
I have two Docker networks:

  • public which is a normal bridge network with access to the host upstream network
  • private which is a bridge, internal: true and hosts a fleet of containers

networks:
  public:
    driver: bridge
  private:
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 172.22.0.0/24
          gateway: 172.22.0.1

I want to isolate my fleet of containers from the host upstream network, so that's why I put them into an internal network. However, these hosts still need internet access, which I want to provide via WireGuard to a public VPN service. So I deployed the lscr.io/linuxserver/wireguard:latest container into both the public and private networks, with a static IP in the private network.

Additionally, I developed a small sh script for the private containers to modify the route table (requires NET_ADMIN capability):

#!/bin/sh
set -eu

# Resolve the IP address of the `wireguard` container through Docker's embedded DNS;
# keep only the first address in case several are returned.
wireguard_ip=$(getent hosts wireguard | awk 'NR == 1 { print $1 }')

if [ -z "$wireguard_ip" ]; then
    echo "could not resolve the wireguard container" >&2
    exit 1
fi

# Point the default route at the wireguard container; `replace` works whether or
# not a default route already exists, so no separate `del` step is needed.
ip route replace default via "$wireguard_ip"

So now my private containers send all their traffic to the wireguard container. However, the containers still cannot reach the internet. This is my wg0.conf:

[Interface]
PrivateKey = herpderp
Address = 10.x.x.x/32
DNS = 10.x.x.x
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE

[Peer]
PublicKey = herpderp
AllowedIPs = 0.0.0.0/0
Endpoint = ip:port

I assume what's left to do is additional networking config in PostUp and PreDown, which I am not familiar enough with to do at this moment.

The public network is auto-generated by Docker Compose, and currently has this random CIDR: 172.29.0.0/16.

The private network CIDR is fixed at 172.22.0.0/24.

Using terminal in the wireguard container, I can see there are 3 interfaces - eth0, eth1 and wg0. It's not clear how Docker decides which of the private/public networks becomes eth0 or eth1, but it looks like the public network becomes eth0 and private network eth1 consistently (again the algorithm is not clear to me, please tell me if you know it).

What additional config do I need to do (particularly in wg0.conf) to add internet connectivity to the containers in the private network?

I use Docker Desktop for Mac v4.16.2, and Docker Compose.

Paya
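As an added example (not from the question or the linuxserver image), a small Python helper that identifies which container interface faces the private fleet by subnet rather than trusting the eth0/eth1 order, and renders forwarding rules scoped to that subnet so only the private network can be relayed into the tunnel. The `ip -j -4 addr` output, the host parts of the addresses and the 10.8.0.2 tunnel address are constructed, and the rendered rules are an assumption about what a gateway container needs alongside the existing MASQUERADE line, not a verified fix for this setup.

```python
import ipaddress
import json

# Constructed sample of `ip -j -4 addr show` as run inside the wireguard
# container: the two Docker subnets are the ones from the question, the host
# parts and the 10.8.0.2 tunnel address are made up.
SAMPLE_IP_ADDR_JSON = json.dumps([
    {"ifname": "lo", "addr_info": [{"local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "addr_info": [{"local": "172.29.0.5", "prefixlen": 16}]},
    {"ifname": "eth1", "addr_info": [{"local": "172.22.0.2", "prefixlen": 24}]},
    {"ifname": "wg0", "addr_info": [{"local": "10.8.0.2", "prefixlen": 32}]},
])

# Compose networks from the question: public is Compose-assigned, private fixed.
NETWORKS = {
    "public": ipaddress.ip_network("172.29.0.0/16"),
    "private": ipaddress.ip_network("172.22.0.0/24"),
}


def classify_interfaces(ip_addr_json, networks):
    """Map each Docker network name to the interface whose IPv4 address falls
    inside that network's subnet. Docker makes no promise about which network
    becomes eth0 or eth1, so match on the address rather than the name."""
    mapping = {}
    for link in json.loads(ip_addr_json):
        for info in link.get("addr_info", []):
            addr = ipaddress.ip_address(info["local"])
            for name, net in networks.items():
                if addr in net:
                    mapping[name] = link["ifname"]
    return mapping


def forwarding_rules(mapping, networks, tunnel="wg0"):
    """Render (not apply) the forwarding side of a gateway container, scoped so
    that only the private fleet may be forwarded into the tunnel. These rules
    are an assumption about what the PostUp is missing, not a verified fix."""
    lan = mapping["private"]
    private_net = networks["private"]
    return [
        "sysctl -w net.ipv4.ip_forward=1",  # must be 1 for the netns to forward at all
        "iptables -P FORWARD DROP",         # deny any forwarding not listed below
        f"iptables -A FORWARD -i {lan} -o {tunnel} -s {private_net} -j ACCEPT",
        f"iptables -A FORWARD -i {tunnel} -o {lan} -d {private_net} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
```

Run `classify_interfaces(SAMPLE_IP_ADDR_JSON, NETWORKS)` to get the network-to-interface mapping, then feed it to `forwarding_rules` to see the rule set with the right interface filled in.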

0 Answers