Closed bobbyl140 closed 5 months ago
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
A human has marked this issue as invalid, this likely happened because the issue template was not used in the creation of the issue.
you've not provided enough info.
wg show
is as follows:
endpoint: 192.168.25.145:55156
The endpoint's address is obviously not within the Docker subnet because it's a physical device on cellular.we only test and support docker, podman can do things differently. We definitively do not support rootless podman, though it can also work
The IPs CAN matter when you describe an issue involving the IPs being on the host but show nothing about the IPs. for example a common issue we see are people making their wireguard subnet be the same as their lan subnet. It would show what you described and would be an unsupported config.
so for info, your statement is that client IPs (assuming wireguard clients?) are all on the container host.
your INTERNAL_SUBNET=172.24.5.0 #optional
means your clients should have an IP in the 172.24.5.0/24 range
when you show that endpoint, my assumption is that your home LAN is 192.168.25.0/24 perhaps? (this is why IPs matter, im having to make assumptions), so if this is what you mean by client ips are the container's host, then yes, this is abnormal and makes it look as if you were connecting to the VPN from within your LAN (like on wifi) but if your docker host itself IS 192.168.25.145, then you have something weird setup. Nothing stands out in your compose and it's similar to mine. My suggestion is to test using docker, but in the meantime I'll see if anyone wants to take a look at this (but dont get your hopes up, as it's unsupported)
Hi, I'm sorry, I see what you're saying now. I apologize for being blunt. My home LAN is 10.0.0.0/24, the Docker (Podman) subnetting I have includes the 192.168.25.0/24 range. So when I connect from a client, no matter on my home LAN, on cellular, or anywhere else, it always shows the client's IP as my host machine's IP on that Docker subnet. The internal subnet I have set to 172.24.5.0/24 to align with my other VPN services elsewhere.
to ensure i understand, do you mean that when your vpn'd client accesses something (say.. a webpage) which shows what IP connected to it, you are seeing your docker host ip? if yes, that is normal. docker (and podman) nat things from inside the container to the outside so the source is your docker host. similarly when you have a single public ip and your many hosts internally access an external site, they all see that one WAN ip. To NOT have that happen, and this is very out of scope of support, you would need to ROUTE that traffic rather than NAT it.
No, the IP shown on https://whatismyipaddress.com is in fact the WAN IP of my Docker host. That I expect. The issue is, for administrative purposes, I'd like to be able to see from the Docker host where clients are connecting from (say, the IP of a coffee shop). Which I realize may or may not be possible due to how Docker works, but if this is something that can be changed, that would be a useful feature. For example, running wg show
on my server with native WireGuard shows the public IP of the client outside of the VPN tunnel.
Now that I think about it, would this be possible with a bridged network setup for this Docker container?
No, the IP shown on https://whatismyipaddress.com is in fact the WAN IP of my Docker host. That I expect. The issue is, for administrative purposes, I'd like to be able to see from the Docker host where clients are connecting from (say, the IP of a coffee shop). Which I realize may or may not be possible due to how Docker works, but if this is something that can be changed, that would be a useful feature. For example, running
wg show
on my server with native WireGuard shows the public IP of the client outside of the VPN tunnel.
ahh you should be seeing that yes, in my endpoints, i see the public ip of the specific peer.
Now that I think about it, would this be possible with a bridged network setup for this Docker container?
in your compose, you are using a bridged network setup (which is what we support and recommend)
I mean like adding network_mode: bridge
, since that exposes the actual port on the host.
I mean like adding
network_mode: bridge
, since that exposes the actual port on the host.
not typing any network mode means you are using bridge
i think it might be best for you to come on our discord, truthfully, you have something going on and it's not a container issue, so probably best to sort it out in our live chat rather than ghi
not typing any network mode means you are using bridge
I meant to say host networking. I'm sorry, it's been a while since I did that kind of thing in Docker and I don't have my terms straight by any means. As in, the ports aren't isolated over the virtual interface and are set up directly on the host.
i think it might be best for you to come on our discord, truthfully, you have something going on and it's not a container issue, so probably best to sort it out in our live chat rather than ghi
Fair enough. I'll join that soon.
I meant to say host networking. I'm sorry, it's been a while since I did that kind of thing in Docker and I don't have my terms straight by any means. As in, the ports aren't isolated over the virtual interface and are set up directly on the host.
We don't support host, but you're already in an unsupported setup with podman, so IMO test all the things :D
Fair enough. I'll join that soon.
With that, I'll go ahead and close this and hopefully we can get you working on discord.
Is there an existing issue for this?
Current Behavior
When running
wg show
in the container, all the IPs are the host system's IP on the Docker subnet.Expected Behavior
If possible, these should be the real IPs.
Steps To Reproduce
podman exec -it wireguard wg show
Environment
CPU architecture
x86-64
Docker creation
Container logs