
I have a VPS running the wg-easy Docker image and an Orange Pi 4B, which is located at home. I want to proxy requests from the VPS to the Orange Pi through a WireGuard tunnel to make a Minecraft server for me and my friends. To proxy requests I am going to use nginx (maybe not the best solution, but at least I know how to work with it).

At first, I tried to ping 10.8.0.2 (the IP of the Orange Pi in WireGuard), but got no response. Then I ran the following command, sudo docker exec -it wg-easy ping 10.8.0.2, and it worked.

vps-user@vps:~$ ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
--- 10.8.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4093ms

vps-user@vps:~$ sudo docker exec -it wg-easy ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: seq=0 ttl=65 time=57.427 ms
64 bytes from 10.8.0.2: seq=1 ttl=65 time=56.928 ms
64 bytes from 10.8.0.2: seq=2 ttl=65 time=57.318 ms
^C
--- 10.8.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 56.928/57.224/57.427 ms

So I think my Orange Pi is only accessible from within the Docker container.

When I researched that question, I found that discussion in the GitHub repo. As I understood it, there is an answer on how to proxy an exact port. But I find that way a little hard, because if I need to add more ports, I have to append more boilerplate and not make mistakes with it.

I also found the --network host argument. I tried to use it within a VM. It adds a real wg0 interface and makes pinging peers from the host possible. Here is a demo of how it works (I changed /etc/sysctl.conf behind the scenes and removed some ifconfig output, leaving only interface names and IPs).

osboxes@osboxes:~$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

osboxes@osboxes:~$ sudo docker start wg-easy
[sudo] password for osboxes: 
wg-easy

osboxes@osboxes:~$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1

osboxes@osboxes:~$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.035 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.032/0.033/0.035/0.001 ms

This looks good to me, but I am not sure exactly how it works, and it is a little scary to use it on a real server. I watched NetworkChuck's tutorial about Docker networks, but maybe I didn't understand it, because English is not my main language.

So is there a better way to access the internal Docker container network?
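The question's worry about the per-port iptables approach is that every extra port means more boilerplate and another chance to forget the matching cleanup rule or the Docker port mapping. The script below is an added example (not from the question or the wg-easy project) that keeps the forwarded ports in one table and derives the WG_POST_UP string, the WG_POST_DOWN string and the docker -p flags from it, so the -A/-D pairs and the published ports cannot drift apart. It assumes, like the iptables snippet in the linked discussion, that the container's Internet-facing interface is eth0 and the tunnel interface is wg0; the port entries are constructed samples.

```shell
#!/bin/sh
# Added example, not from the question or the wg-easy project: generate the
# matching WG_POST_UP / WG_POST_DOWN strings and docker "-p" flags from one
# port table, so an -A rule is never added without its -D twin and no
# published port is forgotten.
# Assumptions: container Internet-facing interface is eth0, tunnel is wg0.

# One entry per line: "<proto> <public-port> <peer-ip>:<peer-port>".
# Constructed sample entries; replace with your own.
PORT_MAP='tcp 25565 10.8.0.2:25565
udp 19132 10.8.0.2:19132'

# gen_rules up|down: print the ';'-joined iptables command list for
# WG_POST_UP (-A) or WG_POST_DOWN (-D). Both come from PORT_MAP, so they
# always contain exactly the same rules.
gen_rules() {
    case "$1" in
        up)   act=-A ;;
        down) act=-D ;;
        *) echo "usage: gen_rules up|down" >&2; return 1 ;;
    esac
    {
        echo "iptables $act FORWARD -i wg0 -j ACCEPT"
        echo "iptables -t nat $act POSTROUTING -o eth0 -j MASQUERADE"
        printf '%s\n' "$PORT_MAP" | while read -r proto pub dest; do
            [ -n "$proto" ] || continue
            echo "iptables -t nat $act PREROUTING -i eth0 -p $proto --dport $pub -j DNAT --to-destination $dest"
        done
    } | paste -sd ';' -
}

# gen_publish_flags: print the docker "-p" flags that publish every port in
# PORT_MAP on the VPS, so the host-side DNAT exists for each container rule.
gen_publish_flags() {
    printf '%s\n' "$PORT_MAP" | while read -r proto pub dest; do
        [ -n "$proto" ] || continue
        printf '%s %s:%s/%s\n' -p "$pub" "$pub" "$proto"
    done | paste -sd ' ' -
}

# Print the three pieces to paste into the docker run command.
printf 'WG_POST_UP=%s\n' "$(gen_rules up)"
printf 'WG_POST_DOWN=%s\n' "$(gen_rules down)"
printf 'publish flags: %s\n' "$(gen_publish_flags)"
```

Run it once, paste the two strings into -e "WG_POST_UP=..." and -e "WG_POST_DOWN=..." and the flags next to the other -p lines; when a port is added or removed, edit PORT_MAP and regenerate all three at once.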

1 Answer


I have found out some pros and cons of the methods that were mentioned in the question. I also think that I found the best method to proxy requests.

Changing container network to host

On the one hand, it is the easiest way for beginners to expose the internal network. On the other hand, it is insecure, because every change to the network within the container will influence the host network.

sudo nano /etc/sysctl.conf
# Add the following two lines at the end of the file
net.ipv4.conf.all.src_valid_mark=1
net.ipv4.ip_forward=1

# Apply the new sysctl settings without a reboot
sudo sysctl -p

# Note: with --network host the -p mappings below are ignored (Docker prints a
# warning about discarded published ports); the container binds 51820/udp and
# 51821/tcp directly on the host.
sudo docker run -d \
  --name=wg-easy \
  -e WG_HOST=YOUR_IP_OR_DOMAIN \
  -e PASSWORD=CHANGE_ME \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --network host \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

Proxying exact port

The hardest way to proxy requests. The only case where I'd use it is if I just need to proxy one port for one peer.

sudo docker run -d \
  --name=wg-easy \
  -e WG_HOST=YOUR_IP_OR_DOMAIN \
  -e PASSWORD=CHANGE_ME \
  -e "WG_POST_UP=iptables -A FORWARD -i wg0 -j ACCEPT;iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.8.0.2:25565" \
  -e "WG_POST_DOWN=iptables -D FORWARD -i wg0 -j ACCEPT;iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D PREROUTING -t nat -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.8.0.2:25565" \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  -p 25565:25565 \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

Here are the cons of this solution:

  • Hard to manage proxied ports: you can forget to expose the port from Docker or forget to add the command that disables proxying to WG_POST_DOWN
  • Hard to proxy the same port multiple times for different IP addresses
  • You must understand how to work with iptables

Connect the host to WireGuard tunnel

When I researched my question, I also found that comment in the project's GitHub discussions. So here are the steps for how to do it.

  1. Run a wg-easy container (example from the docs)
  2. Go to the dashboard and log in
  3. Add a new client and download its configuration
  4. Go to the host and install WireGuard: sudo apt install wireguard -y
  5. Add a new WireGuard configuration: sudo nano /etc/wireguard/wg0.conf
  6. Paste in the configuration from the file you got from the dashboard
  7. Edit your configuration like below
     - AllowedIPs = 0.0.0.0/0, ::/0
     + AllowedIPs = 10.8.0.0/24
  8. Run your WireGuard tunnel: sudo wg-quick up wg0
  9. Now you can reach peers through the WireGuard tunnel: ping 10.8.0.1

I think that solution is the best, because there is no need to manage multiple iptables rules to proxy, and the only changes to the host network are made by your own hands.
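Step 7 of this method is the one that matters for safety: the client config the wg-easy dashboard exports carries AllowedIPs = 0.0.0.0/0, ::/0, and bringing that up unchanged on the VPS makes wg-quick send all of the VPS's own traffic through the home peer, which very likely cuts off your SSH session. The script below is an added example (not from the answer or the wg-easy project) with a pre-flight check that refuses such a config, plus the nginx stream block the question plans to use for forwarding the game port over the tunnel. Assumed values: a VPS public address of 203.0.113.10 (documentation range) and the tunnel addresses from the page (10.8.0.0/24, Orange Pi at 10.8.0.2); the two configs it checks are constructed samples.

```shell
#!/bin/sh
# Added example, not from the answer or the wg-easy project: a pre-flight
# check for the AllowedIPs edit in step 7, and the nginx stream{} block
# that relays the game port from the VPS into the tunnel.
# Assumptions: VPS public address 203.0.113.10 (placeholder), tunnel
# 10.8.0.0/24, Orange Pi at 10.8.0.2.

# check_allowed_ips: read a wg-quick config on stdin; succeed only if no
# AllowedIPs line contains a default route (0.0.0.0/0 or ::/0), which would
# route the whole VPS through the home peer.
check_allowed_ips() {
    if grep -Ei '^[[:space:]]*AllowedIPs[[:space:]]*=' \
       | grep -Eq '(^|[ ,=])(0\.0\.0\.0/0|::/0)([ ,]|$)'; then
        return 1
    fi
    return 0
}

# nginx_stream_conf <listen-addr> <public-port> <peer-ip:port>: print a
# stream{} block that accepts TCP on the VPS and relays it to the peer.
# Needs nginx built with the stream module; the block goes at the top level
# of nginx.conf, outside http{} (conf.d is included inside http{}).
nginx_stream_conf() {
    cat <<EOF
stream {
    server {
        listen $1:$2;
        proxy_pass $3;
        proxy_connect_timeout 5s;
    }
}
EOF
}

# Constructed sample configs: what the dashboard exports, and the step 7 edit.
DASHBOARD_CONF='[Interface]
PrivateKey = <client private key>
Address = 10.8.0.3/24

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = YOUR_IP_OR_DOMAIN:51820'
EDITED_CONF=$(printf '%s\n' "$DASHBOARD_CONF" \
              | sed 's|^AllowedIPs = .*|AllowedIPs = 10.8.0.0/24|')

# Real usage on the VPS would be:
#   check_allowed_ips < /etc/wireguard/wg0.conf && sudo wg-quick up wg0
# Here the check runs against the constructed samples instead.
printf '%s\n' "$DASHBOARD_CONF" | check_allowed_ips || echo "dashboard config rejected: full tunnel"
printf '%s\n' "$EDITED_CONF"    | check_allowed_ips && echo "edited config accepted"
nginx_stream_conf 203.0.113.10 25565 10.8.0.2:25565
```

Binding the listener to the VPS's public address rather than 0.0.0.0 keeps nginx from also accepting the port on the tunnel side, and the stream module forwards raw TCP, so it works for Minecraft even though it is not HTTP.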
