some time to realize how to set it up, and I might not have done it the best way, but it has been working fine. But now that I’ve been trying to set up a reverse proxy with SWAG and DuckDNS validation, I can’t really figure out how to get it to work while being under my VPN client, and I need some assistance…

Please bear with me as I am really new at this… I’ll throw some compose stacks at you and hopefully someone can help.

Oh, and Mullvad only allows random port forwarding, by the way, which is what made this kinda tricky for me.

(I use Docker with Portainer.)

WireGuard client stack:

    services:
      wireguard:
        image: lscr.io/linuxserver/wireguard
        container_name: wireguard
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Europe/Stockholm
        volumes:
          - /docker/mullvadVPN/WG/config:/config
          - /lib/modules:/lib/modules
        networks:
          default:
            # fixed address; the host's default route points at it (see ip route below)
            ipv4_address: 172.20.0.50
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
          - net.ipv6.conf.all.disable_ipv6=0
        restart: unless-stopped
    networks:
      default:
        name: wgnet
        external: true

(To get every other container to join the wgnet network, I just clicked on the container in Portainer, removed it from the default network and added the wgnet network.)

wg0.conf

    [Interface]
    PrivateKey = XXX
    Address = XXX
    DNS = [Mullvad's DNS]
    # MASQUERADE outbound traffic onto the tunnel; DNAT the Mullvad-forwarded port to the SWAG container
    PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE; iptables -t nat -A PREROUTING -p tcp --dport [MULLVAD RANDOM PORT FORWARD] -j DNAT --to-destination 172.20.0.11:[MULLVAD RANDOM PORT FORWARD]
    # remove the same two rules again on teardown
    PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE; iptables -t nat -D PREROUTING -p tcp --dport [MULLVAD RANDOM PORT FORWARD] -j DNAT --to-destination 172.20.0.11:[MULLVAD RANDOM PORT FORWARD]

    [Peer]
    PublicKey = xxx
    AllowedIPs = 0.0.0.0/0,::0/0
    Endpoint = 185.213.xxx.xx:51820

(172.20.0.11 is my SWAG instance.)

ip route:

    pi@NAS:~ $ ip route show
    default via 172.20.0.50 dev br-d88af19d36f1
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    172.18.0.0/16 dev br-108d55229171 proto kernel scope link src 172.18.0.1 linkdown
    172.19.0.0/16 dev br-19269d6fbc09 proto kernel scope link src 172.19.0.1 linkdown
    172.20.0.0/24 dev br-d88af19d36f1 proto kernel scope link src 172.20.0.1
    172.21.0.0/16 dev br-81d2b26f1238 proto kernel scope link src 172.21.0.1 linkdown
    172.22.0.0/16 dev br-47bd55c0d6e2 proto kernel scope link src 172.22.0.1 linkdown
    172.23.0.0/16 dev br-2a545832dc13 proto kernel scope link src 172.23.0.1 linkdown
    172.24.0.0/16 dev br-ac6719cc92ce proto kernel scope link src 172.24.0.1 linkdown
    172.25.0.0/16 dev br-5c932c20d0d8 proto kernel scope link src 172.25.0.1 linkdown
    172.26.0.0/16 dev br-c28933e2f5ed proto kernel scope link src 172.26.0.1 linkdown
    172.27.0.0/16 dev br-695e55cf5c34 proto kernel scope link src 172.27.0.1 linkdown
    172.28.0.0/16 dev br-a37c6deef224 proto kernel scope link src 172.28.0.1 linkdown
    172.30.0.0/16 dev br-9e76f711a0e0 proto kernel scope link src 172.30.0.1 linkdown
    172.31.0.0/16 dev br-343033a643ee proto kernel scope link src 172.31.0.1 linkdown
    185.213.xxx.xx via 192.168.1.1 dev eth0
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.159
    192.168.64.0/20 dev br-f8c6910c5a17 proto kernel scope link src 192.168.64.1 linkdown
    192.168.80.0/20 dev br-9a4a196764c3 proto kernel scope link src 192.168.80.1 linkdown

SWAG stack:

    version: "2.1"
    services:
      swag:
        image: lscr.io/linuxserver/swag
        container_name: swag
        cap_add:
          - NET_ADMIN
        environment:
          - PUID=1000
          - PGID=100
          - TZ=Europe/Stockholm
          - URL=XXX.duckdns.org
          - SUBDOMAINS=wildcard
          - VALIDATION=duckdns
          - DUCKDNSTOKEN=XXX
        volumes:
          - /docker/swag/config:/config
        ports:
          # host port -> container port (nginx inside the container listens on 443 and 80)
          - [Mullvad random port forward]:443
          - [2nd Mullvad random port forward]:80
        restart: unless-stopped

jellyfin.subdomain.conf

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name jellyfin.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app jellyfin;
            set $upstream_port 8096;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
        }

        location ~ (/jellyfin)?/socket {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app jellyfin;
            set $upstream_port 8096;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }

(And in the Jellyfin web GUI I have 443 as the public HTTPS port.)

I get no error message in any logs whatsoever…

And if I try my server’s LAN address as my DuckDNS domain’s IP (instead of the VPN endpoint IP), it works as long as the port Mullvad forwarded is in the URL.

I bet there is something stupid I missed, but as I said this is all new to me.

Thankful for help and advice; I have been at this for days lol… and let me know if I don’t provide enough info.
thanks love u
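The following is an added example, not code from the post above or from the SWAG/WireGuard projects. It is a small linter for the kind of setup described in the post: it reads the PostUp/PreDown hooks out of a wg0.conf, checks that every rule added in PostUp is deleted again in PreDown (otherwise the rules pile up across tunnel restarts), and checks each DNAT rule's target port against the SWAG service's compose `ports:` entries. The point of the second check is that Docker's `ports:` mapping only rewrites traffic addressed to the host itself; a DNAT performed inside the WireGuard container and aimed straight at the SWAG container's IP has to target the port nginx listens on inside that container (443 or 80), not the published host port. In the posted config the DNAT target is `172.20.0.11:[MULLVAD RANDOM PORT FORWARD]` while the compose file maps that same port to 443, which is exactly the situation this check flags. The sample wg0.conf and port list are constructed for the example, with the Mullvad placeholders replaced by arbitrary ports 51234 and 51235 (assumptions, not the poster's real ports).

```python
"""Added example: consistency checks for a WireGuard PostUp/PreDown DNAT
forward against a Docker Compose `ports:` mapping. Not from the original post."""
import re

# Constructed sample modelled on the posted wg0.conf. Ports 51234/51235 are
# stand-ins for the Mullvad placeholders (assumption for the example only).
WG0_CONF = """\
[Interface]
PrivateKey = XXX
Address = XXX
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE; iptables -t nat -A PREROUTING -p tcp --dport 51234 -j DNAT --to-destination 172.20.0.11:51234
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE; iptables -t nat -D PREROUTING -p tcp --dport 51234 -j DNAT --to-destination 172.20.0.11:51234

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 185.213.0.1:51820
"""

# The SWAG service's `ports:` entries, host:container, as in the posted stack.
SWAG_PORTS = ["51234:443", "51235:80"]

DNAT_RE = re.compile(
    r"--dport\s+(\d+)\s+-j\s+DNAT\s+--to-destination\s+([\d.]+):(\d+)")


def hook_rules(conf, hook):
    """Return the individual iptables commands of a PostUp/PreDown line."""
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == hook:
            return [cmd.strip() for cmd in value.split(";") if cmd.strip()]
    return []


def missing_predown(postup, predown):
    """Each `-A` rule in PostUp needs the matching `-D` rule in PreDown,
    or the nat table accumulates duplicates every time wg-quick restarts.
    Returns the expected PreDown rules that are absent."""
    wanted = {r.replace(" -A ", " -D ", 1) for r in postup if " -A " in r}
    return sorted(wanted - set(predown))


def published_ports(port_specs):
    """Map host port -> container port from compose `ports:` entries."""
    mapping = {}
    for spec in port_specs:
        host, _, container = spec.rpartition(":")
        mapping[int(host)] = int(container.split("/")[0])
    return mapping


def dnat_findings(postup, port_map):
    """Flag DNAT rules whose destination port is not a container-side
    listener. Docker's host-port DNAT does not apply to packets sent directly
    to the container IP from another container, so the rule must target the
    port the service binds inside the container. Returns (rule, fixed_rule)
    pairs; fixed_rule is None when no compose entry tells us the right port."""
    findings = []
    for rule in postup:
        m = DNAT_RE.search(rule)
        if not m:
            continue
        dport, dst_ip, dst_port = int(m.group(1)), m.group(2), int(m.group(3))
        if dst_port in port_map.values():
            continue  # already aimed at a port nginx listens on
        if dport in port_map:
            fixed = rule.replace(f"{dst_ip}:{dst_port}",
                                 f"{dst_ip}:{port_map[dport]}")
            findings.append((rule, fixed))
        else:
            findings.append((rule, None))
    return findings


if __name__ == "__main__":
    up = hook_rules(WG0_CONF, "PostUp")
    down = hook_rules(WG0_CONF, "PreDown")
    for rule in missing_predown(up, down):
        print("PreDown is missing:", rule)
    for bad, fixed in dnat_findings(up, published_ports(SWAG_PORTS)):
        print("DNAT targets a published host port, not a container listener:")
        print("  ", bad)
        print("  suggested:", fixed or "(no matching ports: entry)")
```

Run it against a real wg0.conf by replacing `WG0_CONF` with the file contents and `SWAG_PORTS` with the service's `ports:` list; the suggested rule keeps the matched `--dport` and only changes the `--to-destination` port to the container side of the compose mapping.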