masipcat / wireguard-go-docker

Wireguard docker image
https://hub.docker.com/r/masipcat/wireguard-go
GNU General Public License v3.0
182 stars 42 forks

Docker name resolution #6

Closed davidsarkany closed 4 years ago

davidsarkany commented 4 years ago

Hi!

I want to connect to my other docker containers through wireguard. I can connect with an IP (example: 172.18.0.7), but the local DNS resolution (example: mysql) doesn't work. How can I fix it?

masipcat commented 4 years ago

I think you need to do something like this: https://github.com/masipcat/wireguard-go-docker#basic--kube-dns

Assuming the ip of the docker dns is 172.18.0.1:

In the wg config of the peer that wants the dns resolution:

[Interface]
...
# Configure the dns ip address as dns resolver on your local machine
PostUp = printf "nameserver 172.18.0.1" | resolvconf -a %i

[Peer]
...
# Change AllowedIPs to 172.18.0.0/16 if you only want to use the tunnel to connect to other containers
AllowedIPs = 172.18.0.0/16

EDIT: fixed ip address in line PostUp = printf "nameserver 172.18.0.1" | resolvconf -a %i

davidsarkany commented 4 years ago

I think I want something else.

For example:

I have a mariadb container on the "mysql" network. I add the wireguard container to the "mysql" network.

version: '3.3'
services:
  wireguard:
    container_name: wireguard
    image: masipcat/wireguard-go:latest
    # one restart policy only; a second "restart:" key is a duplicate-key error in YAML
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
    volumes:
      - /dev/net/tun:/dev/net/tun
      - ./config:/etc/wireguard
    environment:
      - WG_COLOR_MODE=always
      - LOG_LEVEL=info
    ports:
      - 587:587/udp
    networks:
      - mysql

networks:
  mysql:
    external:
      name: mysql

When I enter the wireguard container I can look up the mariadb hostname.

docker exec -ti wireguard sh
# nslookup mariadb
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:

Non-authoritative answer:
Name:   mariadb
Address: 172.19.0.5

It's great; name resolution works inside the container with the default Docker DNS resolver (127.0.0.11). So my question: how can I use this DNS resolver on my PC through WireGuard? (Windows 10)

wg0.conf (server)

[Interface]
Address = 10.99.0.1/24
ListenPort = 587
# load the key and masquerade tunnel clients that leave through eth0
PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
# PostDown must match the rule added in PostUp exactly (including -s), otherwise iptables -D finds nothing to delete
PostDown = iptables -t nat -D POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = 
AllowedIPs = 10.99.0.2/32

[Peer]
PublicKey = 
AllowedIPs = 10.99.0.3/32

Client config (Windows 10)

[Interface]
PrivateKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Address = 10.99.0.2/32
DNS = ?

[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0
Endpoint = my-domain:587

masipcat commented 4 years ago

I'm not sure... If port 53 is bound inside the wireguard container for address 0.0.0.0/0, then using 10.99.0.1 should work as a DNS resolver. Otherwise, maybe you need to set up a BIND9 or another way to expose the docker dns resolver.
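The catch with the suggestion above is that Docker's embedded resolver is not bound on 0.0.0.0:53. Inside the container it is reachable only as 127.0.0.11:53, and even that is an illusion: the real listener sits on a random high port, and Docker installs DNAT rules in the container's DOCKER_OUTPUT nat chain that map 127.0.0.11:53 to it. Those rules live in the OUTPUT chain, so a query arriving over wg0 (PREROUTING path) never sees them and 10.99.0.1:53 stays dead. The script below is an added example, not code from the issue or from the masipcat/wireguard-go-docker image: it reads the resolver's real port from that chain and adds a matching PREROUTING DNAT so that peers can use 10.99.0.1 as their DNS server. Assumptions: the DOCKER_OUTPUT chain layout shown in the constructed sample inside the script, the tunnel address 10.99.0.1 from the server config above, CAP_NET_ADMIN (already granted by the compose file in the thread), and the script path /etc/wireguard/expose-docker-dns.sh, which is an arbitrary name.

```shell
#!/bin/sh
# Added example (not from the masipcat/wireguard-go-docker project or the
# issue author).  Hook it into wg0.conf inside the container:
#   PostUp   = /etc/wireguard/expose-docker-dns.sh up 10.99.0.1
#   PostDown = /etc/wireguard/expose-docker-dns.sh down 10.99.0.1
# (script path/name are assumptions; the ./config volume maps to /etc/wireguard)

# Constructed sample of `iptables -t nat -S DOCKER_OUTPUT` as seen in a
# container on a user-defined network; the ports are random per container start.
SAMPLE_DOCKER_OUTPUT='-N DOCKER_OUTPUT
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:41053
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:53917'

# docker_dns_port PROTO: read `iptables -t nat -S DOCKER_OUTPUT` on stdin and
# print the port the embedded resolver really listens on for PROTO (udp|tcp).
# Prints nothing when no rule matches (container not on a user-defined network).
docker_dns_port() {
    sed -n "s/^-A DOCKER_OUTPUT .* -p $1 .*--dport 53 -j DNAT --to-destination 127\.0\.0\.11:\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# dns_nat_rule ACTION PROTO PORT WG_ADDR: print the iptables command that
# redirects PROTO/53 arriving on wg0 for WG_ADDR to the resolver's real port.
# ACTION is A (append) or D (delete); only wg0 traffic is matched.
dns_nat_rule() {
    printf 'iptables -t nat -%s PREROUTING -i wg0 -d %s -p %s --dport 53 -j DNAT --to-destination 127.0.0.11:%s\n' \
        "$1" "$4" "$2" "$3"
}

# expose_docker_dns up|down WG_ADDR: apply or remove the rules on a live
# container.  route_localnet on wg0 lets the kernel accept a 127/8 destination
# arriving from wg0 and lets the resolver's replies (source 127.0.0.11) leave
# through wg0; conntrack rewrites those replies back to WG_ADDR:53 for the peer.
expose_docker_dns() {
    action=A
    [ "$1" = down ] && action=D
    rules=$(iptables -t nat -S DOCKER_OUTPUT) || return 1
    if [ "$1" = up ]; then
        sysctl -w net.ipv4.conf.wg0.route_localnet=1 >/dev/null || return 1
    fi
    for proto in udp tcp; do
        port=$(printf '%s\n' "$rules" | docker_dns_port "$proto")
        if [ -z "$port" ]; then
            echo "no DOCKER_OUTPUT $proto rule for 127.0.0.11:53; is the container on a user-defined network?" >&2
            return 1
        fi
        # the rendered command line is executed as-is (no spaces in any argument)
        $(dns_nat_rule "$action" "$proto" "$port" "$2") || return 1
    done
}

# Only act when invoked with up/down, so the file can also be sourced for its functions.
case "${1:-}" in
    up|down) expose_docker_dns "$1" "${2:-10.99.0.1}" ;;
esac
```

With the rules in place the Windows client sets DNS = 10.99.0.1, which its AllowedIPs already cover, and names such as mariadb resolve to their 172.19.x addresses exactly as in the nslookup output above. The port is read at PostUp time rather than written into wg0.conf because Docker picks a new one every time the container starts. Two caveats worth knowing: the embedded resolver forwards names it does not know to the host's upstream DNS, so any peer that reaches it gets a full recursive resolver (the rule matches only wg0 traffic; add -s 10.99.0.0/24 to the DNAT if the tunnel carries more than trusted peers), and the script depends on Docker's internal DOCKER_OUTPUT chain layout, which is not a documented interface and may change between Docker releases.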