Can't access SMB shares remotely using WireGuard VPN in docker

Your WG server is on the 10 network and your DNS is on 192? (Where are the SMB shares?)

I suspect you need to add an ip route, as the networks/subnets won't see eachother

You either need to setup a macvlan to get your image on your local network, or run it in host mode and look at the port forwarding options.

ip route (if you use it) would need to be set up two ways on your host box/router to get stuff from/to both networks.

Have a look at the macvlan option on my blog post here - it might let you move your wireguard host to macvlan which would be on your own LAN

https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt

So, for the last week I've been using WG on and off LAN with no routing, via a Docker container (in bridge mode) quite happily with no issues.

Playing audio off my SMB server remotely via JetAudio.

Some apps are a bit quick to assume they can't "see" SMB due to lag.

Hi guys, I'm in the same boat as Thomas.

My server at home (10.0.1.0/24) has wireguard (10.13.13.0/24) running as a server in a docker container

This server also is running a dockerized samba share which is perfectly accessible from any windows machine on lan.

However, it is not accessible from a connected wireguard peer, even though the server lan and wg0 addresses are both pingable from the client.

ptruman you mentioned the docker container you run is in bridge mode. Did you mean the wireguard container? Could you maybe elaborate or send me the relevant docker-compose settings?

Kind regards

I run into the same issues.

Either I could use the internal services of my nas or the internet. Not both.

With the following docker-compose.aml I have access to both at the same time. (pls. adjust the PUID and PGID)

---
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    network_mode: bridge
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=100
      - TZ=Europe/Berlin
      - SERVERURL=bla.bla.com #optional
      - SERVERPORT=51820 #optional
      - PEERS=2
      - PEERDNS=auto #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
    volumes:
      - /home/dockerperson/wireguard/data/config:/config
      - /home/dockerperson/wireguard/data/modules:/lib/modules
    ports:
      - 51820:51820/udp
    restart: unless-stopped

I hope this helps.

Here is my Wireguard config. As mentioned, it runs in BRIDGE mode (set via Portainer). I access it via Traefik (i.e. my router forwards the WG port to my host, and Traefik handles it from there). I use a common DNS name internally and externally, BOTH resolve (internally and externally) to my public IP, and my router handles the hairpin.

version: "3"
services:
  wireguard:
    cap_add:
      - AUDIT_WRITE
      - CHOWN
      - DAC_OVERRIDE
      - FOWNER
      - FSETID
      - KILL
      - MKNOD
      - NET_ADMIN
      - NET_BIND_SERVICE
      - NET_RAW
      - SETFCAP
      - SETGID
      - SETPCAP
      - SETUID
      - SYS_CHROOT
      - SYS_MODULE
    cap_drop:
      - AUDIT_CONTROL
      - BLOCK_SUSPEND
      - DAC_READ_SEARCH
      - IPC_LOCK
      - IPC_OWNER
      - LEASE
      - LINUX_IMMUTABLE
      - MAC_ADMIN
      - MAC_OVERRIDE
      - NET_BROADCAST
      - SYSLOG
      - SYS_ADMIN
      - SYS_BOOT
      - SYS_NICE
      - SYS_PACCT
      - SYS_PTRACE
      - SYS_RAWIO
      - SYS_RESOURCE
      - SYS_TIME
      - SYS_TTY_CONFIG
      - WAKE_ALARM
    container_name: wireguard
    dns:
      - 8.8.8.8
    domainname: mysubdomain.mydomain.com
    entrypoint:
      - /init
    environment:
      - TZ=Europe/London
      - PEERS=1
      - PEERDNS=8.8.8.8
      - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      - HOME=/root
      - LANGUAGE=en_US.UTF-8
      - LANG=en_US.UTF-8
      - TERM=xterm
      - DEBIAN_FRONTEND=noninteractive
      - SERVERURL=wireguard.mysubdomain.mydomain.com
    expose:
      - 51820/udp
    hostname: wireguard
    image: linuxserver/wireguard:latest
    ipc: private
    labels:
      build_version: 'Linuxserver.io version:- v1.0.20200513-ls26 Build-date:- 2020-08-07T11:42:16-04:00'
      maintainer: aptalca
      traefik.enable: true
      traefik.udp.routers.wireguard.entrypoints: wireguard
      traefik.udp.routers.wireguard.service: wireguard
      traefik.udp.services.wireguard.loadbalancer.server.port: 51820
    logging:
      driver: json-file
      options: {}
    mac_address: xx:xx:xx:xx:xx:xx
    networks:
      bridge:
        aliases:
    restart: unless-stopped
    volumes:
      - /usr/src:/usr/src
      - /srv/dev-disk-by-label-OMVDataVolume/SFDocker/wireguard/config:/config
      - /lib/modules:/lib/modules
networks:
  bridge:
    external: true

My WireGuard config is:

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = REDACTED
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 10.13.13.2/32

I have set my CLIENT (Android) AllowedIPs to be:

192.168.1.0/24, 10.13.13.0/24, 0.0.0.0/0

And my CLIENT (Android) WireGuard DNS is my LAN DNS IP.

That way Wireguard is (AllowedIP) to see my DNS, the LAN (when DNS resolves internally) and "the internet".

If you remove 0.0.0.0/0 you won't get internet over WG, which is fine if you don't set "Block Connections Without VPN" in Android - i.e. you'll split tunnel.

If you're not clear on Traefik, you might want to read my main guide on OMV/Portainer/Traefik which is here : https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt

And then read my WireGuard add-on which is here: https://site.gothtech.co.uk/ar…encrypt/wireguard-traefik

Hey there! Old topic, i know. Similar problem, tho.

The thing is i'm using wireguard on "three" devices: an Android phone and a laptop with different operating systems.

On the Android device i use Solid Explorer, which has a SMB connection option, and works... well... slow. But it doesn't matter as long as it works.

The laptop is what bugs me. I have a Macbook Pro with MacOS and Windows. And on MacOS everything works flawlessly, but when i boot into Windows, althou i have internet access, everything related to local network can't be reached. The negative response is almost inmediate, which means it's not waiting until the timeout. Also i try to use SSH and SFTP and it instantly gives me a network error with "connection denied" or "permission denied" response, again, no waiting for timeouts.

scusa PTruman, ma nella tua guida manca configurazione app windows che è molto difficile, puoi aiutare?