I am currently trying to figure out the correct way to route "all" traffic of specific (rootless) docker containers through Wireguard while, on the one hand, preventing any leakage (if the connection/Wireguard fails, prevent any internet access) and, on the other hand, allowing LAN connections (192.168.0.0/16) to access the UIs of the container's services.
The thing I tried first was to route the traffic through a linuxserver/wireguard container with killswitch - this had some downsides:
- if the wg-quick config was faulty, the Wireguard connection was never established (and the killswitch iptables rules were never added), which led to complete leakage of all traffic.
- local access of any of the services was only possible inside the container
To permit local traffic one could modify the IPTables rules and add routing rules (see e.g. here) which sadly wasn't working for me. I furthermore tested rnd1783's procedure from his recent question on Reddit which seemed to work, but like him, I am unsure whether that correctly solves my intentions (note the single answer by rcN9).
rcN9 seems to recommend using network namespaces (see e.g. here or here), but I am unsure whether that would be possible in a semi-root (rootless docker/podman; I prefer not to use root, but would if there is no other way) and container-"style" environment.
What would be the best possible solution to my intentions:
- rootless containers (rootless docker, podman)
- prevent any leakage
- allow LAN access (to UIs)
This should be independent of any distribution, but I will mention it to be on the safe side: looking for a solution which works with Debian.
EDIT 1:
- I could make use of a secondary (physical) network interface if that could help me.
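As an added illustration of the network-namespace approach rcN9 points at (this is example code, not something from the question or from any of the linked threads): the tunnel interface lives in its own namespace, so a container attached to that namespace has exactly two routes, the default via wg0 and the LAN prefix via a veth pair. A missing or failed tunnel then yields "network unreachable" instead of a leak, which is the property the iptables killswitch could not guarantee when the config was faulty. It assumes root for the namespace and interface setup (ip netns and wg need CAP_NET_ADMIN), wireguard-tools and nftables on a Debian-style host, and an ordinary wg-quick config in /etc/wireguard/wg0.conf; the addresses, DNS server, UI port and image are placeholders. Whether a rootless engine can join a namespace created this way is left open, as in the question; the `run_example` function is assumed to need root too.

```shell
#!/bin/sh
# Added example (not from the original post): run the Wireguard tunnel inside
# its own network namespace. A container started in that namespace has exactly
# two routes: default via wg0 and the LAN prefix via a veth pair, so a failed
# or missing tunnel means "network unreachable" rather than a leak.
# Assumptions: run as root (ip netns / wg need CAP_NET_ADMIN), wireguard-tools
# and nftables installed, /etc/wireguard/wg0.conf is an ordinary wg-quick config.
# All addresses, the DNS server and the UI port below are placeholders.
set -eu
NS=vpn
WG_IF=wg0
WG_ADDR=10.0.0.2/32           # placeholder: tunnel address assigned by the provider
WG_DNS=10.0.0.1               # placeholder: resolver reachable through the tunnel
VETH_HOST=vpn-h
VETH_NS=vpn-n
VETH_NET=10.200.0.0/24        # placeholder: link between host and namespace
HOST_IP=10.200.0.1
NS_IP=10.200.0.2
LAN=192.168.0.0/16
UI_PORT=8080                  # placeholder: the service UI inside the container

# Leak check for the namespace routing table (stdin = output of `ip -n $NS route`).
# Acceptable: anything on wg0, the veth link itself, and the LAN prefix via the
# veth. Any other route is a path around the tunnel and fails the check.
routes_are_leakfree() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$line" in
      *" dev $WG_IF "*|*" dev $WG_IF") ;;
      "$VETH_NET dev $VETH_NS"*) ;;
      "$LAN via $HOST_IP dev $VETH_NS"*) ;;
      *) printf 'unexpected route in %s: %s\n' "$NS" "$line" >&2; return 1 ;;
    esac
  done
  return 0
}

up() {
  ip netns add "$NS"
  ip -n "$NS" link set lo up
  # Create wg0 on the host, then move it: the encrypted UDP socket stays in the
  # host namespace, the plaintext side of the tunnel exists only inside $NS.
  ip link add "$WG_IF" type wireguard
  ip link set "$WG_IF" netns "$NS"
  wg-quick strip "$WG_IF" | ip netns exec "$NS" wg setconf "$WG_IF" /dev/stdin
  ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
  ip -n "$NS" link set "$WG_IF" up
  ip -n "$NS" route add default dev "$WG_IF"
  # veth pair: the only other way in or out, and it only carries the LAN prefix.
  ip link add "$VETH_HOST" type veth peer name "$VETH_NS" netns "$NS"
  ip addr add "$HOST_IP/24" dev "$VETH_HOST"; ip link set "$VETH_HOST" up
  ip -n "$NS" addr add "$NS_IP/24" dev "$VETH_NS"; ip -n "$NS" link set "$VETH_NS" up
  ip -n "$NS" route add "$LAN" via "$HOST_IP"
  # Namespace-local resolver, so DNS also travels through the tunnel.
  mkdir -p "/etc/netns/$NS"
  printf 'nameserver %s\n' "$WG_DNS" > "/etc/netns/$NS/resolv.conf"
  # Host side: forward veth traffic only to/from the LAN, and publish the UI
  # port to LAN clients by DNAT to the namespace address.
  sysctl -qw net.ipv4.ip_forward=1
  nft -f - <<EOF
table inet vpnns {
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$VETH_HOST" ip daddr != $LAN drop
    oifname "$VETH_HOST" ip saddr != $LAN drop
  }
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    ip saddr $LAN tcp dport $UI_PORT dnat ip to $NS_IP
  }
}
EOF
}

# Verify the namespace after `up`: routes, and whether the peer has handshaked.
check() {
  ip -n "$NS" route | routes_are_leakfree
  ip netns exec "$NS" wg show "$WG_IF" latest-handshakes
}

# Start a container attached to the namespace (assumed to need root as well:
# a rootless engine runs in a user namespace that does not own $NS).
run_example() {
  podman run --rm --network "ns:/run/netns/$NS" \
    docker.io/library/alpine:latest sh -c 'ip route'
}

down() {
  nft delete table inet vpnns 2>/dev/null || true
  ip link del "$VETH_HOST" 2>/dev/null || true
  ip netns del "$NS" 2>/dev/null || true   # also destroys wg0
}

case "${1:-}" in up) up ;; check) check ;; run) run_example ;; down) down ;; esac
```

Usage is `./vpnns.sh up`, then `./vpnns.sh check` (it prints any route that bypasses the tunnel and the last handshake time), `./vpnns.sh run` for a container inside the namespace, and `./vpnns.sh down` to tear everything down. The design choice worth noting is that the killswitch is not a firewall rule that may or may not get installed: the namespace simply has no route to the internet except wg0, and the host-side nft rules only restrict the veth to the LAN as a second layer.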