docker installation break wireguard connection

Having issues with your DietPi installation, or, found a bug? Post it here.
boosterhq
Posts: 1
Joined: Thu Jul 11, 2019 6:17 am

docker installation break wireguard connection

Post by boosterhq »

Hi,

It seems Docker's iptables rules break iptables when wg-quick up proceeds. Any references on how to reconfigure?
jvteleco
Posts: 1
Joined: Sun Aug 11, 2019 3:25 pm

Re: docker installation break wireguard connection

Post by jvteleco »

I did a fresh install with Pi-hole and WireGuard. I have correct access from my mobile through WireGuard to my local LAN and to the general web.
Later I installed Docker and it broke my connection.
I had a look at iptables before and after:

Wireguard:


# Generated by xtables-save v1.8.2 on Sun Aug 11 13:57:26 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sun Aug 11 13:57:26 2019
# Generated by xtables-save v1.8.2 on Sun Aug 11 13:57:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 11 13:57:26 2019

After Docker install:


# Generated by xtables-save v1.8.2 on Sun Aug 11 14:28:57 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Aug 11 14:28:57 2019
# Generated by xtables-save v1.8.2 on Sun Aug 11 14:28:57 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o NONE -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Aug 11 14:28:57 2019

The only difference is that the "-A POSTROUTING -o wlan0 -j MASQUERADE" in the nat table is missing.

I tried to add it with iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE but it did not work.

EDIT:
Just spotted I had missed a change in the first lines.
The *filter :FORWARD ACCEPT [0:0] is now DROP!!!
Changing it to ACCEPT seems to fix the issue. Guess Docker is doing this for security, but not sure how it can be modified safely.
@boosterhq
@MichaIng
MichaIng
Site Admin
Posts: 2287
Joined: Sat Nov 18, 2017 6:21 pm

Re: docker installation break wireguard connection

Post by MichaIng »

@jvteleco
I just remembered the issue the other way round, that Docker fails to start with VPN enabled, if bridged networking is enabled: viewtopic.php?p=18196#p18196
If you don't require it (inter-container communication) you can disable it as mentioned in the link.

I guess it depends on the start order. When starting WireGuard first and Docker afterwards, Docker probably fails; with WireGuard first and Docker afterwards, WireGuard probably fails as you describe it. The latter is the default on DietPi since WireGuard starts at an earlier boot stage and Docker at the very last. I hope disabling bridged networking makes Docker skip its iptables rules.
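An added example (POSIX sh, not code from the thread, DietPi or Docker) that reads the dumps above the way packets do: the second dump still accepts traffic arriving on wg0, but with the policy at DROP nothing accepts the replies routed back out of wg0, and the printed fix admits both directions from Docker's own DOCKER-USER chain instead of reopening FORWARD for every interface on the host. It assumes the wg0/wlan0 names from the posts and that the rules are wired into wg-quick PostUp/PostDown in wg0.conf.

```shell
#!/bin/sh
# Added example (not from the thread, DietPi or Docker): audit an iptables-save
# dump for the wg0 return-path problem seen above and print a fix scoped to
# Docker's DOCKER-USER chain. wg0/wlan0 are the interface names from the posts.

# Constructed input: the FORWARD-relevant lines of the "After Docker" dump.
AFTER_DOCKER='*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'
# Constructed input: the pre-Docker dump (policy ACCEPT, one wg0 rule).
BEFORE_DOCKER='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT'

# Policy of the FORWARD chain in the *filter table: "ACCEPT" or "DROP".
forward_policy() {
    printf '%s\n' "$1" | awk '/^\*filter/ {f=1} f && /^:FORWARD / {print $2; exit}'
}

# True if a rule explicitly accepts packets forwarded out through wg0 (replies
# from the LAN/internet to VPN peers). "-A FORWARD -i wg0 -j ACCEPT" only
# covers the outbound half; with policy DROP the replies never match and die.
accepts_return_to_wg0() {
    printf '%s\n' "$1" | grep -Eq -- '^-A (FORWARD|DOCKER-USER) .*-o wg0 .*-j ACCEPT'
}

# 0 if wg0 <-> wlan0 forwarding works in both directions, 1 otherwise.
wg_forwarding_ok() {
    [ "$(forward_policy "$1")" = ACCEPT ] && return 0
    accepts_return_to_wg0 "$1"
}

# Fix that keeps FORWARD at DROP: Docker jumps to DOCKER-USER first and leaves
# it for admin rules, so -I puts ours ahead of its trailing RETURN. Printed as
# wg-quick PostUp/PostDown lines for wg0.conf (this example's suggestion).
docker_user_fix() {
    cat <<'EOF'
PostUp = iptables -I DOCKER-USER -i wg0 -o wlan0 -j ACCEPT; iptables -I DOCKER-USER -i wlan0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D DOCKER-USER -i wg0 -o wlan0 -j ACCEPT; iptables -D DOCKER-USER -i wlan0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}
```

Run it against your own `iptables-save` output with `wg_forwarding_ok "$(iptables-save)"` to confirm the verdict before and after applying the PostUp lines.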