Wireguard: NAT-PMP support

Hello,

I have a setup where my qbittorrent container's network goes through my wireguard container, which is connected to Proton VPN, on a server supporting port forwarding.

As port forwarding with Proton VPN seems dynamic, I'm trying to use this MOD, which requests a port from the VPN server and updates the qbittorrent config accordingly.

This setup works fine with a bare-metal wireguard setup (at least it can request the opening of the port via NAT-PMP). In this scenario my docker-compose looks like this:

version: "3.8"
services:
  qbittorrent:
    image: linuxserver/qbittorrent
    container_name: qbittorrent
    env_file: .env
    environment:
      - PUID=33
      - PGID=33
      - UMASK_SET=002
      - DOCKER_MODS=ghcr.io/fusetim/external_natpmp_qbittorrent:8b9e4e0a4e832433b5a974a5bbde355cb916d16a
      - NATPMP_GATEWAY_IP=10.2.0.1
    volumes:
      - ./qbittorrent/config:/config
    networks:
      frontend:
    restart: always

And I've followed these steps to route my container through the tunnel:

docker-compose up -d
ip netns add vpn
ip -n vpn link set lo up
ip link add tun0 type wireguard
ip link set tun0 netns vpn
ip netns exec vpn wg setconf tun0 /etc/wireguard/wg1.conf
ip -n vpn link set tun0 netns $(docker inspect -f '{{.State.Pid}}' "qbittorrent")
docker exec --privileged qbittorrent ip addr add 10.2.0.2/32 dev tun0
docker exec --privileged qbittorrent ip link set tun0 up
docker exec --privileged qbittorrent ip route replace default dev tun0

However, it keeps failing when used with the wireguard container, and I really don't know why, nor how to go further on this topic.

For the record, my docker-compose looks like this:

version: "3.8"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    env_file: .env
    volumes:
      - ./wireguard/config:/config
      - /usr/src:/usr/src
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always
    networks:
      backend:
        aliases:
          - qbittorrent
  qbittorrent:
    image: linuxserver/qbittorrent
    container_name: qbittorrent
    env_file: .env
    environment:
      - PUID=33
      - PGID=33
      - UMASK_SET=002
      - DOCKER_MODS=ghcr.io/fusetim/external_natpmp_qbittorrent:8b9e4e0a4e832433b5a974a5bbde355cb916d16a
      - NATPMP_GATEWAY_IP=10.2.0.1
    volumes:
      - ./qbittorrent/config:/config
    network_mode: "service:wireguard"
    depends_on:
      - wireguard
    restart: always

The issue on the MOD repo can be followed here.
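The MOD above talks NAT-PMP (RFC 6886) to the gateway configured in NATPMP_GATEWAY_IP, so a quick way to narrow the failure down is to send the same request yourself from inside the qbittorrent container (with network_mode: "service:wireguard" it shares the wireguard container's interfaces). The following is an added example, not code from the MOD or from linuxserver.io: a minimal NAT-PMP client that builds the public-address and port-mapping requests, parses the gateway's reply, and reports the result code (a "not authorized" reply means the server reached is not offering port forwarding; a timeout means the request never reached a NAT-PMP gateway at that address). The gateway 10.2.0.1 and port 6881 are assumed placeholders.

```python
import socket
import struct
import sys

# NAT-PMP (RFC 6886): UDP port 5351, protocol version 0.
NATPMP_PORT = 5351
OP_PUBLIC_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_public_address_request() -> bytes:
    # version(1) opcode(1): asks the gateway for its external IPv4 address.
    return struct.pack("!BB", 0, OP_PUBLIC_ADDR)


def build_mapping_request(opcode: int, internal_port: int,
                          external_port: int = 0, lifetime: int = 60) -> bytes:
    # version(1) opcode(1) reserved(2) internal(2) suggested external(2) lifetime(4).
    # external_port 0 lets the gateway pick; lifetime 0 would delete the mapping.
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_response(data: bytes) -> dict:
    # Responses echo the opcode with the high bit set (opcode + 128).
    if len(data) < 8:
        raise ValueError("short NAT-PMP response")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0 or opcode < 128:
        raise ValueError("not a NAT-PMP response")
    op = opcode - 128
    out = {"opcode": op, "result": result,
           "result_text": RESULT_CODES.get(result, "unknown"), "epoch": epoch}
    if op == OP_PUBLIC_ADDR and len(data) >= 12:
        out["public_ip"] = socket.inet_ntoa(data[8:12])
    elif op in (OP_MAP_UDP, OP_MAP_TCP) and len(data) >= 16:
        out["internal_port"], out["external_port"], out["lifetime"] = struct.unpack("!HHI", data[8:16])
    return out


def query_gateway(gateway_ip: str, request: bytes, timeout: float = 2.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (gateway_ip, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return parse_response(data)


if __name__ == "__main__":
    gw = sys.argv[1] if len(sys.argv) > 1 else "10.2.0.1"  # assumed gateway
    try:
        print(query_gateway(gw, build_public_address_request()))
        print(query_gateway(gw, build_mapping_request(OP_MAP_TCP, 6881)))  # assumed port
    except socket.timeout:
        print(f"no NAT-PMP answer from {gw}: the container's default route is not the tunnel, or the peer is not a NAT-PMP gateway")
```

Run it with `docker exec qbittorrent python3 natpmp_check.py 10.2.0.1` (file name assumed); compare the printed result with what the MOD logs.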

As this is not our mod we do not support it. Opening an issue with the dev is the correct course of action and it looks like you have already done so.

Additionally, routing a container through another container is not within our support scope. Here is some reading material you can reference:

Pt1: Routing Docker Host And Container Traffic Through WireGuard | LinuxServer.io
Pt2: https://www.linuxserver.io/blog/advanced-wireguard-container-routing

Spad: Wireguard as a VPN client in Docker using PIA
Quietsy: VPN Route - Advanced Configurations (virtualize.link)
Tokugero: Docker-Compose with Mu… | Phil’s Notes (tokugero.com)