cmulk / wireguard-docker

Wireguard setup in Docker meant for a simple personal VPN

Route local network traffic to wireguard network in container #10

Closed tvories closed 4 years ago

tvories commented 4 years ago

I'm struggling to figure out how to route my local network traffic BACK through the wireguard connection to the external peer. My peers connect great, they can access local resources. However, I can't figure out how to route traffic BACK to the external peer through the docker container. Is this possible?

tvories commented 4 years ago

Here is a bad drawing of my issue

cmulk commented 4 years ago

I see what you mean. First I would use the flag to disable MASQUERADE NAT as this will cause you problems routing back.

I think you have the right idea, putting the static route on the internal network to provide the path back to the VPN network (that's what I would do). The next part is that you should use --network host to put the container in host networking mode, which will create the wireguard interface on the host machine itself. This will make that interface available to the internal network so that those machines can route back through it. You will also need to make sure ip forwarding is enabled on that host if not already, and appropriate firewall rules are there to allow forwarding.

You are essentially needing to use wireguard as if it is installed on the host itself, which may actually be easier than using docker in this case!
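The host-side plumbing cmulk describes above, written out as shell commands. This is an added example, not code from the wireguard-docker project or from anyone in this thread. The interface name wg0, the subnets 10.13.13.0/24 and 192.168.1.0/24, the LAN NIC eth0 and the host address 192.168.1.10 are assumptions; replace them with your own values. The functions only print the commands, so the plan can be reviewed before it is piped to a shell.

```shell
#!/bin/sh
# Added example: LAN <-> WireGuard routing on a Docker host running the
# container with --network host (so wg0 exists on the host itself).
# All names and addresses below are assumed values, not the project's defaults.

# Emit (do not run) the commands the host needs:
#   $1 = WireGuard interface, $2 = WireGuard peer subnet,
#   $3 = LAN-facing NIC,      $4 = LAN subnet
plan_host_forwarding() {
  wg_if=$1; wg_net=$2; lan_if=$3; lan_net=$4
  # 1. The kernel must route between interfaces at all.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # 2. Allow forwarding in both directions, restricted to the two subnets.
  #    Because both directions are listed, no conntrack rule is required.
  echo "iptables -A FORWARD -i $lan_if -o $wg_if -s $lan_net -d $wg_net -j ACCEPT"
  echo "iptables -A FORWARD -i $wg_if -o $lan_if -s $wg_net -d $lan_net -j ACCEPT"
  # 3. Deliberately no MASQUERADE: LAN hosts must see the real peer address so
  #    their replies can follow the static route back into the tunnel.
}

# Emit the static route a LAN host (or the LAN router) needs so that traffic
# for the VPN subnet is sent to the Docker host:
#   $1 = WireGuard peer subnet, $2 = Docker host's LAN address
plan_lan_route() {
  wg_net=$1; host_lan_ip=$2
  echo "ip route add $wg_net via $host_lan_ip"
}

# Apply a plan by piping it to a shell that stops on the first failure.
apply_plan() {
  sh -e
}

# Dry run with the assumed values: prints the plan, applies nothing.
# To apply on the host:  plan_host_forwarding wg0 10.13.13.0/24 eth0 192.168.1.0/24 | apply_plan
# To apply on LAN hosts: plan_lan_route 10.13.13.0/24 192.168.1.10 | apply_plan
echo "# on the Docker host:"
plan_host_forwarding wg0 10.13.13.0/24 eth0 192.168.1.0/24
echo "# on each LAN host (or once on the LAN router):"
plan_lan_route 10.13.13.0/24 192.168.1.10
```

If the LAN router is the default gateway for every LAN host, adding the route once on the router is enough; otherwise each LAN host that must reach a peer needs it. Rules added with `iptables -A` do not survive a reboot; persist them with your distribution's mechanism once they work.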

tvories commented 4 years ago

Thanks for the insight. I was trying to avoid having a special server just for my vpn, but I have thought more than once in this process that it may be easier that way.

That being said, I wouldn't mind trying to figure this out if it's possible. I understand using the --network host mode, but I am such a noob when it comes to iptables that I am not sure how to set it up to forward it properly.

Do you have any suggestions for the proper commands to set up iptables to forward properly from the host to the container?

htilly commented 4 years ago

@tvories I might have the same setup as you. I made a fork and did some changes. https://github.com/htilly/wireguard-docker

You need to supply the environment LOCAL_NETWORK to the config for this to work.

Was that what you were looking for ?

tvories commented 4 years ago

@htilly I have not had a chance to try that out yet, but I am going to give it a shot. I will close this ticket in the meantime.

BobWs commented 3 years ago

Did you manage to get this to work? I'm looking for something similar. In my case, when the wg client is connected to the wg docker VPN I can connect to my local network via the local IP addresses, but I would also like to do that via subdomains, and that isn't working now.