jordanpotter / docker-wireguard

Simple image for running a WireGuard client with a kill switch
MIT License
143 stars 37 forks

Remove need for running in privileged mode #3

Closed bobbypage closed 4 years ago

bobbypage commented 4 years ago

To remove the need for running in privileged mode, set the necessary net.ipv4.conf.all.src_valid_mark=1 sysctl via Docker and modify the /usr/bin/wg-quick script so it no longer sets the sysctl itself.

Fixes #2
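The approach in this PR (supply the sysctl from the host with --sysctl and stop wg-quick from setting it), as an added shell example that is not code from the docker-wireguard repo; the wg-quick fragment is constructed and the script path is assumed.

```shell
#!/bin/sh
# Added example, not code from the docker-wireguard repo: helpers for the approach in this PR.
# patch_wg_quick() rewrites a copy of wg-quick so it no longer calls sysctl itself, and
# require_src_valid_mark() makes an entrypoint fail closed unless the host supplied the
# value via --sysctl. The wg-quick fragment is constructed; the script path is assumed.

# Constructed stand-in for the relevant lines of the Linux /usr/bin/wg-quick.
SAMPLE_WG_QUICK='add_default() {
    cmd ip $proto rule add table main suppress_prefixlength 0
    [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
    cmd $iptables-restore -n
}'

# Replace the sysctl call with an echo, which is what produces the
# "[#] echo skipping setting net.ipv4.conf.all.src_valid_mark" line in the PR log.
# Takes the script path; goes through a temp copy so it does not depend on sed -i.
patch_wg_quick() {
    script="$1"
    sed 's|sysctl -q net.ipv4.conf.all.src_valid_mark=1|echo skipping setting net.ipv4.conf.all.src_valid_mark|' \
        "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Number of lines in a script that still invoke sysctl (0 means the patch applied cleanly).
count_sysctl_calls() {
    grep -c 'sysctl ' "$1" || true
}

# Fail closed: succeed only if the sysctl (default: the live kernel value) reads 1.
# wg-quick sets it so that fwmark-based policy routing passes reverse-path filtering; a
# container started without --sysctl net.ipv4.conf.all.src_valid_mark=1 should refuse to
# bring the tunnel up instead of starting a VPN whose return traffic may be dropped.
require_src_valid_mark() {
    f="${1:-/proc/sys/net/ipv4/conf/all/src_valid_mark}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        return 0
    fi
    echo "net.ipv4.conf.all.src_valid_mark is not 1; run with --sysctl net.ipv4.conf.all.src_valid_mark=1" >&2
    return 1
}

# Demo on the constructed fragment when run with WG_DEMO=1 (e.g. WG_DEMO=1 sh example.sh).
if [ "${WG_DEMO:-0}" = "1" ]; then
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_WG_QUICK" > "$tmp"
    patch_wg_quick "$tmp" && cat "$tmp" && rm -f "$tmp"
    require_src_valid_mark && echo "host sysctl OK"
fi
```

In an entrypoint, call require_src_valid_mark before wg-quick up so a container launched without the --sysctl flag exits instead of running a tunnel with an unset sysctl.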

jordanpotter commented 4 years ago

I just tested this on a machine running Debian buster with kernel 4.19.0-9-amd64.

$ docker run --rm --name docker-wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v /etc/wireguard/mullvad.conf:/etc/wireguard/mullvad.conf docker-wireguard
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip -4 address add <redacted>/32 dev mullvad
[#] ip link set mtu 1420 up dev mullvad
[#] resolvconf -a mullvad -m 0 -x
[#] wg set mullvad fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
skipping setting net.ipv4.conf.all.src_valid_mark
[#] echo skipping setting net.ipv4.conf.all.src_valid_mark
[#] iptables-restore -n
skipping ipv6 killswitch setup since ipv6 interface was not found...

Then:

$ docker run -it --rm --net=container:docker-wireguard appropriate/curl http://httpbin.org/ip
curl: (6) Could not resolve host: httpbin.org

Do you get a different result on your machine?

bobbypage commented 4 years ago

Huh, that's strange, it works on my side. I'm testing this on Ubuntu 20.04.1 LTS, kernel 5.4.0-42-generic.

$ sudo docker build -t bobbypage/docker-wireguard:latest .
Sending build context to Docker daemon    171kB
Step 1/4 : FROM ubuntu:20.04
 ---> 4e2eef94cd6b
Step 2/4 : RUN apt-get update && apt-get install -y openresolv iptables iproute2 wireguard
 ---> Using cache
 ---> f395a406a71c
Step 3/4 : COPY entrypoint.sh /entrypoint.sh
 ---> b0e63f5f4527
Step 4/4 : ENTRYPOINT ["/entrypoint.sh"]
 ---> Running in 94dac4dd08be
Removing intermediate container 94dac4dd08be
 ---> 8362dcf93eaf
Successfully built 8362dcf93eaf
Successfully tagged bobbypage/docker-wireguard:latest
$ sudo docker run --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v $(pwd)/config/mullvad/mullvad-ca10-ipv4.conf:/etc/wireguard/mullvad.conf bobbypage/docker-wireguard:latest
$ sudo docker run --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v $(pwd)/config/mullvad/mullvad-ca10-ipv4.conf:/etc/wireguard/mullvad.conf bobbypage/docker-wireguard:latest
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip -4 address add <redacted> dev mullvad
[#] ip link set mtu 1420 up dev mullvad
[#] resolvconf -a mullvad -m 0 -x
[#] wg set mullvad fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] echo skipping setting net.ipv4.conf.all.src_valid_mark
skipping setting net.ipv4.conf.all.src_valid_mark
[#] iptables-restore -n
$ sudo docker run -it --rm --net=container:wireguard appropriate/curl http://httpbin.org/ip
{
  "origin": "<SERVER_IP>"
}

jordanpotter commented 4 years ago

Hrmm, give me a few minutes to check my wireguard config... 🤔

jordanpotter commented 4 years ago

I was mistaken! The wireguard configuration I was using for testing was being used by another wireguard instance, which caused the conflict. We're good now 👍