
Situation: A Raspberry Pi 4B with Ubuntu 22.04 LTS running Docker compose. I installed docker compose with the WireGuard server from linuxserver.io. https://docs.linuxserver.io/images/docker-wireguard/?h=wireguard

After a bit of fiddling, I got it working. Internet goes via this WireGuard server when I enable the connection. Even on my Android phone it works: I installed Rethink (a combined firewall + wg client), enabled it and connected to 4G (and disabled wifi) and got my home IP address and normal internet access via the Pi over the mobile network. But the question is: I cannot access the Raspberry Pi over this VPN. When I use an OpenVPN client connected to a server also on the same Pi, I can just connect to 10.8.0.1 via SSH or web (Pi-hole).

But the gateway to WireGuard appears to be 10.9.0.1, and it has no open ports. And the other network (Docker?) has 172.18.0.1, which only has ports 53 (DNS) and 8080 open. The same happens when I connect my MacBook with WireGuard: it does have internet, but no access to the Pi.

Is there a way to connect to the host of the WireGuard docker server?

  • It should work out of the box. If it doesn't, most likely it's the configuration / firewall on the host. Consider adding output of ip a, iptables-save, nft list ruleset and ss -nltp to your post.
    – Tom Yan
    Commented Jun 15 at 2:05
  • I can access the inside of the container by accessing 10.9.0.1 (above example), but I see that only ports 8080 and 53 are open, and that is actually inside the container. But accessing the host from the container, how do I achieve that?
    – user513667
    Commented Jun 15 at 17:52
  • By using an(y) IP of the docker host. (Semantically it makes most sense to use the one configured on the corresponding docker bridge, but practically you can probably even use any of its IPs.)
    – Tom Yan
    Commented Jun 15 at 18:05

1 Answer


Finally I found out. I assumed that the IP 10.9.0.1 (of the wg server) was the correct IP, but found out that the bridge is the correct one. Output of ip a:

5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:09:44:60:5f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: br-c8b529baa05a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ba:39:b6:2f brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c8b529baa05a
       valid_lft forever preferred_lft forever
    inet6 fe80::42:baff:fe39:b62f/64 scope link 
       valid_lft forever preferred_lft forever
8: veth4a5f552@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b529baa05a state UP group default 
    link/ether fa:1b:96:68:d3:3c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::f81b:96ff:fe68:d33c/64 scope link 
       valid_lft forever preferred_lft forever

That address is 172.18.0.1 of the bridge br-..., whose name changes every session (why?), but fortunately the IP does not.

So I used this '172.18.0.1' as DNS server, and ssh-ing into that address initially did not work, as I had not whitelisted this (indoor) IP range '172.18.0.0/24' in ufw. After I whitelisted this in ufw, I could view the web interface and ssh into it by using this bridge IP address.

And because of setting this as DNS, Pi Hole also worked over the wg VPN and I double checked it by installing another peer config into an Android wg client (Rethink) with the same DNS setting and connected the cellphone with 4G (and wifi OFF).

The result was that the outdoor IP of my cellphone was my home IP rather than the carrier's IP. And I could ssh into my Pi using the same bridge IP. All traffic goes via Pi-hole as well. Exactly the same as when I connect my cellphone with OpenVPN to the Pi, as I also have an OpenVPN server on the same Pi.

Here is an example of my peer conf:

[Interface]
Address = 10.9.0.2
PrivateKey = <PKEY>
DNS = 172.18.0.1

[Peer]
PublicKey = <PUB>
PresharedKey = <PRE>
Endpoint = <myhomeip>:51820
#AllowedIPs = 0.0.0.0/0
AllowedIPs = 0.0.0.0/0,192.168.0.0/24

Even the latter 192.168.0.0 is not strictly needed.
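As an added example (not from the original post or the linuxserver.io image): a POSIX shell script that picks the compose bridge address the answer relies on out of `ip -4 -o addr` output, derives its subnet, and prints ufw rules that open only the ports actually needed (SSH, DNS, Pi-hole web) from that subnet to the bridge IP, instead of whitelisting a whole range for everything. The sample `ip` output and the port list are constructed assumptions; the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the original post. Derives ufw rules from the
# compose bridge address instead of hand-typing a whole range.
set -eu

# Constructed sample in `ip -4 -o addr` format, modelled on the ip a output above.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
5: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever
6: br-c8b529baa05a    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c8b529baa05a\       valid_lft forever preferred_lft forever'

# Print the address/prefix of the first compose bridge (br-*), skipping docker0.
# The bridge name changes between runs, so match on the prefix, not the name.
bridge_addr() {
  printf '%s\n' "$1" | awk '$2 ~ /^br-/ { print $4; exit }'
}

# Turn 172.18.0.1/16 into its network 172.18.0.0/16 (pure shell arithmetic).
cidr_network() {
  cn_ip=${1%/*}; cn_plen=${1#*/}
  set -- $(printf '%s' "$cn_ip" | tr '.' ' ')
  cn_n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  cn_mask=$(( (4294967295 << (32 - cn_plen)) & 4294967295 ))
  cn_n=$(( cn_n & cn_mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (cn_n >> 24) & 255 )) $(( (cn_n >> 16) & 255 )) \
    $(( (cn_n >> 8) & 255 )) $(( cn_n & 255 )) "$cn_plen"
}

# Print ufw rules allowing only SSH, DNS and the Pi-hole web port from the
# bridge subnet to the bridge address (assumed port list; adjust as needed).
ufw_rules() {
  ur_host=${1%/*}
  ur_src=$(cidr_network "$1")
  for ur_rule in "tcp 22" "tcp 53" "udp 53" "tcp 80"; do
    set -- $ur_rule
    printf 'ufw allow proto %s from %s to %s port %s\n' "$1" "$ur_src" "$ur_host" "$2"
  done
}

# Dry run on the sample: prints the commands, does not execute them.
ufw_rules "$(bridge_addr "$SAMPLE_IP_ADDR")"
```

On the real host replace the sample with `$(ip -4 -o addr)` and review the printed lines before running them with sudo.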
