AKZN Notes

Archives for My Lazy and Forgetful Mind

Docker Wireguard + Mikrotik

todo:

  • make the IP address obtained from docker-compose > hostnet static/persistent
  • add clearer documentation about docker-compose > hostnet

Installation

Prerequisites

  • Mikrotik
    1. RouterOS v7.1 and above

Docker Wireguard Setup

  • Make sure Docker is installed
  • Using docker-compose

    # docker-compose.yml
    version: '3'
    services:
      wireguard:
        image: lscr.io/linuxserver/wireguard
        container_name: wireguard
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Asia/Jakarta
    #      - SERVERURL=wireguard.[domain].com #optional
          - SERVERPORT=11621 #optional, must match the host side of "ports" below
          - PEERS=3 #optional
          - PEERDNS=auto #optional
          - INTERNAL_SUBNET=10.13.13.0 #optional
          - ALLOWEDIPS=10.13.13.0/24 #optional, only the tunnel subnet is routed through the VPN
        volumes:
          - /var/docker_volume/wireguard_data_1/config:/config
          - /lib/modules:/lib/modules
        ports:
          - 11621:51820/udp
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped
        command: # optional, for custom configuration e.g. iptables NAT
          - /bin/bash
          - -c
          - |
            sh /config/iptables.sh
            /init
        networks:
          - hostnet

    networks:
      hostnet:
        name: hostnet
        ipam:
          driver: default
          config:
          - subnet: "172.168.3.0/24" # note: 172.168.0.0/16 is NOT RFC 1918 private space (that is 172.16.0.0/12), it overlaps public addresses
            gateway: "172.168.3.1"

    OPTIONAL script, this one forwards selected ports to the host:

    #!/bin/bash
    # iptables.sh, runs inside the container before /init (see "command" in docker-compose.yml)
    
    # open all host ports to clients, NOT RECOMMENDED
    #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
    # port forward to the Docker host (hostnet gateway), needs the masquerade rules below to work
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.168.3.1:80
    iptables -t nat -A PREROUTING -p udp --dport 1812 -j DNAT --to-destination 172.168.3.1:1812
    iptables -t nat -A PREROUTING -p udp --dport 1813 -j DNAT --to-destination 172.168.3.1:1813
    
    # masquerade only the forwarded ports, so the host sees the container as source and replies come back through the tunnel
    iptables -A POSTROUTING -t nat -p tcp -d 172.168.3.1 --dport 80 -j MASQUERADE
    iptables -A POSTROUTING -t nat -p udp -d 172.168.3.1 --dport 1812 -j MASQUERADE
    iptables -A POSTROUTING -t nat -p udp -d 172.168.3.1 --dport 1813 -j MASQUERADE

Host route to container

Because Docker containers are entirely separated from the host, we can't ping from the host into the container's WireGuard network. To resolve that, add a route via the container's hostnet address:

ip route add 10.13.13.0/24 via 172.168.3.3

10.13.13.0/24 is the WireGuard subnet (INTERNAL_SUBNET)
172.168.3.3 is the WireGuard container's IP address on the hostnet network from docker-compose.yml

The command above is lost on reboot. To make it persistent, the easiest way is cron, because the Docker container network is always recreated on reboot:

# sudo crontab -e

add this to crontab

# route to wireguard docker
@reboot sleep 60 && sudo ip route add 10.13.13.0/24 via 172.168.3.3

The sleep is required to wait for the Docker interface to be created.

Mikrotik Setup

The client config files are saved in the host directory given by the volumes: parameter of docker-compose.yml.

  1. Make the WireGuard interface.
    Listen Port : 51820 #value from the docker-compose.yml `ports` parameter, 2nd part
    Private Key : the private key from the client cfg file generated by the WireGuard server created above.
  2. Make the WireGuard peer.
    Public Key : the public key from the client cfg file generated by the WireGuard server created above.
    Endpoint : your server's public IP address, also listed in the client config
    Endpoint Port : 11621 #get it from the client cfg too.
    Allowed Address : 10.13.13.0/24 #get it from the client config.
    Persistent Keepalive : 00:00:25 #this option is required
  3. Add the WireGuard IP allocated to the client to the Mikrotik address list.
    Address : 10.13.13.7/24 #get it from the client cfg
    Network : 10.13.13.0 #WireGuard server network
    Interface : [interface name you created in step 1 above]
  4. There is no sign of an established connection other than the last handshake (in the peer menu) and a ping to the WireGuard server IP.
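As an added example (not from the original notes or the linuxserver project), a small Python helper that reads the peer config the container wrote under the /config volume and prints the RouterOS v7 CLI equivalent of steps 1 to 3, so the keys are never retyped by hand. The interface name `wg-docker`, the /24 prefix and the sample config are assumptions.

```python
import ipaddress
import re
# Constructed sample in the shape of the peer config the linuxserver/wireguard image
# writes under the /config volume (peerN/peerN.conf); the keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.13.13.7
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
Endpoint = 203.0.113.10:11621
AllowedIPs = 10.13.13.0/24
"""

def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")  # base64 keys end in "=", so split on the first "="
        if not sep or current is None:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections

def routeros_commands(conf_text, iface="wg-docker", listen_port=51820, prefix=24):
    """RouterOS v7 CLI for steps 1-3 above; iface name and the /24 prefix are assumptions."""
    cfg = parse_wg_conf(conf_text)
    itf, peer = cfg["Interface"], cfg["Peer"]
    ip = itf["Address"].split("/")[0]  # the image may write the address with or without a prefix
    network = ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address
    host, _, port = peer["Endpoint"].rpartition(":")
    psk = f' preshared-key="{peer["PresharedKey"]}"' if "PresharedKey" in peer else ""
    return [
        # step 1: interface; this line carries the private key, so treat the output as a secret
        f'/interface/wireguard add name={iface} listen-port={listen_port} private-key="{itf["PrivateKey"]}"',
        # step 2: the Docker server as peer; keepalive keeps the NAT mapping open from the Mikrotik side
        f'/interface/wireguard/peers add interface={iface} public-key="{peer["PublicKey"]}" '
        f'endpoint-address={host} endpoint-port={port} allowed-address={peer["AllowedIPs"]} persistent-keepalive=25s{psk}',
        # step 3: tunnel address; step 4 is then "/interface/wireguard/peers print" (last-handshake) and a ping
        f'/ip/address add address={ip}/{prefix} network={network} interface={iface}',
    ]
```

Paste the three printed lines into the RouterOS terminal, then check last-handshake in the peer menu as in step 4.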

Cheatsheet

  • docker compose down
    docker-compose down
  • docker compose up
    docker-compose up -d
  • List connected clients
    docker exec wireguard wg show
