straybits/docker-samples
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

many new containers. work in progress

Browse source
This commit is contained in:
Jeff Clement 2024-11-02 14:09:56 -06:00
parent f0f9f608cc
commit aed48ffdf8
Signed by: jeff
GPG key ID: 3BCB43A3F0E1D7DA
31 changed files with 1042 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
diy-tunnel/public/docker-on-host/README.md Normal file
View file

@ -0,0 +1,3 @@
Copy `wg0.conf` to `/etc/wireguard/wg0.config`
This example is for wireguard running on the private server and forwarding traffic to local services AND docker services.

46
diy-tunnel/public/docker-on-host/wg0.conf Normal file
View file

@ -0,0 +1,46 @@
[Interface]
Address = 10.0.0.2/24 # Private IP for the home server in the VPN network
PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER #####
Table = 123
# Enable IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# loose reverse path forwarding validation
PostUp = sysctl -w net.ipv4.conf.wg0.rp_filter=2
# Mark new connections coming in through wg0
PreUp = iptables -t mangle -A PREROUTING -i wg0 -m state --state NEW -j CONNMARK --set-mark 1
PostDown = iptables -t mangle -D PREROUTING -i wg0 -m state --state NEW -j CONNMARK --set-mark 1
# Mark return packets to go out through WireGuard via policy routing
PreUp = iptables -t mangle -A PREROUTING ! -i wg0 -m connmark --mark 1 -j MARK --set-mark 1
PostDown = iptables -t mangle -D PREROUTING ! -i wg0 -m connmark --mark 1 -j MARK --set-mark 1
# Push marked connections back through wg0
PreUp = ip rule add fwmark 1 table 123 priority 456
PostDown = ip rule del fwmark 1 table 123 priority 456
# Route traffic to public IP to self to avoid it hitting the network
PreUp = iptables -t nat -A OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
PostDown = iptables -t nat -D OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
# ==== Firewall ===============================
# Allow our expected traffic
PreUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
# And pings
PreUp = iptables -A INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
# Block the rest
PreUp = iptables -A INPUT -i wg0 -j DROP
PostDown = iptables -D INPUT -i wg0 -j DROP
[Peer]
PublicKey = #### PUBLIC KEY OF PUBLIC SERVER #####
AllowedIPs = 0.0.0.0/0
Endpoint = 999.999.999.999:51820
PersistentKeepalive = 25