From c9a3a5775521702e9334ac17673c0862431cb25a Mon Sep 17 00:00:00 2001
From: IronicBadger
Date: Wed, 16 Sep 2020 11:27:20 -0400
Subject: [PATCH 1/3] Maintaining local access to attached services
---
 readme-vars.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/readme-vars.yml b/readme-vars.yml
index 30da6ea..4f78ef8 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -84,6 +84,19 @@ app_setup_block: |
 This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
 Both of these approaches have positives and negatives however their setup is out of scope for this document as everyone's network layout and equipment will be different.
+
+ ## Maintaining local access to attached services
+
+ When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so:
+
+ ```
+ [Interface]
+ PrivateKey =
+ Address = 9.8.7.6/32
+ DNS = 8.8.8.8
+ PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT ! -d 172.17.0.1/16 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT ! -d 172.17.0.1/16 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ ```
 # changelog
 changelogs:
From a28d316fa89dfbf612cf6a2fb3367b316d386028 Mon Sep 17 00:00:00 2001
From: IronicBadger
Date: Wed, 16 Sep 2020 11:30:24 -0400
Subject: [PATCH 2/3] a more universal snippet for wireguard
---
 readme-vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/readme-vars.yml b/readme-vars.yml
index 4f78ef8..5fb3a36 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -87,15 +87,15 @@ app_setup_block: |
 ## Maintaining local access to attached services
- When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so:
+ When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
 ```
 [Interface]
 PrivateKey =
 Address = 9.8.7.6/32
 DNS = 8.8.8.8
- PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT ! -d 172.17.0.1/16 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
- PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT ! -d 172.17.0.1/16 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -s $HOMENET -j ACCEPT; iptables -D OUTPUT -s $HOMENET2 -j ACCEPT; iptables -D OUTPUT -s $HOMENET3 -j ACCEPT
 ```
 # changelog
From 104301dbd1604eabcfc4933a3b4e23fceb7ae72e Mon Sep 17 00:00:00 2001
From: IronicBadger
Date: Wed, 16 Sep 2020 11:33:29 -0400
Subject: [PATCH 3/3] added unsupported disclaimer
---
 readme-vars.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/readme-vars.yml b/readme-vars.yml
index 5fb3a36..e510773 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -87,6 +87,8 @@ app_setup_block: |
 ## Maintaining local access to attached services
+ ** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
+
 When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
 ```
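Review bot: The new PreDown line in patch 2 deletes the exception rules with `-s $HOMENET`, `-s $HOMENET2` and `-s $HOMENET3`, but PostUp created them with `-d`, so the three `iptables -D` calls match nothing and the ACCEPT rules accumulate in OUTPUT on every tunnel restart; the deletes should read `iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT`. The rewritten PostUp also drops the `ip6tables -I OUTPUT … -j REJECT` rule that patch 1 installed, so the block on traffic leaving outside `%i` now covers IPv4 only; if the container has IPv6 connectivity that traffic is no longer forced through the tunnel, and restoring the ip6tables rule (with its `ip6tables -D` counterpart in PreDown) keeps the earlier guarantee. The routes and ACCEPT rules exempt all of 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 rather than only the docker subnet the paragraph describes, and the `ip route add` entries have no `ip route del` counterpart in PreDown, so the text should say that the exemption is this broad and that the routes outlive the tunnel. `DROUTE=$(ip route | grep default | awk '{print $3}')` presumably yields more than one word when several default routes exist, which would make the `ip route add … via $DROUTE` calls fail; worth stating as an assumption in the paragraph.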