How to route a docker container’s traffic through a Wireguard container

December 3rd, 2021 by Russell

It was surprisingly difficult to find all of the information on how to properly configure this setup in one place. Here's what my compose file looks like to make this happen:

version: "3"
services:
  wireguard-torguard:
    image: linuxserver/wireguard
    container_name: wireguard-torguard
    restart: unless-stopped
    volumes:
      - '/etc/WireguardData/config:/config'
      - '/etc/WireguardData/lib/modules:/lib/modules:ro'
    environment:
      - PUID=1003
      - PGID=1004
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    # Ports are published here, not on qbittorrent, because qbittorrent
    # shares this container's network namespace (see network_mode below).
    ports:
      - "8080:8080" #qBittorrent

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    depends_on:
      - wireguard-torguard
    # Join the VPN container's network namespace so all traffic goes through wg0.
    network_mode: service:wireguard-torguard
    # ports: cannot be set together with network_mode: service:, so these stay commented out.
    #ports:
    #  - 6881:6881
    #  - 6881:6881/udp
    #  - 8080:8080
    environment:
      - PUID=987
      - PGID=1001
      - TZ=America/Chicago
      - WEBUI_PORT=8080
    volumes:
      - /mnt/QBittorrentData:/config
      - /mnt/Torrents/Completed:/downloads
      - /mnt/Torrents/Downloading:/incomplete
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped


Add the following to wg0.conf for your WireGuard container if you want to make port 8080 accessible on your LAN (you probably do). The routes send the private RFC1918 ranges back out through the container's original gateway instead of into the tunnel, the ACCEPT rules let that LAN traffic through, and the final REJECT rule acts as a kill switch: anything leaving on an interface other than wg0 that isn't WireGuard's own marked traffic and isn't LAN-bound is rejected, so if the tunnel drops the torrent client fails closed rather than leaking onto your real connection:

PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE; ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE; iptables -I OUTPUT -d $HOMENET -j ACCEPT; iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

PreDown = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE; ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
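To confirm the setup above actually does what it should (internet traffic resolves to wg0, the LAN stays reachable through the original gateway, the kill-switch rule is in the OUTPUT chain, and the peer has handshaked recently), here is an added check script that is not part of the original post. It assumes the container name wireguard-torguard, the interface name wg0 and a LAN probe address of 192.168.0.1 (all overridable with environment variables); each check takes captured command output as an argument so the logic can be exercised offline.

```shell
#!/bin/sh
# Added check for the compose + wg0.conf setup above (not from the original post).
# Assumed names, override with env vars: container, WireGuard interface, a LAN address.
WG_CONTAINER="${WG_CONTAINER:-wireguard-torguard}"
WG_IF="${WG_IF:-wg0}"
LAN_PROBE="${LAN_PROBE:-192.168.0.1}"

# Run a command inside the VPN container (qbittorrent shares its network namespace).
in_wg() { docker exec "$WG_CONTAINER" sh -c "$*"; }

# Each check takes the command's output as $1 so it can be tested offline.
# 1. Internet-bound traffic must resolve to the tunnel interface.
route_via_wg() { printf '%s\n' "$1" | grep -q " dev $WG_IF "; }

# 2. LAN-bound traffic must NOT use the tunnel, or the web UI is unreachable.
route_not_via_wg() { ! printf '%s\n' "$1" | grep -q " dev $WG_IF "; }

# 3. The kill-switch REJECT rule from PostUp must be in the OUTPUT chain (iptables -S form).
killswitch_present() {
  printf '%s\n' "$1" |
    grep -q -- "-A OUTPUT ! -o $WG_IF -m mark ! --mark .* -m addrtype ! --dst-type LOCAL -j REJECT"
}

# 4. The newest peer handshake must be recent (under 3 minutes); a stale one means the tunnel is down.
#    $1 = output of 'wg show <if> latest-handshakes', $2 = current epoch (defaults to now).
handshake_recent() {
  last=$(printf '%s\n' "$1" | awk '{print $2}' | sort -n | tail -n 1)
  now=${2:-$(date +%s)}
  [ "${last:-0}" -gt 0 ] && [ $((now - last)) -lt 180 ]
}

main() {
  route_via_wg "$(in_wg ip route get 1.1.1.1)" || { echo "FAIL: internet traffic not via $WG_IF"; return 1; }
  route_not_via_wg "$(in_wg ip route get "$LAN_PROBE")" || { echo "FAIL: LAN traffic routed into tunnel"; return 1; }
  killswitch_present "$(in_wg iptables -S OUTPUT)" || { echo "FAIL: kill-switch rule missing"; return 1; }
  handshake_recent "$(in_wg wg show "$WG_IF" latest-handshakes)" || { echo "FAIL: no recent handshake"; return 1; }
  echo "OK: traffic via $WG_IF, LAN reachable, kill switch armed"
}

# Live checks run on the Docker host only when invoked as: sh vpn-check.sh check
if [ "${1:-}" = "check" ]; then main; fi
```

Run it once after `docker compose up` and again after deliberately stopping the WireGuard container's peer (or pulling the network): the first run should pass and the second should fail on the handshake check while the kill-switch check still passes.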
