Closed dragon2611 closed 4 years ago
From reddit:
I don't think the example docker-compose config in the Readme works: the app itself ran, but it couldn't configure wireguard. Thankfully that's easy to fix; PR submitted.
I don't think PSK works, at least it didn't seem to for me: if you edit the wireguard server config and generate a PSK, the PSK gets inserted into the client configs but doesn't seem to get inserted into the server-side config; viewing the server config after editing reveals no PSK line.
Could you consider adding a default DNS option, rather than having to edit it on the peer configuration for each one generated? It seems to default to the endpoint.
I've fiddled a lot with the network_mode, and while it works well to run it with host network, you can no longer reverse proxy with dockerized solutions such as jwilder/nginx-proxy. I'll add a comment about the pros/cons of running with and without network_mode: host. It should work without network_mode: host. I've tried both on Arch Linux and a Hetzner Ubuntu server now and it works fine in both cases.
I'm not able to reproduce this. The PSK is generated fine here.
Sure!
I'll see if I can track this down while I write the Ubuntu guide.
1) You can reverse proxy it in host mode, but the proxy would be connecting to the host IP, so you need firewall rules to stop people bypassing the proxy (mine's behind Traefik 2.x; I did have to do it as a static config rather than have Traefik configure from docker like the other containers).
Wireguard manager ran without using host mode networking but it didn't seem to actually configure wireguard on my machine, that said it could be something specific to my environment.
2) It generated the PSK fine but didn't seem to add it to the server config; it did, however, add it to the peer configs. The PSK is also not shown when you view the WG0 config in wireguard manager.
Not firewall, but without the host networking the WG utility in the container can't see/configure wireguard on the host. I'm not running it on the default network but rather on an existing docker network that has both this container and Traefik on it.
Edit:
I did also try it on the default network that docker-compose creates if you don't specify one; same issue, the app runs fine but wireguard doesn't actually get configured.
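A consistency check for the PSK symptom described above, added here as an example and not part of wireguard-manager: it parses a server config and its client configs, joins each client to the server [Peer] by tunnel address, and reports any peer whose client side has a PresharedKey that the server side lacks or differs on. The configs are constructed samples with placeholder keys; the address-based join assumes one [Interface] and one [Peer] per client config.

```python
import ipaddress
# Constructed sample configs with placeholder keys (no real key material) that
# reproduce the thread's symptom: the client carries a PresharedKey, the server [Peer] does not.
SERVER_CONF = """\
[Interface]
Address = 10.0.100.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.100.2/32
"""
CLIENT_CONF = """\
[Interface]
Address = 10.0.100.2/24
PrivateKey = CLIENT1_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = SHARED_PSK_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
"""

def parse_wg(text):
    """Parse an INI-style WireGuard config into a list of (section, {key: value})."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:     # split once: base64 keys keep '=' padding
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return sections

def find_psk_gaps(server_conf, client_confs):
    """Join each client to the server [Peer] whose AllowedIPs covers its tunnel address
    (the join key available without deriving keys) and compare PresharedKey on both sides."""
    server_peers = [s for name, s in parse_wg(server_conf) if name == "Peer"]
    problems = {}
    for conf in client_confs:
        sections = dict(parse_wg(conf))   # assumes one [Interface] and one [Peer] per client
        addr = ipaddress.ip_interface(sections["Interface"]["Address"]).ip
        match = next((p for p in server_peers
                      if any(addr in ipaddress.ip_network(n.strip(), strict=False)
                             for n in p.get("AllowedIPs", "").split(",") if n.strip())), None)
        if match is None:
            problems[str(addr)] = "no server [Peer] covers this address"
        elif sections["Peer"].get("PresharedKey") != match.get("PresharedKey"):
            problems[str(addr)] = "PresharedKey missing or different on server side"
    return problems
```

An empty result means every client's PresharedKey is mirrored on the server; a peer whose client config carries a PSK the server does not know will fail the handshake.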
Hi, it is correct that you cannot see the WireGuard interfaces from the host in bridge mode, but they should appear inside the container. Could you access the shell of the running docker and verify if they appear there or not in bridge mode?
As long as you forward the necessary ports, it should work fine in bridge mode.
bash-5.0# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.100.1/24 scope global wg0
valid_lft forever preferred_lft forever
187: eth0@if188: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.4/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
From bridge-mode instance
I'll check tomorrow as I'm not in a position to do so at the moment.
It seems I made an incorrect assumption that wireguard had to run on the host due to the kernel component.
Now I understand what the second port forward is for!
Since docker containers use the kernel of the host, this is surprisingly convenient when running wg in docker, especially with 5.6+.
Update the docker-compose example in the readme to use host network; without this, wireguard wasn't getting configured, at least on the Ubuntu 18.04 VM I was testing on.