Hello!
For the last week I tried to make my traefik services accessible over a VPN (Wireguard), but couldn't make it work. Hopefully someone here can help me, since I have no experience setting up a reverse proxy like traefik.
Current status on what is working right now:
Access to services via domain name (e.g. pihole.subdomain.domain.duckdns.org) from my local network
Using pihole in my local network
Connection to my home network through Wireguard (successful handshake); access to e.g. 10.0.0.1:9000 is possible (e.g. Portainer running on host)
Connecting to traefik services (e.g. pihole.subdomain.domain.duckdns.org) through Wireguard
Accessing the internet through Wireguard (when using pihole as my DNS)
Setup:
Everything lives in docker. Traefik is exposed as part of the host, allowing access back to the services - based on DNS entries of the pihole container.
docker-compose.yml:
version: '3'
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
      - TZ=Europe/Vienna
      - WEBPASSWORD=${PIHOLE_PASSWORD}
      - DNS1=${DNS_IP}
      - DNS2=${DNS_IP}
    volumes:
      - ./volumes/pihole/etc-pihole/:/etc/pihole/
      - ./volumes/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/
    dns:
      - ${DNS_IP}
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      iotstack_nw:
    hostname: pihole
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.mw_piholeadmin.addprefix.prefix=/admin"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.middlewares=blockexternal@file,mw_piholeadmin"
      - "traefik.http.routers.pihole.rule=Host(`pihole.subdomain.domain.duckdns.org`)"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.routers.pihole.tls.certresolver=duckdns"
      - "traefik.http.routers.pihole.tls.domains[0].main=subdomain.domain.duckdns.org"
      - "traefik.http.routers.pihole.tls.domains[0].sans=*.subdomain.domain.duckdns.org"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      # Normal DNS coming in on 53 TCP, no TLS. A plain TCP connection carries no SNI,
      # so a TCP router on a non-TLS entrypoint has to use HostSNI(`*`) to match at all.
      - "traefik.tcp.routers.dns.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.dns.entrypoints=dns"
      - "traefik.tcp.routers.dns.service=pihole"
      # Receives traffic from both the TLS and non-TLS traefik routers
      - "traefik.tcp.services.pihole.loadbalancer.server.port=53"
      # Normal DNS coming in on 53 UDP
      - "traefik.udp.routers.udpdns.entrypoints=udpdns"
      - "traefik.udp.routers.udpdns.service=pihole"
      - "traefik.udp.services.pihole.loadbalancer.server.port=53"
  wireguard:
    container_name: wireguard
    image: linuxserver/wireguard
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Vienna
      - SERVERURL=wg.subdomain.domain.duckdns.org
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=${PIHOLE_IP}
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./volumes/wireguard/config:/config
      - /lib/modules:/lib/modules
    hostname: wireguard
    domainname: subdomain.domain.duckdns.org
    networks:
      - iotstack_nw
    dns:
      - ${PIHOLE_IP}
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - "traefik.enable=true"
      - "traefik.udp.routers.wireguard.entrypoints=wireguard"
      - "traefik.udp.routers.wireguard.service=wireguard"
      - "traefik.udp.services.wireguard.loadbalancer.server.port=51820"
  traefik:
    container_name: traefik
    image: traefik:v2.2.7
    restart: unless-stopped
    volumes:
      - ./volumes/traefik/acme.json:/acme.json
      - ./volumes/traefik/dynamic:/dynamic
      - ./volumes/traefik/traefik.toml:/traefik.toml
      - /var/log/traefik:/var/log/traefik
      - /var/run/docker.sock:/var/run/docker.sock
    hostname: traefik
    networks:
      - iotstack_nw
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 53
        published: 53
        protocol: tcp
        mode: host
      - target: 53
        published: 53
        protocol: udp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080 #
        published: 8080 #
        protocol: tcp #
        mode: host #
      - target: 51820
        published: 51820
        protocol: udp
        mode: host
    environment:
      - TZ=Europe/Vienna
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
      - DUCKDNS_TTL=120
      - DUCKDNS_POLLING_INTERVAL=30
      - DUCKDNS_PROPAGATION_TIMEOUT=500
networks:
  iotstack_nw:
    name: iotstack_nw
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
traefik.toml:
[entryPoints]
  [entryPoints.wireguard]
    address = ":51820/udp"
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
  [entryPoints.dns]
    address = ":53"
  [entryPoints.udpdns]
    address = ":53/udp"
  [entryPoints.web.http.redirections.entryPoint]
    to = "websecure"
    scheme = "https"

[certificatesResolvers.duckdns.acme]
  email = [REDACTED]
  storage = "acme.json"
  # The next line is active, so certificates are issued by the Let's Encrypt
  # staging CA, which browsers do not trust; comment it out for the production CA.
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.duckdns.acme.dnsChallenge]
    provider = "duckdns"
    delayBeforeCheck = 30

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  defaultRule = "Host(`{{ normalize .Name }}`)"
  exposedByDefault = false
  network = "iotstack_nw"
wg0.conf:
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# peer1
PublicKey = [REDACTED]
AllowedIPs = 10.0.0.0/24, 10.13.13.2/32
I also applied these settings from the pihole docs.
I am very thankful for any help!
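One way to check the two links in this chain from a VPN client, as an added example (Python, standard library only) that is not part of the original post: it sends a DNS query straight to the Pi-hole instead of trusting the client's stub resolver, and it parses a TLS ClientHello the same way a Traefik HostSNI() rule has to, which shows that a plain DNS query on TCP/53 carries no SNI at all (so a TCP router on a non-TLS entrypoint can only match with HostSNI(`*`)). PIHOLE_IP, the fixed transaction id and the addresses in the sample data are assumptions for illustration.

```python
"""Offline-testable helpers for debugging the Traefik-over-WireGuard chain.

Added example, not part of the original post.
  resolve_via()  asks the Pi-hole directly: a timeout means the DNS path over
                 the tunnel is broken before Traefik is even involved.
  extract_sni()  returns the name a HostSNI() rule can see; for anything that
                 is not a TLS ClientHello (e.g. DNS on TCP/53) that is None.
PIHOLE_IP and all sample addresses are assumptions for illustration.
"""
import socket
import struct

PIHOLE_IP = "10.13.13.1"  # assumed: the WireGuard container's tunnel address
SERVICE = "pihole.subdomain.domain.duckdns.org"  # service name from the post
TXID = 0x1234  # fixed transaction id so responses can be matched offline


def build_dns_query(name: str, txid: int = TXID) -> bytes:
    """Minimal DNS A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past the (possibly compressed) domain name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes, txid: int = TXID) -> list:
    """IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(server_ip: str, name: str, timeout: float = 3.0) -> list:
    """Send the query to `server_ip`:53/udp directly, bypassing the OS resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name), (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_answers(resp)


def extract_sni(payload: bytes):
    """server_name from a TLS ClientHello, or None if `payload` is not one."""
    # record type 0x16 = handshake; byte 5 is the handshake type, 0x01 = ClientHello
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    off = 43  # record hdr (5) + handshake hdr (4) + version (2) + random (32)
    off += 1 + payload[off]                                  # session id
    off += 2 + struct.unpack("!H", payload[off:off + 2])[0]  # cipher suites
    off += 1 + payload[off]                                  # compression methods
    if off + 2 > len(payload):
        return None  # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", payload[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if etype == 0:  # server_name: list len (2), name type (1), name len (2), name
            name_len = struct.unpack("!H", payload[off + 3:off + 5])[0]
            return payload[off + 5:off + 5 + name_len].decode()
        off += elen
    return None


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    host = sni.encode()
    sni_ext = (struct.pack("!HH", 0, len(host) + 5)
               + struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    body = (b"\x03\x03" + b"\x00" * 32             # version, random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(SERVICE, "->", resolve_via(PIHOLE_IP, SERVICE))
```

Run it from a peer with the tunnel up. If resolve_via() times out, the client's queries are not reaching the Pi-hole through the tunnel and Traefik is not yet the problem; if it answers with the address Traefik listens on, name resolution is fine and the next things to check are the router rules and what the blockexternal@file middleware accepts as a source address for VPN clients.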