It depends how wireguard is implemented.
The container may be running wireguard in userspace, instead of the OS’s kernel implementation.
kinda fixed it, I think...
Checked what image I'm using, it's linuxserver, and they're using the OS's kernel implementation. Also saw that in my logs.
I used this https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard and added these lines into my wg0.conf:
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
Then I regenerated my mullvad config with a different server.
Now I'm downloading the Arch Linux ISO at 11 Mbit/s.
Honestly I've no idea what exactly solved the problem; iptables, networks and routing still feel like witchcraft to me most of the time.
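An added sanity check for the two PostUp/PreDown lines above (this is not code from the thread or from linuxserver.io): it confirms that PreDown removes exactly the rule PostUp adds, so stale MASQUERADE rules don't pile up across restarts, and that the rule actually shows up in the nat table. The wg0.conf and the `iptables -t nat -S POSTROUTING` output are constructed samples; the keys and endpoint are placeholders.

```shell
#!/bin/sh
# Lint the MASQUERADE PostUp/PreDown pair in a WireGuard config and check the nat table.

# Constructed sample wg0.conf (placeholder keys, documentation-range endpoint).
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
DNS = 10.64.0.1
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820'

# Constructed sample of what `iptables -t nat -S POSTROUTING` prints once PostUp has run.
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o wg+ -j MASQUERADE'

# Print the rule body (everything after "iptables -t nat -A/-D") of every
# PostUp or PreDown line, sorted, so the add and delete halves can be compared.
rule_bodies() {  # $1 = PostUp|PreDown, $2 = config text
    printf '%s\n' "$2" \
      | sed -n "s/^$1 *= *iptables -t nat -[AD] //p" \
      | sort
}

# Returns 0 when every nat rule added in PostUp is removed again in PreDown.
postup_predown_match() {  # $1 = config text
    up=$(rule_bodies PostUp "$1")
    down=$(rule_bodies PreDown "$1")
    [ -n "$up" ] && [ "$up" = "$down" ]
}

# Returns 0 when the wg+ MASQUERADE rule is present in `iptables -t nat -S POSTROUTING`
# output passed as text, i.e. the container really is NATing for the attached services.
nat_has_wg_masquerade() {  # $1 = iptables -S output
    printf '%s\n' "$1" | grep -q -- '^-A POSTROUTING -o wg+ -j MASQUERADE$'
}

if postup_predown_match "$SAMPLE_CONF" && nat_has_wg_masquerade "$SAMPLE_NAT"; then
    echo "wg0.conf PostUp/PreDown and nat table are consistent"
fi
```

To use it on a live container, replace the samples with `docker exec wireguard cat /config/wg0.conf` and `docker exec wireguard iptables -t nat -S POSTROUTING`.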
Can you please share your compose file?
I personally use a separate container instead of another service, not sure what difference it makes
network_mode: "container:wireguard"
Using the lscr.io/linuxserver/wireguard:latest image btw
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      #- SYS_MODULE #needed if the wireguard kernel module is not loaded
    environment:
      - PUID=995
      - PGID=995
      - TZ=Europe/Vienna
    volumes:
      - wireguard_config:/config
      #- /lib/modules:/lib/modules stack #needed if the wireguard kernel module is not loaded
    ports:
      - 51820:51820
      - 51820:51820/udp
      - 8113:8113 #qbt WebUI - This is not necessary with traefik, I still have it for debug reasons and it's only reachable in my local network so I think it's fine
    networks:
      - net
    labels:
      - traefik.enable=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: service:wireguard
    depends_on:
      - wireguard
    environment:
      - PUID=1004
      - PGID=1004
      - UMASK=002
      - TZ=Europe/Berlin
      - WEBUI_PORT=8113
    volumes:
      - qbt_config:/config
      - torrents:/data/torrents
      - media:/data/media
    labels:
      - traefik.enable=true
      - traefik.http.services.qbt.loadbalancer.server.port=8113
      - traefik.http.routers.qbt.rule=Host(`torrent.example.com`)
      - traefik.http.routers.qbt.middlewares=https-redirect@file
      - traefik.http.routers.qbt-secure.rule=Host(`torrent.example.com`)
      - traefik.http.routers.qbt-secure.entrypoints=websecure
      - traefik.http.routers.qbt-secure.tls=true
      - traefik.http.routers.qbt-secure.service=qbt
    restart: unless-stopped
I would try it with the SYS_MODULE and /lib/modules lines uncommented. That's how I have my container and it seems to perform just fine.
It works without that. I commented it out because the logs told me it's already loaded and I should comment these lines.
Any reason you need the traefik label on the wireguard container? Seems unnecessary.