Port Forward? #58
Comments
you can use an nginx reverse proxy for that |
Care to elaborate? I have a wire guard client connected to a vpn service. They forward a port, which should go to the wire guard client docker container itself. Even if I use nginx, it's not clear how I'd get the wireguard docker container to forward the port to nginx (or anything else) because it's just going to die inside the docker container because it doesn't know where to send the traffic that wasn't initiated internally. |
This is not a bug, but a question about how to set up something custom. In a nutshell, you'd have the other container use wireguard client's network stack. Then you can either have the container listen on that port, or have nginx listen on that port and reverse proxy. There are other methods as well, but all are beyond the scope of this. We don't officially provide support for that. Feel free to drop by our discord to discuss. |
It's a feature request not a how-to. I've tried what you suggested, and it didn't work if there were multiple docker containers as clients. I.e: Wireguard Client The Wireguard client needs to forward incoming traffic on 5597 to Container B, nothing else. This would need to also work for: Wireguard Client It should forward by IP address in that case outside of the container. Presumably this would set up IP tables based on the environment variables passed to go and redirect the ports properly. |
FYI if anyone else stumbles across this issue - You can enable external traffic coming in through VPN on a given port by adding this to the PostUp and PreDown section of your wg0.conf:
Where 1234 is your port (perhaps given to you by your VPN provider). |
@julianpoy Thanks! How does one specify the dns or ip of the docker container or other destination? |
If you're using the service:containername pattern, the other container should be bound to the same network stack and should work without any changes. If you're using a user-defined network, you'll have to add some rules to forward to the desired container IP. |
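One way to produce the kind of forwarding rules mentioned above for a user-defined network, as an added example that is not part of the thread or the project's code: a generator for per-port `PostUp`/`PreDown` DNAT rules that validates each mapping first. The `PORT:PROTO:DEST_IP` mapping format and the IP `172.20.0.3` are assumptions; it also assumes IP forwarding is enabled in the WireGuard container and that the target container routes its replies back through it.

```sh
#!/bin/sh
# Added example (not from the thread). Mapping format PORT:PROTO:DEST_IP is an
# assumption of this sketch; 172.20.0.3 below is a constructed container IP.

valid_port() {   # decimal 1-65535, no leading zeros
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # four dot-separated octets, each 0-255, no leading zeros
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# forward_rules IFACE MAPPING...
# Prints one PostUp line per mapping, then the matching PreDown lines.
# Prints nothing and returns 1 if any mapping is malformed.
forward_rules() {
    iface=$1; shift
    up=''; down=''; nl='
'
    for m in "$@"; do
        port=${m%%:*}; rest=${m#*:}
        proto=${rest%%:*}; dest=${rest#*:}
        valid_port "$port" || { echo "bad port in '$m'" >&2; return 1; }
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$m'" >&2; return 1 ;;
        esac
        valid_ipv4 "$dest" || { echo "bad destination in '$m'" >&2; return 1; }
        # Scope each rule to the tunnel interface, protocol, port and target.
        nat="PREROUTING -i $iface -p $proto --dport $port -j DNAT --to-destination $dest:$port"
        fwd="FORWARD -i $iface -d $dest -p $proto --dport $port -j ACCEPT"
        up="${up}PostUp = iptables -t nat -A $nat; iptables -A $fwd$nl"
        down="${down}PreDown = iptables -t nat -D $nat; iptables -D $fwd$nl"
    done
    printf '%s%s' "$up" "$down"
}

# wg-quick replaces %i with the interface name when it runs PostUp/PreDown.
forward_rules '%i' 5597:tcp:172.20.0.3
```

The printed lines go in the `[Interface]` section of wg0.conf; each `PreDown` deletes exactly the rule its `PostUp` added, so nothing stays open after the tunnel goes down.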
@julianpoy I am attaching my wireguard container to my Traefik reverse proxy network, with a static IP, and am then funneling the linuxserver qbittorrent container through it via network_mode: service:wireguard. With a combination of your PostUp and PreDown above, combined with the suggested LAN access, I believe I have it working. I can hit qBit at my subdomain, all my subdomains still reflect their Cloudflare IPs via ping, but doing a Last thing to determine is if the port forwarding works on the torrent client properly as I cannot seem to get netcat working to test Mullvad's port checker tool. To forward the Wireguard traffic through my router/etc., would I need to port forward the wireguard port of 51820 instead of my prior qBit port of 51419? Thanks very much. Relevant compose:
|
The problem with using service:wireguard is that if the wireguard endpoint goes down, it almost always crashes the other containers that are linked with service:wireguard. Hence why I'd like to create a docker network for them and then have it redirect traffic to the specified container that isn't dependent on the service:wireguard but also have that network have a gateway of the wireguard client docker. |
If you find a way please let me know or post |
That should never happen as Wireguard doesn't have any concept of an endpoint going down and will continue sending traffic regardless. Child containers would lose internet access but if that's enough to crash them then the applications running in those containers are bad. |
Quick question; I'm also trying to get port forwarding set up. I have added custom IP routing in the config file like mentioned above, do I need to also add If anyone has any ideas let me know! |
@BrodyStone21 I've since gotten this working, with forwarding as well as webUI with Traefik. The key is to forward the forwarded port of your VPN provider on the Wireguard container and not the torrent container, and then also ensure the torrent container uses that port for traffic. Separately, ensure the webui port of the torrent client is set with your reverse proxy of choice, in my case Traefik.
|
@undaunt so let's say I have forwarded port 1234, should I go to my wireguard docker container and do I just made a Reddit post here with all of my configs if you wouldn't mind taking a look I would appreciate it! |
@julianpoy - I've got the above rules in my iptables. When I use something like this to check if the port is open using the IP of the container VPN, it comes back as a closed port. Any ideas? |
@jjarthur Hello, I have the same problem, did you find a solution? |
No, I never found a solution unfortunately. Let me know if you find one that works for you. |
@spider1163 and @jjarthur I managed to get this working forever ago. Make sure you're using a VPN that supports port forwarding, then enable it and copy down your port. You're going to want the below lines under the
I hope this helps |
@BrodyStone21 I have tested these settings and they don't work. Please guide me on this...:
The Pi with wireguard client connects correctly to the Pi with wireguard server, and I can ping devices on the same VPN network. (From the PC I can ping the wireguard client container and vice versa.) I need to be able to connect through the VPN network to:
FYI I'm using portainer to launch stack of individual services. WireGuard Stack
PLEX Stack
WireGuard Server config
My RaspberryPi WireGuard Client Config:
|
@jotadominguez the problem is that you're trying to forward port 32400. You won't do that here. First, you need a VPN that supports port forwarding. I use Mullvad, but there are others out there. Mullvad allows randomly generating a port forwarded port. For this example, let's say that the port Mullvad assigned is 68734. You would replace Let's say your Plex container is called plex, and your VPN container is called vpn. Inside of your plex compose file, you will want to bind the plex network mode to your vpn. I use docker run, so this would look like You're currently using the host network mode, so your VPN and Plex containers are on two different networks. |
No, so the only place I'm putting the forwarded ports from the VPN provider is within qBittorrent as the 'Port used for incoming connections.' Everything else is just networking the containers together and the postup/predown wireguard scripts. Keep in mind that the qBittorrent container will be operating only within the Wireguard network if you attach it to wireguard, and within the wireguard network, we're forwarding the port the provider has sent us. The configs I posted above are more so about the local wireguard container port 51820 to my host OS for wireguard connectivity, and then I'm forwarding port (example) 8081 as the "WEBUI_PORT" on qBittorrent's container as an environmental variable. I'm then putting that same port as the Traefik loadbalancer port on the Wireguard container so I can see the qBittorrent webui via my local reverse proxy, and also exposing it to the host. I may not need to expose it to the host and only expose 51820, but I haven't bothered to test removing it. Let me paste my actual configs without variables making it harder to read. Here are my wg0.conf postup and predown scripts. Obviously I'm not including my private key and my server, etc.
Here is my qB container (1 of 5, I actually am load balancing my traffic based on number of torrents so the containers don't bog down)
Here is wireguard, and I'm removing the lines for the other four containers so it's easier to read.
I'm generating a file from Mullvad as well to download my wg0.conf but unlike @BrodyStone21 I'm not specifying a forwarded port within the preup/postdown and my trackers still see me as open and available for seeding. |
Expected Behavior
I should be able to give a list of ports and destination IPs/docker containers to forward ports to for incoming traffic on the wireguard client.
Current Behavior
Doesn't appear to be possible to handle port forwarding.