Hi,
It seems Docker's iptables rules break the iptables setup when wg-quick up proceeds. Any references on how to reconfigure?
Docker installation breaks WireGuard connection
Re: Docker installation breaks WireGuard connection
I did a fresh install with Pi-hole and WireGuard. I have correct access from my mobile through WireGuard to my local LAN and to the general web.
Later I installed Docker and it broke my connection.
I had a look at iptables before and after:
Wireguard:
# Generated by xtables-save v1.8.2 on Sun Aug 11 13:57:26 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sun Aug 11 13:57:26 2019
# Generated by xtables-save v1.8.2 on Sun Aug 11 13:57:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 11 13:57:26 2019
After Docker install:
# Generated by xtables-save v1.8.2 on Sun Aug 11 14:28:57 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Aug 11 14:28:57 2019
# Generated by xtables-save v1.8.2 on Sun Aug 11 14:28:57 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o NONE -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Aug 11 14:28:57 2019
I tried to add it with iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE, but it did not work.
EDIT:
I just spotted that I had missed a change in the first lines.
The *filter :FORWARD ACCEPT [0:0] is now DROP!!!
Changing it to ACCEPT seems to fix the issue. I guess Docker is doing this for security, but I'm not sure how it can be modified safely.
@boosterhq
@MichaIng
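An added example for this thread (not code from the posts above, nor DietPi's or Docker's own): instead of setting the FORWARD policy back to ACCEPT, which re-opens forwarding for every interface including the containers, the WireGuard rules can go into Docker's DOCKER-USER chain. Docker's own documentation ("Docker on a router") recommends exactly this, because the chain is consulted before any of Docker's FORWARD rules. The script also reads an iptables-save dump and shows why the existing "-A FORWARD -i wg0 -j ACCEPT" rule stops being enough once the policy is DROP: it only covers packets arriving from the tunnel, not the replies going back out. Assumptions, not from the thread: the interface names wg0 and wlan0, the peer subnet 10.6.0.0/24, the file name wg-docker.sh, and that Docker keeps a pre-existing DOCKER-USER chain (only appending its RETURN rule and the FORWARD jump) rather than recreating it, which matters on DietPi where wg-quick starts before dockerd.

```shell
#!/bin/sh
# wg-docker.sh: WireGuard forwarding rules that survive Docker's "-P FORWARD DROP".
# Added example for the forum thread, not code from DietPi, WireGuard or Docker.
# Placeholders (assumed, not from the thread): wg0, wlan0, 10.6.0.0/24.
# IPT=echo turns every call into a dry run that prints the iptables command line.

IPT="${IPT:-iptables}"

# wg_rules up|down WG_IF WAN_IF WG_NET -- install or remove the tunnel's rules.
wg_rules() {
    action="$1" wg_if="$2" wan_if="$3" wg_net="$4"
    case "$action" in
        up)   op=-I ;;
        down) op=-D ;;
        *)    echo "usage: wg_rules up|down WG_IF WAN_IF WG_NET" >&2; return 2 ;;
    esac
    if [ "$action" = up ]; then
        # wg-quick runs before dockerd on DietPi, so the chain may not exist yet.
        # Assumption: Docker reuses an existing DOCKER-USER chain instead of recreating it.
        "$IPT" -N DOCKER-USER 2>/dev/null || true
    fi
    # Peer -> LAN / Internet: new connections may leave the tunnel.
    "$IPT" "$op" DOCKER-USER -i "$wg_if" -s "$wg_net" -j ACCEPT
    # LAN / Internet -> peer: only replies to connections the peer opened (least
    # privilege; a blanket "-o wg0 -j ACCEPT" would let anything on the LAN reach peers).
    "$IPT" "$op" DOCKER-USER -o "$wg_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Source NAT scoped to the peer subnet, separate from Docker's 172.17.0.0/16 rule.
    "$IPT" -t nat "$op" POSTROUTING -s "$wg_net" -o "$wan_if" -j MASQUERADE
}

# forward_policy [FILE]: the filter-table FORWARD policy in an iptables-save dump
# (reads stdin when no file is given).
forward_policy() {
    awk '/^\*/ { t = $1 } t == "*filter" && $1 == ":FORWARD" { print $2; exit }' "$@"
}

# missing_wg_forward WG_IF [FILE]: forwarding directions the dump never ACCEPTs for
# the tunnel. Under policy DROP both "in" and "out" need an explicit rule; the stock
# wg-quick rule only covers "in", which is why replies no longer reach the peer.
missing_wg_forward() {
    wg_if="$1"; shift
    awk -v wg="$wg_if" '
        /^\*/ { t = $1 }
        t == "*filter" && /-j ACCEPT/ && $0 ~ ("-i " wg "( |$)") { in_ok = 1 }
        t == "*filter" && /-j ACCEPT/ && $0 ~ ("-o " wg "( |$)") { out_ok = 1 }
        END { if (!in_ok) print "in"; if (!out_ok) print "out" }' "$@"
}

# Constructed sample: the filter table from the thread's "after Docker" dump, trimmed.
AFTER_DOCKER='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

case "${1:-}" in
    up|down)
        wg_rules "$1" "${2:-wg0}" "${3:-wlan0}" "${4:-10.6.0.0/24}" ;;
    check)
        # Analyse a saved dump given as argument, or the constructed sample without one.
        dump=$(mktemp)
        if [ -n "${2:-}" ]; then cat "$2" > "$dump"; else printf '%s\n' "$AFTER_DOCKER" > "$dump"; fi
        echo "FORWARD policy: $(forward_policy "$dump")"
        echo "directions not accepted for wg0: $(missing_wg_forward wg0 "$dump" | tr '\n' ' ')"
        rm -f "$dump" ;;
esac
```

Hook it from wg0.conf in place of the existing iptables PostUp/PostDown lines, e.g. PostUp = /usr/local/bin/wg-docker.sh up %i wlan0 10.6.0.0/24 and the matching PostDown = ... down %i wlan0 10.6.0.0/24; IPT=echo ./wg-docker.sh up prints the commands without applying them, and ./wg-docker.sh check /path/to/iptables-save.txt reports the policy and any direction still missing. Before Docker starts the rules sit unused and forwarding works through the ACCEPT policy as before; once dockerd inserts its FORWARD jump and flips the policy to DROP, the DOCKER-USER rules take over. The alternative of "iptables": false in /etc/docker/daemon.json stops Docker from touching iptables at all, but then published container ports lose their NAT, so the DOCKER-USER route is the safer one.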
Re: Docker installation breaks WireGuard connection
@jvteleco
I just remembered the issue the other way round: Docker fails to start with the VPN enabled if bridged networking is enabled: viewtopic.php?p=18196#p18196
If you don't require it (inter-container communication), you can disable it as mentioned in the link.
I guess it depends on the start order. When starting WireGuard first and Docker afterwards, probably Docker fails; with WireGuard first and Docker afterwards, probably WireGuard fails, as you describe. The latter is the default on DietPi, since WireGuard starts at an earlier boot stage and Docker at the very last. I hope disabling the bridged network makes Docker skip the iptables rules.