Hello selfhosters,

I have two ip routes on my selfhosted server:

  • The first and default one is routing through my ISP router.
  • The second one is a Wireguard connection that is imported and managed via Network Manager with the below options so it does not interfere with the default route.
sudo nmcli con modify wg ipv4.never-default true
sudo nmcli con modify wg ipv6.never-default true
sudo nmcli con modify wg ipv6.routes '::/0'
sudo nmcli con modify wg ipv6.route-metric 1000

I could test this setup with

curl ifconfig.me                 # IP from ISP
curl --interface wg ifconfig.me  # IP of the VPN

Right now I would like to tell docker to create a bridge network that routes outgoing traffic from that bridge network through the second (the VPN) route, but I am struggling to do it.

I’ve tried to do this

docker network create vpn-net -o com.docker.network.host_ipv4=10.x.y.z  # VPN inet obtained via ip addr show

but it does not work.

Do you have any suggestion about it? Thank you very much!

  • KaninchenSpeed@lemmy.blahaj.zone · 1 upvote · 43 minutes ago

    I’ve never used network manager on a server and don’t understand your routing configuration; I’m assuming you have wg0 configured to have a default route (ip route list).

    You should be able to connect a docker network to the vpn by using a macvlan instead of a bridge type network and set the parent interface of it to the wg0 interface.

    docker network create -d macvlan \
      --subnet=<internal vpn network>/24 \
      --gateway=<gateway ip> \
      -o parent=wg0 vpn-net

    modified from the docker documentation

    Probably also set an ip-range on the network to make the auto assigned ips not conflict with other wireguard nodes (see linked documentation).

    Make sure the allowed ips in the wireguard configs are set correctly.

    You can also do ipv6 like this, see the end of the linked documentation page.

  • BruisedMoose@piefed.social · 19 upvotes · 4 hours ago

    First off, take this for what it is: a guy who can follow instructions but does not understand all the inner workings of docker.

    I use Gluetun and have a set of apps that I run through it. They are all in the same compose file. Each of the ports is defined in the Gluetun section and not with the individual app. Then each app’s network_mode is set to service:gluetun.

    This routes all the traffic for those apps through the VPN while maintaining my regular network for everything else.

    • BakedCatboy@lemmy.ml · 4 upvotes · 3 hours ago

      I second this. Gluetun makes it so easy, working with docker’s internal networking is such a pain.

    • d00phy@lemmy.world · 1 upvote · 2 hours ago

      This was my thought as well. Anything that requires VPN is added to that stack, and if I can bind it to the “tun” device I do, but the container requires gluetun to be up.

      • d00phy@lemmy.world · 2 upvotes · 1 hour ago

        So I got back to my server, and here’s what I do:

        gluetun settings:

        services:
          gluetun:
        *snip*
            ports:
        *snip*
              - 8090:8090 # port for qbittorrent
        *snip*
        

        qbittorrent (in the same compose.yml):

          qbittorrent:
            image: linuxserver/qbittorrent:latest
            container_name: qbittorrent
            environment:
        *snip*
              - WEBUI_PORT=8090
        *snip*
            network_mode: service:gluetun # run on the vpn network
            depends_on:
              gluetun:
                condition: service_healthy
        *snip*
        

        Also, in qbittorrent settings you can bind it to a network device. In my case it’s “tun0.” This same thing can probably be done w/ a docker network in a gluetun container and separate containers that rely on that network being up, but I haven’t looked into it. Right now, I have 2 other services that require VPN, and I’m looking at possibly 1 or 2 more. That’s pretty manageable as a single stack, I think.
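A complete, minimal compose file for the "everything behind gluetun" pattern described in this thread, added here as an example; it is not the poster's own file (theirs is snipped above), and the provider name, keys, endpoint and tunnel address are placeholders you replace with your own VPN details.

```yaml
# Added example of the gluetun pattern from this thread; not the poster's compose.yml.
# All REPLACE_ME / 203.0.113.x / 10.0.0.x values are placeholders.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                          # needed to create the tunnel and firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=custom        # placeholder: or your provider's name
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=203.0.113.1        # placeholder: VPN server address (custom provider)
      - VPN_ENDPOINT_PORT=51820            # placeholder
      - WIREGUARD_PUBLIC_KEY=REPLACE_ME    # placeholder: server public key
      - WIREGUARD_PRIVATE_KEY=REPLACE_ME   # placeholder: your private key
      - WIREGUARD_ADDRESSES=10.0.0.2/32    # placeholder: your tunnel address
    ports:
      - 8090:8090                          # qbittorrent WebUI, published on gluetun, not on the app

  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - WEBUI_PORT=8090
    network_mode: service:gluetun          # shares gluetun's netns, so the app only sees tun0
    depends_on:
      gluetun:
        condition: service_healthy         # gluetun's built-in healthcheck gates startup
```

To confirm nothing leaves via the ISP route, run `docker run --rm --network container:gluetun curlimages/curl -s ifconfig.me` and check that it prints the VPN address, not the ISP one; gluetun's firewall also drops non-tunnel traffic if the tunnel goes down, so the apps stop rather than fall back to the default route.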