Running wireguard in client only mode in a docker container

What I want to do:

  1. Use a new wg-network for VyOS in my docker environment.
  2. In my VyOS container, run wireguard in client mode to connect to my paid vpn service.
  3. Make VyOS a sort of the default gateway for other containers in the wg-network.
  4. Connect other containers to wg-network and ensure all the traffic goes out through VyOS's wireguard interface.

What I have been able to do so far:

  1. I have been able to create a VyOS docker image and run it in a container from these instructions.
  2. Have put my wireguard config in /etc/wireguard/wg0.conf (The config works fine btw I’ve tested it in other distros)

What’s the blocker:

  1. When I run the command ip link show, it does not display a wireguard interface.
  2. Output of the wg-quick up command:
# wg-quick up /etc/wireguard/wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.00 seconds...
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.20 seconds...
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.44 seconds...
^C[#] ip link delete dev wg0
Unable to access interface: No such device
[#] ip link delete dev wg0
Cannot find device "wg0"

According to the documentation - a new key-pair needs to be generated for the wireguard interface. However, I’m afraid that it will make it run in a server (or peer) mode and won’t help connect to my paid vpn service because they already have provided me with a public and private keypair which I have put in the wg0.conf file.

Can someone help me troubleshoot this further, please? Much appreciated.

You can set up wireguard directly in the VyOS configuration to implement what you want.

I have found this on the documentation page: WireGuard — VyOS 1.2.x (crux) documentation

image

My vpn service has only provided us with a config file of the structure shown in the screenshot.

I’ve tried creating a new wireguard interface but it required another peer, which I don’t have.

I just want to use this config and connect to the vpn service. Any ideas how to do that?

You’re over complicating a simple thing.

edit interface wireguard wg1

tim@example# show
 address 10.172.24.20/24
 description "Wireguard Connection to VPN"
 ip {
     adjust-mss 1380
 }
 peer dodgy_vpn_provider {
     address 192.0.2.1
     allowed-ips 0.0.0.0/0
     persistent-keepalive 25
     port 2224
     public-key The public key under the peer statement I can't copy
 }
 port 2224
 private-key Private Key Under Interface Statement I Can't Copy

This assumes you’re using 1.5 rolling.

Yeah I’ve been using 1.5 rolling and like I said before, a wireguard interface does not exist when I launch the container and any attempts to create one fail.

My apologies, I missed you were running Vyos in a container.

I’m not sure how you’d do this, and I’ll pull my head in (though that config I gave you should work without having to do manual wg0.conf stuff)

Why don’t you run wireguard in VyOS with the native configuration?

This is my first attempt at using VyOS so I’ll appreciate your patience with me.

So far I’ve used two different images in a docker container.

  1. The 1.5 nightly build - Releases · vyos/vyos-rolling-nightly-builds (github.com)
    In this one, the wg-quick command with the config specified does not work. I’ve also followed the documentation. I can go into configure mode and define the wireguard interface IP block and description. But it fails at the point where I define my peer’s endpoint. I don’t think my paid (or dodgy, as the word is on this forum lol) vpn accepts that.

  2. The docker hub image - vyos/vyos-build:current (I believe it’s 1.5.x)
    This one I can install wireguard-tools in and then use the wg0.conf file provided by my vpn provider and get the wireguard interface up and running just fine. However, it doesn’t sit quite right because the ‘configure’ command is not available. It makes me wonder: is it even VyOS router OS or is it just simply Debian 12?

I just want to configure a container to act as my default gateway in my custom docker network. I thought since VyOS is a router OS, it could just do the job. I guess it’s not that straightforward.

This will be a hard way to do routing with containers in vyos. I implemented all you wanted by myself with Vyos native wireguard configuration. It will be faster since it is a kernel-based wireguard. If you want to set it in the container, it will be harder. Why don’t you try Debian with Docker? You can control it with iptables.

Yeah I’ve had some success with debian with docker. Basically, my custom docker network is 172.18.0.0/16, the default gateway is 172.18.0.1/16, and the debian container’s ip is 172.18.0.2

I have created and connected a wireguard interface in that container and then have modified my iptables to serve as a default gateway. Guide link.

Now here’s the problem. Any container that joins this network will have its default gateway set to 0.1 by default. The default gateway can be set to 0.2 but it will need running the container in a privileged mode, which is a massive security issue.

I’ve also tried setting the 0.1 ip address to my debian container’s eth0 (and removed 0.2) - in that case it loses all connectivity. (I’ve tried different combinations of ip route in both inside the container and out on the host as well.)
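Editor's worked example, not code from the thread or from either poster: the gateway-container setup the last two posts describe, written so the Debian container forwards other containers' traffic through wg0 only and never hairpins it back out eth0 if the tunnel drops. It reuses the thread's addresses (172.18.0.0/16, Docker's gateway 172.18.0.1, the gateway container at 172.18.0.2); the interface names eth0/wg0 and the container names are assumptions. The route change in a client container needs CAP_NET_ADMIN, which can be granted with --cap-add NET_ADMIN rather than --privileged; IP forwarding in the gateway container is set with Docker's --sysctl flag because /proc/sys is read-only inside a container. A client that should get no extra capability at all can instead be started with --network container:<gateway> so it shares the gateway's network namespace and needs no route change.

```shell
#!/bin/sh
# Added example, not code from the thread: a Debian container acting as the
# WireGuard gateway for a user-defined Docker network, plus the route change a
# client container needs. Hypothetical values follow the thread's layout:
# network 172.18.0.0/16, Docker's own gateway 172.18.0.1, gateway container
# 172.18.0.2 on eth0, tunnel interface wg0 already up (wg-quick up wg0).
#
# Start the gateway with the narrow grants it needs instead of --privileged:
#   docker run --cap-add NET_ADMIN --sysctl net.ipv4.ip_forward=1 \
#       --net wg-network --ip 172.18.0.2 ... (container name assumed: vpn-gw)
# A client that must not get NET_ADMIN can share the gateway's namespace
# instead (--network container:vpn-gw) and then needs no route change.
#
# DRY_RUN=1 prints every command instead of executing it.

LAN_NET="${LAN_NET:-172.18.0.0/16}"
LAN_IF="${LAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
GW_IP="${GW_IP:-172.18.0.2}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Inside the gateway container: forward LAN traffic to wg0 only, NAT it, and
# refuse to hairpin it back out eth0 so nothing leaks if the tunnel is down.
gateway_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WG_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WG_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicit kill switch, kept even though the chain policy is already DROP.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j DROP
    # Clamp MSS on tunnelled TCP (same job as adjust-mss in the VyOS answer).
    run iptables -t mangle -A FORWARD -o "$WG_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WG_IF" -j MASQUERADE
}

# Inside a client container (needs CAP_NET_ADMIN, not --privileged): replace
# the default route Docker installed via 172.18.0.1 with the gateway container.
client_route() {
    run ip route replace default via "$GW_IP"
}

# Usage: ./vpn-gateway.sh gateway   (in the gateway container)
#        ./vpn-gateway.sh client    (in each client container)
case "${1:-}" in
    gateway) gateway_rules ;;
    client)  client_route ;;
esac
```

Run it with DRY_RUN=1 first to review the exact iptables and ip commands before applying them; the FORWARD policy of DROP plus the single ACCEPT towards wg0 is what guarantees that a client container cannot reach the internet through 172.18.0.1 via the gateway when wg0 is down.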