I'm currently trying to dockerize my WireGuard VPN (as a client) in a wireguard container with docker-compose, so that my host machine no longer has all of its traffic going through the VPN, but only certain containers do.
To do so, I set up my docker-compose.yaml like this:
Code:
```yaml
vpn:
  privileged: true
  build:
    context: ./apps/vpn
    dockerfile: Dockerfile.thorin
  restart: 'unless-stopped'
  deploy:
    replicas: 1
  sysctls:
    - "net.ipv4.conf.all.rp_filter=2"
    - "net.ipv6.conf.all.disable_ipv6=0"
  cap_add:
    - net_admin
    - sys_module
  network_mode: bridge
```
Code:
```dockerfile
FROM archlinux
RUN pacman-key --init && pacman-key --populate archlinux
RUN pacman -Sy && pacman -S --noconfirm archlinux-keyring && pacman -Su --noconfirm
RUN pacman -S --noconfirm wireguard-tools openresolv traceroute
WORKDIR /root
COPY scripts/ /root/
COPY thorin.conf /etc/wireguard/wg0.conf
ENTRYPOINT ["/root/startup.sh"]
```
Code:
```bash
#!/bin/bash
set -euo pipefail
wg-quick up wg0
# Host part of the "Endpoint = host:port" line (GNU grep with PCRE, as on Arch)
VPN_IP=$(grep -Po 'Endpoint\s=\s\K[^:]*' /etc/wireguard/wg0.conf)
function finish {
  echo "$(date): Shutting down vpn"
  wg-quick down wg0
}
function setup_lan_routing {
  CONTAINER_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1)
  GATEWAY_IP="192.168.0.1"
  LAN_MASK="192.168.0.0/16"
  echo "Using container ip: ${CONTAINER_IP} to route ${LAN_MASK} over ${GATEWAY_IP}"
  # Policy routing: packets sourced from the container's own address use
  # table 128, which keeps LAN traffic on eth0 instead of the tunnel
  ip rule add from ${CONTAINER_IP} table 128
  ip route add table 128 to ${LAN_MASK} dev eth0
  ip route add table 128 default via ${GATEWAY_IP}
  echo "routing rules applied"
}
# Our IP address should be the VPN endpoint for the duration of the
# container, so this function will give us a true or false if our IP is
# actually the same as the VPN's
function has_vpn_ip {
  curl --silent --show-error --retry 10 --fail http://checkip.dyndns.com/ | \
    grep -q -- "$VPN_IP"
}
# If our container is terminated or interrupted, we'll be tidy and bring down
# the vpn
trap finish TERM INT
# setup_lan_routing
# Every minute, check that our egress IP is still the VPN's.
# (The function must be run as the loop's command: "[[ has_vpn_ip ]]" only
# tests that the literal string is non-empty and would loop forever.)
while has_vpn_ip; do
  sleep 60
done
echo "$(date): VPN IP address not detected"
```
If I start it, I do get this in my logs:
```
services-vpn-1 | Using container ip: 172.17.0.2 to route 192.168.0.0/16 over 192.168.0.1
services-vpn-1 | routing rules applied
```
I'm probably doing something wrong, the question is... what?
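An added example, not the poster's script, of a stricter version of the egress-IP check that the startup script's `has_vpn_ip` loop performs: it parses the `Endpoint` host out of the WireGuard config (IPv4, bracketed IPv6 or DNS name), extracts the address from the IP-echo response instead of substring-matching it, and tears the tunnel down when the two disagree so that traffic does not silently leave through eth0. The config path, the check URL from the post, `getent` for name resolution and the sample config and response body are assumptions constructed for the example, and it keeps the post's premise that the container's public IP equals the endpoint host.

```shell
#!/bin/sh
# Added example, not the original poster's script: an exact-match egress-IP
# check for a WireGuard client container. It inherits the post's assumption
# that the public IP seen from the container equals the [Peer] Endpoint host.
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
CHECK_URL="${CHECK_URL:-http://checkip.dyndns.com/}"   # same service as the post

# Print the host part of the first "Endpoint = host:port" line in a wg config.
# Handles "203.0.113.10:51820", "[2001:db8::1]:51820" and "vpn.example:51820".
endpoint_host() {
  sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 |
    sed -e 's/^\[\(.*\)]:[0-9]*$/\1/' -e 's/^\([^:]*\):[0-9]*$/\1/'
}

# Turn the endpoint host into a comparable address. A DNS name is resolved with
# getent (glibc; assumed available in the image), literals pass through.
resolve_endpoint() {
  case "$1" in
    *:*)       printf '%s\n' "$1" ;;                                # IPv6 literal
    *[!0-9.]*) getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }' ;; # DNS name
    *)         printf '%s\n' "$1" ;;                                # IPv4 literal
  esac
}

# Read an IP-echo response on stdin (HTML or plain text) and print the first
# IPv4 address it contains, or nothing.
first_ipv4() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Exact string comparison. The post's "grep $VPN_IP" is a substring match, so
# an endpoint of 203.0.113.10 would also "match" an egress IP of 203.0.113.100.
egress_matches_endpoint() {   # $1 = observed IPv4, $2 = expected IPv4
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Offline self-check on constructed sample data (not captured from a real host).
demo_check() {
  tmp=$(mktemp)
  printf '[Interface]\nPrivateKey = REDACTED\n[Peer]\nEndpoint = 203.0.113.10:51820\n' > "$tmp"
  expected=$(resolve_endpoint "$(endpoint_host "$tmp")")
  rm -f "$tmp"
  body='<html><body>Current IP Address: 203.0.113.10</body></html>'
  observed=$(printf '%s' "$body" | first_ipv4)
  egress_matches_endpoint "$observed" "$expected"
}

# Poll every minute; on mismatch, tear the tunnel down and exit non-zero so a
# "restart: unless-stopped" policy brings the container (and wg0) back up.
watch_vpn() {
  expected=$(resolve_endpoint "$(endpoint_host "$WG_CONF")")
  while :; do
    observed=$(curl --silent --fail --max-time 15 "$CHECK_URL" | first_ipv4) || observed=""
    if ! egress_matches_endpoint "$observed" "$expected"; then
      echo "$(date): egress IP '${observed:-none}' != VPN endpoint '$expected'; stopping tunnel"
      wg-quick down wg0 || true
      return 1
    fi
    sleep 60
  done
}

# Run the watcher only when asked, e.g. "sh vpncheck.sh --watch" after wg-quick up
if [ "${1:-}" = "--watch" ]; then
  watch_vpn
fi
```

The watcher is meant to replace the `while has_vpn_ip` loop in the entrypoint: call it with `--watch` after `wg-quick up wg0`, and let the container's restart policy handle recovery. Exiting non-zero rather than looping on is what makes a dead tunnel visible in `docker ps` and in the logs instead of leaving the container up with a plain bridge route.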