Wireguard outgoing traffic not routed when using rootless docker

I’m currently running a rootless docker installation on Raspberry Pi OS 64bit bullseye (Kernel: 5.10.92) using a Raspberry Pi 4. I use the following command to deploy the wireguard container:

docker run -d --name=wireguard \
--cap-add=NET_ADMIN --cap-add=SYS_MODULE -e PUID=1000 -e PGID=1000 \
-e TZ=Europe/Berlin -e SERVERURL=<<my Server address>> -e SERVERPORT=51820 \
-e PEERS=5 -e PEERDNS=auto -e INTERNAL_SUBNET=10.10.10.0 -e ALLOWEDIPS=0.0.0.0/0 \
-p 51820:51820/udp -v wireguard-config:/config -v /lib/modules:/lib/modules \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" --restart always linuxserver/wireguard

The UID and GID match the user used to deploy the container. I started a shell inside the container and successfully pinged google.com (i.e. DNS and the connection from my container should work). Additionally, I'm able to connect a device to the wireguard container and successfully ping 10.10.10.1, as well as the container's IP in the docker bridge network. But all traffic with a different destination seems to be dropped. For example, I can't connect to any servers that are

  1. connected to the same docker bridge network,
  2. my local network,
  3. the internet.

I checked the iptables rules within the docker container and they are:

root@.......:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT

wg0 seems to be created inside the container:

root@.........:/# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none 
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Maybe I'm overlooking something pretty obvious, but I have no idea what went wrong. I'm also able to reproduce the problem with Ubuntu Server 20.04.3 LTS (64-bit).
Do you have any suggestions? Thank you very much in advance!!!

My containers log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing...
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing...
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-module: executing...
Uname info: Linux c6c572e7707e 5.10.92-v8+ #1514 SMP PREEMPT Mon Jan 17 17:39:38 GMT 2022 aarch64 aarch64 aarch64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
[cont-init.d] 30-module: exited 0.
[cont-init.d] 40-confs: executing...
**** Server mode is selected ****
**** External server address is set to 192.168.1.10 ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.10.10.0 ****
**** AllowedIPs for peers 0.0.0.0/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.10.10.1 to use wireguard docker host's DNS. ****
**** No wg0.conf found (maybe an initial install), generating 1 server and pixel,spectre,janine,site,tab peer/client confs ****
grep: /config/peer*/*.conf: No such file or directory

<<CLIENT CONF QR CODES>>

[cont-init.d] 40-confs: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
.:53
CoreDNS-1.8.7
linux/arm64, go1.17.6, a9adfd5
[#] ip -4 route add 10.10.10.6/32 dev wg0
[#] ip -4 route add 10.10.10.5/32 dev wg0
[#] ip -4 route add 10.10.10.4/32 dev wg0
[#] ip -4 route add 10.10.10.3/32 dev wg0
[#] ip -4 route add 10.10.10.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Hi !

I've got the same problem here… did you find any fixes?
Running arm64 Debian (RPi4)… the connection is established fine, the client can be found inside the container etc., but there is no forwarding of any traffic… running the same docker setup on an Intel-based system works flawlessly…

Sorry this took so long to reply. We do not offer any support for rootless at all and we have no intention of doing so in the near future.

When running in rootless podman, it gets a tap interface and you need to update the iptables rule in wg0.conf from eth+ to tap+. Also you need to open the port in the firewall.
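The reply above points at the rule naming the wrong interface: the MASQUERADE rule must refer to an interface that exists in the container's namespace (tap+ instead of eth+ under rootless podman). As an added diagnostic that is not part of this thread, the POSIX shell below parses `ip -o link show` and `iptables -t nat -S POSTROUTING` output and reports any MASQUERADE rule whose `-o` pattern matches no interface; the sample outputs are constructed (the eth0 one mirrors the original post's log, the "tap0" name for the rootless case is assumed).

```shell
#!/bin/sh
# Added check (not from the thread): does every MASQUERADE rule's -o pattern
# match an interface that actually exists in this network namespace?

# Constructed `ip -o link show` output for the original post's container (eth0).
LINKS_ETH='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Constructed output for a rootless (tap) namespace; "tap0" is an assumed name.
LINKS_TAP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN'

# Constructed `iptables -t nat -S POSTROUTING` output, as logged by the image,
# and the corrected rule the reply describes.
NAT_ETH='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
NAT_TAP='-P POSTROUTING ACCEPT
-A POSTROUTING -o tap+ -j MASQUERADE'

# iface_matches PATTERN NAME: iptables semantics, a trailing '+' is a prefix wildcard.
iface_matches() {
  case "$1" in
    *+) case "$2" in "${1%+}"*) return 0 ;; esac; return 1 ;;
    *)  [ "$1" = "$2" ] ;;
  esac
}

# check_masquerade LINKS NAT_RULES: returns 0 when every MASQUERADE rule matches
# at least one interface from LINKS, 1 (with a message per bad rule) otherwise.
check_masquerade() {
  # Interface names: second field of `ip -o link`, minus the ':' and any '@if..' suffix.
  names=$(printf '%s\n' "$1" | awk '{sub(/:$/, "", $2); sub(/@.*/, "", $2); print $2}')
  # Out-interface patterns of MASQUERADE rules only.
  pats=$(printf '%s\n' "$2" | awk '/-j MASQUERADE/ {for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1)}')
  rc=0
  for pat in $pats; do
    hit=1
    for n in $names; do
      if iface_matches "$pat" "$n"; then hit=0; break; fi
    done
    if [ "$hit" -ne 0 ]; then
      echo "MASQUERADE -o $pat matches no interface (present: $(echo $names))"
      rc=1
    fi
  done
  return $rc
}

# Inside a real container, replace the samples with the live commands:
#   check_masquerade "$(ip -o link show)" "$(iptables -t nat -S POSTROUTING)"
check_masquerade "$LINKS_ETH" "$NAT_ETH" && echo "eth0 namespace: rule ok"
check_masquerade "$LINKS_TAP" "$NAT_ETH" || echo "tap namespace: change the rule to tap+"
```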