Kenny

Reputation: 83

Can't connect to WireGuard Docker on rpi4 from outside LAN

I have a fresh install of Raspbian on my rpi4, and installed Docker with Portainer and WireGuard as a VPN server from https://github.com/wg-easy/wg-easy

I have forwarded UDP port 51820 on my router (I tested Portainer's port 9000 and it's open), but I can't connect to WireGuard from outside and port 51820 is closed.

My ip route output looks like this:

pi@raspberrypi:~ $ ip route
default via 192.168.100.1 dev eth0 proto dhcp src 192.168.100.3 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-4911ad3199ee proto kernel scope link src 172.18.0.1
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.3 metric 100

The output of iptables -L -v is:

sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 196K   48M DOCKER-USER  all  --  any    any     anywhere             anywhere
 196K   48M DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
23135   20M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
  159  8284 DOCKER     all  --  any    docker0  anywhere             anywhere
18618 9665K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
 170K   31M ACCEPT     all  --  any    br-4911ad3199ee  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 6041  362K DOCKER     all  --  any    br-4911ad3199ee  anywhere             anywhere
14320 5318K ACCEPT     all  --  br-4911ad3199ee !br-4911ad3199ee  anywhere             anywhere
 6025  362K ACCEPT     all  --  br-4911ad3199ee br-4911ad3199ee  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    4   176 ACCEPT     tcp  --  !br-4911ad3199ee br-4911ad3199ee  anywhere             172.18.0.2           tcp dpt:2016
   12   576 ACCEPT     tcp  --  !br-4911ad3199ee br-4911ad3199ee  anywhere             172.18.0.2           tcp dpt:2015
   51  2668 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.3           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !br-4911ad3199ee br-4911ad3199ee  anywhere             172.18.0.4           tcp dpt:https
    0     0 ACCEPT     tcp  --  !br-4911ad3199ee br-4911ad3199ee  anywhere             172.18.0.4           tcp dpt:http
   18   936 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:51821
    0     0 ACCEPT     udp  --  !docker0 docker0  anywhere             172.17.0.2           udp dpt:51820

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
18618 9665K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
14320 5318K DOCKER-ISOLATION-STAGE-2  all  --  br-4911ad3199ee !br-4911ad3199ee  anywhere             anywhere
 234K   70M RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    br-4911ad3199ee  anywhere             anywhere
33363   18M RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 234K   70M RETURN     all  --  any    any     anywhere             anywhere

As you can see, there are packets on TCP 51821 (I'm connecting to the WireGuard dashboard on my LAN), but UDP is 0.

The output of iptables -L -v -t nat is:

pi@raspberrypi:~ $ sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
23948 1932K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  135  9290 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere
  233 15196 MASQUERADE  all  --  any    !br-4911ad3199ee  172.18.0.0/16        anywhere
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:2016
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:2015
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.3           172.17.0.3           tcp dpt:9000
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.4           172.18.0.4           tcp dpt:https
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.4           172.18.0.4           tcp dpt:http
    0     0 MASQUERADE  tcp  --  any    any     172.17.0.2           172.17.0.2           tcp dpt:51821
    0     0 MASQUERADE  udp  --  any    any     172.17.0.2           172.17.0.2           udp dpt:51820

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere
    0     0 RETURN     all  --  br-4911ad3199ee any     anywhere             anywhere
    4   176 DNAT       tcp  --  !br-4911ad3199ee any     anywhere             anywhere             tcp dpt:2016 to:172.18.0.2:2016
   11   528 DNAT       tcp  --  !br-4911ad3199ee any     anywhere             anywhere             tcp dpt:2015 to:172.18.0.2:2015
   51  2668 DNAT       tcp  --  !docker0 any     anywhere             anywhere             tcp dpt:9000 to:172.17.0.3:9000
    0     0 DNAT       tcp  --  !br-4911ad3199ee any     anywhere             anywhere             tcp dpt:20443 to:172.18.0.4:443
    0     0 DNAT       tcp  --  !br-4911ad3199ee any     anywhere             anywhere             tcp dpt:20080 to:172.18.0.4:80
   17   884 DNAT       tcp  --  !docker0 any     anywhere             anywhere             tcp dpt:51821 to:172.17.0.2:51821
    0     0 DNAT       udp  --  !docker0 any     anywhere             anywhere             udp dpt:51820 to:172.17.0.2:51820

So I really don't know where the issue is.

My WireGuard config is:

wg0.conf

# Server
[Interface]
PrivateKey = ____________
Address = 10.8.0.1/24
ListenPort = 51820
PreUp = 
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; 
PreDown = 
PostDown =  iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; 


# Client: ____________
[Peer]
PublicKey = ___________
PresharedKey = _____________
AllowedIPs = 10.8.0.2/32

And yes, I have IP forwarding set to 1:

net.ipv4.ip_forward = 1

Upvotes: 1

Views: 78

Answers (0)
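Added diagnostic example, not part of the original post and not wg-easy's own code: the DOCKER chain of the nat table in the post shows 0 packets on the udp dpt:51820 DNAT rule, and the script below reads that counter to separate "traffic never reached the Pi" (router forwarding or ISP/CGNAT problem) from "Docker is not forwarding it". It assumes the DOCKER chain layout shown in the post; the embedded sample text is copied from it.

```shell
#!/bin/sh
# Read the packet counter of Docker's DNAT rule for one published port.
# A counter of 0 means no packet for that port ever arrived at the host,
# so the cause is upstream of Docker (router port forward, ISP, CGNAT).
# Note: WireGuard silently drops any packet that fails authentication,
# so an external "port check" tool always reports UDP 51820 as closed
# even when everything works; this counter is the reliable signal.
# Live use on the Pi:  dnat_pkts udp 51820
# While a client attempts a handshake, `tcpdump -ni eth0 udp port 51820`
# on the host shows the same thing packet by packet.

# Sample input, copied from the nat-table DOCKER chain in the post above.
SAMPLE_NAT='Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
     0     0 RETURN     all  --  docker0 any     anywhere             anywhere
    51  2668 DNAT       tcp  --  !docker0 any     anywhere             anywhere             tcp dpt:9000 to:172.17.0.3:9000
    17   884 DNAT       tcp  --  !docker0 any     anywhere             anywhere             tcp dpt:51821 to:172.17.0.2:51821
     0     0 DNAT       udp  --  !docker0 any     anywhere             anywhere             udp dpt:51820 to:172.17.0.2:51820'

# dnat_pkts PROTO PORT [TEXT]
# Prints the pkts column of the DNAT rule matching PROTO/PORT, or "none" if
# no such rule exists (the port was never published with -p). Without TEXT
# it reads the live chain with -n so ports are numeric, not service names.
dnat_pkts() {
    proto=$1; port=$2
    text=${3:-$(iptables -t nat -L DOCKER -v -n 2>/dev/null)}
    printf '%s\n' "$text" | awk -v p="$proto" -v d="$proto dpt:$port" '
        $3 == "DNAT" && $4 == p && index($0, d " ") { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# diagnose PROTO PORT [TEXT]: turn the counter into a plain verdict.
diagnose() {
    n=$(dnat_pkts "$1" "$2" "$3")
    case $n in
        none) echo "no DNAT rule: $2/$1 is not published by any container" ;;
        0)    echo "rule exists but matched 0 packets: traffic never reached this host; check the router port forward and whether the WAN address is public" ;;
        *)    echo "$n packets were forwarded to the container; inspect the container itself (wg show) next" ;;
    esac
}

diagnose udp 51820 "$SAMPLE_NAT"
diagnose tcp 51821 "$SAMPLE_NAT"
```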
