
Running without network mode host #156

Open
lorenzopicoli opened this issue Mar 10, 2023 · 7 comments
Labels
documentation Improvements or additions to documentation v1 Old version of wg-portal

Comments

lorenzopicoli commented Mar 10, 2023

First of all, thank you for the awesome project. I wanted to share my setup running wg-portal without network_mode: host. As answered here and here, this project needs to have access to the wg0 interface to run properly.

I run WireGuard with the linuxserver/wireguard container and I'm installing wg-portal in the same container using their custom scripts. Here's how it looks:

 - docker-compose.yml (with linuxserver/wireguard)
 - custom-cont-init.d
   - wireguard-portal-install.sh
 - custom-services.d
   - wireguard-portal.sh

Then in docker-compose.yml

- ./custom-cont-init.d/:/custom-cont-init.d/
- ./custom-services.d/:/custom-services.d/

To install wg-portal, in wireguard-portal-install.sh:

#!/usr/bin/with-contenv bash
# custom-cont-init.d script: linuxserver's s6 init runs it as root on every
# container start, before the services in custom-services.d are launched.
set -e

echo "****** Installing wg-portal ******"
apt update
# git and make are needed by the clone and build steps below
apt install -y golang-go git make
# harmless with apt's go (already on PATH); only matters for a /usr/local/go install
export PATH=$PATH:/usr/local/go/bin

# clones the default branch; pin a tag or commit if you want reproducible builds
git clone https://github.com/h44z/wg-portal.git /app/wg-portal-project
cd /app/wg-portal-project
# CGO_ENABLED=0 GOOS=linux /usr/lib/go-1.18/bin/go build -o wg-portal main.go
make build
cp ./dist/wg-portal /app/
rm -rf /app/wg-portal-project

And then in wireguard-portal.sh to run it:

#!/usr/bin/with-contenv bash
# custom-services.d script: supervised by s6 and restarted if the process exits
echo "SYSTEM SERVICE"
exec /app/wg-portal

In the container logs there should be some errors, which are wireguard-portal trying to init before wg0 is created, but right after that the server should be up and running.

As far as I'm aware the only drawback is that not running wg-portal in a container makes it harder to keep it updated with something like Watchtower, but it was a requirement for me to run wg-portal behind traefik, which is not in network_mode: host.

Created an issue since I'm not sure this is README-worthy, but let me know if there's any other way to do this or any other cons I'm missing.

Thanks!
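The complete docker-compose.yml that the two volume lines in the post above belong to, written out as an added example (not the poster's file or anything from the wg-portal project). The image tag, the ./config bind mount, the UID/GID values and the `proxy` network name are assumptions; the traefik labels are left out.

```yaml
# Added example: single-container layout, wg-portal built and run inside the
# linuxserver/wireguard container via its custom-script hooks.
# Assumed: image tag, ./config path, PUID/PGID/TZ values, "proxy" network name.
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN                 # needed to create wg0 and for wg-portal to add peers
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - ./config:/config                              # wg0.conf is written below /config
      - ./custom-cont-init.d/:/custom-cont-init.d/    # wireguard-portal-install.sh
      - ./custom-services.d/:/custom-services.d/      # wireguard-portal.sh
    ports:
      - 51820:51820/udp           # WireGuard; the web UI is reached via traefik, not published
    networks:
      - proxy                     # assumed name of the network traefik is attached to
    restart: unless-stopped

networks:
  proxy:
    external: true
```

Two things to keep in mind with this layout: both hook scripts run as root inside the container, and custom-cont-init.d scripts run on every container start, so the install script as posted re-clones and rebuilds wg-portal each time the container restarts unless you guard it with a check for an existing /app/wg-portal.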

guillaume-cerf commented Mar 22, 2023

Hi there,
I'm a newbie and I would like to reproduce your method: being able to run both WireGuard and wg-portal in the same container.

I tried to run them in their respective containers with both of them linked by network_mode="host", but it does not seem to work entirely since I can't add new peers: error 500 "failed to prepare new peer: failed to get available IP addresses: no more available address from cidr".

So i'd like to give your method a try.

I'm using portainer to "manage" my containers, and more precisely the "stacks" option to copy-paste docker compose files.
I can't quite get around the protocol you posted to do so, and would like to do it from the portainer interface if possible, to make future maintenance easier ;)

Thanks for the hard work everyone has put into making this app, and thanks for your future help :)

guillaume-cerf commented Mar 26, 2023

Actually, after correctly reading the custom scripts documentation from linuxserver, your protocol was straightforward.
But I still have the same error 500 when I want to add a peer.

I can't find anything about it :(

Any idea?

Edit: Solved it by changing the cidr range of the ip address server from x.x.x.1/32 to x.x.x.1/24

karstennilsen commented

I just linked the networks of both containers:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  wg-portal:
    image: h44z/wg-portal:latest
    container_name: wg-portal
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "service:wireguard"

joestump commented

@karstennilsen are you exposing a shared volume for /etc/wireguard or something? Wondering how wg-portal is writing files to the wireguard container in your example.

Friday13th87 commented

@joestump did you find an answer to that?
The network mode from @karstennilsen is not connecting the storage of both containers and it shouldn't work like that - I mean, how should wg-portal install any new peers to the linuxserver container if it's only sharing the same network...

Real-Gecko commented

Here are two ansible playbooks I've used to set up Wireguard and WG-Portal to work together. It works flawlessly; WG-Portal was even able to import existing Wireguard peers, the only thing that needed updating is the peers' private keys.

---
- name: Wireguard
  hosts: application
  gather_facts: false
  tasks:
    - name: Network
      community.docker.docker_network:
        name: wireguard-network
        driver: overlay
        attachable: true

    - name: Volume
      community.docker.docker_volume:
        name: wireguard-data

    - name: Container
      community.docker.docker_container:
        name: wireguard
        image: lscr.io/linuxserver/wireguard:latest
        capabilities:
          - NET_ADMIN
          - SYS_MODULE
        # docker_container takes env as a mapping of string values,
        # not a KEY=VALUE block
        env:
          PUID: "1000"
          PGID: "1000"
          TZ: <desired TZ>
          SERVERURL: <ip or host name>
          PEERS: "1"
        mounts:
          - source: wireguard-data
            target: /config
            type: volume
          - source: /lib/modules/
            target: /lib/modules/
            type: bind
        ports:
          - 51820:51820/udp
          # wg-portal's UI is published here because wg-portal shares this
          # container's network namespace (network_mode: container:wireguard)
          - 8123:8123
        sysctls:
          net.ipv4.conf.all.src_valid_mark: "1"
        networks:
          - name: wireguard-network
        userns_mode: host
        restart_policy: always

- name: WG Portal
  hosts: application
  gather_facts: false
  tasks:
    - name: Volume
      community.docker.docker_volume:
        name: wg-portal-data

    - name: Container
      community.docker.docker_container:
        image: wgportal/wg-portal:v1
        name: wg-portal
        restart_policy: always
        capabilities:
          - NET_ADMIN
        network_mode: container:wireguard
        volumes:
          # the same volume the wireguard container has at /config,
          # so wg-portal can write the peer config the other container reads
          - wireguard-data:/etc/wireguard
          - wg-portal-data:/app/data
        env:
          EXTERNAL_URL: http://<ip or host name>:8123
          ADMIN_USER: <admin user name>
          ADMIN_PASS: <admin pass>
          WG_CONFIG_PATH: /etc/wireguard/wg_confs  # this bit is important
        userns_mode: host

My swarm setup works in userns-remap mode, thus I had to set userns_mode: host.

Real-Gecko commented

Also, the default configs should be added:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
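The two-container layout discussed above (karstennilsen's shared network namespace, the missing shared /etc/wireguard volume that joestump and Friday13th87 asked about, and the WG_CONFIG_PATH setting from the playbooks), written as one docker-compose stack as an added example; it is not code from the thread or from the wg-portal project. The image tags, volume names, the 8123 UI port, the admin credentials and the example hostname are placeholders, and the healthcheck-based start ordering is my addition.

```yaml
# Added example: two containers, one network namespace, one shared config volume.
# Assumed: image tags, volume names, port 8123, vpn.example.org, admin credentials.
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE              # only if the host still needs the wireguard module loaded
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=vpn.example.org   # placeholder
      - PEERS=1
    volumes:
      - wireguard-data:/config      # wg0.conf ends up under /config/wg_confs
      - /lib/modules:/lib/modules:ro
    ports:
      - 51820:51820/udp             # WireGuard itself
      - 8123:8123                   # wg-portal UI: published on THIS container because
                                    # wg-portal shares its network namespace below
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    healthcheck:
      # passes only once wg0 exists, so wg-portal is not started before the
      # interface it needs (the errors mentioned earlier in the thread)
      test: ["CMD", "wg", "show", "wg0"]
      interval: 5s
      timeout: 3s
      retries: 12
    restart: unless-stopped

  wg-portal:
    image: wgportal/wg-portal:v1
    container_name: wg-portal
    cap_add:
      - NET_ADMIN                   # required to add peers to wg0 via netlink
    network_mode: service:wireguard # shares the network namespace only, NOT the filesystem
    depends_on:
      wireguard:
        condition: service_healthy
    volumes:
      - wireguard-data:/etc/wireguard   # same volume as /config above: this is what
                                        # lets wg-portal write peers the other side reads
      - wg-portal-data:/app/data
    environment:
      - EXTERNAL_URL=http://vpn.example.org:8123
      - ADMIN_USER=admin            # placeholder, change before use
      - ADMIN_PASS=change-me        # placeholder, change before use
      - WG_CONFIG_PATH=/etc/wireguard/wg_confs   # must match the linuxserver layout
    restart: unless-stopped

volumes:
  wireguard-data:
  wg-portal-data:
```

Notes on the design: `network_mode: service:wireguard` is why no `ports:` appear on the wg-portal service and why the UI port is published on the wireguard container instead; the shared volume is the part a netns-only setup lacks, which is what the "how does wg-portal write files" question was about. The PostUp/PostDown iptables lines from the comment above still belong in wg0.conf inside the wireguard container, not in this file. One caveat: if the wireguard container is recreated (for example by an image update), the wg-portal container must be recreated as well, because its network namespace reference points at the old container.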

@bonddim bonddim added documentation Improvements or additions to documentation v1 Old version of wg-portal labels Nov 26, 2024