I am trying to route traffic coming from a docker network ... I have Wireguard up and running, and unlike the examples in the docs that route ALL the traffic through the VPN based on destination, I am trying to route only SOME of the traffic based on source network, policy routing, then on destination.
Essentially I want all the traffic coming from 10.30.0.0 (docker bridge network) going through he wg0 interface, except for traffic that is going back to the same network or my lan. So essentially just outbound internet traffic.
I have it working ... sort of ... using static routes.
post-up ip rule add from 10.30.0.0/16 table 200
post-up ip route add default via a.b.c.d metric 2 table 200
post-up ip route add blackhole default metric 3 table 200
post-up ip route add 192.168.0.0/16 via 192.168.0.1 table 200
post-up ip route add 10.30.0.0/16 via 10.30.0.1 table 200
Using table 200 for all traffic coming from 10.30.0.0 default route is through wg0. The fallback route is a blackhole, kill switch in case wg0 goes down.
Next two routes take care of routing anything internal around wg0, otherwise the containers can't talk to each other on the networks or any webgui's can't be accessed. This works perfectly.
EXCEPT I call these routes in /etc/network/interfaces.d/wg0 so that the interfaces gets created and brought up in boot, with the proper routes. Everything is fine except for this route:
post-up ip route add 10.30.0.0/16 via 10.30.0.1 table 200
It fails because the docker bridge isn't up yet when wg0 comes up, so it can't create the route because the gateway is missing. For the time being I hacked it together and used "@reboot" in cron to bring up this route after the docker network is up.
Is there a more elegant solution? I thought of marking all the packets coming from 10.30.0.0 that are not destined for 10.30.0.0 or 192.168.0.0 and (iptables -s 10.30.0.0/16 ! -d 192.168.0.0/16 etc etc) to avoid having to use that route, but I cannot figure it out for the life of me.
Appreciate any help
