Replies: 2 comments
-
I think this is going to be difficult to do using a container like Wg-easy, as it has both cap_add and sysctls in the docker-compose. This means that the container has special capabilities to access the host that normal containers don't, and in this case means that Wg-easy would be going directly to the host at times when you want it to do everything through Gluetun. What you are trying to do can likely be done, but I think you'll find that most VPN containers need at least a cap_add of NET_ADMIN to function, which will make it very tricky (probably impossible) to do using two containers. I'd recommend doing this at the router level, using an x86 platform (industrial PCs with multiple ethernet ports work well), and running OpenWRT or pfSense as the RouterOS. I'm most familiar with OpenWRT, and with that you'd be able to set up a WireGuard server and a VPN client (running OpenVPN or WireGuard), and have the WireGuard server use the VPN client for its outbound connection. The advantage of this approach, using a relatively powerful router device, is that it keeps the traffic off of your LAN if you have a large number of incoming WireGuard clients.
-
I gave this a shot using a shadowsocks proxy.

compose.yml:

```yaml
services:
  client:
    image: qmcgaw/gluetun:v3.39.0
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.disable_ipv6=0
    environment:
      VPN_SERVICE_PROVIDER: ${WIREGUARD_CLIENT_SERVICE_PROVIDER}
      VPN_TYPE: wireguard
      WIREGUARD_MTU: 1296
      WIREGUARD_PRIVATE_KEY: ${WIREGUARD_CLIENT_PRIVATE_KEY}
      WIREGUARD_ADDRESSES: ${WIREGUARD_CLIENT_ADDRESSES}
      SERVER_COUNTRIES: ${WIREGUARD_CLIENT_COUNTRIES}
      SHADOWSOCKS: "on"
      SHADOWSOCKS_PASSWORD: "${SHADOWSOCKS_PASSWORD:-secret}"
      SHADOWSOCKS_CIPHER: aes-128-gcm
    restart: unless-stopped
  proxy:
    image: ghcr.io/shadowsocks/sslocal-rust:v1.20.4
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    entrypoint:
      - /bin/sh
      - -ec
      - >
        wget -qO- "https://gist.githubusercontent.com/nedix/27f291577b03ced31076b3e093b604d2/raw/e2ea27707ede65c7df044d7596c09609523cf741/local.conf" > /etc/sysctl.d/local.conf;
        setsid sslocal \
          -U \
          --protocol tun \
          --server-addr "client:8388" \
          --encrypt-method "aes-128-gcm" \
          --password "${SHADOWSOCKS_PASSWORD:-secret}" \
          --tun-interface-address "${NETWORK_PREFIX:-10.8.0}.0/32"
    ports:
      - 51821:51821/tcp
      - 51820:51820/udp
    depends_on:
      client:
        condition: service_healthy
    restart: unless-stopped
  server:
    image: ghcr.io/wg-easy/wg-easy:14
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.disable_ipv6=0
    environment:
      WG_HOST: "${HOSTNAME:-host.docker.internal}"
      WG_DEFAULT_ADDRESS: "${NETWORK_PREFIX:-10.8.0}.x"
      WG_MTU: 1296
      WG_POST_UP: >
        ip route add default dev tun0 table 123;
        ip rule add from "${NETWORK_PREFIX:-10.8.0}.0/24" table 123;
    network_mode: service:proxy
    volumes:
      - /config
    restart: unless-stopped
```

/etc/sysctl.d/local.conf:

```
# Source: https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# for high-latency network
# net.ipv4.tcp_congestion_control = hybla
# for low-latency network, use cubic instead
net.ipv4.tcp_congestion_control = cubic
```

Unfortunately the connection is VERY spotty and not useful.
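An added check, not part of the post above: a small Python model of the kernel's policy-routing lookup, run over constructed `ip rule` and `ip route` output shaped like the WG_POST_UP rules in that compose file, to see which source addresses inside the shared proxy/server namespace would actually egress through tun0 and which would bypass it. The 172.18.0.0/16 compose network, the 172.18.0.3 container address and the 10.8.0.1 wg0 address are assumptions.

```python
import ipaddress
# Constructed `ip rule` / `ip route show table <t>` output for the shared proxy/server
# namespace after the WG_POST_UP rules above (172.18.0.0/16 and 10.8.0.1 are assumed).
IP_RULE_OUTPUT = """\
0:      from all lookup local
32765:  from 10.8.0.0/24 lookup 123
32766:  from all lookup main
"""
ROUTE_TABLE_OUTPUT = {
    "local": "",  # host-local delivery only; treated as empty for egress purposes
    "123": "default dev tun0\n",
    "main": "default via 172.18.0.1 dev eth0\n"
            "10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1\n"
            "172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.3\n",
}

def parse_rules(text):
    # `ip rule` lines -> [(priority, source network, table)] sorted by priority
    rules = []
    for prio, *toks in (line.replace(":", " ").split() for line in text.splitlines()):
        src = toks[toks.index("from") + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src, strict=False)
        rules.append((int(prio), net, toks[toks.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r[0])

def parse_routes(text):
    # `ip route` lines -> [(destination network, output device)]
    routes = []
    for toks in (line.split() for line in text.splitlines()):
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        routes.append((ipaddress.ip_network(dst, strict=False), toks[toks.index("dev") + 1]))
    return routes

RULES = parse_rules(IP_RULE_OUTPUT)
TABLES = {name: parse_routes(text) for name, text in ROUTE_TABLE_OUTPUT.items()}
def egress_device(src, dst, rules=RULES, tables=TABLES):
    # Policy-routing lookup: walk rules by priority; the first table with a route for dst
    # decides (longest prefix wins), and a table with no matching route falls through.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, src_net, table in rules:
        if src not in src_net:
            continue
        hits = [r for r in tables.get(table, []) if dst in r[0]]
        if hits:
            return max(hits, key=lambda r: r[0].prefixlen)[1]
    return None

def leaking_sources(sources, dst="1.1.1.1", tunnel="tun0"):
    # Source addresses whose traffic to dst would leave via something other than the tunnel
    return [s for s in sources if egress_device(s, dst) != tunnel]
```

With these rules only packets sourced from 10.8.0.0/24 (the WireGuard clients and wg0 itself) hit table 123; anything the namespace sends from its own eth0 address still follows the main table out of eth0, which is the first thing to verify with `ip rule` and `ip route show table 123` when clients connect but cannot reach the internet.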
-
Hi! I would love some help from the community to get this working...
Has anyone successfully recreated this use case? The idea is to have an unlimited amount of VPN clients using 1 slot of the paid VPN service by routing all of them over Gluetun using another custom VPN server container.
The WG-Easy server detects the client connection (see screenshot), but the client can't browse the internet... So the VPN connection between the CLIENT and WG-Easy server is being established through the GLUETUN container; it's just like it's not resolving DNS or something like that...
Thoughts?
Thanks!