WireGuard multiple simultaneous peers

Hi

First of all thank you for all your exceptional work!! It is highly appreciated!!

Now I suppose I have a configuration problem that I fail to solve, and I cannot find anybody running into the same problem on the internet.

Behaviour
I can set up docker-wireguard and it is working for one device at a time although several peers are specified in the docker compose file.

Expected Behaviour
I would like to provide a VPN solution for my family. Hence several people would simultaneously connect to my server using their individual configs.

Config
wg0.conf

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <very-secret-key-1>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_ELITEBOOKFP
PublicKey = <public-key-elitebookfp>
PresharedKey = <preshared-key-elitebookfp>
AllowedIPs = 10.13.13.6/32

[Peer]
# peer_URS
PublicKey = <public-key-urs>
PresharedKey = <preshared-key-urs>
AllowedIPs = 10.13.13.7/32

... 3 more

peer_ELITEBOOKFP.conf

[Interface]
Address = 10.13.13.6
PrivateKey = <private-key-interface-elitebookfp>
ListenPort = 51820
DNS = <mydns>

[Peer]
PublicKey = <public-key-peer-1>
PresharedKey = <preshared-key-elitebookfp>
Endpoint = <myip>:51820
AllowedIPs = 0.0.0.0/0

peer_URS.conf

[Interface]
Address = 10.13.13.7
PrivateKey = <private-key-urs>
ListenPort = 51820
DNS = <mydns>

[Peer]
PublicKey = <public-key-peer-1>  # same as in peer_ELITEBOOKFP.conf
PresharedKey = <preshared-key-urs>
Endpoint = <myip>:51820
AllowedIPs = 0.0.0.0/0

Suspects
I suspect there is a problem with the PublicKey in the peer configs, as it is always the same.

Important
I have never touched these files. They were all autogenerated. I would not want to touch those files in order to keep everything automated.

Questions:

  1. Is my suspicion correct? If yes, what can be done about it?

  2. If that is not the problem: what is?

Thank you for your help
akrea

  1. Couple of things: public keys are public, you don't need to hide them, ever.
  2. The peer public key in a peer config is the public key of your server; they should all be the same. The public key in wg0.conf should be different for each peer listed, though.

Please provide your docker compose/run snippet and container logs via pastebin or similar so we can attempt to help you.
Also, what is the host OS you're running this on?
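
The two key relationships driz describes can be checked mechanically against the generated files. The script below is an added example, not code from this thread or from the linuxserver docker-wireguard image: it parses a wg0.conf plus a set of peer_*.conf files (WireGuard's INI-like format with repeated [Peer] sections, which Python's configparser cannot represent) and reports the mismatches that would leave only one peer working, namely a PublicKey or AllowedIPs range shared by two server-side [Peer] entries, a client whose [Peer] PublicKey is not the server's, and a client whose PresharedKey differs from the server's entry for its address. All keys and the endpoint are constructed placeholders, and the server's public key, which is not in any of the files, is passed in as a parameter; on a real host it comes from "wg show wg0 public-key".

```python
import ipaddress
import re

# Constructed sample (not the poster's files); placeholders stand in for the 44-char base64 keys.
SERVER_PUBLIC_KEY = "SERVER_PUBLIC_PLACEHOLDER="  # real value: wg show wg0 public-key

SERVER_CONF = """\
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_PLACEHOLDER=

[Peer]
# peer_A
PublicKey = PEER_A_PUBLIC_PLACEHOLDER=
PresharedKey = PSK_A_PLACEHOLDER=
AllowedIPs = 10.13.13.6/32

[Peer]
# peer_B
PublicKey = PEER_B_PUBLIC_PLACEHOLDER=
PresharedKey = PSK_B_PLACEHOLDER=
AllowedIPs = 10.13.13.7/32
"""

def peer_conf(addr, priv, psk):  # constructed client config in the shape of peer_*.conf
    return f"""\
[Interface]
Address = {addr}
PrivateKey = {priv}
DNS = 10.13.13.1
[Peer]
PublicKey = {SERVER_PUBLIC_KEY}
PresharedKey = {psk}
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

PEER_CONFS = {
    "peer_A": peer_conf("10.13.13.6", "PEER_A_PRIVATE_PLACEHOLDER=", "PSK_A_PLACEHOLDER="),
    "peer_B": peer_conf("10.13.13.7", "PEER_B_PRIVATE_PLACEHOLDER=", "PSK_B_PLACEHOLDER="),
}

def parse_wg_conf(text):
    """Return [(section, {key: value}), ...] in file order; repeated [Peer] sections are kept."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = (header.group(1), {})
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1][key] = value
    return sections

def allowed_networks(peer):
    cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def check_deployment(server_conf, server_public_key, peer_confs):
    """Return human-readable findings; an empty list means the file set is consistent."""
    findings, sections = [], parse_wg_conf(server_conf)
    server_peers = [kv for name, kv in sections if name == "Peer"]
    # Server side: each [Peer] entry needs its own public key and its own address range.
    seen_keys, seen_nets = {}, {}
    for idx, peer in enumerate(server_peers, 1):
        pub = peer.get("PublicKey")
        if not pub:
            findings.append(f"server peer #{idx}: missing PublicKey")
        elif pub in seen_keys:
            findings.append(f"server peer #{idx}: PublicKey duplicates peer #{seen_keys[pub]}")
        seen_keys.setdefault(pub, idx)
        for net in allowed_networks(peer):
            if net in seen_nets:
                findings.append(f"server peer #{idx}: AllowedIPs {net} duplicates peer #{seen_nets[net]}")
            seen_nets.setdefault(net, idx)
    # Client side: [Peer] must be the server, and the PSK must match the server's entry for that address.
    for name, text in peer_confs.items():
        psecs = parse_wg_conf(text)
        piface = next((kv for n, kv in psecs if n == "Interface"), {})
        ppeer = next((kv for n, kv in psecs if n == "Peer"), {})
        if ppeer.get("PublicKey") != server_public_key:
            findings.append(f"{name}: [Peer] PublicKey is not the server's public key")
        addr = ipaddress.ip_interface(piface.get("Address", "0.0.0.0")).ip
        entry = next((p for p in server_peers if any(addr in n for n in allowed_networks(p))), None)
        if entry is None:
            findings.append(f"{name}: Address {addr} is not in any server AllowedIPs")
        elif entry.get("PresharedKey") != ppeer.get("PresharedKey"):
            findings.append(f"{name}: PresharedKey differs from the server's entry for {addr}")
    return findings

if __name__ == "__main__":
    print(check_deployment(SERVER_CONF, SERVER_PUBLIC_KEY, PEER_CONFS) or "consistent")
```

To run it against a real deployment, read /config/wg0.conf and each /config/peer_*/peer_*.conf from the mounted volume into the same shapes and pass the output of "wg show wg0 public-key" as the server key; nothing in the files needs to be edited, which keeps the generated configs untouched as the original post wants.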

hi driz

Thank you for helping out. As I prepared to replicate the problem today, it did not occur (at least not for two mobile devices using a mobile connection). Last time this happened, all devices were in the same Wi-Fi network (vacation). I will continue testing and come back as soon as I know how to reliably recreate the issue.

System is Ubuntu 20.04 LTS and Docker:

Client:
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.2
 Git commit:        20.10.12-0ubuntu2~20.04.1
 Built:             Wed Apr  6 02:14:38 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.2
  Git commit:       20.10.12-0ubuntu2~20.04.1
  Built:            Thu Feb 10 15:03:35 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.9-0ubuntu1~20.04.4
  GitCommit:        
 runc:
  Version:          1.1.0-0ubuntu1~20.04.1
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        

Docker compose snippet:

    wireguard:
        image: ghcr.io/linuxserver/wireguard
        container_name: wireguard
        cap_add:
            - NET_ADMIN
            - SYS_MODULE
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=$TZ
            - SERVERURL=auto # wireguard.domain.com #optional
            - SERVERPORT=51820 #optional
            - PEERS=ELITEBOOKFP,URS,FRAENZI,FAIRPHONESANDY,FAIRPHONESTEFAN #optional
            - PEERDNS=<mydns> #optional
            - INTERNAL_SUBNET=10.13.13.0 #optional
            - ALLOWEDIPS=0.0.0.0/0 #optional
        volumes:
            - $APPDATADIR/wireguard/config:/config
            - /lib/modules:/lib/modules
        ports:
            - 51820:51820/udp
        sysctls:
            - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped

Sounds good man, at least you’ve isolated the potential problem down a bit with this latest test!