Wireguard, SWAG to Gluetun-Client with services doesn't connect properly

Hi, I am struggling with setting up my network. I have a VPS on the internet and a home network which I want to connect via Docker WireGuard. On the VPS there will be a WireGuard container as server and a SWAG container.

docker-yaml:

version: "3"
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: reverse_proxy
    hostname: "swag"
    networks:
      proxy:
        ipv4_address: 10.2.0.10
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/London
      - URL=my.domain.de
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=my.plugin
      - EMAIL=my.email@provider.com
    volumes:
      - ./swag:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped

  wireguard:
    depends_on: [unbound, pihole]
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/London # Change to your timezone
      - SERVERPORT=51820
      - SERVERURL=1.2.3.4
      - PEERS=3
      - INTERNAL_SUBNET=10.2.2.0
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
      - 25565:25565 # Port I want to forward
      - 32400:32400 # Port I want to forward
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      proxy:
        ipv4_address: 10.2.0.40

networks:
  proxy:
    name: proxy
    driver: bridge
    ipam:
      config:
        - subnet: 10.2.0.0/24
          gateway: 10.2.0.1

My wg0.conf on the server side looks like:

[Interface]
Address = 10.2.2.1
ListenPort = 51820
PrivateKey = xxxxxxxxxxxxxxxxx
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_plex
PublicKey = xxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxx
AllowedIPs = 10.2.2.2/32

[Peer]
# peer_minecraft
PublicKey = xxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.2.2.3/32

And on the client side I have a gluetun container and some other containers (a Minecraft server with network: service:gluetun). The firewall option in gluetun is disabled.

My problem is, I want to point the reverse proxy at my one client with my Plex server at 10.2.2.2:32400, but my reverse_proxy container has no connection to this client.
And I want to port forward a VPS port (via port mapping) to my Minecraft client.

I can ping without a problem from 10.2.2.2 to 10.2.0.1 or 10.2.2.1, but only my WireGuard server at 10.2.2.1 can ping 10.2.2.2. The reverse_proxy at 10.2.0.10 cannot ping 10.2.2.2. The same goes for the Minecraft client at 10.2.2.3.

I tried editing the wg0.conf on the server side with PostUp and PostDown:

PostUp=...
PostUp=iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25565 -j DNAT --to 10.2.2.3:25565

and the same for PostDown, but this only resulted in seeing the ping and the online status of the Minecraft server; I could not log in. tcpdump showed me that no packets were going out (length=0), only coming in.

13:37:51.950636 IP home.ip.2784 > server.ip.25565: Flags [.], ack 1079, win 1020, options [nop,nop,sack 1 {3839:4005}], length 0

And for the Plex Server

PostUp=...
PostUp=iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 32400 -j DNAT --to 10.2.2.2:32400

I am not quite sure what to do. I also tried using the linuxserver/wireguard container as client, but then even pinging from the server didn't work. I am rather new to the whole VPN stuff, and routing via ip route or iptables is not at all my area. Can someone help me, or is it even possible right now?

This is a networking issue, but you've not described your network(s) well enough.

I will make something up and you can run with it. If I have a wg tunnel from A to B,
A(10.0.0.0/24) <–> B(10.5.0.0/24), I'm going to be able to ping across that tunnel from A and B just fine because WG injects routes based on AllowedIPs. You have said you can do this.

Router <–> Stuff1(192.168.1.0/24) → (192.168.1.20)A(10.0.0.0/24) <–> (172.100.32.20)B(10.5.0.0/24) ← Stuff2(172.100.32.0/24) <–> Router

You want Stuff1 to be able to reach Stuff2 across the tunnel. You need routes. You are looking at WireGuard, but WireGuard has routes; the host running WireGuard has routes.

You need to tell your ROUTER on your LAN (ISP router) that to get to 172.100.32.0/24, go to 192.168.1.20.
To allow return traffic (TCP ACK at a minimum) you need to tell the router on B that to reach 192.168.1.0/24, go to 172.100.32.20.

e.g.:
ip route add 172.100.32.0/24 via 192.168.1.20 on A’s router
ip route add 192.168.1.0/24 via 172.100.32.20 on B’s router

Your traffic will try to egress to your ISP because the subnet is not local; when it gets there, it'll see the static route and go to your A or B (wg instance). Your wg instances already have routes to those subnets and it will simply traverse the tunnel.

Note, I do not help people with network issues, you just caught me in a nice mood. I won't provide further assistance for this, best wishes.
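The reply's point that a route is needed on both routers, one per direction, can be checked with a small longest-prefix-match trace over the A/B topology it sketches. This is an added example, not code from the thread; the router addresses (.1), end-host addresses (.50) and tunnel addresses 10.0.0.1/10.5.0.1 are assumed, while 192.168.1.20 and 172.100.32.20 are the reply's wg hosts.

```python
import ipaddress

# Constructed topology: which node owns each next-hop address.
ADDR_TO_NODE = {"192.168.1.1": "RouterA", "192.168.1.20": "A", "10.0.0.1": "A",
                "172.100.32.1": "RouterB", "172.100.32.20": "B", "10.5.0.1": "B"}

def next_hop(table, dst):
    """Longest-prefix match over (prefix, via) rows; via=None means directly connected.
    Returns "local", a next-hop address, or None when nothing matches."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (best[1] or "local")

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from node `start` toward `dst`. The path ends with DELIVERED
    (destination net is connected), NO_ROUTE, or ISP (a private destination fell
    through to the default route, so the ISP drops it and the reply never comes)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop == "local":
            return path + ["DELIVERED"]
        if hop is None:
            return path + ["NO_ROUTE"]
        node = ADDR_TO_NODE.get(hop, hop)
        path.append(node)
        if node not in tables:          # e.g. "ISP": beyond our control, packet is lost
            return path
    return path + ["LOOP"]

def build_tables(static_on_router_a, static_on_router_b):
    """Route tables for the reply's picture. A and B already carry routes for each
    other's AllowedIPs (the tunnel net and the LAN behind it) via the tunnel."""
    t = {"Stuff1":  [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
         "RouterA": [("192.168.1.0/24", None), ("0.0.0.0/0", "ISP")],
         "A": [("192.168.1.0/24", None), ("10.0.0.0/24", None), ("10.5.0.0/24", "10.5.0.1"),
               ("172.100.32.0/24", "10.5.0.1"), ("0.0.0.0/0", "192.168.1.1")],
         "B": [("172.100.32.0/24", None), ("10.5.0.0/24", None), ("10.0.0.0/24", "10.0.0.1"),
               ("192.168.1.0/24", "10.0.0.1"), ("0.0.0.0/0", "172.100.32.1")],
         "RouterB": [("172.100.32.0/24", None), ("0.0.0.0/0", "ISP")],
         "Stuff2":  [("172.100.32.0/24", None), ("0.0.0.0/0", "172.100.32.1")]}
    if static_on_router_a:   # ip route add 172.100.32.0/24 via 192.168.1.20 (reply, A's router)
        t["RouterA"].insert(0, ("172.100.32.0/24", "192.168.1.20"))
    if static_on_router_b:   # ip route add 192.168.1.0/24 via 172.100.32.20 (reply, B's router)
        t["RouterB"].insert(0, ("192.168.1.0/24", "172.100.32.20"))
    return t

def round_trip(static_on_router_a, static_on_router_b):
    """Forward path Stuff1 -> Stuff2 and the return path Stuff2 -> Stuff1."""
    t = build_tables(static_on_router_a, static_on_router_b)
    return trace(t, "Stuff1", "172.100.32.50"), trace(t, "Stuff2", "192.168.1.50")
```

With only the route on A's router the forward path is delivered but the return path ends at the ISP, which is exactly the one-way symptom (SYN arrives, replies never come back) the reply warns about.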