Docker breaking Wireguard external connectivity

Post by essjay2009 »

I'm pulling my hair out with this one. So I used DietPi to set up a few applications, primarily Pi-hole and Wireguard. Everything was working fine. I then used dietpi-software to install Docker, which broke Wireguard. If I connect my client to the Wireguard server it authenticates ok. If I attempt to visit a URL I can see the DNS query appearing in the Pi-hole logs, but no external site will actually load.

I've seen a few instances of this issue come up and they seem to be focused on two potential issues. The first is Docker creating a bunch of unhelpful iptables rules. So I flushed all rules out of iptables (for troubleshooting) and it didn't make a difference. The other is an issue with the bridge network Docker creates causing a clash of addresses, so I deleted the bridge network. This also didn't solve the issue.

If I uninstall Docker (using dietpi-software), Wireguard goes back to functioning correctly again (after a reboot and wg-quick down then up). I've been using Wireguard and Pi-hole for a while without issue, though not through DietPi, but have never had Docker running on the same machine.

So I'm completely stumped. I can't think what else would be causing the issue if it's not iptables (and assuming flushing would remove that as a variable - unless I'm wrong?) and not docker network causing a clash (I can see through ip addr that it's not using the same address space). Anyone got any ideas?

Latest dietpi on a RPi 3B.
Re: Docker breaking Wireguard external connectivity

Post by Joulinar »

Many thanks for your message. I found this old entry on our board: viewtopic.php?f=11&t=6119

It looks similar to what you described.

Basically the following should fix it at runtime. Unfortunately it doesn't seem to be boot persistent, or it gets overwritten by Docker all the time?

Code:

iptables --policy FORWARD ACCEPT

Found this on Docker docs ... n-a-router

Not sure what is the best way to add the ACCEPT rule to the DOCKER-USER chain. But the following was working in my test:

Code:

iptables -I DOCKER-USER -i eth0 -o wg0 -j ACCEPT
apt install iptables-persistent

Maybe there is a better option. Need to say, I'm not a Docker specialist.
Please let us know if a solution is working. This could help others if they are hit by a similar situation.

Your DietPi Team
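An added example, not part of either post: a small evaluator that reads `iptables-save` text and reports what happens to a packet forwarded between two interfaces, which shows why a FORWARD policy of DROP survives a flush and what the DOCKER-USER rule changes. The ruleset is constructed, the `-A FORWARD -i wg0 -j ACCEPT` rule is an assumed WireGuard PostUp rule, and the names `parse`, `hit` and `verdict` are hypothetical.

```python
import shlex

# Constructed iptables-save excerpt (not from the thread): Docker-style filter
# table plus an assumed WireGuard PostUp rule that accepts traffic from wg0.
DOCKER = """\
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""
# After `iptables -F`: every rule is gone, the chain policies stay as they were.
FLUSHED = "\n".join(l for l in DOCKER.splitlines() if not l.startswith("-A"))
# With the DOCKER-USER rule from the reply inserted at the top of that chain.
FIXED = DOCKER.replace("-A DOCKER-USER -j",
                       "-A DOCKER-USER -i eth0 -o wg0 -j ACCEPT\n-A DOCKER-USER -j", 1)

def parse(text):
    """Return ({chain: policy}, {chain: [rule dicts holding -i/-o/-j]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif line.startswith("-A "):
            rule = {t: ("!" if tok[i - 1] == "!" else "") + tok[i + 1]
                    for i, t in enumerate(tok[:-1]) if i > 1 and t in ("-i", "-o", "-j")}
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def hit(spec, iface):
    """Interface match: an absent option matches all, '!' negates ('+' wildcards unsupported)."""
    return spec is None or (spec[1:] != iface if spec[0] == "!" else spec == iface)

def verdict(text, in_if, out_if):
    """Fate of a packet forwarded in_if -> out_if; only -i/-o are evaluated (simplification)."""
    policies, chains = parse(text)
    def walk(chain):
        for r in chains.get(chain, []):
            if hit(r.get("-i"), in_if) and hit(r.get("-o"), out_if):
                if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
                    return r["-j"]
                if r.get("-j") == "RETURN":
                    return None
                result = walk(r.get("-j"))  # jump into a user-defined chain
                if result:
                    return result
    return walk("FORWARD") or policies["FORWARD"]
```

On a real host, pass the output of `iptables-save -t filter` as `text` and check both directions, for example `verdict(text, "wg0", "eth0")` and `verdict(text, "eth0", "wg0")`.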