I’m currently running a rootless docker installation on Raspberry Pi OS 64bit bullseye (Kernel: 5.10.92) using a Raspberry Pi 4. I use the following command to deploy the wireguard container:
docker run -d --name=wireguard \
  --cap-add=NET_ADMIN --cap-add=SYS_MODULE -e PUID=1000 -e PGID=1000 \
  -e TZ=Europe/Berlin -e SERVERURL=<<my Server address>> -e SERVERPORT=51820 \
  -e PEERS=5 -e PEERDNS=auto -e INTERNAL_SUBNET=10.10.10.0 -e ALLOWEDIPS=0.0.0.0/0 \
  -p 51820:51820/udp -v wireguard-config:/config -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" --restart always linuxserver/wireguard
The UID and GID match the user used to deploy the container. I started a shell inside the container and successfully pinged google.com (i.e. DNS and the connection to my container should work). Additionally, I'm able to connect a device to the wireguard container and successfully ping 10.10.10.1, as well as the container's IP in the docker bridge network. But all traffic with a different destination seems to be dropped. For example, I can't connect to any servers that are
- connected to the same docker bridge network,
- my local network,
- the internet.
I checked the iptables rules within the docker container and they are:
root@.......:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
wg0 seems to be created inside the container:
root@.........:/# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Maybe I'm overlooking something pretty obvious, but I have no idea what went wrong. I'm also able to reproduce the problem with Ubuntu Server 20.04.3 LTS (64-bit).
Do you have any suggestions? Thank you very much in advance!!!
My containers log:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing...
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing...
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing...
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-module: executing...
Uname info: Linux c6c572e7707e 5.10.92-v8+ #1514 SMP PREEMPT Mon Jan 17 17:39:38 GMT 2022 aarch64 aarch64 aarch64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
[cont-init.d] 30-module: exited 0.
[cont-init.d] 40-confs: executing...
**** Server mode is selected ****
**** External server address is set to 192.168.1.10 ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.10.10.0 ****
**** AllowedIPs for peers 0.0.0.0/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.10.10.1 to use wireguard docker host's DNS. ****
**** No wg0.conf found (maybe an initial install), generating 1 server and pixel,spectre,janine,site,tab peer/client confs ****
grep: /config/peer*/*.conf: No such file or directory
<<CLIENT CONF QR CODES>>
[cont-init.d] 40-confs: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
.:53
CoreDNS-1.8.7
linux/arm64, go1.17.6, a9adfd5
[#] ip -4 route add 10.10.10.6/32 dev wg0
[#] ip -4 route add 10.10.10.5/32 dev wg0
[#] ip -4 route add 10.10.10.4/32 dev wg0
[#] ip -4 route add 10.10.10.3/32 dev wg0
[#] ip -4 route add 10.10.10.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
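The `iptables -S` output in the post shows only the filter table, while the PostUp line in the log also installs a MASQUERADE rule in the nat table. The following checker, an added example that is not part of the post or of the linuxserver/wireguard image, takes captured dumps (assumed to come from `docker exec wireguard iptables -S` and `docker exec wireguard iptables -t nat -S`) and a `sysctl net.ipv4.ip_forward` reading, and reports which of those PostUp rules are absent; the sample inputs are constructed from the post.

```python
"""Checker for the wg-quick PostUp rules the container log shows.

Added example, not from the original post or the linuxserver image. Feed it
captured `iptables -S` / `iptables -t nat -S` text; sample inputs are constructed.
"""
import shlex

# The three rules the log's PostUp line installs (filter and nat tables).
EXPECTED = {
    "filter": [
        "-A FORWARD -i wg0 -j ACCEPT",
        "-A FORWARD -o wg0 -j ACCEPT",
    ],
    "nat": ["-A POSTROUTING -o eth0 -j MASQUERADE"],
}

def parse_rules(dump: str) -> set:
    """Collect the -A lines of an `iptables -S` dump, whitespace-normalised."""
    rules = set()
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            rules.add(" ".join(shlex.split(line)))
    return rules

def missing_rules(filter_dump: str, nat_dump: str) -> dict:
    """Per table, the expected rules that are not present in the dumps."""
    present = {"filter": parse_rules(filter_dump), "nat": parse_rules(nat_dump)}
    return {t: [r for r in rules if r not in present[t]]
            for t, rules in EXPECTED.items()}

def forwarding_enabled(sysctl_output: str) -> bool:
    """True when `sysctl net.ipv4.ip_forward` (or the /proc file) reads 1."""
    return sysctl_output.strip().rsplit("=", 1)[-1].strip() == "1"

# Constructed sample: the filter table exactly as the post shows it, plus a
# nat table with only default policies (the post never shows the nat table).
FILTER_DUMP = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
"""
NAT_DUMP = "-P PREROUTING ACCEPT\n-P POSTROUTING ACCEPT\n"

if __name__ == "__main__":
    for table, gone in missing_rules(FILTER_DUMP, NAT_DUMP).items():
        print(table, "missing:", gone or "none")
    print("ip_forward enabled:", forwarding_enabled("net.ipv4.ip_forward = 1"))
```

With the post's filter dump and an empty nat table the checker flags only the MASQUERADE rule, which is the first thing to confirm inside the container along with the ip_forward value.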