Docker breaking Wireguard external connectivity

I’m pulling my hair out with this one. So I used dietpi to set up a few applications. Primarily PiHole and Wireguard. Everything was working fine. I then used dietpi-software to install docker which broke Wireguard. If I connect my client to the Wireguard server it authenticates ok. If I attempt to visit a url I can see the DNS query appearing in the pi hole logs but no external site will actually load.

I’ve seen a few instances of this issue come up and they seem to be focused on two potential issues. The first is docker creating a bunch of unhelpful iptables rules. So I flushed all rules out of iptables (for troubleshooting) and it didn’t make a difference. The other is an issue with the bridge network docker creates causing a clash of addresses, so I deleted the bridge network. This also didn’t solve the issue.

If I uninstall docker (using dietpi-software) Wireguard goes back to functioning correctly again (after a reboot and wg-quick down then up). I’ve been using Wireguard and pi hole for a while but not through dietpi without issue but have never had docker running on the same machine.

So I’m completely stumped. I can’t think what else would be causing the issue if it’s not iptables (and assuming flushing would remove that as a variable - unless I’m wrong?) and not docker network causing a clash (I can see through ip addr that it’s not using the same address space). Anyone got any ideas?

Latest dietpi on a RPi 3B.


Many thanks for your message. I found this old entry on our board

It looks similar to what you described.

Basically, the following should fix it during run. Unfortunately, it doesn’t seem to be boot persistent, or it gets overwritten by docker all the time?

iptables --policy FORWARD ACCEPT

Found this on docker docs

Not sure what the best way is to add the ACCEPT rule to the DOCKER-USER chain. But the following was working in my test

iptables -I DOCKER-USER -i eth0 -o wg0 -j ACCEPT
apt install iptables-persistent

Maybe there is a better option. Need to say, I’m not a Docker specialist.
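
An added example, not part of either post and not DietPi or Docker code: a small evaluator that walks the FORWARD path of `iptables -S` output and reports the verdict for a given interface pair. `iptables -F` empties chains but does not reset chain policies, so a flushed ruleset still ends in `-P FORWARD DROP`. The rulesets below are constructed and simplified, and the interface names `wg0`, `eth0` and `docker0` are assumptions taken from the commands above.

```python
# Added example; understands only -P/-N/-A with -i, -o, -j and "!" negation.
BASE = """\
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
"""  # constructed excerpt: what `iptables -F` leaves behind (policy, empty chains)
DOCKER = BASE + """\
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
"""  # constructed, simplified ruleset in the shape Docker installs
# Same ruleset after `iptables -I DOCKER-USER -i eth0 -o wg0 -j ACCEPT`
FIXED = DOCKER.replace("-A DOCKER-USER -j",
                       "-A DOCKER-USER -i eth0 -o wg0 -j ACCEPT\n-A DOCKER-USER -j", 1)

def parse(ruleset):
    policies, chains = {}, {}
    for line in ruleset.strip().splitlines():
        op, chain, *rest = line.split()
        chains.setdefault(chain, [])
        if op == "-P":
            policies[chain] = rest[0]
        rule, neg = {}, False
        for tok, val in zip(rest, rest[1:] + [None]):
            if tok in ("-i", "-o", "-j"):
                rule[tok], neg = (val, neg), False
            elif tok == "!":
                neg = True
            elif tok.startswith("-"):
                raise ValueError("unsupported match: " + tok)
        if op == "-A":
            chains[chain].append(rule)
    return policies, chains

def walk(chains, chain, i, o):
    for rule in chains[chain]:
        if any(k in rule and (rule[k][0] == v) == rule[k][1]
               for k, v in (("-i", i), ("-o", o))):
            continue  # an interface condition did not match
        target = rule["-j"][0]
        if target == "RETURN":
            return None
        verdict = target if target in ("ACCEPT", "DROP") else walk(chains, target, i, o)
        if verdict:
            return verdict
    return None  # fell off the end of the chain

def forward_verdict(ruleset, i, o):
    policies, chains = parse(ruleset)
    return walk(chains, "FORWARD", i, o) or policies["FORWARD"]
```

Call `forward_verdict(text, "wg0", "eth0")` and `forward_verdict(text, "eth0", "wg0")` on your own `iptables -S` output to check each direction separately; rules that use other match options raise `ValueError` rather than being guessed at.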