Use first wireguard container as server acting like proxy to second wireguard client container

Hey, is there a way that I can combine two WireGuard containers, one of which acts as a server listening on the LAN and forwards all the clients' traffic into a second WireGuard container connected to a remote VPN? I.e. the second WireGuard container would behave as a proxy between the LAN clients and the remote VPN.

The thing is, I have trouble configuring such a scenario. I have connected the first (LAN server) container's network to the second via network_mode in docker-compose.

Configurations:
wireguard-server docker:

  wireguard-server:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard-server
    network_mode: service:wireguard   # share the network namespace of the "wireguard" client container
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TIMEZONE}
      - SERVERPORT=20019
      - PEERS=first,second
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - /home/host/wireguard-server/config:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    depends_on:
       - wireguard
    restart: unless-stopped

wireguard-server wg0.conf:

[Interface]
Address = 10.13.13.1
ListenPort = 20019
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_first
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.13.13.2/32

[Peer]
# peer_second
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.13.13.3/32

wireguard client docker:

  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TIMEZONE}
    volumes:
      - /home/host/wireguard/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 20019:20019/udp # wireguard-server's listening port
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped

wireguard client wg0.conf:

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.70.100.200/32,fe60:cccc:eeee:bb01::3:9480/128
DNS = 192.168.1.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = <<<<< remote VPN endpoint >>>>

The trouble could be that both the server and the client WireGuard containers create a VPN interface with the same name, wg0, overwriting each other. Any ideas how to solve this problem? Thanks!
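An added check for the collision suspected above, written as a small Python linter over a pair of wg-quick configs; it is not from the original post or from the linuxserver image. It assumes wg-quick's naming rule (the interface name is the config file's basename) and that, in a shared network namespace, forwarded LAN traffic should be masqueraded on the upstream client tunnel rather than on eth0; the sample configs are constructed from the ones posted, with keys and endpoint omitted.

```python
import re

# Constructed sample configs mirroring the two posted above (keys and endpoint omitted).
SERVER = ("wg0.conf", """
[Interface]
Address = 10.13.13.1
ListenPort = 20019
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
AllowedIPs = 10.13.13.2/32
""")
CLIENT = ("wg0.conf", """
[Interface]
Address = 10.70.100.200/32
[Peer]
AllowedIPs = 0.0.0.0/0,::0/0
""")

def parse(text):
    """wg-quick INI: returns {section -> list of {key -> value}} with keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1].lower(), []).append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections

def lint(server, client):
    """Problems found when SERVER and CLIENT (name, text) share one network namespace."""
    (s_name, s_text), (c_name, c_text) = server, client
    s_if, c_if = s_name.removesuffix(".conf"), c_name.removesuffix(".conf")
    problems = []
    if s_if == c_if:
        problems.append(f"both configs create interface {s_if}; the second wg-quick up aborts because it already exists")
    interface = parse(s_text).get("interface", [{}])[0]
    postup = interface.get("postup", "").replace("%i", s_if)   # wg-quick substitutes %i
    for out_if in re.findall(r"-o\s+(\S+)\s+-j\s+MASQUERADE", postup):
        if out_if != c_if:
            problems.append(f"server masquerades on {out_if}, but forwarded LAN traffic should leave via the upstream tunnel {c_if}; use -o {c_if}")
    peer = parse(c_text).get("peer", [{}])[0]
    if "0.0.0.0/0" not in peer.get("allowedips", ""):
        problems.append("client peer AllowedIPs does not cover 0.0.0.0/0, so forwarded traffic is not routed into the tunnel")
    return problems
```

With the posted pair the linter reports the name collision and the eth0 masquerade; renaming the client config to wg1.conf and masquerading on wg1 clears both.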

@Didide Did you ever find a solution? I’m looking into doing the exact same thing.