docker installation break wireguard connection

Hi,

It seems Docker's iptables rules break iptables when wg-quick up proceeds; any references on how to reconfigure?

I did a fresh install with Pi-hole and WireGuard. I have correct access from my mobile through WireGuard to my local LAN and to the general web.
Later I installed Docker and it broke my connection.
I had a look at iptables before and after:

Wireguard:

# Generated by xtables-save v1.8.2 on Sun Aug 11 13:57:26 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sun Aug 11 13:57:26 2019
# Generated by xtables-save v1.8.2 on Sun Aug 11 13:57:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 11 13:57:26 2019

After Docker install:

# Generated by xtables-save v1.8.2 on Sun Aug 11 14:28:57 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Aug 11 14:28:57 2019
# Generated by xtables-save v1.8.2 on Sun Aug 11 14:28:57 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o NONE -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Aug 11 14:28:57 2019

The only difference is that the “-A POSTROUTING -o wlan0 -j MASQUERADE” in the nat table is missing.

I tried to add it with iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE, but it did not work.

EDIT:
Just spotted that I had missed a change in the first lines.
The *filter :FORWARD ACCEPT [0:0] is now DROP!!!
Changing it to ACCEPT seems to fix the issue. I guess Docker is doing this for security, but I'm not sure how it can be modified safely.
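The two dumps above show why the tunnel stops working: after Docker is installed the filter FORWARD policy is DROP, and the only WireGuard rule left in FORWARD is "-i wg0 -j ACCEPT". Packets arriving from the tunnel are therefore still forwarded, but the replies coming back from wlan0 and leaving via "-o wg0" match nothing and hit the DROP policy, whereas before Docker the ACCEPT policy covered them. Setting the policy back to ACCEPT works, but it reopens forwarding for every interface on the box. Docker jumps to the DOCKER-USER chain (visible in the dump) before any of its own rules and leaves that chain for administrator rules, so the narrower fix is to accept the tunnel traffic there and leave the policy at DROP. The script below is an added example for this thread, not code from the poster, DietPi or Docker: it parses iptables-save output, reports the FORWARD policy, checks which direction over the tunnel interface lacks an ACCEPT, and prints the DOCKER-USER commands. The interface names wg0 and wlan0 are assumed from the post, and the embedded dumps are copied from it.

```python
"""Diagnose WireGuard forwarding after Docker rewrote the iptables FORWARD chain.

Added example for this thread, not code from the poster, DietPi or Docker.
Assumed: tunnel interface wg0 and uplink wlan0 (both taken from the post).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed samples: the *filter tables from the post, before and after Docker.
SAMPLE_BEFORE_DOCKER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
"""

SAMPLE_AFTER_DOCKER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
"""


def parse_filter_table(dump: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Split the *filter table of an iptables-save dump into chain policies
    ('-' for user-defined chains) and the rule text appended to each chain."""
    policies: Dict[str, str] = {}
    rules: Dict[str, List[str]] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):  # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line == "COMMIT" or line.startswith("#"):
            continue
        m = re.match(r"^:(\S+)\s+(\S+)", line)  # :CHAIN POLICY [pkts:bytes]
        if m:
            policies[m.group(1)] = m.group(2)
            rules.setdefault(m.group(1), [])
            continue
        m = re.match(r"^-A\s+(\S+)\s*(.*)$", line)  # -A CHAIN <match> -j TARGET
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules


def accepted_directions(rules: Dict[str, List[str]], wg_if: str = "wg0") -> Set[str]:
    """Directions over wg_if with an explicit ACCEPT in the chains every forwarded
    packet traverses (FORWARD itself and DOCKER-USER, which FORWARD jumps to first).
    Docker's own chains only RETURN or DROP, so anything not accepted here falls
    through to the FORWARD policy."""
    found: Set[str] = set()
    for chain in ("FORWARD", "DOCKER-USER"):
        for rule in rules.get(chain, []):
            if not rule.endswith("-j ACCEPT"):
                continue
            if f"-i {wg_if}" in rule:
                found.add("in")  # packets arriving from the tunnel
            if f"-o {wg_if}" in rule:
                found.add("out")  # replies going back into the tunnel
    return found


def diagnose(dump: str, wg_if: str = "wg0") -> Dict[str, object]:
    """Report the FORWARD policy and which tunnel directions would be dropped."""
    policies, rules = parse_filter_table(dump)
    policy = policies.get("FORWARD", "ACCEPT")
    missing = sorted({"in", "out"} - accepted_directions(rules, wg_if))
    return {"forward_policy": policy, "missing": missing,
            "broken": policy == "DROP" and bool(missing)}


def remediation(wg_if: str = "wg0", wan_if: str = "wlan0") -> List[str]:
    """Commands that allow tunnel forwarding via Docker's DOCKER-USER hook chain
    (inserted with -I so they sit above Docker's trailing -j RETURN), plus the
    MASQUERADE rule from the post. The FORWARD policy itself stays at DROP."""
    return [
        f"iptables -I DOCKER-USER -i {wg_if} -j ACCEPT",
        f"iptables -I DOCKER-USER -o {wg_if} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
    ]


if __name__ == "__main__":
    import subprocess
    import sys
    # With "--live" read the real ruleset (needs root); otherwise use the post's dump.
    dump = (subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
            if "--live" in sys.argv else SAMPLE_AFTER_DOCKER)
    result = diagnose(dump)
    print(result)
    if result["broken"]:
        print("\n".join(remediation()))
```

Run against the post's "after Docker" dump it reports the FORWARD policy as DROP with the "out" direction missing, which is exactly the symptom described. The printed rules only live until reboot, so the durable place for them is the wg-quick config's PostUp and PostDown lines rather than a one-off iptables call. Separately, the second dump contains "-A POSTROUTING -o NONE -j MASQUERADE": the MASQUERADE rule was installed with the literal interface name NONE instead of wlan0, so whatever supplies the interface name to that PostUp line is worth checking at the same time.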
boosterhq
MichaIng

jvteleco
I just remembered the issue the other way round: Docker fails to start with the VPN enabled if bridged networking is enabled: https://dietpi.com/forum/t/vpn-breaks-docker/3207/2
If you don't require it (inter-container communication), you can disable it as mentioned in the link.

I guess it depends on the start order. When starting WireGuard first and Docker afterwards, probably Docker fails; with WireGuard first and Docker afterwards, probably WireGuard fails, as you describe it. The latter is the default on DietPi, since WireGuard starts at an earlier boot stage and Docker at the very last. I hope disabling the bridged network makes Docker skip the iptables rules.