Hi,

I have a wireguard interface like this:

3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet6 fd60:1141:233e:2977:d0e:b410:d5b1:171b/64 scope global 
       valid_lft forever preferred_lft forever

And I am attempting to publish a container's port on this interface for the other wireguard peers.

So I start ipv6nat like this:
docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro -v /lib/modules:/lib/modules:ro --privileged --net=host robbertkl/ipv6nat

Then I create a network like this:
docker network create --ipv6 --subnet=fd00:dead:beef::/48 -o "com.docker.network.bridge.host_binding_ipv6"=fd60:1141:233e:2977:d0e:b410:d5b1:171b my-network
As you can see, I am binding the network to the address of the wireguard interface.

Next, I run an nginx just for testing:
docker run -d -p 8080:80 --network my-network nginx

I expect to be able to to use curl [fd60:1141:233e:2977:d0e:b410:d5b1:171b]:8080 from a wireguard peer and see the nginx default page. Instead, curl throws this error:
curl: (7) Failed to connect to fd60:1141:233e:2977:d0e:b410:d5b1:171b port 8080: Connection refused

Pinging through wireguard works, so this does not seem to be the problem.

Also netstat -tulpn lists:

tcp6       0      0 :::8080          :::*           LISTEN      4116/docker-proxy

Seems like the port is not bound to the correct IP/interface.

I don't know if it helps: I am on Ubuntu 4.15.0-1021-aws on an aws lightsail instance.

I have exhausted my knowledge here, so I am hoping for some help here.

Thanks!

@max-tet Can you post your output for iptables -nvL and ip6tables -nvL?

I implemented a workaround in the meantime and now I tried to reproduce the setup that caused the problem. But I simply could not do it. In fact, while trying I got it to work in the way I originally planned to. So this is no longer relevant and I am closing the issue.
(If only all bug reports were so easy to solve! 😉 )