Block Internet Access in WireGuard Private Network Using Docker Compose

Time:03-12

I'd like to set up a private cloud network using docker-compose that is only accessible via WireGuard. The private network contains multiple services but no service should be accessible from the internet and containers internal to the network should not have internet access. The only port exposed for this network is 51820 for WireGuard.

I have everything working exactly how I want except for one problem: the containers in the private network have internet access. If I block container internet access by specifying internal: true on the custom private network, it breaks access to the wireguard network for all peers/clients.

Here is my docker-compose file:

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=192.168.100.254
      - INTERNAL_SUBNET=10.10.0.0
      - ALLOWEDIPS=10.10.0.0/16,192.168.100.0/24
    volumes:
      - /root/wireguard/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private:
        ipv4_address: 192.168.100.10
    restart: unless-stopped
  unbound:
    image: "mvance/unbound:latest"
    volumes:
      - ./unbound:/opt/unbound/etc/unbound/
    networks:
      private:
        ipv4_address: 192.168.100.254
  nginx:
    image: nginx
    networks:
      private:
        ipv4_address: 192.168.100.20


networks:
  private:
#    internal: true # Breaks WireGuard for all clients if uncommented
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24

I'd like to avoid custom iptables rules but I'm open to any suggestions.

CodePudding user response:

I think you want two networks: an internal one to isolate the service containers, and an external one to provide the wireguard container with external access. Something like:

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=192.168.100.254
      - INTERNAL_SUBNET=10.10.0.0
      - ALLOWEDIPS=10.10.0.0/16,192.168.100.0/24
    volumes:
      - /root/wireguard/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      outside:
      private:
        ipv4_address: 192.168.100.10
    restart: unless-stopped
  unbound:
    image: "mvance/unbound:latest"
    volumes:
      - ./unbound:/opt/unbound/etc/unbound/
    networks:
      private:
        ipv4_address: 192.168.100.254
  nginx:
    image: nginx
    networks:
      private:
        ipv4_address: 192.168.100.10


networks:
  outside:
  private:
    internal: true
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24

This is only a partial solution; you'll need to arrange for your service containers to route through the wireguard container; as currently configured, your containers have a default route of 192.168.100.1, which probably isn't useful.

Also note that you've assigned the same IP address to your wireguard container and to the nginx container (192.168.100.10), which is probably a typo.
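
A static check of the two-network layout discussed above, as an added example that is not part of the original question or answer: it takes the compose model as a Python dict (for instance parsed from the output of `docker compose config --format json`) and reports service containers attached to a non-internal network, ports published by anything other than the gateway, a gateway with no external network, and duplicate static addresses. The function names and the reduced `ANSWER_MODEL` are constructed for illustration; the check covers network attachment only, not routing inside the containers.

```python
from collections import defaultdict

def attached_networks(svc):
    """Normalise a service's networks key to {network: config-or-None}."""
    nets = svc.get("networks") or {"default": None}  # no key -> project default network
    return {n: None for n in nets} if isinstance(nets, list) else nets

def lint_isolation(model, gateway="wireguard"):
    """Return findings; an empty list means every check passed."""
    findings, seen = [], defaultdict(list)
    internal = {n for n, c in (model.get("networks") or {}).items()
                if (c or {}).get("internal")}
    for name, svc in model["services"].items():
        nets = attached_networks(svc)
        for net, cfg in nets.items():
            # Service containers must sit only on networks marked internal: true.
            if name != gateway and net not in internal:
                findings.append(f"{name}: on non-internal network {net}")
            ip = (cfg or {}).get("ipv4_address")
            if ip:
                seen[(net, ip)].append(name)
        # Only the gateway may publish a port (51820/udp on this page).
        if name != gateway and svc.get("ports"):
            findings.append(f"{name}: publishes ports")
        # The gateway needs one non-internal network to stay reachable by peers.
        if name == gateway and all(n in internal for n in nets):
            findings.append(f"{name}: has no non-internal network")
    for (net, ip), users in seen.items():
        if len(users) > 1:
            findings.append(f"{net}: {ip} assigned to {', '.join(users)}")
    return findings

# Constructed input: the answer's compose file reduced to the keys read above.
ANSWER_MODEL = {
    "services": {
        "wireguard": {"ports": ["51820:51820/udp"],
                      "networks": {"outside": None,
                                   "private": {"ipv4_address": "192.168.100.10"}}},
        "unbound": {"networks": {"private": {"ipv4_address": "192.168.100.254"}}},
        "nginx": {"networks": {"private": {"ipv4_address": "192.168.100.10"}}},
    },
    "networks": {"outside": None, "private": {"internal": True}},
}

if __name__ == "__main__":
    for finding in lint_isolation(ANSWER_MODEL):
        print(finding)
```

Run against the answer's file, the only finding is the duplicated 192.168.100.10 address that the answer itself points out.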
