Wireguard port in container not reachable

Hi all,

I have setup a new Odroid SBC with DietPi (debian ARM64) plus Docker and Docker Compose, following the guide on docker hub. The container is up and running, but I can’t reach the port. I think it’s a firewall setting inside the container.

My docker-compose.yml:

version: “2.1”
services:
wireguard:
image: ghcr.io/linuxserver/wireguard
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- SERVERURL=myurl.com#optional
- SERVERPORT=51820 #optional
- PEERS=5 #optional
- PEERDNS=auto #optional
- INTERNAL_SUBNET=10.13.13.0 #optional
- ALLOWEDIPS=192.168.88.0/24 #optional
volumes:
- /docker/app/wireguard/config:/config
- /lib/modules:/lib/modules
ports:
- 51820:51820/udp
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped

My wg0.conf is looking like this:
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey =
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

My iptables in the host (dietpi):
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT udp – anywhere 172.19.0.2 udp dpt:51820

My iptables in the container:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Every hint / idea is really appreciated.

Thx.

did you forward port 51820/udp from your router to your docker host?

Yes I did. I tried to access the service simply from the same LAN. I don’t reach it. I made also telnet test on the host itself. The port ist blocked. Portainer runs on the same host. No issue.

did you deploy wireguard with portainer?

No, with docker compose by console.

are you only trying to connect via LAN? have you tried connecting from your mobile while on cellular (not wifi)

also, anything in the docker logs? docker logs -f wireguard

I tried all.

First: Celluar
Second: LAN
Third: Port checks directly on the host.

I tried it also on another host, runing dietpi as well. Same issue. I can try it on another OS. I can switch to Ubuntu.

What do you think? Is it a try worth?

I know none of us have ever tested using dietpi; we’ve tested on debian, ubuntu, and raspibian. It’s definitely worth a shot to try on ubuntu if that’s easy for you

it may also be worth joining our discord for quicker live assistance.

All right. I think it’s worth to try. I will change to Ubuntu in the next days. I keep you updated with the results.

Many thanks for your support.

1 Like