I have a VPS running the wg-easy Docker image and an Orange Pi 4B, which is located at home. I want to proxy requests from the VPS to the Orange Pi through a WireGuard tunnel to make a Minecraft server for me and my friends. To proxy requests I am going to use nginx (maybe not the best solution, but at least I know how to work with it).
At first, I tried to ping 10.8.0.2 (the IP of the Orange Pi in WireGuard), but had no response. Then I ran the following command: sudo docker exec -it wg-easy ping 10.8.0.2, and it worked.
vps-user@vps:~$ ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
--- 10.8.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4093ms
vps-user@vps:~$ sudo docker exec -it wg-easy ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: seq=0 ttl=65 time=57.427 ms
64 bytes from 10.8.0.2: seq=1 ttl=65 time=56.928 ms
64 bytes from 10.8.0.2: seq=2 ttl=65 time=57.318 ms
^C
--- 10.8.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 56.928/57.224/57.427 ms
So I think my Orange Pi is only accessible from within the Docker container.
When I researched that question, I found this discussion in the GitHub repo. As I understood it, there is an answer on how to proxy an exact port. But I find that way a little hard, because if I need to add more ports, I have to append more boilerplate and not make mistakes with it.
I also found the --network host argument. I tried to use it within a VM. It adds a real wg0 interface and makes pinging peers from within the host possible. Here is a demo of how it works (I changed /etc/sysctl.conf behind the scenes and removed some ifconfig output, leaving only interface names and IPs):
osboxes@osboxes:~$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
osboxes@osboxes:~$ sudo docker start wg-easy
[sudo] password for osboxes:
wg-easy
osboxes@osboxes:~$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
osboxes@osboxes:~$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.035 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.032/0.033/0.035/0.001 ms
This looks good to me, but I am not sure how exactly it works, and it is a little scary to use it on a real server. I watched NetworkChuck's tutorial about Docker networks, but maybe I didn't understand it, because English is not my main language.
So, is there a better way to access the internal Docker container network?
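The host-versus-container reachability check done by hand above, as an added diagnostic script that is not part of the question or of wg-easy: it pings the peer from the host, then from inside the container, and parses the packet-loss summary from both the GNU ping on the host and the BusyBox ping in the image. The peer address and container name are the ones from the question; they can be overridden with the PEER and CONTAINER environment variables (assumed: docker and a POSIX sh on the VPS).

```shell
#!/bin/sh
# Peer and container names taken from the question; override via environment.
PEER="${PEER:-10.8.0.2}"
CONTAINER="${CONTAINER:-wg-easy}"

# Extract the packet-loss percentage from ping output. Handles both the
# GNU ping summary ("5 packets transmitted, 0 received, 100% packet loss")
# and the BusyBox one seen inside the container
# ("3 packets transmitted, 3 packets received, 0% packet loss").
# Prints nothing when no summary line is present.
loss_pct() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[ ,]\([0-9][0-9]*\)% packet loss.*/\1/p' \
        | head -n 1
}

# reachable PREFIX: run "PREFIX ping -c 3 -W 2 $PEER" (PREFIX may be empty
# for the host, or e.g. "sudo docker exec wg-easy" for the container) and
# return 0 only when the summary reports 0% loss. ping's own exit status is
# ignored so the summary line is parsed the same way in both places.
reachable() {
    out=$($1 ping -c 3 -W 2 "$PEER" 2>&1) || true
    [ "$(loss_pct "$out")" = "0" ]
}

# Decide which network namespace the wg0 interface must live in, based on
# where the peer answers.
main() {
    if reachable ""; then
        echo "host reaches $PEER directly: wg0 is visible in the host namespace"
    elif reachable "sudo docker exec $CONTAINER"; then
        echo "$PEER answers only from inside $CONTAINER: wg0 lives in the container's network namespace"
    else
        echo "$PEER answers from neither host nor container: check the tunnel and the peer first"
    fi
}

# Run the check only when invoked with the "run" argument, so the functions
# can also be sourced and tested without touching the network.
case "${1:-}" in run) main ;; esac
```

Run it as `sh wg-reach.sh run` on the VPS; the first branch is what `--network host` produces, the second is the bridge-network situation from the question.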