Can’t access network forward from outside the LAN

Hello all,

I can access docker containers running in lxc container from the LAN but I can’t access them using Wireguard VPN on the new LXC containers that I create.

I’m using a Raspberry Pi 5 with Raspberry Pi OS Lite (64-bit).
There I installed Incus using the Zabbly package repository (stable) starting with version 6.2.

Using that version I created two containers with images:debian/12 (they are called first and pihole)

My main use is hosting a few docker containers (pihole, linkding, mealie, swag and others) inside the lxc containers.

I’m using the default bridge to add the lxc containers:

config:
  ipv4.address: 10.51.53.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:95d6:5a11:20a1::1/64
  ipv6.nat: "true"
description: ""
name: incusbr0
type: bridge
used_by:
- /1.0/instances/first
- /1.0/instances/pihole
- /1.0/instances/test
- /1.0/profiles/default
managed: true
status: Created
locations:
- none
project: default

I’m able to access the services running in the containers using network forward:

$ incus network forward list incusbr0
+----------------+---------------------+------------------------+-------+
| LISTEN ADDRESS |     DESCRIPTION     | DEFAULT TARGET ADDRESS | PORTS |
+----------------+---------------------+------------------------+-------+
| 192.168.60.101 | docker applications |                        | 17    |
+----------------+---------------------+------------------------+-------+

For example, I can access linkding with

http://192.168.60.101:9090 from the incus host, from a laptop on the same LAN and from another laptop using wireguard VPN in another town.

Then I did the upgrade to incus 6.5 to try the docker integration on the LXC host.

After that I wanted to create a new lxc container to host some docker containers. I followed the same steps to create the lxc containers as I did for first and pihole.

I was able to run another instance of linkding on port 9901.

I added that port on the same incus network forward with port 9901.

Here comes the problem:

I’m able to access the new linkding service with

http://192.168.60.101:9901 from the incus host, from a laptop on the same LAN but I can’t access it using wireguard VPN.

The services on the first two containers are not affected. They work as usual. The problem occurs only on new lxc containers.

I also tried the following: I did a copy of first container to first-copy and gave it a different IP. I changed the network forward to use the new lxc container (with the new IP) and I have the same problem even with that container. I can access the services from Incus host, from the LAN but not using wireguard VPN.

Is there a new configuration that I have to set to access the LXC containers from outside the LAN?

Thank you in advance!

Edit:
I get a timeout when I try to access the service on the new lxc container using wireguard.

Welcome!

You are using Incus instead of LXC. I do not know whether you are mixing this up with LXC commands. You tagged this thread as LXC.
If you use the lxc command to manage any container, then you have added something else altogether.

Can you verify that you have created containers with Incus, and then in the containers, you have installed Docker, and from Docker you installed those docker images?

Hello Simos,

My bad. I use Incus to create lxc containers. I haven’t used the lxc command at all.
I installed docker inside the container and then used docker to run those docker images.

Also I tried to create a new lxc container without installing docker. I installed the nginx package using apt. I still have the same problem. I can access the default nginx page from LAN but not using wireguard.

I am trying to figure out how you can simplify the setup so that it is easier to figure out what’s going on. For example, you mention mealie, which is a food app, but I have no idea what linkding is. But in both cases it does not matter what’s running in the container, but rather, if you were running just a Web server, you want that Web server to be accessible from outside the LAN.

If there is no Wireguard VPN, things are quite straightforward on how to expose containers outside of the LAN. There are in fact several ways. However, when you add the Wireguard VPN in the setup (same server), then you would want to undo your way of exposing the containers outside of the LAN so that Wireguard can do its work. But you mention that at some point the containers were accessible from outside the LAN and at the same time while Wireguard VPN was active. This looks like those containers were exposed in two ways outside of the LAN (directly and through Wireguard). Is that the case?

Ok, I know what happened. I have wireguard running inside first lxc container. When I connect to that wireguard server I can access the services in first lxc container.

I was expecting that I can also access the services of the other lxc containers using network forward but that’s not possible I guess with my current setup of the wireguard server.

But now I realized that I can access the other services using the IP of the lxc containers.

As it turns out the issue that I had is not related to incus.

We can close this thread.

Thank you!