Thank you for the reply! I’ve been busy the last couple of days so I just got around to looking back at this.
I tested out your advice and setup a wireguard container with the MASQUERADE
NAT rule and it worked! However, when I tried it out again with the gluetun container. I’m still running into issues, but there is progress!
With my setup before when I connect my client to the wireguard network I would get a “no network” error. Now when I try access the internet the connection times out. Still not ideal, but at least it’s a different error than before!
With the MASQUERADE
NAT rule in place, running tcpdump
on the docker network shows that at least the two containers are talking to each other:
17:04:29.927415 IP 172.22.0.2 > 172.22.0.100: ICMP echo request, id 4, seq 9823, length 64
17:04:29.927466 IP 172.22.0.100 > 172.22.0.2: ICMP echo reply, id 4, seq 9823, length 64
but I still cannot get any internet access through the wireguard tunnel.
When exploring around the gluetun config I confirmed that the MASQUERADE
rule was actually set:
Chain PREROUTING (policy ACCEPT 2933 packets, 316K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 839 packets, 86643 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12235 packets, 741K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11408 packets, 687K bytes)
pkts bytes target prot opt in out source destination
2921 284K MASQUERADE 0 -- * eth+ 0.0.0.0/0 0.0.0.0/0
I think that the issue may be the default firewall rules of the gluetun block all traffic besides the VPN traffic via the main iptable:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2236 164K ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
11914 12M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
87 15792 ACCEPT 0 -- eth0 * 0.0.0.0/0 172.22.0.0/24
Chain FORWARD (policy DROP 381 packets, 22780 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 76 packets, 5396 bytes)
pkts bytes target prot opt in out source destination
2236 164K ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
8152 872K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT 0 -- * eth0 172.22.0.100 172.22.0.0/24
1 176 ACCEPT 17 -- * eth0 0.0.0.0/0 213.152.187.229 udp dpt:1637
212 12843 ACCEPT 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
I tried adding simple iptables rules such as iptables -A FORWARD -i tun+ -j ACCEPT
(and the same with eth+
as the interface) but with no luck.
If you think you can help I’ll be down to try out other solutions, or if you need more information I can post it when I have time. If you don’t think this will be an easy fix I can revert back to the wireguard-wireguard container setup since that worked. I tried to get this setup working so I could leverage the gluetun kill-switch/restart.
I tried out your solution and it worked! I thought it was an iptables / firewall issue on the gluetun end but I didn’t know which table the packets were going through.
There’s also a way to set persistent iptable rules via gluetun, the docs are here
Thank you for your help! I’ll clean up my configs, and post my working configs and setup process!