Community discussions

MikroTik App
 
arjones85
just joined
Topic Author
Posts: 3
Joined: Mon Mar 07, 2022 3:59 am

Can't reach docker containers from Wireguard

Wed Sep 28, 2022 12:54 am

Hi all,

I am facing a really weird issue after trying to move from a docker-based Wireguard container as my VPN server, to using my Mikrotik as the server.

After configuring the mikrotik, I am able to connect my test client just fine. I can ping all hosts on the lan. I can reach all ports to all hosts on the lan that are *not* in docker containers. Any ports that are hosted by a docker container on a server are inaccessible. I'm pulling my hair out trying to figure out why the docker containers aren't accessible.

Here's my setup:

192.168.1.0/24 - Local LAN
192.168.1.254 - Mikrotik router
192.168.100.0/24 - Defined Wireguard address space
192.168.100.1 - Mikrotik Wireguard server

Here's the route list for the docker container host:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eno1
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eno1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-e2ef141a8890
172.28.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-246eb5c87b8b
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1
Firewall export from Wireguard (port 443 is the port I am using for Wireguard. NAT rule to forward it to the docker container is disabled):
# sep/27/2022 16:46:54 by RouterOS 7.5
# software id = F3EA-NSY9
#
# model = RB750Gr3
# serial number = CC220E7CEFE7
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=443 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="DROP INPUT invalid - "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=all-vlan
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="DROP INPUT not from LAN - "
add action=drop chain=forward in-interface=virtual-guestwifi out-interface-list=LAN
add action=drop chain=forward in-interface-list=LAN out-interface=virtual-guestwifi
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="DROP drop invalid - "
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes \
log-prefix="DROP not DSTNATed - "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=32400 protocol=tcp to-addresses=192.168.1.110 to-ports=32400
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28967 protocol=tcp to-addresses=192.168.1.110 to-ports=28967
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28967 protocol=udp to-addresses=192.168.1.110 to-ports=28967
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28968 protocol=udp to-addresses=192.168.1.110 to-ports=28968
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=28968 protocol=tcp to-addresses=192.168.1.110 to-ports=28968
add action=dst-nat chain=dstnat dst-address=<public ip> dst-port=443 protocol=tcp to-addresses=192.168.1.110 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=<public ip> dst-port=443 protocol=udp to-addresses=192.168.1.110 to-ports=443
add action=masquerade chain=srcnat dst-address=192.168.1.110 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
[admin@MikroTik] /ip/firewall>
Here's my interface export:
# sep/27/2022 16:52:25 by RouterOS 7.5
# software id = F3EA-NSY9
#
# model = RB750Gr3
# serial number = CC220E7CEFE7
/interface bridge
add admin-mac=2C:C8:1B:77:D5:B3 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=virtual-guestwifi vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.100.3/32 interface=wireguard1 public-key="6uUMbtqz+E3U528ou9TTEi9hjo1juw+Fo9xysvWz1jw="

Any help would be awesomely appreciated. I'm lost here!
 
mkx
Forum Guru
Forum Guru
Posts: 8467
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can't reach docker containers from Wireguard

Wed Sep 28, 2022 9:13 am

Any ports that are hosted by a docker container on a server are inaccessible.

Which address space are you talking about? If you're talking about 172.16.0.0/20 (or its subnets), then ... you actually didn't show the relevant part of router's setup (IP addressing and routing config), but it's possible that router doesn't know about this address space being used inside docker blob.

If you're talking about 192.168.100.0/24, then the problem may be in the way containers are configured (network mask set to /24 which means that those containers expect to talk to other members of same IP subnet directly ... but they can't do so with wireguard clients as they are behind routing part of ROS - WG are not L2 interfaces so they can't be bridged together which would help with this problem ... but you don't really want to do it as this would also mean all the broadcast traffic hitting all the WG links).
BR,
Metod
 
arjones85
just joined
Topic Author
Posts: 3
Joined: Mon Mar 07, 2022 3:59 am

Re: Can't reach docker containers from Wireguard

Wed Sep 28, 2022 6:11 pm

Thanks for the reply!

So I ended up getting it working by changing the network wireguard is using to 10.150.1.0/24. I am unsure why my Docker containers didn't want to chat with the clients using the other network range, but this worked.

In addition I discovered something strange. The Mikrotik web gui just flat does not work properly for me when I add a public key for a client. If I add that exact same key via CLI, it works fine. Strange incompatibility with Chrome on my machine, or a bug, or something, but it's reproducible 100% of the time for me. An export via CLI after adding a client via the GUI shows the key looks exactly the same as it does when I added it via CLI, so who knows...

Who is online

Users browsing this forum: Baidu [Spider], helipos, kelarlee and 90 guests