[SOLVED] Advanced Wireguard Hub: No internet connection

geoff · 15 January 2025 01:41

I am trying to set up the wireguard docker container as in Advanced Wireguard Hub, with one container as both server and client.

I set up the server using the default configuration in the readme, I connect my clients and everything works. Clients can ping each other and the Internet.

After adding wg1.conf and wg2.conf and restarting the server, I can no longer ping the Internet. Clients can still ping each other.

I have port 51820 forwarded from my home router to the wireguard server, firewall disabled.

docker-compose.yml

wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERPORT=51820
      - PEERS=phone,laptop
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Before adding wg1.conf and wg2.conf, everything works as it should:

    [user@host wireguard] $ docker compose exec wireguard ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host proto kernel_lo 
           valid_lft forever preferred_lft forever
    3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
        link/none 
        inet 10.13.13.1/32 scope global wg0
           valid_lft forever preferred_lft forever
    78: eth0@if79: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
        link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0
           valid_lft forever preferred_lft forever

    [user@host wireguard] $ docker compose exec wireguard ip route show
    default via 172.19.0.1 dev eth0 
    10.13.13.2 dev wg0 scope link 
    10.13.13.3 dev wg0 scope link 
    172.19.0.0/16 dev eth0 proto kernel scope link src 172.19.0.2

    [user@host wireguard] $ docker compose exec wireguard ip rule
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default
    
    [user@host wireguard] $ docker compose exec wireguard ping -c4 -I wg0 10.13.13.2
    PING 10.13.13.2 (10.13.13.2) from 10.13.13.1 wg0: 56(84) bytes of data.
    64 bytes from 10.13.13.2: icmp_seq=1 ttl=64 time=222 ms
    64 bytes from 10.13.13.2: icmp_seq=2 ttl=64 time=153 ms
    64 bytes from 10.13.13.2: icmp_seq=3 ttl=64 time=392 ms
    64 bytes from 10.13.13.2: icmp_seq=4 ttl=64 time=303 ms

    --- 10.13.13.2 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3004ms
    rtt min/avg/max/mdev = 152.731/267.369/392.109/89.508 ms


    [user@host wireguard] $ docker compose exec wireguard ping -c4 -I eth0 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) from 172.19.0.2 eth0: 56(84) bytes of data.
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=8.33 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=8.06 ms
    64 bytes from 1.1.1.1: icmp_seq=3 ttl=55 time=11.8 ms
    64 bytes from 1.1.1.1: icmp_seq=4 ttl=55 time=11.2 ms

    --- 1.1.1.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3004ms
    rtt min/avg/max/mdev = 8.064/9.828/11.766/1.646 ms

wg1.conf (Mullvad)

    [Interface]
    PrivateKey = MuLlVaDpRiVaTeKeY=
    Address = mull.vad.ip.addr/32
    Table = 55111

    PostUp = ip rule add pref 10001 from 10.13.13.0/24 lookup 55111
    PreDown = ip rule del from 10.13.13.0/24 lookup 55111

    [Peer]
    PublicKey = MuLlVaDPeErPuBlIcKeY=

    AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/13, 10.8.0.0/14, 10.12.0.0/16, 10.13.0.0/21, 10.13.8.0/22, 10.13.12.0/24, 10.13.14.0/23, 10.13.16.0/20, 10.13.32.0/19, 10.13.64.0/18, 10.13.128.0/17, 10.14.0.0/15, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3

    Endpoint = mull.vad.end.point:51820
    PersistentKeepalive = 25

wg2.conf (Proton)

    [Interface]
    PrivateKey = PrOtOnPrIvAtEkEy=
    Address = pro.ton.ip.addr/32
    Table = 55112

    PostUp = ip rule add pref 10002 from 10.13.13.0/24 lookup 55112
    PreDown = ip rule del from 10.13.13.0/24 lookup 55112

    [Peer]
    PublicKey = PrOtOnPeErPuBlIvKeY=

    AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/13, 10.8.0.0/14, 10.12.0.0/16, 10.13.0.0/21, 10.13.8.0/22, 10.13.12.0/24, 10.13.14.0/23, 10.13.16.0/20, 10.13.32.0/19, 10.13.64.0/18, 10.13.128.0/17, 10.14.0.0/15, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3

    Endpoint = pro.ton.end.point:51820
    PersistentKeepalive = 25

After adding wg1.conf and wg2.conf, I can’t reach the Internet, clients can still reach each other:

    [user@host wireguard] $ docker compose exec wireguard ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host proto kernel_lo 
           valid_lft forever preferred_lft forever
    3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
        link/none 
        inet 10.13.13.1/32 scope global wg0
           valid_lft forever preferred_lft forever
    4: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
        link/none 
        inet 10.72.213.75/32 scope global wg1
           valid_lft forever preferred_lft forever
    5: wg2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
        link/none 
        inet 10.2.0.2/32 scope global wg2
           valid_lft forever preferred_lft forever
    80: eth0@if81: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
        link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0
           valid_lft forever preferred_lft forever
           
    [user@host wireguard] $ docker compose exec wireguard ip route show
    default via 172.19.0.1 dev eth0 
    10.13.13.2 dev wg0 scope link 
    10.13.13.3 dev wg0 scope link 
    172.19.0.0/16 dev eth0 proto kernel scope link src 172.19.0.2

    [user@host wireguard] $ docker compose exec wireguard ip rule
    0:      from all lookup local
    10001:  from 10.13.13.0/24 lookup 55111
    10002:  from 10.13.13.0/24 lookup 55112
    32766:  from all lookup main
    32767:  from all lookup default

    [user@host wireguard] $ docker compose exec wireguard ping -c4 -I wg0 10.13.13.2
    PING 10.13.13.2 (10.13.13.2) from 10.13.13.1 wg0: 56(84) bytes of data.
    64 bytes from 10.13.13.2: icmp_seq=1 ttl=64 time=132 ms
    64 bytes from 10.13.13.2: icmp_seq=2 ttl=64 time=51.8 ms
    64 bytes from 10.13.13.2: icmp_seq=3 ttl=64 time=77.5 ms
    64 bytes from 10.13.13.2: icmp_seq=4 ttl=64 time=101 ms

    --- 10.13.13.2 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 51.759/90.444/131.518/29.414 ms


    [user@host wireguard] $ docker compose exec wireguard ping -c4 -I eth0 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) from 172.19.0.2 eth0: 56(84) bytes of data.
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=16.9 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=19.9 ms
    64 bytes from 1.1.1.1: icmp_seq=3 ttl=55 time=17.8 ms
    64 bytes from 1.1.1.1: icmp_seq=4 ttl=55 time=23.7 ms

    --- 1.1.1.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 16.935/19.574/23.727/2.624 ms


    [user@host wireguard] $ docker compose exec wireguard ping -c4 -I wg1 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) from 10.72.213.75 wg1: 56(84) bytes of data.

    --- 1.1.1.1 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3059ms


    [user@host wireguard] $ docker compose exec wireguard ping -c4 -I wg2 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) from 10.2.0.2 wg2: 56(84) bytes of data.

    --- 1.1.1.1 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3058ms

I tried adding the Mullvad/Proton interface IP adresses to Disallowed IPs when calculating Allowed IPs, but it made no difference.

I think I am missing a routing step, or there is an issue with my config files, but I don’t have the networking knowledge to debug this.

Thank you for reading if you got this far!

geoff · 15 January 2025 01:49

Logs from each attempt.

Before adding wg1.conf and wg2.conf:

    [user@host wireguard] $ docker compose up
    [+] Running 1/0
     ✔ Container wireguard  Created                                                                                                                                                                                                                                                                                        0.0s 
    Attaching to wireguard
    wireguard  | [migrations] started
    wireguard  | [migrations] no migrations found
    wireguard  | usermod: no changes
    wireguard  | ───────────────────────────────────────
    wireguard  | 
    wireguard  |       ██╗     ███████╗██╗ ██████╗
    wireguard  |       ██║     ██╔════╝██║██╔═══██╗
    wireguard  |       ██║     ███████╗██║██║   ██║
    wireguard  |       ██║     ╚════██║██║██║   ██║
    wireguard  |       ███████╗███████║██║╚██████╔╝
    wireguard  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
    wireguard  | 
    wireguard  |    Brought to you by linuxserver.io
    wireguard  | ───────────────────────────────────────
    wireguard  | 
    wireguard  | To support the app dev(s) visit:
    wireguard  | WireGuard: https://www.wireguard.com/donations/
    wireguard  | 
    wireguard  | To support LSIO projects visit:
    wireguard  | https://www.linuxserver.io/donate/
    wireguard  | 
    wireguard  | ───────────────────────────────────────
    wireguard  | GID/UID
    wireguard  | ───────────────────────────────────────
    wireguard  | 
    wireguard  | User UID:    1000
    wireguard  | User GID:    1000
    wireguard  | ───────────────────────────────────────
    wireguard  | Linuxserver.io version: 1.0.20210914-r4-ls63
    wireguard  | Build-date: 2025-01-09T11:22:53+00:00
    wireguard  | ───────────────────────────────────────
    wireguard  |     
    wireguard  | Uname info: Linux c43f89c75b64 6.12.6-1-rpi-16k #1 SMP PREEMPT Fri Dec 20 07:29:33 MST 2024 aarch64 GNU/Linux
    wireguard  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
    wireguard  | **** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
    wireguard  | ****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****
    wireguard  | **** Server mode is selected ****
    wireguard  | **** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of 81.152.127.234 ****
    wireguard  | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
    wireguard  | **** Internal subnet is set to 10.13.13.0 ****
    wireguard  | **** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
    wireguard  | **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
    wireguard  | **** Server mode is selected ****
    wireguard  | **** No changes to parameters. Existing configs are used. ****
    wireguard  | [custom-init] No custom files found, skipping...
    wireguard  | .:53
    wireguard  | CoreDNS-1.11.3
    wireguard  | linux/arm64, go1.21.8, 
    wireguard  | **** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
    wireguard  | **** Activating tunnel /config/wg_confs/wg0.conf ****
    wireguard  | [#] ip link add wg0 type wireguard
    wireguard  | [#] wg setconf wg0 /dev/fd/63
    wireguard  | [#] ip -4 address add 10.13.13.1 dev wg0
    wireguard  | [#] ip link set mtu 1420 up dev wg0
    wireguard  | [#] ip -4 route add 10.13.13.3/32 dev wg0
    wireguard  | [#] ip -4 route add 10.13.13.2/32 dev wg0
    wireguard  | [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
    wireguard  | **** All tunnels are now active ****
    wireguard  | [ls.io-init] done.

After adding wg1.conf and wg2.conf:

    [user@host wireguard] $ docker compose up
    [+] Running 1/0
     ✔ Container wireguard  Created                                                                                                                                                                                                                                                                                        0.0s 
    Attaching to wireguard
    wireguard  | [migrations] started
    wireguard  | [migrations] no migrations found
    wireguard  | usermod: no changes
    wireguard  | ───────────────────────────────────────
    wireguard  | 
    wireguard  |       ██╗     ███████╗██╗ ██████╗
    wireguard  |       ██║     ██╔════╝██║██╔═══██╗
    wireguard  |       ██║     ███████╗██║██║   ██║
    wireguard  |       ██║     ╚════██║██║██║   ██║
    wireguard  |       ███████╗███████║██║╚██████╔╝
    wireguard  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
    wireguard  | 
    wireguard  |    Brought to you by linuxserver.io
    wireguard  | ───────────────────────────────────────
    wireguard  | 
    wireguard  | To support the app dev(s) visit:
    wireguard  | WireGuard: https://www.wireguard.com/donations/
    wireguard  | 
    wireguard  | To support LSIO projects visit:
    wireguard  | https://www.linuxserver.io/donate/
    wireguard  | 
    wireguard  | ───────────────────────────────────────
    wireguard  | GID/UID
    wireguard  | ───────────────────────────────────────
    wireguard  | 
    wireguard  | User UID:    1000
    wireguard  | User GID:    1000
    wireguard  | ───────────────────────────────────────
    wireguard  | Linuxserver.io version: 1.0.20210914-r4-ls63
    wireguard  | Build-date: 2025-01-09T11:22:53+00:00
    wireguard  | ───────────────────────────────────────
    wireguard  |     
    wireguard  | Uname info: Linux c43f89c75b64 6.12.6-1-rpi-16k #1 SMP PREEMPT Fri Dec 20 07:29:33 MST 2024 aarch64 GNU/Linux
    wireguard  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
    wireguard  | **** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
    wireguard  | ****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****
    wireguard  | **** Server mode is selected ****
    wireguard  | **** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of 81.152.127.234 ****
    wireguard  | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
    wireguard  | **** Internal subnet is set to 10.13.13.0 ****
    wireguard  | **** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
    wireguard  | **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
    wireguard  | **** Server mode is selected ****
    wireguard  | **** No changes to parameters. Existing configs are used. ****
    wireguard  | [custom-init] No custom files found, skipping...
    wireguard  | .:53
    wireguard  | CoreDNS-1.11.3
    wireguard  | linux/arm64, go1.21.8, 
    wireguard  | **** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
    wireguard  | **** Found WG conf /config/wg_confs/wg1.conf, adding to list ****
    wireguard  | **** Found WG conf /config/wg_confs/wg2.conf, adding to list ****
    wireguard  | **** Activating tunnel /config/wg_confs/wg0.conf ****
    wireguard  | [#] ip link add wg0 type wireguard
    wireguard  | [#] wg setconf wg0 /dev/fd/63
    wireguard  | [#] ip -4 address add 10.13.13.1 dev wg0
    wireguard  | [#] ip link set mtu 1420 up dev wg0
    wireguard  | [#] ip -4 route add 10.13.13.3/32 dev wg0
    wireguard  | [#] ip -4 route add 10.13.13.2/32 dev wg0
    wireguard  | [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
    wireguard  | **** Activating tunnel /config/wg_confs/wg1.conf ****
    wireguard  | [#] ip link add wg1 type wireguard
    wireguard  | [#] wg setconf wg1 /dev/fd/63
    wireguard  | [#] ip -4 address add 10.72.213.75/32 dev wg1
    wireguard  | [#] ip link set mtu 1420 up dev wg1
    wireguard  | [#] ip -4 route add 192.168.0.0/24 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.12.0/24 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.2.0/23 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.14.0/23 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.4.0/22 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.8.0/22 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.8.0/21 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.0.0/21 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.16.0/20 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.16.0/20 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.32.0/19 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.32.0/19 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.64.0/18 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.64.0/18 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.168.128.0/17 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.13.128.0/17 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.169.0.0/16 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.12.0.0/16 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.170.0.0/15 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.14.0.0/15 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.172.0.0/14 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.8.0.0/14 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.160.0.0/13 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.0.0.0/13 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.176.0.0/12 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.16.0.0/12 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.128.0.0/11 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.32.0.0/11 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.192.0.0/10 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.64.0.0/10 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 192.0.0.0/9 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 10.128.0.0/9 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 193.0.0.0/8 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 11.0.0.0/8 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 8.0.0.0/7 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 194.0.0.0/7 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 196.0.0.0/6 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 12.0.0.0/6 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 200.0.0.0/5 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 0.0.0.0/5 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 208.0.0.0/4 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 16.0.0.0/4 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 32.0.0.0/3 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 224.0.0.0/3 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 64.0.0.0/2 dev wg1 table 55111
    wireguard  | [#] ip -4 route add 128.0.0.0/2 dev wg1 table 55111
    wireguard  | [#] ip rule add pref 10001 from 10.13.13.0/24 lookup 55111
    wireguard  | **** Activating tunnel /config/wg_confs/wg2.conf ****
    wireguard  | [#] ip link add wg2 type wireguard
    wireguard  | [#] wg setconf wg2 /dev/fd/63
    wireguard  | [#] ip -4 address add 10.2.0.2/32 dev wg2
    wireguard  | [#] ip link set mtu 1420 up dev wg2
    wireguard  | [#] ip -4 route add 192.168.0.0/24 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.12.0/24 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.2.0/23 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.14.0/23 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.4.0/22 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.8.0/22 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.8.0/21 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.0.0/21 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.16.0/20 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.16.0/20 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.32.0/19 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.32.0/19 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.64.0/18 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.64.0/18 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.168.128.0/17 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.13.128.0/17 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.169.0.0/16 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.12.0.0/16 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.170.0.0/15 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.14.0.0/15 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.172.0.0/14 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.8.0.0/14 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.160.0.0/13 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.0.0.0/13 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.176.0.0/12 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.16.0.0/12 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.128.0.0/11 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.32.0.0/11 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.192.0.0/10 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.64.0.0/10 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 192.0.0.0/9 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 10.128.0.0/9 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 193.0.0.0/8 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 11.0.0.0/8 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 8.0.0.0/7 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 194.0.0.0/7 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 196.0.0.0/6 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 12.0.0.0/6 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 200.0.0.0/5 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 0.0.0.0/5 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 208.0.0.0/4 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 16.0.0.0/4 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 32.0.0.0/3 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 224.0.0.0/3 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 64.0.0.0/2 dev wg2 table 55112
    wireguard  | [#] ip -4 route add 128.0.0.0/2 dev wg2 table 55112
    wireguard  | [#] ip rule add pref 10002 from 10.13.13.0/24 lookup 55112
    wireguard  | **** All tunnels are now active ****
    wireguard  | [ls.io-init] done.

quietsy · 15 January 2025 11:27

What do you have on wg0.conf / server.conf?
It would be easier if you open a thread on discord under #container-support

geoff · 15 January 2025 22:02

Thank you, I have opened a thread on discord, with a link back here for the logs.

wg0.conf (generated by the container):

    [Interface]
    Address = 10.13.13.1
    ListenPort = 51820
    PrivateKey = InTeRfAcEpRiVaTeKeY=
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

    [Peer]
    # peer_phone
    PublicKey = PhOnEpUbLiCkEy=
    PresharedKey = PhOnEpReShArEdKeY=
    AllowedIPs = 10.13.13.2/32

    [Peer]
    # peer_laptop
    PublicKey = LaPtOpPuBlIcKeY=
    PresharedKey = LaPtOpPrEsHaReDkEy=
    AllowedIPs = 10.13.13.3/32

templates/server.conf (default included with container):

```
[Interface]
Address = ${INTERFACE}.1
ListenPort = 51820
PrivateKey = $(cat /config/server/privatekey-server)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

geoff · 15 January 2025 22:26

Solved, by completing all the steps in the article. Thank you for your help.