Friday, February 7, 2020

Could use some routing help ... iptables?

I am trying to route traffic coming from a docker network ... I have WireGuard up and running, and unlike the examples that route ALL the traffic through the VPN based on destination, I am trying to route only SOME of the traffic based on the source.

Essentially I want all the traffic coming from 10.30.0.0 (docker bridge network) going through the wg0 interface, except for traffic that is going back to the same network or my LAN. So essentially just outbound internet traffic.

I have it working ... sort of ... using static routes.

post-up ip rule add from 10.30.0.0/16 table 200
post-up ip route add default via a.b.c.d metric 2 table 200
post-up ip route add blackhole default metric 3 table 200
post-up ip route add 192.168.0.0/16 via 192.168.0.1 table 200
post-up ip route add 10.30.0.0/16 via 10.30.0.1 table 200

Using table 200 for all traffic coming from 10.30.0.0, the default route is through wg0. The fallback route is a blackhole, a kill switch in case wg0 goes down.

The next two routes take care of routing anything internal around wg0; otherwise the containers can't talk to each other on the networks and the web GUIs can't be accessed. This works perfectly.

EXCEPT I call these routes in /etc/network/interfaces.d/wg0 so that the interface gets created and brought up at boot. Everything is fine except for this route:

post-up ip route add 10.30.0.0/16 via 10.30.0.1 table 200 

It fails because the docker bridge isn't up yet, so it can't create the route because the gateway is missing. For the time being I hacked it together and used "@reboot" in cron to bring up the route after the docker network is up.

Is there a more elegant solution? I thought of marking all the packets coming from 10.30.0.0 that are not destined for 10.30.0.0 or 192.168.0.0 (iptables -s 10.30.0.0/16 ! -d 192.168.0.0/16 etc etc) to avoid having to use that route, but I cannot figure it out for the life of me.

Appreciate any help
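An added example of this setup (not the post's own config) using rule ordering instead of packet marking: the internal destinations are exempted by earlier ip rules that fall back to the main table, so table 200 never needs the 10.30.0.1 gateway route and can be installed from the wg0 post-up hook before the docker bridge exists. DOCKER_NET and LAN_NET are taken from the post; WG_GW is a placeholder for the a.b.c.d gateway, and the script and its function names are assumptions for illustration.

```shell
#!/bin/sh
# Source-based policy routing for a docker bridge subnet through wg0,
# with a blackhole kill switch. Added example, not the post's own config.
# Assumed values: DOCKER_NET and LAN_NET are taken from the post, WG_GW is
# a placeholder for the WireGuard-side gateway ("a.b.c.d" in the post).
DOCKER_NET="10.30.0.0/16"
LAN_NET="192.168.0.0/16"
WG_GW="${WG_GW:-a.b.c.d}"
TABLE=200

# With DRY_RUN=1 the commands are printed instead of executed, so the
# plan can be reviewed without root or real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules are matched in priority order. Internal destinations are sent to
# the main table first, so table 200 never needs a route via the docker
# bridge and does not depend on the bridge existing when wg0 comes up.
rules_up() {
    run ip rule add from "$DOCKER_NET" to "$DOCKER_NET" lookup main priority 100
    run ip rule add from "$DOCKER_NET" to "$LAN_NET" lookup main priority 101
    run ip rule add from "$DOCKER_NET" lookup "$TABLE" priority 200
    # Kill switch: when wg0 goes down the kernel drops its routes, so the
    # metric-3 blackhole becomes the best default and nothing leaks.
    run ip route add default via "$WG_GW" metric 2 table "$TABLE"
    run ip route add blackhole default metric 3 table "$TABLE"
}

# Tear down in reverse order (for a post-down hook).
rules_down() {
    run ip route del blackhole default metric 3 table "$TABLE"
    run ip route del default via "$WG_GW" metric 2 table "$TABLE"
    run ip rule del from "$DOCKER_NET" lookup "$TABLE" priority 200
    run ip rule del from "$DOCKER_NET" to "$LAN_NET" lookup main priority 101
    run ip rule del from "$DOCKER_NET" to "$DOCKER_NET" lookup main priority 100
}

case "${1:-}" in
    up)   rules_up ;;
    down) rules_down ;;
esac
```

Run as `DRY_RUN=1 sh wg-policy.sh up` to print the plan, then call it from the wg0 post-up/post-down hooks; `ip rule show` and `ip route show table 200` confirm the result, and the blackhole line must still be present in table 200 after `ip link set wg0 down`.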


