this post was submitted on 17 Dec 2024
37 points (100.0% liked)

Selfhosted

40696 readers
412 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I'm a noob to self-hosting, I have set up some containers but only through watching tutorials on youtube, in reality I barely understand what I'm doing.

I have a wireguard docker container set up, but when I connect to it with my phone, there's no internet.

Can somebody tell me what I'm doing wrong? I just want to access my server outside my home network.

Here is the docker-compose.

version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Singapore
      - SERVERURL=auto #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Please tell me if there is any more information I need to provide.

EDIT: fellas, I figured it out, I just had to port forward 51820 on my router :sob: thank you for your help in the comments

top 11 comments
[–] JohnWick@lemmy.world 26 points 5 days ago (2 children)
[–] Static_Rocket@lemmy.world 7 points 5 days ago

Yeah, that thing is honestly impressive. If I didn't already have a full network manager wg setup I'd just use that.

[–] harsh3466@lemmy.ml 1 points 5 days ago

+1 for wireguard easy. I run it and it's fantastically easy to use.

[–] Static_Rocket@lemmy.world 22 points 5 days ago* (last edited 5 days ago)

Reformatting that compose for people:

version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Singapore
      - SERVERURL=auto #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Sounds like you didn't read the extended manual: https://github.com/linuxserver/docker-wireguard

There are a lot of other configs for that container that must be provided before startup. It's just a generic runner. If you want it to run as a server you need to follow this section: https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#server-mode

Are you getting the handshake in the app? If so, you're probably just missing the dispatch commands for traffic masquerading.
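For readers who hit the "handshake works, no traffic" symptom described in the comment above, here is an added example (not code from the thread or from the linuxserver/docker-wireguard project) that renders the server-side [Interface] block with the PostUp/PostDown hooks that forward tunnel traffic and masquerade it out of the host's uplink. The tunnel interface name wg0, the uplink fallback eth0 and the private-key placeholder are assumptions; the subnet and port are taken from the compose file in the original post.

```shell
#!/bin/sh
# Added example, not the thread's or the linuxserver project's own code.
# Renders a WireGuard server [Interface] section whose PostUp/PostDown hooks
# let a phone peer reach the LAN/Internet through the tunnel: forwarding must be
# allowed in both directions and tunnel traffic leaving via the uplink must be
# source-NATed (MASQUERADE), otherwise replies never come back to the peer.
# Relies on net.ipv4.ip_forward=1, which the compose file already sets.

WG_IF="wg0"                  # assumed tunnel interface name
WG_SUBNET="10.13.13.0/24"    # INTERNAL_SUBNET from the compose file
WG_PORT="51820"              # SERVERPORT from the compose file

# Interface carrying the default route (eth0, enp3s0, ...); "eth0" if none found.
default_iface() {
    dev=$(ip -o route show default 2>/dev/null | awk '{print $5; exit}')
    echo "${dev:-eth0}"
}

# Rules installed when the tunnel comes up ($1 = tunnel iface, $2 = uplink iface):
# accept forwarding in/out of the tunnel, masquerade what leaves via the uplink.
postup_rules() {
    printf 'iptables -A FORWARD -i %s -j ACCEPT; iptables -A FORWARD -o %s -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE' "$1" "$1" "$2"
}

# Exact mirror with -D so bringing the tunnel down leaves no stray rules behind.
postdown_rules() {
    postup_rules "$1" "$2" | sed 's/ -A / -D /g'
}

# Render the [Interface] section; the server takes .1 of the tunnel subnet.
render_interface() {
    wgif="$1"; outif="$2"; subnet="$3"; port="$4"
    addr="${subnet%.*}.1/${subnet#*/}"   # 10.13.13.0/24 -> 10.13.13.1/24
    cat <<EOF
[Interface]
Address = $addr
ListenPort = $port
PrivateKey = <server-private-key-placeholder>
PostUp = $(postup_rules "$wgif" "$outif")
PostDown = $(postdown_rules "$wgif" "$outif")
EOF
}

# When run directly with --render, print the config for this host's own uplink.
if [ "${1-}" = "--render" ]; then
    render_interface "$WG_IF" "$(default_iface)" "$WG_SUBNET" "$WG_PORT"
fi
```

Compare the PostUp line against the wg0.conf the container generated under the ./config volume before adding anything: if the masquerade rule is already there, the problem is elsewhere (for the original poster it was the UDP port not being forwarded on the router). On the server, `wg show wg0` prints the latest handshake and the transfer counters per peer; a recent handshake with bytes received but almost nothing sent back is the classic sign that forwarding or masquerading is missing.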

[–] just_another_person@lemmy.world 4 points 5 days ago* (last edited 5 days ago)

Unless you have a real need to use a container, you shouldn't be running networking anything in a container. It will always perform better closer to the OS without abstractions.

That being said, it sounds like you have an exit-node problem. You can connect, but unless you set split-tunneling on your phone, you have no exit node to provide connectivity. Wireguard is not a traditional VPN in that just connecting to it gives you egress access.

[–] mosiacmango@lemm.ee 4 points 5 days ago* (last edited 5 days ago)

Tailscale is an excellent answer here. They use wireguard as the vpn protocol, but add layers of extra control.

You can use it in sidecar config for each container, or set up a subnet router, which lets you route any IP over the VPN. Just target that IP with a /32 cidr, i.e. tailscale up --advertise-routes=192.168.1.100/32.

[–] superglue@lemmy.dbzer0.com 2 points 5 days ago (1 children)

Speaking of wireguard, can anyone recommend a wireguard GUI client for desktop? I'm on PopOS and using the command line at the moment and the network manager doesn't allow adding wireguard.

[–] user134450@feddit.org 1 points 5 days ago

NetworkManager's Gnome GUI works with wireguard config files. If you are using Plasma you would need to install some alpha software to do that in the gui but you can always fall back to nmcli which also supports wireguard configs via the import command.

[–] RxBrad@infosec.pub 2 points 5 days ago* (last edited 5 days ago)

EDIT: My suggestion probably doesn't work for your use-case, but I'll leave it for anyone else....

I use this to only tunnel the ports I actually need: https://github.com/DigitallyRefined/docker-wireguard-tunnel

My CGNAT'ed home PC is the client, and my public-facing Oracle Cloud instance is the server.

I've tried and failed miserably to use the "official" Wireguard container. Once I start reading suggestions to modify iptables outside of Docker, I know I'm in trouble.

[–] couch1potato@lemmy.dbzer0.com 1 points 5 days ago

You didn't explicitly ask for other suggestions but here's mine anyway; I'm running tailscale on my pfsense router and sharing my home network cidr over tailscale like someone else suggested. So all my dockers and vms are available over tailscale from anywhere. It's been highly convenient as my home internet connection is behind CGNAT.

[–] vividspecter@lemm.ee 1 points 5 days ago

Beyond the other comments, is your public IP on ipinfo.io etc. something like 100.64.X.X or 10.X.X.X?

If so, you're behind a CG-NAT and raw wireguard will not work. I say this so you don't waste time configuring something that will never work. Ignore the below if you have a real public IP.

Some ISPs will allow you to get a real dynamic ipv4 address for free, or you can configure ipv6 but any clients that you connect will also need public ipv6 support.

Otherwise, consider tailscale/headscale/netbird (SaaS or on a VPS) which have NAT traversal support.
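The CG-NAT check in the comment above can be done mechanically. The following is an added example (not from the thread) that classifies a dotted IPv4 address as cgnat (100.64.0.0/10, the shared address space carriers use), private (the RFC 1918 ranges) or public, so it covers both address shapes the comment mentions plus the 172.16/12 range; the address-to-integer helper and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies an IPv4 address so a
# self-hoster can tell whether an inbound WireGuard port forward can ever work:
# "cgnat" or "private" on the WAN side means the ISP is not giving out a
# reachable public address and NAT-traversal tooling is the only option.

# Dotted quad -> 32-bit integer (POSIX sh arithmetic, no external tools).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK/PREFIX -> exit 0 when ADDRESS falls inside the block.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_ip ADDRESS -> prints cgnat | private | public
classify_ip() {
    if in_cidr "$1" 100.64.0.0/10; then
        echo cgnat                                   # RFC 6598 shared address space
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo private                                 # RFC 1918, never routable from outside
    else
        echo public
    fi
}

# Usage: ./cgnat-check.sh <address>   (paste the WAN address from your router's
# status page or from a "what is my IP" service; the page suggests ipinfo.io).
if [ -n "${1-}" ]; then
    classify_ip "$1"
fi
```

If the address your router reports on its WAN interface classifies as cgnat or private while the address an external service shows you is a different, public one, you are behind carrier-grade NAT and no amount of router port forwarding will expose UDP 51820; that is the situation where the overlay tools named above (or a public IPv6 address on both ends) are needed.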