Site-to-Site Wireguard?

[Dviros]

Hey Chad, thanks a lot for this brilliant project.
I have a very niche issue which I'm currently struggling to set up Site-to-Site VPN using Wireguard to my opnsense.
Opnsense runs local wireguard instance and I've set the cloud server as a peer, but I couldn't make the server connect back to the opnsense instance.

Is it possible to run the wireguard docker with a client instance that would connect back?

Thanks again
D

[chadgeary]

Hey @Dviros - thank you for your azure MR it has a couple suggestions before approval.

RE: wireguard client

You are able to use the wireguard docker container as a wireguard client, but it will need several config changes. The cloudblock wireguard is setup a server.

See this from the image maintainers:

Client Mode
Do not set the PEERS environment variable. Drop your client conf into the config 
folder as /config/wg0.conf and start the container.
If you get IPv6 related errors in the log and connection cannot be established, 
edit the AllowedIPs line in your peer/client wg0.conf to include only 0.0.0.0/0 
and not ::/0; and restart the container.

For a cloudblock project, that would mean changing the ansible playbook section that sets up the wireguard container - ideally adding a second wireguard container (client). It would look something like this:

    - name: wireguard client directory
      file:
        path: /opt/wireguard_client
        state: directory

    - name: wireguard client file
      file:
        path: /opt/wireguard_client/wg0.conf
        block: |
          [Interface]
          Address = ...
          PrivateKey = ...
          ListenPort = 51820

          [Peer]
          PublicKey = ...
          PresharedKey = ...
          Endpoint = ...:51820
          AllowedIPs = ...

    - name: wireguard client container
      docker_container:
        name: wireguard_client
        capabilities:
          - NET_ADMIN
          - SYS_MODULE
        env:
          PUID: "1000"
          PGID: "1000"
          TZ: "Etc/UTC"
          SERVERURL: "auto"
          SERVERPORT: "51820"
          ALLOWEDIPS: "0.0.0.0/0"
          PEERDNS: "{{ docker_pihole }}"
          INTERNAL_SUBNET: "{{ wireguard_network }}"
        image: linuxserver/wireguard:latest
        networks:
          - name: cloudblock
            ipv4_address: "{{ docker_wireguard_client }}"
        ports:
          - "51820:51820/udp"
        sysctls:
          net.ipv4.conf.all.src_valid_mark: 1
        volumes:
          - /opt/wireguard_client/wg0.conf:/config/wg0.conf:r
        pull: yes
        restart_policy: "always"
        purge_networks: yes

[Dviros]

Beautiful! I'll get that sorted and let you know. Is it possible to add some logic with regards to how the machine would connect back (Client\Server mode, applying relevant NSG policies and so on)?

[Dviros]

Hey @chadgeary,
I've had several issues :(

1. I've stated the docker_wireguard_client network in the variables as 172.16.0.7.
2. I've used the following ansible config with what you had from the top, but with some slight changes:

    - name: wireguard client file
      file:
        path: /opt/wireguard_client/wg0.conf

    - name: wireguard client container
      docker_container:
        name: wireguard_client
        capabilities:
          - NET_ADMIN
          - SYS_MODULE
        env:
          PUID: "1000"
          PGID: "1000"
          TZ: "Etc/UTC"
          SERVERURL: "auto"
          SERVERPORT: "51820"
          ALLOWEDIPS: "0.0.0.0/0"
          PEERDNS: "{{ docker_pihole }}"
          INTERNAL_SUBNET: "{{ wireguard_network }}"
        image: linuxserver/wireguard:latest
        networks:
          - name: cloudblock
            ipv4_address: "{{ docker_wireguard_client }}"
        ports:
          - "51821:51820/udp"
        sysctls:
          net.ipv4.conf.all.src_valid_mark: 1
        volumes:
          - /opt/wireguard_client/:/config/:rw
        pull: yes
        restart_policy: "always"
        purge_networks: yes

3. My wg0.conf is as follows:

[Interface]
ListenPort = 51820
PrivateKey = (redacted)

[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = (redacted)

4. When checking network flows, I did not see any incoming connection to my GW. I've used netcat from the cloud machine to my GW with the port, worked flawlessly. I've stopped the server wireguard docker, interacted with the client wireguard docker, and attempted curl -> did not communicate to my GW.

5. I don't know which wg commands are being executed when the docker is starting, but it did not had any wg interfaces, in which I suspect the issues relies in both the routing to the host machine, and the startup interface commands in the docker instances, which only occurs in the wireguard client docker :\

It also pains me to say that when using wg-quick on the host machine with my config, it started communicating :(

I would be happy for some help because I'm a bit clueless with Ansible and Docker. Thanks a lot again,
D