Sharing Routes Between Containers

Hey folks,

Is it possible to share the routes from the Wireguard containers with other containers?

What I’m trying to do

  • I’d like people to connect into my Wireguard server running on a docker container shared with Traefik (they would have a 192.168.100.0/24 address)
  • Traefik would be able to route web requests to web servers running on the VPN client’s local machine

My problem

  • I cannot get the Traefik container to ping 192.168.100.2

My workaround

  • If I install Wireguard directly on the host (without using the container), Traefik is able to see the 192.168.100.2 client

My question

Is it possible for Traefik to be able to ping the VPN client when Wireguard is running in its own container?

More details

My host:

  • Ubuntu 20.04
  • Docker version 20.10.6, build 370c289

Here is a picture visualizing what I am trying to do.

Thank you for your help!

Here is my docker-compose.yml file if anyone has any thoughts:

version: '3.7'

services:

  traefik:
    image: traefik:v2.4
    restart: always
    networks:
      - web-public
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 80
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 443
        mode: host
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./traefik-tunnel-dynamic-conf.yml:/traefik-tunnel-dynamic-conf.yml
      - ./certificates/acme.json:/certificates/acme.json

  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - SERVERURL=myserver.mydomain.test
      - SERVERPORT=51820
      - PEERS=my-peer
      - PEERDNS=1.1.1.1,1.0.0.1
      - INTERNAL_SUBNET=192.168.100.0
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - config:/config
      - /lib/modules:/lib/modules
    ports:
      - "51820:51820/udp"
    networks:
      - web-public
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

volumes:
  config:

networks:
  web-public:
    external: true

With this config

  • I can connect a client to the VPN (getting a 192.168.100.X address)
  • That client can get to the Internet
  • The Traefik container cannot ping the client at 192.168.100.X

Let me know if you have any other questions!

WireGuard NATs that VPN,
so it's something like 192.168.100.2 → NATed to 172.16.0.5 (pretend this is the IP of the wg container), so Traefik has no clue about that NATed network. You would need to build routes in Traefik to go directly like that.

If communications SOURCE from the client, it should work fine (mine does), because that traffic gets NATed; return traffic hits your Docker host and is NATed based on the port (PAT) used back to the appropriate container, which then NATs it to the VPN subnet. In your case above, they're both on the same Docker network, so we can ignore the host layer of the NAT, but Traefik still has no clue that there is a 192.168.100.0/24 network. You could probably add it in with something like ip route add 192.168.100.0/24 via <wireguard container ip> dev eth0, but I'm making a bit of a guess here… I'm also not sure why pinging from Traefik to wg clients matters, since they should be able to leverage Traefik as a proxy regardless…
if communications SOURCE from the client, it should work fine (mine does) because that traffic gets natted, return traffic hits your docker host and is natted based on the port (PAT) used back to the appropriate container which then nats it to the vpn subnet. in your case above, they’re both on the same docker network, so we can ignore the host layer of the nat, but traefik still has no clue that there is a 192.168.100.0/24 network. You could probably add it in with something like ip route add 192.168.100.0/24 via <wireguard container ip> dev eth0 but im making a bit of a guess here… im also not sure why pinging from traefik to wg clients matters since they should be able to leverage traefik as a proxy regardless…