Hey, is there a way that I can combine two wireguard containers, one of which will be acting as a server, listening on the LAN and forwarding all the clients' traffic into a second wireguard container connected to a remote VPN? I.e. the second wireguard container would behave as a proxy between the LAN clients and the remote VPN.
The thing is, I have trouble configuring such a scenario. I have connected the first (LAN server) network to the second via network_mode in docker-compose.
Configurations:
wireguard-server docker:

```yaml
wireguard-server:
  image: lscr.io/linuxserver/wireguard
  container_name: wireguard-server
  network_mode: service:wireguard
  cap_add:
    - NET_ADMIN
    - SYS_MODULE
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TIMEZONE}
    - SERVERPORT=20019
    - PEERS=first,second
    - PEERDNS=auto
    - INTERNAL_SUBNET=10.13.13.0
    - ALLOWEDIPS=0.0.0.0/0
  volumes:
    - /home/host/wireguard-server/config:/config
    - /lib/modules:/lib/modules
  sysctls:
    - net.ipv4.conf.all.src_valid_mark=1
  depends_on:
    - wireguard
  restart: unless-stopped
```
wireguard-server wg0.conf:

```ini
[Interface]
Address = 10.13.13.1
ListenPort = 20019
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_first
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.13.13.2/32

[Peer]
# peer_second
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.13.13.3/32
```
wireguard client docker:

```yaml
wireguard:
  image: lscr.io/linuxserver/wireguard
  container_name: wireguard
  cap_add:
    - NET_ADMIN
    - SYS_MODULE
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TIMEZONE}
  volumes:
    - /home/host/wireguard/config:/config
    - /lib/modules:/lib/modules
  ports:
    - 20019:20019/udp # wireguard-server's listening port
  sysctls:
    - net.ipv4.conf.all.src_valid_mark=1
    - net.ipv6.conf.all.disable_ipv6=0
  restart: unless-stopped
```
wireguard client wg0.conf:

```ini
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.70.100.200/32,fe60:cccc:eeee:bb01::3:9480/128
DNS = 192.168.1.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = <<<<< remote VPN endpoint >>>>
```
The trouble could be that both server and client wireguard containers are creating a VPN interface with the same name - wg0, overwriting each other. Any ideas how to solve this problem? Thanks!
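A small pre-flight check for the interface-name clash suspected above, as an added example that is not part of the original post: it parses wg-quick style configs and reports when two configs that will be brought up in the same network namespace (which is what `network_mode: service:wireguard` produces) use the same interface name, plus any overlapping `AllowedIPs` between peers of one interface. The sample configs are constructed to mirror the post, with keys left out, and the interface names passed in are assumed to be taken from the config file names.

```python
import ipaddress
from collections import defaultdict
# Constructed samples mirroring the post's two wg0.conf files (keys omitted).
SERVER_CONF = """[Interface]
Address = 10.13.13.1
ListenPort = 20019
[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.2/32
[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.3/32
"""
CLIENT_CONF = """[Interface]
Address = 10.70.100.200/32
[Peer]
PublicKey = REMOTE_VPN_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blanks fall through
        if line == "[Peer]":
            conf["Peer"].append({}); current = conf["Peer"][-1]
        elif line.startswith("["):
            current = conf["Interface"]
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return conf

def check_namespace(ifaces):
    """ifaces: [(ifname, conf_text)] brought up in ONE network namespace."""
    findings, by_name = [], defaultdict(list)
    for name, text in ifaces:
        by_name[name].append(parse_wg_conf(text))
    for name, confs in by_name.items():
        if len(confs) > 1:  # second `wg-quick up` collides with the first
            findings.append(f"{name}: {len(confs)} configs define it in one namespace")
        for conf in confs:  # peers of one interface must not claim overlapping AllowedIPs
            nets = [ipaddress.ip_network(a.strip()) for p in conf["Peer"]
                    for a in p.get("AllowedIPs", "").split(",") if a.strip()]
            for i, a in enumerate(nets):
                for b in nets[i + 1:]:
                    if a.overlaps(b):
                        findings.append(f"{name}: peer AllowedIPs {a} overlaps {b}")
    return findings
```

Running `check_namespace([("wg0", SERVER_CONF), ("wg0", CLIENT_CONF)])` reports the clash, while giving the second config a distinct name such as `wg1` returns no findings.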