I've been using Traefik as my internal network proxy for almost half a year. My setup has been using the Wirehole stack, basically Unbound, Pi-Hole, and Wireguard in one docker-compose file: I access the server via Wireguard, use Pi-Hole for internal DNS, and Traefik as the reverse proxy. This has run fine without a hitch.
Then I experimented with moving Wireguard to my host directly. With Wireguard moved, I could still access the Docker stack, reaching my internal network over the IP. However, Traefik refused all connections made from the Wireguard client. It's not even pingable.
I thought there might be a routing problem, but the fact that I could ping the Wireguard client from Traefik, and that I could access another container on the same Docker network, ruled it out.
I have been scratching my head over where in the Traefik config I made a mistake. Maybe someone could point it out.
As noted, this problem doesn't persist if I access my server through Wireguard on the Docker stack, which is on the same network as Traefik.
Here's my Docker Compose:
version: '3.7'
services:
  traefik:
    container_name: traefik-internal
    image: traefik:2.8
    depends_on:
      - socket-proxy
    environment:
      PGID: "1000"
      PUID: "1000"
      ## Cloudflare Auth for Cert DNS Challenge
      CLOUDFLARE_EMAIL: "em@iladdre.ss"
      CLOUDFLARE_DNS_API_TOKEN: "very_secret_token"
    restart: unless-stopped
    volumes:
      - "./traefik.yml:/traefik.yml:ro"
      - "./traefik_rules:/rules"
      - "./traefik_certs:/certs"
      - "./traefik_logs:/logs"
    networks:
      wirehole_internal:
        ipv4_address: 10.10.0.240
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`dash.internal.domain`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.api.insecure=true"
My traefik.yml file:
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "internal.domain"
            sans:
              - "*.internal.domain"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"    # localhost
        - "10.0.0.0/8"      # swarm mode ip range
        - "192.168.0.0/16"  # stand-alone after 172.16.0.0/12 is exhausted
        - "172.16.0.0/12"   # stand-alone
        - "10.13.0.0/24"    # WireGuard ip-range
providers:
  docker:
    endpoint: "tcp://socket-proxy:2375"
    exposedByDefault: false
    network: wirehole_internal
  file:
    directory: /rules
    watch: true
api:
  dashboard: true
certificatesResolvers:
  letsencrypt:
    acme:
      dnsChallenge:
        provider: cloudflare
      email: "em@iladdre.ss"
      storage: "/certs/acme.json"
log:
  level: INFO
accessLog:
  filePath: "/logs/access.log"
  filters:
    # statusCodes:
    #   - "400-510"
    #   - "300-302"
    retryAttempts: true
    # minDuration: "10ms"
My whitelist.yml:
http:
  middlewares:
    internal-network-whitelist:
      ipWhiteList:
        sourceRange:
          ## Wireguard and DockerNetwork Subnet
          - "10.10.0.0/24"
          - "10.20.0.0/16"
          - "10.13.0.0/24"
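As an added check, not part of the post above, this script evaluates the posted ipWhiteList sourceRange and forwardedHeaders.trustedIPs against a few constructed peer addresses, showing which source addresses the middleware admits with its default remoteAddr strategy and which peers merely have their X-Forwarded-* headers trusted. The WireGuard client address and the Docker bridge gateway 172.18.0.1 are assumptions, not values from the post.

```python
import ipaddress

# CIDR lists copied from the whitelist.yml and traefik.yml posted above.
WHITELIST_SOURCE_RANGE = ["10.10.0.0/24", "10.20.0.0/16", "10.13.0.0/24"]
FORWARDED_HEADERS_TRUSTED_IPS = [
    "127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.13.0.0/24",
]


def _in_any(ip: str, cidrs: list[str]) -> bool:
    """True if ip falls inside at least one of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def whitelist_allows(remote_addr: str) -> bool:
    """ipWhiteList with the default ipStrategy (remoteAddr): only the TCP peer
    address is compared against sourceRange, never a forwarded header."""
    return _in_any(remote_addr, WHITELIST_SOURCE_RANGE)


def forwarded_headers_trusted(remote_addr: str) -> bool:
    """forwardedHeaders.trustedIPs is a separate list: it only decides whether
    X-Forwarded-* headers sent by this peer are kept, not whether it is allowed."""
    return _in_any(remote_addr, FORWARDED_HEADERS_TRUSTED_IPS)


def audit(peers: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Map each labelled peer to (allowed_by_whitelist, headers_trusted)."""
    return {label: (whitelist_allows(ip), forwarded_headers_trusted(ip))
            for label, ip in peers.items()}


# Constructed sample peers: Traefik's own address comes from the compose file;
# the WireGuard client and the Docker bridge gateway are assumed values.
SAMPLE_PEERS = {
    "traefik (wirehole_internal)": "10.10.0.240",
    "wireguard client (assumed)": "10.13.0.2",
    "docker bridge gateway (assumed)": "172.18.0.1",
}

if __name__ == "__main__":
    for label, (allowed, trusted) in audit(SAMPLE_PEERS).items():
        print(f"{label:34} allowed={allowed!s:5} headers_trusted={trusted}")
```

A peer that arrives from an address outside sourceRange (the bridge gateway here) is rejected even though its forwarded headers would be trusted, so the two lists need to be checked separately against the addresses the proxy actually sees.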