Connect to wireguard from container

I’m trying to connect to ProtonVPN from a container but WireGuard can’t initiate a connection. No handshake is done and wg show shows 0B received. The config file works fine from my personal computer with a Windows WG client.

Do I need to forward the port for WG, or something like that on the container itself?
The container is behind a default bridge interface on 10.1.1.0/24, and that’s behind a router with NAT on a 192.168.0.0/24 LAN.

This is the output from upping the interface, if it’s of any use:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 192.168.1.0/24 dev wg0
... more routes

Most common issue would be one of the routes for wg0 masking the subnet that your container is on, effectively preventing it from reaching the wireguard server once the wireguard interface is up, causing what you’re seeing.

I should have both of the LANs excluded from AllowedIPs, as I connect to them from my PC while on the VPN. The container’s IP is 10.1.1.11. This is the AllowedIPs:

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/16, 10.1.0.0/24, 10.1.2.0/23, 10.1.4.0/22, 10.1.8.0/21, 10.1.16.0/20, 10.1.32.0/19, 10.1.64.0/18, 10.1.128.0/17, 10.2.0.0/15, 10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.1.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3

IIRC 0.0.0.0/0 also couldn’t do anything before I changed it.
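Since the reply above rests on whether the container’s own subnet and the home LAN really fall outside AllowedIPs, here is an added example (not from the thread) that parses that AllowedIPs value, computes the address space it leaves off the tunnel, and reports how a given subnet would be handled. It assumes the AllowedIPs string quoted above verbatim and the 10.1.1.0/24 and 192.168.0.0/24 subnets from the question.

```python
import ipaddress

# AllowedIPs value copied from the reply above, as one comma-separated string.
ALLOWED_IPS = (
    "0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/16, 10.1.0.0/24, 10.1.2.0/23, 10.1.4.0/22, "
    "10.1.8.0/21, 10.1.16.0/20, 10.1.32.0/19, 10.1.64.0/18, 10.1.128.0/17, "
    "10.2.0.0/15, 10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, "
    "10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, "
    "64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, "
    "192.168.1.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, "
    "192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, "
    "192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, "
    "192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, "
    "208.0.0.0/4, 224.0.0.0/3"
)

def parse_allowed_ips(value):
    """Turn the AllowedIPs string into a list of ip_network objects."""
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]

def excluded_networks(allowed):
    """Return the IPv4 space NOT in AllowedIPs, i.e. what stays off wg0."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in allowed:
        carved = []
        for block in remaining:
            if net.subnet_of(block):        # carve the allowed net out of this block
                carved.extend(block.address_exclude(net))
            elif block.subnet_of(net):      # block is fully routed via wg0: drop it
                continue
            else:                           # disjoint: keep the block as is
                carved.append(block)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))

def route_status(allowed, target):
    """'tunneled' if target lies entirely inside AllowedIPs, 'excluded' if it
    lies entirely outside, 'partial' if only some of it would be sent via wg0."""
    target = ipaddress.ip_network(target)
    merged = list(ipaddress.collapse_addresses(allowed))
    if any(target.subnet_of(net) for net in merged):
        return "tunneled"
    if not any(target.overlaps(net) for net in merged):
        return "excluded"
    return "partial"

if __name__ == "__main__":
    allowed = parse_allowed_ips(ALLOWED_IPS)
    print("left outside the tunnel:", [str(n) for n in excluded_networks(allowed)])
    print("container subnet 10.1.1.0/24:", route_status(allowed, "10.1.1.0/24"))
```

For this list the complement comes out as exactly 10.1.1.0/24 and 192.168.0.0/24, so AllowedIPs itself is not what masks the container’s subnet; the `ip route get` check in the next reply is the place to look.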

You can run ip route get WIREGUARD-ENDPOINT to see what interface the kernel would take to reach the wireguard server. You probably also want to make sure that you can ping the wireguard server prior to bringing up wireguard, then check that you still can after the tunnel is up.