I run a wireguard enpoint as a docker container on my server with roadwarrior clients connecting to it via LTE:
The real server address is a static public IP. The client config is as follows (irrelevant parts excluded):
[Interface]
Address = 10.254.99.2
[Peer]
AllowedIps = 10.254.99.1/32
Endpoint = 192.168.5.55
This works fine if I ping the client from within the docker container. But since I also want to reach the client from the docker host, I add a route on the server:
ip route add 10.254.99.0/24 via 172.17.0.2 dev docker0 src 192.168.5.55
Accordingly, I add the src
address to the list of AllowedIps on the server:
[Peer]
AllowedIps = 10.254.99.1/32, 192.168.5.55/32
And with this things stop working. I cannot ping the client, neither from the server nor from within the container anymore. If I allow all Ips on the client instead, everything works as expected:
[Peer]
AllowedIps = 0.0.0.0/0
But I don't want to route all traffic through the tunnel. What's the proper way to do this?