Wireguard, SWAG to Gluetun client with services doesn't connect properly

Hi, I am struggling with setting up my network. I have a VPS on the internet and a home network which I want to connect via docker wireguard. On the VPS there will be a wireguard container as server and a SWAG container:


version: "3"
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: reverse_proxy
    hostname: "swag"
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/London
      - URL=my.domain.de
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=my.plugin
      - EMAIL=my.email@provider.com
    volumes:
      - ./swag:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped

  wireguard:
    depends_on: [unbound, pihole]
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/London # Change to your timezone
      - SERVERPORT=51820
      - SERVERURL=
      - PEERS=3
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
      - 25565:25565 # Port I want to forward
      - 32400:32400 # Port I want to forward
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

networks:
  proxy:
    name: proxy
    driver: bridge
    ipam:
      config:
        - subnet:

My wg0.conf on the server side looks like:

[Interface]
Address =
ListenPort = 51820
PrivateKey = xxxxxxxxxxxxxxxxx
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

# peer_plex
[Peer]
PublicKey = xxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxx
AllowedIPs =

# peer_minecraft
[Peer]
PublicKey = xxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxxxxx
AllowedIPs =

And on the client side I have a gluetun container and some other containers (minecraft server with network: service:gluetun). The firewall option in gluetun is disabled.

My problem is that I want to set the reverse proxy to my one client with my Plex server at but my reverse_proxy container has no connection to this client.
And I want to port forward a VPS port (via port mapping) to my minecraft client.

I can without a problem ping from to or but only my wireguard server at can ping The reverse_proxy at cannot ping And the same with the minecraft-client at

I tried editing the wg0.conf on the server side with PostUp and PostDown:

PostUp=iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25565 -j DNAT --to

and the same for PostDown, but this only resulted in seeing the ping and the online status of the minecraft server; I could not log in. tcpdump showed me that no packets were going out (length=0), only coming in.

13:37:51.950636 IP home.ip.2784 > server.ip.25565: Flags [.], ack 1079, win 1020, options [nop,nop,sack 1 {3839:4005}], length 0

And for the Plex Server

PostUp=iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 32400 -j DNAT --to

I am not quite sure what to do. I also tried using the linuxserver/wireguard container as a client, but then even pinging from the server didn’t work. I am rather new to the whole VPN stuff, and routing via ip route or iptables is not at all my area. Can someone help me, or is it even possible right now?

This is a networking issue, but you’ve not described your network(s) well enough.

I will make something up and you can run with it. If I have a wg tunnel from A to B
A( <–> B( I’m going to be able to ping across that tunnel from A and B just fine because WG injects routes based on AllowedIPs. You have said you can do this.

Router <–> Stuff1( → ( <–> ( ← Stuff2( <–> Router

You want Stuff1 to be able to reach Stuff2 across the tunnel. You need routes. You are looking at wireguard, but wireguard has routes; the host running wireguard has routes.

You need to tell your ROUTER on your LAN (ISP router) that to get to go to the
To allow return traffic (TCP ack at a minimum) you need to tell the router on B that to reach go to

ip route add via on A’s router
ip route add via on B’s router

Your traffic will try to egress to your ISP because the subnet is not local; when it gets there, it’ll see the static route and go to your A or B (wg instance). Your wg instances already have routes to those subnets and it will simply traverse the tunnel.

Note, I do not help people with network issues; you just caught me in a nice mood. I won’t provide further assistance for this. Best wishes.
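The two pieces the thread turns on, the server's wg0.conf above and the reply's point that WireGuard only routes what AllowedIPs claim while every other host needs its own route toward the wg instance, can be checked offline. The script below is an added example, not code from either poster or from the linuxserver.io or WireGuard projects. It parses a wg-quick style config, derives the routes wg-quick would install from AllowedIPs, and traces a packet from a host that is not the tunnel endpoint (here a reverse_proxy container) to see whether it ever reaches the wg host and which peer would receive it. Every address, key, host name and subnet in it is constructed, since the thread's real values were redacted: the 10.13.13.0/24 tunnel, the 192.168.178.0/24 home LAN, the 172.20.0.0/24 "proxy" bridge with its gateway 172.20.0.1 and wireguard container 172.20.0.2, and 203.0.113.1 as the ISP hop are all assumptions.

```python
"""Trace a packet from a host's routing table to the WireGuard peer whose
AllowedIPs claim it. Every address, key and host below is constructed."""
import ipaddress

# Constructed server config modelled on the thread's (redacted) wg0.conf.
SAMPLE_WG0_CONF = """\
[Interface]
Address = 10.13.13.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

# peer_plex
[Peer]
PublicKey = PEER_PLEX_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PEER_PLEX_PSK_PLACEHOLDER
AllowedIPs = 10.13.13.2/32, 192.168.178.0/24

# peer_minecraft
[Peer]
PublicKey = PEER_MINECRAFT_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PEER_MINECRAFT_PSK_PLACEHOLDER
AllowedIPs = 10.13.13.3/32
"""


def parse_wg_conf(text):
    """Parse a wg-quick config into (interface, peers); a '# name' comment right
    above a [Peer] header is kept as that peer's name, as in the thread's file."""
    interface, peers, current, pending = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending = line.lstrip("#").strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing comment
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {"name": pending or f"peer{len(peers) + 1}"}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            pending = None
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = line.partition("=")  # split on the first '=' only: base64 keys end in '='
        current[key.strip().lower()] = value.strip()
    return interface, peers


def peer_routes(peers):
    """Routes wg-quick adds on the tunnel host: every AllowedIPs prefix -> wg0."""
    return [(ipaddress.ip_network(c.strip(), strict=False), p["name"])
            for p in peers for c in p.get("allowedips", "").split(",") if c.strip()]


def longest_match(dst, entries):
    """Longest-prefix match over [(network, payload)]. The kernel routing table
    and WireGuard's cryptokey routing both select this way. None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, payload) for net, payload in entries if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def peer_for(dst, peers):
    """The peer wg0 would encrypt dst for, or None (wg0 drops unclaimed packets)."""
    hit = longest_match(dst, peer_routes(peers))
    return hit[1] if hit else None


def trace(start, dst, network, wg_host, peers, max_hops=8):
    """Follow dst hop by hop. `network` maps host -> [(prefix, via)], via None
    meaning on-link. At wg_host the decision passes to cryptokey routing."""
    cur = start
    for _ in range(max_hops):
        if cur == wg_host:
            peer = peer_for(dst, peers)
            return ("tunnel", peer) if peer else ("dropped_at_wg0", wg_host)
        hit = longest_match(dst, [(ipaddress.ip_network(p), v) for p, v in network[cur]])
        if hit is None:
            return ("no_route", cur)
        via = hit[1]
        if via is None:
            return ("direct", cur)
        if via != wg_host and via not in network:
            return ("leaves_network", via)  # handed to a gateway we do not model (the ISP)
        cur = via
    return ("loop", cur)


def with_static_route(network, router, prefix, via):
    """Copy of `network` in which `router` learned `ip route add <prefix> via <via>`."""
    updated = {h: list(r) for h, r in network.items()}
    updated[router] = [(prefix, via)] + updated.get(router, [])
    return updated


# Constructed VPS topology: reverse_proxy and the wireguard container share the
# "proxy" docker bridge; its gateway only knows a default route toward the ISP.
WG_HOST = "172.20.0.2"
NETWORK = {
    "reverse_proxy": [("172.20.0.0/24", None), ("0.0.0.0/0", "172.20.0.1")],
    "172.20.0.1": [("172.20.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")],
}
```

With the constructed topology, `trace("reverse_proxy", "192.168.178.20", NETWORK, WG_HOST, peers)` ends in `("leaves_network", "203.0.113.1")`: the proxy's default route hands the packet to the bridge gateway, which has no idea the home LAN sits behind the wireguard container. After `with_static_route(NETWORK, "172.20.0.1", "192.168.178.0/24", WG_HOST)`, the same call returns `("tunnel", "peer_plex")`. A route that is too wide for what the peers claim, say `192.168.0.0/16` via the wg host for a destination no AllowedIPs cover, ends in `("dropped_at_wg0", ...)`, which is the other silent failure worth ruling out: the host routes fine but WireGuard has no peer for the address.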