Activity - I think you already have a kill-switch (of sorts) in place with the two...

CumBroth , 4 days ago (edited 4 days ago)

I think you already have a kill-switch (of sorts) in place with the two Wireguard container setup, since your clients lose internet access (except to the local network, since there’s a separate route for that on the Wireguard “server” container") if any of the following happens:

“Client” container is spun down
The Wireguard interface inside the “client” container is spun down (you can try this out by execing wg-quick down wg0 inside the container)
or even if the interface is up but the VPN connection is down (try changing the endpoint IP to a random one instead of the correct one provided by your VPN service provider)

I can’t be 100% sure, because I’m not a networking expert, but this seems like enough of a “kill-switch” to me. I’m not sure what you mean by leveraging the restart. One of the things that I found annoying about the Gluetun approach is that I would have to restart every container that depends on its network stack if Gluetun itself got restarted/updated.

But anyway, I went ahead and messed around on a VPS with the Wireguard+Gluetun approach and I got it working. I am using the latest versions of The Linuxserver.io Wireguard container and Gluetun at the time of writing. There are two things missing in the Gluetun firewall configuration you posted:

A MASQUERADE rule on the tunnel, meaning the tun0 interface.
Gluetun is configured to drop all FORWARD packets (filter table) by default. You’ll have to change that chain rule to ACCEPT. Again, I’m not a networking expert, so I’m not sure whether or not this compromises the kill-switch in any way, at least in any way that’s relevant to the desired setup/behavior. You could potentially set a more restrictive rule to only allow traffic coming in from <wireguard_container_IP>, but I’ll leave that up to you. You’ll also need to figure out the best way to persist the rules through container restarts.

First, here’s the docker compose setup I used:


<span style="color:#323232;">networks:
</span><span style="color:#323232;">  wghomenet:
</span><span style="color:#323232;">    name: wghomenet
</span><span style="color:#323232;">    ipam:
</span><span style="color:#323232;">      config:
</span><span style="color:#323232;">        - subnet: 172.22.0.0/24
</span><span style="color:#323232;">          gateway: 172.22.0.1
</span><span style="color:#323232;">
</span><span style="color:#323232;">services:
</span><span style="color:#323232;">  gluetun:
</span><span style="color:#323232;">    image: qmcgaw/gluetun
</span><span style="color:#323232;">    container_name: gluetun
</span><span style="color:#323232;">    cap_add:
</span><span style="color:#323232;">      - NET_ADMIN
</span><span style="color:#323232;">    devices:
</span><span style="color:#323232;">      - /dev/net/tun:/dev/net/tun
</span><span style="color:#323232;">    ports:
</span><span style="color:#323232;">      - 8888:8888/tcp # HTTP proxy
</span><span style="color:#323232;">      - 8388:8388/tcp # Shadowsocks
</span><span style="color:#323232;">      - 8388:8388/udp # Shadowsocks
</span><span style="color:#323232;">    volumes:
</span><span style="color:#323232;">      - ./config:/gluetun
</span><span style="color:#323232;">    environment:
</span><span style="color:#323232;">      - VPN_SERVICE_PROVIDER=<your stuff here>
</span><span style="color:#323232;">      - VPN_TYPE=wireguard
</span><span style="color:#323232;">      # - WIREGUARD_PRIVATE_KEY=<your stuff here>
</span><span style="color:#323232;">      # - WIREGUARD_PRESHARED_KEY=<your stuff here>
</span><span style="color:#323232;">      # - WIREGUARD_ADDRESSES=<your stuff here>
</span><span style="color:#323232;">      # - SERVER_COUNTRIES=<your stuff here>
</span><span style="color:#323232;">      # Timezone for accurate log times
</span><span style="color:#323232;">      - TZ= <your stuff here>
</span><span style="color:#323232;">      # Server list updater
</span><span style="color:#323232;">      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
</span><span style="color:#323232;">      - UPDATER_PERIOD=24h
</span><span style="color:#323232;">    sysctls:
</span><span style="color:#323232;">      - net.ipv4.conf.all.src_valid_mark=1
</span><span style="color:#323232;">    networks:
</span><span style="color:#323232;">      wghomenet:
</span><span style="color:#323232;">        ipv4_address: 172.22.0.101
</span><span style="color:#323232;">
</span><span style="color:#323232;">  wireguard-server:
</span><span style="color:#323232;">    image: lscr.io/linuxserver/wireguard
</span><span style="color:#323232;">    container_name: wireguard-server
</span><span style="color:#323232;">    cap_add:
</span><span style="color:#323232;">      - NET_ADMIN
</span><span style="color:#323232;">    environment:
</span><span style="color:#323232;">      - PUID=1000
</span><span style="color:#323232;">      - PGID=1001
</span><span style="color:#323232;">      - TZ=<your stuff here>
</span><span style="color:#323232;">      - INTERNAL_SUBNET=10.13.13.0
</span><span style="color:#323232;">      - PEERS=chromebook
</span><span style="color:#323232;">    volumes:
</span><span style="color:#323232;">      - ./config/wg-server:/config
</span><span style="color:#323232;">      - /lib/modules:/lib/modules #optional
</span><span style="color:#323232;">    restart: always
</span><span style="color:#323232;">    ports:
</span><span style="color:#323232;">      - 51820:51820/udp
</span><span style="color:#323232;">    networks:
</span><span style="color:#323232;">      wghomenet:
</span><span style="color:#323232;">        ipv4_address: 172.22.0.5
</span><span style="color:#323232;">    sysctls:
</span><span style="color:#323232;">      - net.ipv4.conf.all.src_valid_mark=1
</span>

You already have your “server” container properly configured. Now for Gluetun: I exec into the container docker exec -it gluetun sh. Then I set the MASQUERADE rule on the tunnel: iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE. And finally, I change the FORWARD chain policy in the filter table to ACCEPT iptables -t filter -P FORWARD ACCEPT.

Note on the last command: In my case I did iptables-legacy because all the rules were defined there already (iptables gives you a warning if that’s the case), but your container’s version may vary. I saw different behavior on the testing container I spun up on the VPS compared to the one I have running on my homelab.

Good luck, and let me know if you run into any issues!

EDIT: The rules look like this afterwards:

Output of iptables-legacy -vL -t filter:


<span style="color:#323232;">Chain INPUT (policy DROP 0 packets, 0 bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">10710  788K ACCEPT     all  --  lo     any     anywhere             anywhere
</span><span style="color:#323232;">16698   14M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
</span><span style="color:#323232;">    1    40 ACCEPT     all  --  eth0   any     anywhere             172.22.0.0/24
</span><span style="color:#323232;">
</span><span style="color:#323232;"># note the ACCEPT policy here
</span><span style="color:#323232;">Chain FORWARD (policy ACCEPT 3593 packets, 1681K bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">
</span><span style="color:#323232;">Chain OUTPUT (policy DROP 0 packets, 0 bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">10710  788K ACCEPT     all  --  any    lo      anywhere             anywhere
</span><span style="color:#323232;">13394 1518K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
</span><span style="color:#323232;">    0     0 ACCEPT     all  --  any    eth0    dac4b9c06987         172.22.0.0/24
</span><span style="color:#323232;">    1   176 ACCEPT     udp  --  any    eth0    anywhere             connected-by.global-layer.com  udp dpt:1637
</span><span style="color:#323232;">  916 55072 ACCEPT     all  --  any    tun0    anywhere             anywhere
</span>

And the output of iptables -vL -t nat:


<span style="color:#323232;">Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">
</span><span style="color:#323232;">Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">
</span><span style="color:#323232;">Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">    0     0 DOCKER_OUTPUT  all  --  any    any     anywhere             127.0.0.11
</span><span style="color:#323232;">
</span><span style="color:#323232;"># note the MASQUERADE rule here
</span><span style="color:#323232;">Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">    0     0 DOCKER_POSTROUTING  all  --  any    any     anywhere             127.0.0.11
</span><span style="color:#323232;">  312 18936 MASQUERADE  all  --  any    tun+    anywhere             anywhere
</span><span style="color:#323232;">
</span><span style="color:#323232;">Chain DOCKER_OUTPUT (1 references)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">    0     0 DNAT       tcp  --  any    any     anywhere             127.0.0.11           tcp dpt:domain to:127.0.0.11:39905
</span><span style="color:#323232;">    0     0 DNAT       udp  --  any    any     anywhere             127.0.0.11           udp dpt:domain to:127.0.0.11:56734
</span><span style="color:#323232;">
</span><span style="color:#323232;">Chain DOCKER_POSTROUTING (1 references)
</span><span style="color:#323232;"> pkts bytes target     prot opt in     out     source               destination
</span><span style="color:#323232;">    0     0 SNAT       tcp  --  any    any     127.0.0.11           anywhere             tcp spt:39905 to::53
</span><span style="color:#323232;">    0     0 SNAT       udp  --  any    any     127.0.0.11           anywhere             udp spt:56734 to::53
</span><span style="color:#323232;">
</span>