
I have two containers linuxserver/wireguard and X on Ubuntu (server) 20.04.

X has a WebUI on port q that I would like to access via my local network (192.168.178.0/24 - fritzbox).

They are configured so that X uses the same 'network' as linuxserver/wireguard (via docker's --net=container:wireguard). Additionally, the port q used by X is specified via -p q:q on linuxserver/wireguard.

So

  • docker create --name=wireguard [...] -p q:q linuxserver/wireguard
  • docker create --name=X [...] --net=container:wireguard -e WebUI_Port=q X

Additionally I supply the sysctls net.ipv4.conf.all.src_valid_mark=1 and net.ipv6.conf.all.disable_ipv6=0.

The client file wg0.conf of wireguard is now set up as follows:

[Interface]
PrivateKey = [...]
Address = [...]
DNS = [...]

PostUp =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = [...]
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = [...]

When starting both containers I was hoping to get access to the WebUI, but sadly this wasn't the case. As I am not sure whether this is a docker or wireguard related problem, hopefully you can help out here.

I additionally tried adding the rules

ip route add 192.168.178.0/24 via $(ip route show default | awk '/default/ {print $3}')

(as an extra command) and

! -d 192.168.178.0/24

(inside the iptables command), but haven't gotten any results. In the logs of linuxserver/wireguard the only differing output I find is: sysctl: setting key "net.ipv4.conf.all.src_valid_mark": Read-only file system

Dave M

1 Answer

It doesn't matter what your routes are if your iptables is rejecting everything with a LOCAL route.

NOTE!! I can not vouch for the security of this, as it is something I pieced together from various sources...

What you need to do is allow the traffic through the firewall for just your service, hopefully maintaining the kill switch for everything except that single port.

This is what worked for me after I added the required routes:

On the PostUp: iptables -A INPUT -p tcp -m tcp --dport <port> -j ACCEPT

The syntax or position of this is important. I believe the -A adds it to the end, although I also added it after the first iptables command to be safe.

On the PreDown: iptables -D INPUT -p tcp -m tcp --dport <port> -j ACCEPT

And I was able to use the specified port after that. Make sure you get your routes right as well. The linuxserver/wireguard readme has an (unofficial) pair of scripts to get that done, although they note that it is not an official recommendation.

deranjer
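An added example, not code from the question or the answer above: a small Python audit that parses `iptables -S` output and checks that the kill switch from the question's PostUp rule is still in place once the two carve-outs discussed here (the `! -d 192.168.178.0/24` LAN exception and the answer's INPUT accept for the WebUI port) have been added. The rule listing, the fwmark value 0xca6c and port 8080 are constructed sample values; wg0 and 192.168.178.0/24 come from the question.

```python
import shlex

# Constructed sample, modelled on `iptables -S` output after the question's
# PostUp rule plus the two carve-outs: `! -d 192.168.178.0/24` on the
# kill-switch rule and the answer's `-A INPUT ... --dport <port> -j ACCEPT`.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT ! -o wg0 ! -d 192.168.178.0/24 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable
"""

OPTS_WITH_VALUE = {"-o", "-i", "-d", "-s", "-p", "-m", "-j", "--mark",
                   "--dport", "--dst-type", "--reject-with"}

def parse_rules(text):
    """Turn `-A` lines into dicts: {chain, target, opts: {opt: (value, negated)}}."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # skip chain policies (-P) and blank lines
        rule, negate, i = {"chain": tok[1], "target": None, "opts": {}}, False, 2
        while i < len(tok):
            t = tok[i]
            if t == "!":          # `!` negates the option that follows it
                negate, i = True, i + 1
                continue
            val = tok[i + 1] if t in OPTS_WITH_VALUE and i + 1 < len(tok) else None
            if t == "-j":
                rule["target"] = val
            elif t != "-m":       # match-module names carry no policy meaning here
                rule["opts"][t] = (val, negate)
            negate, i = False, i + (2 if val is not None else 1)
        rules.append(rule)
    return rules

def audit_kill_switch(rules, wg_iface, lan_cidr, webui_port):
    """Return findings; an empty list means the kill switch holds and only the
    expected carve-outs (LAN subnet on OUTPUT, WebUI port on INPUT) exist."""
    ks = [r for r in rules if r["chain"] == "OUTPUT" and r["target"] == "REJECT"
          and r["opts"].get("-o") == (wg_iface, True)]
    if not ks:
        return [f"no OUTPUT REJECT rule for traffic leaving outside {wg_iface}: kill switch missing"]
    findings = []
    for r in ks:
        dst = r["opts"].get("-d")
        if dst is not None and dst != (lan_cidr, True):
            findings.append(f"unexpected destination carve-out on kill switch: {dst}")
        if r["opts"].get("--mark", (None, False))[1] is not True:
            findings.append("kill switch does not exempt fwmark'd tunnel packets; the tunnel itself would be blocked")
    for r in rules:
        if r["chain"] == "OUTPUT" and r["target"] == "ACCEPT" and r["opts"].get("-o") != (wg_iface, False):
            findings.append(f"OUTPUT ACCEPT not limited to {wg_iface} bypasses the kill switch: {r['opts']}")
        if r["chain"] == "INPUT" and r["target"] == "ACCEPT":
            dport = r["opts"].get("--dport", (None, False))[0]
            if dport != str(webui_port):
                findings.append(f"INPUT ACCEPT for port {dport!r} is not the WebUI port {webui_port}")
    return findings
```

Run it against the real listing with `audit_kill_switch(parse_rules(subprocess.check_output(["iptables", "-S"], text=True)), "wg0", "192.168.178.0/24", <port>)` inside the container after PostUp has fired.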