linuxserver / docker-wireguard

[BUG] docker host cannot ping client

icsy7867 opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I am losing my mind a little bit. Wireguard server seems to be running great. Clients can connect to it; I can even SSH into the clients from within the docker container after adding openssh.

However, I need to be able to ping and SSH to the clients from the docker host server, and these seem to go into a black hole of some sort. This is on RHEL9, but I don't see any sort of SELinux stuff blocking anything.

The current client has IP Address: 192.168.100.13

docker exec -it wireguard bash
I can ping the wireguard client and SSH into it.

But from the docker host, a simple:
ping 192.168.100.13

Goes into a black hole. It just sits there and returns nothing.

Currently getting the docker IP address of the container:
docker inspect wireguard

and then adding a route on the host server:
ip route add 192.168.100.0/24 via 10.88.0.6

But same thing, ping 192.168.100.13 just seems to hang indefinitely.

Expected Behavior

I should be able to ping a wg client from localhost of my server running the wg container.

Steps To Reproduce

Run the wg server.
Have a client connect.
Try to ping the client's IP address from the host.

Environment

- OS: RHEL9
- How docker service was installed: Podman

CPU architecture

x86-64

Docker creation

Here is my run.sh script for redeploying. Any help would be appreciated, as I am losing my mind...

```bash
#!/bin/bash
# Redeploy the wireguard container and route the peer subnet to it.
set -eu

podman rm -f wireguard

# --privileged already grants every capability, so the three --cap-add lines
# below are redundant. The image needs NET_ADMIN to create wg0 and its
# iptables rules; SYS_MODULE is only for loading the wireguard module from
# the host's /lib/modules. Dropping --privileged is the smaller attack surface.
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --cap-add=NET_RAW \
  --privileged \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -e SERVERURL=my.server.com `#optional` \
  -e SERVERPORT=51820 `#optional` \
  -e PEERS=15 `#optional` \
  -e PEERDNS='8.8.8.8' `#optional` \
  -e INTERNAL_SUBNET=192.168.100.0 `#optional` \
  -e ALLOWEDIPS=192.168.100.0/24 `#optional` \
  -e PERSISTENTKEEPALIVE_PEERS= `#optional` \
  -e LOG_CONFS=true `#optional` \
  -p 51820:51820/udp \
  -v /lib/modules:/lib/modules `#optional` \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard

podman cp "$PWD/server-init.sh" wireguard:/server-init.sh
podman exec -it wireguard sh /server-init.sh

# Replace the host route to the wg subnet. The delete fails harmlessly on a
# fresh host where the route does not exist yet.
ip route del 192.168.100.0/24 2>/dev/null || true
sleep 1

# Address of the container on the podman bridge (first IPAddress field in
# the inspect JSON); abort instead of adding a route via an empty gateway.
IPADDR=$(podman inspect wireguard | grep "IPAddress" | head -n 1 | awk -F': ' '{print $2}' | cut -d '"' -f2)
[ -n "$IPADDR" ] || { echo "could not determine container IP" >&2; exit 1; }

ip route add 192.168.100.0/24 via "${IPADDR}" dev podman1
ip route add 10.168.100.0/24 via "${IPADDR}" dev podman0
```


### Container logs

Container itself seems OK...

```bash
CoreDNS-1.10.0
linux/amd64, go1.19.9,
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.100.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.168.100.9/32 dev wg0
[#] ip -4 route add 192.168.100.8/32 dev wg0
[#] ip -4 route add 192.168.100.7/32 dev wg0
[#] ip -4 route add 192.168.100.6/32 dev wg0
[#] ip -4 route add 192.168.100.5/32 dev wg0
[#] ip -4 route add 192.168.100.4/32 dev wg0
[#] ip -4 route add 192.168.100.3/32 dev wg0
[#] ip -4 route add 192.168.100.2/32 dev wg0
[#] ip -4 route add 192.168.100.16/32 dev wg0
[#] ip -4 route add 192.168.100.15/32 dev wg0
[#] ip -4 route add 192.168.100.14/32 dev wg0
[#] ip -4 route add 192.168.100.13/32 dev wg0
[#] ip -4 route add 192.168.100.12/32 dev wg0
[#] ip -4 route add 192.168.100.11/32 dev wg0
[#] ip -4 route add 192.168.100.10/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
[ls.io-init] done.
```

Not a bug, and not something we directly provide support for. Also, the info provided is extremely confusing: random IPs and shell scripts referenced...

Here are some articles that talk about what you're trying to accomplish:
https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard
https://www.linuxserver.io/blog/advanced-wireguard-container-routing
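The silent hang in this thread is consistent with WireGuard's cryptokey routing rather than a firewall: after decrypting a packet, a peer drops it unless the inner source address falls inside the AllowedIPs it holds for the sender, and nothing is logged. The client's AllowedIPs for the server is `192.168.100.0/24` (the `ALLOWEDIPS` value in the run script), while the container's logged MASQUERADE rule only matches `-o eth+`, so host traffic that the container forwards into `wg0` arrives at the client with the host's bridge address as source. The script below is an added example, not code from the issue, from icsy7867, or from the linuxserver image: it models that check for the addresses in the thread and prints the two possible fixes. The host bridge address `10.88.0.1`, the bridge subnet `10.88.0.0/16` and the placeholder public key are assumptions; `192.168.100.1` is the server's `wg0` address from the logs.

```shell
#!/bin/bash
# Added example, not code from the issue or the linuxserver image. Models the
# WireGuard cryptokey-routing check that decides whether a client accepts a
# packet forwarded from the docker host, and prints the fix for each side.
set -u

# ---- assumptions, not taken from the issue ---------------------------------
HOST_BRIDGE_ADDR=10.88.0.1        # host side of the podman bridge (container got 10.88.0.6)
HOST_BRIDGE_NET=10.88.0.0/16      # podman's default bridge subnet
WG_SERVER_ADDR=192.168.100.1      # wg0 address inside the container (from the logs)
SERVER_PUBKEY='SERVER_PUBKEY_PLACEHOLDER='   # placeholder, not a real key

# Constructed sample of what `wg show wg0 allowed-ips` prints on the CLIENT:
# one line per peer, "<public key><TAB><allowed CIDRs separated by spaces>".
CLIENT_ALLOWED_IPS_DUMP=$(printf '%s\t%s' "$SERVER_PUBKEY" '192.168.100.0/24')

# Dotted quad -> 32-bit integer.
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP is inside CIDR (a bare address means /32).
in_cidr() {
    local ip=$1 net=${2%/*} bits=32 mask
    case $2 in */*) bits=${2#*/} ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# peer_accepts_source SRC "CIDR CIDR ..." -> exit 0 if a peer holding those
# AllowedIPs for the sender would accept a decrypted packet with source SRC.
peer_accepts_source() {
    local src=$1 cidr
    for cidr in $2; do
        in_cidr "$src" "$cidr" && return 0
    done
    return 1
}

# allowed_ips_of_peer PUBKEY < allowed-ips dump -> AllowedIPs string for that peer.
allowed_ips_of_peer() {
    awk -v k="$1" -F'\t' '$1 == k { print $2 }'
}

# diagnose SRC PUBKEY < allowed-ips dump -> one "accept: ..." or "drop: ..." line.
diagnose() {
    local src=$1 allowed
    allowed=$(allowed_ips_of_peer "$2")
    if peer_accepts_source "$src" "$allowed"; then
        echo "accept: $src is inside AllowedIPs [$allowed]"
    else
        echo "drop: $src is outside AllowedIPs [$allowed]; cryptokey routing discards it silently"
    fi
}

# Fix A (container side only): source-NAT forwarded host traffic to wg0's own
# address, which every client already has in its AllowedIPs. Replies go to
# 192.168.100.1 over the tunnel and conntrack un-NATs them to the host.
snat_fix_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o wg0 -j SNAT --to-source %s\n' "$1" "$2"
}

# Fix B (client side): add the host network to the client's AllowedIPs for the
# server peer; wg-quick then also installs the return route via wg0.
allowedips_fix_line() {
    printf 'AllowedIPs = %s, %s\n' "$1" "$2"
}

# Stand-alone run: the issue's situation as-is, after SNAT, then both fixes.
printf '%s\n' "$CLIENT_ALLOWED_IPS_DUMP" | diagnose "$HOST_BRIDGE_ADDR" "$SERVER_PUBKEY"
printf '%s\n' "$CLIENT_ALLOWED_IPS_DUMP" | diagnose "$WG_SERVER_ADDR" "$SERVER_PUBKEY"
snat_fix_rule "$HOST_BRIDGE_NET" "$WG_SERVER_ADDR"
allowedips_fix_line 192.168.100.0/24 "$HOST_BRIDGE_NET"
```

Before applying either fix, confirm the container actually forwards: `podman exec wireguard cat /proc/sys/net/ipv4/ip_forward` must print `1`, and `podman exec wireguard wg show wg0 allowed-ips` shows the server-side view (one `/32` per peer, matching the `ip -4 route add .../32 dev wg0` lines in the logs). Fix A needs no change on any client and keeps the peer configs as the image generated them; Fix B exposes the host's bridge network inside the tunnel on every client you edit, so prefer A unless the clients genuinely need to reach the bridge by its own addresses.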