jordanpotter / docker-wireguard

Simple image for running a WireGuard client with a kill switch
MIT License

Sharing your docker via --net=container:<containername> on a vlan with additional port? #7

Closed mannp closed 3 years ago

mannp commented 4 years ago

Hi there

Thanks for sharing your container. I have a VPN connection working fine, but I cannot get sharing the docker with other dockers working.

I wondered if anyone had tried and succeeded in sharing with a docker on the same vlan?

E.g. your docker at 192.168.70.10 and the docker needing VPN access at 192.168.70.11.... I cannot get access to the http port of the client service when I add the relevant port to your container?

Searches say it should work, but they seem to be for earlier versions of docker.

I also wondered if the routes in the docker could stop the access too?

Thanks.

jordanpotter commented 4 years ago

Hey @mannp, hope I can help!

Suppose you have two containers: app and wireguard. If you want container app to use Wireguard, you'd run something like:

docker run --net=container:wireguard app

However once you do that, all traffic for app is routed through the wireguard container. So if app serves a webpage on port 80, you wouldn't be able to access that page locally.

To get around this, you can use another container to proxy traffic to app! I've been using the dperson/nginx image, which has worked wonderfully for me.

So my setup is:

  1. Run the Wireguard container: docker run --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf jordanpotter/wireguard
  2. Run the App container: docker run --name app --net=container:wireguard app
  3. Run the Proxy container: docker run --name proxy --link app dperson/nginx -w 'http://app:80/;/'

I think this uses some older features in Docker, but this is what I do for my own use cases.

Note: It's late at night for me, but I'll double-check everything tomorrow 👍
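The three-container layout above written as a single Docker Compose file. This is an added example, not something from the repository or from jordanpotter's comment; the image name `app`, the published host port 8080 and the compose service names are assumptions. Because `app` runs inside the wireguard container's network namespace it has no address or DNS name of its own, so the nginx upstream points at the `wireguard` service rather than `app`; the compose network also replaces `--link`, so the "does not belong to the default network" error mentioned later in this thread does not arise.

```yaml
services:
  wireguard:
    image: jordanpotter/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      # Same config path as in the comment above.
      - /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf
    # No ports are published on the tunnel container itself: the only
    # way to reach app from the LAN is through the proxy service below.

  app:
    image: app            # assumption: whatever serves the page on port 80
    container_name: app
    # Share the wireguard container's network namespace. All of app's
    # traffic leaves through the tunnel, and the kill switch in the
    # wireguard image blocks it if the tunnel goes down.
    network_mode: "service:wireguard"
    depends_on:
      - wireguard

  proxy:
    image: dperson/nginx
    container_name: proxy
    depends_on:
      - app
    ports:
      - "8080:80"         # assumption: LAN-facing port for the proxied page
    # app has no network identity of its own, so the upstream is the
    # wireguard service name, where app's port 80 is actually listening.
    command: -w "http://wireguard:80/;/"
```

After `docker compose up`, the page is reachable on the host at port 8080 while app itself only ever sees the tunnel.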

mannp commented 4 years ago

Hi @jordanpotter thanks for the help, much appreciated.

It gave me an idea though that I could perhaps use caddy or traefik in this instance then as I am already using them internally to serve my tls certs, so perhaps they could link into your wireguard docker too.

I will look into my nginx docker too, but once I've explored the others first.

Thanks again :+1:

Edit: Trying with nginx first I get an error relating to the vlan, so I need to read some more about that :) -> Error response from daemon: Cannot link to /wireguard, as it does not belong to the default network

jordanpotter commented 4 years ago

Hey @mannp, wanted to follow up and hear how Caddy/Traefik are working out! If you'd like, I can whip up a solution with Nginx too!

ThisIsTheOnlyUsernameAvailable commented 4 years ago

@jordanpotter An integrated proxy would be amazing.

I'm presently using wireguard with an HTTP proxy to act as a vpn gateway for my local network, and am looking to move to Docker. Your container looks fantastic, but I need to chain it to a SOCKS or HTTP(s) proxy, to allow LAN clients to access the VPN.

jordanpotter commented 4 years ago

Hey @ThisIsTheOnlyUsernameAvailable, that sounds like a fantastic addition! If this is something you'd find valuable (and I'm sure other people would as well) would you be interested in opening a PR?

If not, I can get around to implementing this in the next week or so.

mannp commented 3 years ago

Hi @jordanpotter apologies for the late reply.

Sorted selective routing for my firewall, so I use wireguard through that now.

This one can be closed now, for me.

jordanpotter commented 3 years ago

Hey @ThisIsTheOnlyUsernameAvailable, going to close this issue since it sounds like the original question has been answered. If you're still interested in an integrated proxy, would you mind creating a separate issue?