Contents
todo:
- make the IP address obtained from docker-compose > hostnet static/persistent
- add clearer documentation about docker-compose > hostnet
Installation
Prerequisites
- MikroTik
- RouterOS v7.1 and above
Docker Wireguard Setup
- Make sure Docker is installed
Using docker-compose

```yaml
# docker-compose.yml
version: '3'
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Jakarta
      # - SERVERURL=wireguard.[domain].com #optional
      - SERVERPORT=11621 #optional
      - PEERS=3 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=10.13.13.0/24 #optional
    volumes:
      - /var/docker_volume/wireguard_data_1/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 11621:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    command: # optional, for custom configuration, i.e. iptables NAT
      - /bin/bash
      - -c
      - |
        sh /config/iptables.sh
        /init
    networks:
      - hostnet
networks:
  hostnet:
    name: hostnet
    ipam:
      driver: default
      config:
        - subnet: "172.168.3.0/24"
          gateway: "172.168.3.1"
```
OPTIONAL script, this one is for port forwarding:

```bash
#!/bin/bash
# iptables.sh

# open all host ports to clients, NOT RECOMMENDED
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# port forward, needs the masquerade rules below to work
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.168.3.1:80
iptables -t nat -A PREROUTING -p udp --dport 1812 -j DNAT --to-destination 172.168.3.1:1812
iptables -t nat -A PREROUTING -p udp --dport 1813 -j DNAT --to-destination 172.168.3.1:1813

# masquerade the forwarded ports
iptables -A POSTROUTING -t nat -p tcp -d 172.168.3.1 --dport 80 -j MASQUERADE
iptables -A POSTROUTING -t nat -p udp -d 172.168.3.1 --dport 1812 -j MASQUERADE
iptables -A POSTROUTING -t nat -p udp -d 172.168.3.1 --dport 1813 -j MASQUERADE
```
Host route to container
Because the Docker container's network is entirely separated from the host's, we can't ping from the host to the container. To resolve that, add a route via the container's gateway address:

```
ip route add 10.13.13.0/24 via 172.168.3.3
```

- 10.13.13.0/24 is the WireGuard subnet
- 172.168.3.3 is the WireGuard container's IP address, obtained from the hostnet network in docker-compose.yml
The route above is lost on reboot. The easiest way to make it persistent is cron, because the Docker container network is always recreated on reboot:

```
sudo crontab -e
```

Add this to the crontab:

```
# route to wireguard docker
@reboot sleep 60 && sudo ip route add 10.13.13.0/24 via 172.168.3.3
```

The sleep is required to wait for the Docker interface to be created.
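The crontab line above hard-codes 172.168.3.3, which is whatever address Docker assigned when hostnet was last recreated (the todo at the top of this page). The script below is an added example, not from the original page: it looks the address up with `docker inspect` at boot, polls for the container instead of a fixed sleep, and installs the route with `ip route replace` so re-running it is harmless. It assumes the container_name, network name and subnet from the docker-compose.yml above and that `docker` and `ip` are on root's PATH; the file name add-wg-route.sh is a placeholder.

```shell
#!/bin/sh
# add-wg-route.sh: added example, not part of the original page.
# Installs the host route to the WireGuard subnet via the container's current
# address on the hostnet network, looked up at run time rather than hard-coded.
set -eu

WG_SUBNET="10.13.13.0/24"   # INTERNAL_SUBNET / ALLOWEDIPS from docker-compose.yml
CONTAINER="wireguard"       # container_name from docker-compose.yml
NETWORK="hostnet"           # networks: name from docker-compose.yml

# Build the route command from its parts. Free of side effects so it can be
# checked without Docker or root. Rejects anything that is not dotted digits,
# so an empty docker inspect result never becomes `ip route replace ... via`
# with no gateway, and nothing but an address reaches the shell below.
build_route_cmd() {
    subnet="$1"; via="$2"
    case "$via" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    echo "ip route replace $subnet via $via"
}

# Current IPv4 address of container $1 on Docker network $2 (empty if not attached).
container_ip() {
    docker inspect -f "{{(index .NetworkSettings.Networks \"$2\").IPAddress}}" "$1"
}

# Poll for the container instead of a fixed sleep: up to 24 x 5 s = 120 s.
wait_for_container() {
    i=0
    while [ "$i" -lt 24 ]; do
        if [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    echo "container $1 not running after 120 s" >&2
    return 1
}

main() {
    wait_for_container "$CONTAINER"
    via="$(container_ip "$CONTAINER" "$NETWORK")"
    cmd="$(build_route_cmd "$WG_SUBNET" "$via")" || {
        echo "no usable $NETWORK address for $CONTAINER: '$via'" >&2; exit 1; }
    echo "+ $cmd"
    $cmd   # `ip route replace` is idempotent, unlike `ip route add`
}

# Run only when executed as a script; sourcing the file just defines the functions.
case "${0##*/}" in
    add-wg-route.sh) main ;;
esac
```

Install it as, for example, /usr/local/bin/add-wg-route.sh (placeholder path) and replace the crontab line with `@reboot /usr/local/bin/add-wg-route.sh`; it can also be run by hand after `docker-compose up -d`. One caveat on the page's values: 172.168.3.0/24 lies outside the RFC 1918 private ranges (172.16.0.0/12 ends at 172.31.255.255), so the hostnet network and this route shadow real Internet addresses in that block; the script keeps the page's subnet, but a /24 inside 172.16.0.0/12 avoids that.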
Mikrotik Setup
To find the client config file: it is saved under the `volumes:` path from docker-compose.yml.
- Make a WireGuard interface.
  - Listen Port: 51820 (value from the docker-compose.yml `ports` parameter, second part)
  - Private Key: the private key from the client cfg file created by the WireGuard server above
- Make a WireGuard peer.
  - Public Key: the public key from the client cfg file created by the WireGuard server above
  - Endpoint: your server's public IP address (also listed in the client config)
  - Endpoint Port: 11621 (get it from the client cfg too)
  - Allowed Address: 10.13.13.0/24 (get it from the client config)
  - Persistent Keepalive: 00:00:25 (this option is required)
- Add the WireGuard IP allocated for the client to the MikroTik address list.
  - Address: 10.13.13.7/24 (get it from the client cfg)
  - Network: 10.13.13.0 (WireGuard server network)
  - Interface: [interface name you created in step 1 above]
- There is no sign of an established connection other than `last handshake` (in the peer menu) and a ping to the WireGuard server IP.
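The three steps above copy values from a wg-quick style client config into RouterOS fields by hand. The script below is an added example, not from the original page or the linuxserver project: it parses such a config and prints the RouterOS v7 CLI commands equivalent to the three GUI steps, so nothing is retyped. It assumes the file layout the container writes under the /config volume (peerN/peerN.conf, `Key = value` lines in `[Interface]` and `[Peer]` sections), a single IPv4 Address and an IPv4 Endpoint, and the page's /24 prefix when the Address line has none; the interface name wg-docker and the embedded sample config with placeholder keys are constructed for the demonstration.

```shell
#!/bin/sh
# wg-conf-to-routeros.sh: added example, not part of the original page.
# Reads a wg-quick style client config and prints the RouterOS v7 commands
# that correspond to the MikroTik GUI steps above.
set -eu

# get_key FILE SECTION KEY: value of KEY inside [SECTION], empty if absent.
# Splits on the first "=" only, so base64 keys ending in "=" stay intact.
get_key() {
    awk -v section="[$2]" -v key="$3" '
        $0 == section { insec = 1; next }
        /^\[/         { insec = 0 }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$1"
}

# routeros_commands FILE IFNAME: one RouterOS command per GUI step.
# Assumptions (not from the page): single IPv4 Address line, IPv4 Endpoint;
# a bare Address gets the page's /24 appended.
routeros_commands() {
    conf="$1"; ifname="$2"
    priv="$(get_key "$conf" Interface PrivateKey)"
    addr="$(get_key "$conf" Interface Address)"
    pub="$(get_key "$conf" Peer PublicKey)"
    endpoint="$(get_key "$conf" Peer Endpoint)"
    allowed="$(get_key "$conf" Peer AllowedIPs)"
    case "$addr" in */*) ;; *) addr="$addr/24" ;; esac
    host="${endpoint%:*}"; port="${endpoint##*:}"

    # Step 1: interface. Listen port as on the page. The private key is a
    # secret: feed this output to the router, do not leave it in shell history.
    printf '/interface/wireguard add name=%s listen-port=51820 private-key="%s"\n' \
        "$ifname" "$priv"
    # Step 2: peer. persistent-keepalive=25s is the page's 00:00:25.
    printf '/interface/wireguard/peers add interface=%s public-key="%s" endpoint-address=%s endpoint-port=%s allowed-address=%s persistent-keepalive=25s\n' \
        "$ifname" "$pub" "$host" "$port" "$allowed"
    # Step 3: address. RouterOS derives the network field from the /24 prefix.
    printf '/ip/address add address=%s interface=%s\n' "$addr" "$ifname"
}

# Constructed sample in the layout the container writes; the keys are placeholders.
make_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.13.13.7
PrivateKey = CONSTRUCTED_CLIENT_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = CONSTRUCTED_SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 203.0.113.10:11621
AllowedIPs = 10.13.13.0/24
EOF
}

# Usage: wg-conf-to-routeros.sh [peer.conf] [interface-name]
# With no arguments it runs on the constructed sample.
main() {
    conf="${1:-}"
    if [ -z "$conf" ]; then
        conf="$(mktemp)"; make_sample_conf "$conf"
    fi
    routeros_commands "$conf" "${2:-wg-docker}"
}

case "${0##*/}" in
    wg-conf-to-routeros.sh) main "$@" ;;
esac
```

Run it on a real peer file, e.g. `sh wg-conf-to-routeros.sh /var/docker_volume/wireguard_data_1/config/peer1/peer1.conf wg-docker`, and paste the three lines into the RouterOS terminal; the `last handshake` column in the peers menu should then populate within the 25 s keepalive interval once the endpoint is reachable.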
Cheatsheet
- docker compose down: `docker-compose down`
- docker compose up: `docker-compose up -d`
- List connected clients: `docker exec wireguard wg show`