Docker client and server on host #44

Closed
dmcgrath19 opened this issue Aug 2, 2024 · 6 comments

Comments

@dmcgrath19

I've been trying to set up wiretap and have been having some difficulty. I am trying to make the main client a docker image and the server a separate docker image that both run on the host. However, I seem to be receiving this error:

./wiretap status 2024/07/31 14:19:23 failed to fetch node's configuration as peer: Get "http://::2:80/serverinfo?": dial tcp [::2]:80: i/o timeout

Should I be binding something to run within my docker server on this port in order to make it work?

Currently, I have bound ports 51820 & 51821 for the docker client and bound port 8080 for the server. I download the binaries for the shells and run them in the build.

For background, here are some of the outputs I am getting when retracing my steps:

Client:
./wiretap configure --endpoint *.17.0.0:51820 --routes *.17.0.0/16,fd:2::/64

output:

config: wiretap_relay.conf
────────────────────────────────
[Interface]
PrivateKey = *
Address = *.16.0.1/32
Address = fd:16::1/128
ListenPort = 51820

[Peer]
PublicKey = *
AllowedIPs = *.17.0.0/24,fd:17::/48
────────────────────────────────

config: wiretap.conf
────────────────────────────────
[Interface]
PrivateKey = *
Address = *.19.0.1/32
Address = fd:19::1/128
ListenPort = 51821
MTU = 1340

[Peer]
PublicKey = *
AllowedIPs = *.17.0.0/16,::2/128
Endpoint = *.17.0.2:51821
────────────────────────────────

and then, after running serve on the server side, the wg show output is:

interface: wiretap_relay
  public key: *
  private key: (hidden)
  listening port: 51820

peer: *
  endpoint: *.17.0.1:36312
  allowed ips: *.17.0.0/24, fd:17::/48
  transfer: 1.16 KiB received, 736 B sent

interface: wiretap
  public key: *
  private key: (hidden)
  listening port: 51821

peer: *
  endpoint: *.17.0.2:51821
  allowed ips: *.17.0.0/16, ::2/128
  transfer: 0 B received, 3.18 KiB sent

If you have any advice on this I would super appreciate it.

@Aptimex
Collaborator

Aptimex commented Aug 2, 2024

The provided output doesn't seem to match what you put in your configure command. Please retry with the latest release (we just pushed a new one today) and share a matching command and output. Please also include the contents of the wiretap_server.conf file. Also, since you're doing this in local Docker containers, you only need to redact the PrivateKey values in the output, nothing else should be sensitive. In fact, most of the info you redacted is really important for diagnosing this error.

That error means there's a networking issue between the wiretap client and host, which can be caused by just about anything. I would start by testing that the server container can properly communicate with the client container on 51820, such as by running nc -lvnp 51820 in the client and curl -v <client_container_IP>:51820 from the server container (before any wiretap commands are run in either container). If the client container doesn't see any connection made and/or the curl command fails, then your issue is with your docker networking setup, not wiretap.

The only thing you should need to worry about exposing/binding in this setup is the 51820 port on the client container in such a way that the server container can talk to it.

@dmcgrath19
Author

Thanks for getting back to me. I super appreciate it!

I updated the files to the new release (v0.4.4) and removed the extra ports (so the client is only running on 51820). Additionally, when I set up the docker image for the client, I allow UDP connections on the port. Good point; once it is running I can re-up them, which will change the keys, so I will include all of the info here to help with debugging.

When I ran the command, this was the output of the conf files:


root@c6037e2b02b9:/app# ./wiretap configure --endpoint 172.17.0.1:51820 --routes 172.17.0.0/16

Configurations successfully generated.
Import the config(s) into WireGuard locally and pass the arguments below to Wiretap on the remote machine.

config: wiretap_relay.conf
────────────────────────────────
[Interface]
PrivateKey = GLTjjl5lMRbFUNT96/WyKDweE20W+IU+a3YvYhkGXEY=
Address = 172.16.0.1/32
Address = fd:16::1/128
ListenPort = 51820

[Peer]
PublicKey = WRZ4rHe2pCxqyZjzwDVIrWpcBky9Qf/jJmggtIIIt0Y=
AllowedIPs = 172.17.0.0/24,fd:17::/48
────────────────────────────────

config: wiretap.conf
────────────────────────────────
[Interface]
PrivateKey = MNaA1TiC+VQuE363zUc1zCNZWaVBtFv0maSPIZG5QWY=
Address = 172.19.0.1/32
Address = fd:19::1/128
ListenPort = 51821
MTU = 1340

[Peer]
PublicKey = UEeZYhPSCdq+pARGjPJMKNSPFbBFAJCcm8rPW/v3NWA=
AllowedIPs = 172.17.0.0/16,::2/128
Endpoint = 172.17.0.2:51821
────────────────────────────────

server config: wiretap_server.conf

server command:
POSIX Shell:  WIRETAP_RELAY_INTERFACE_PRIVATEKEY=GPuUez07qSQyyhMQWHFX5hIPVAVfjDYeWzT1tL0vz2I= WIRETAP_RELAY_INTERFACE_PORT=51820 WIRETAP_RELAY_PEER_PUBLICKEY=cOr4enMEVZquqFm1BiemvSH/QfWp+xVK+EUjA+yZIBA= WIRETAP_RELAY_PEER_ENDPOINT=172.17.0.1:51820 WIRETAP_E2EE_INTERFACE_PRIVATEKEY=WJkr8PqLR/oD6gDvL3ctKnRWgx+9jBKCdKBJzUFLDVc= WIRETAP_E2EE_PEER_PUBLICKEY=38qtURoaKefUw/DjnjlXt++zcj03WjV061wN1ikbCxI= WIRETAP_E2EE_PEER_ENDPOINT=172.16.0.1:51821 ./wiretap serve
 PowerShell:  $env:WIRETAP_RELAY_INTERFACE_PRIVATEKEY="GPuUez07qSQyyhMQWHFX5hIPVAVfjDYeWzT1tL0vz2I="; $env:WIRETAP_RELAY_INTERFACE_PORT="51820"; $env:WIRETAP_RELAY_PEER_PUBLICKEY="cOr4enMEVZquqFm1BiemvSH/QfWp+xVK+EUjA+yZIBA="; $env:WIRETAP_RELAY_PEER_ENDPOINT="172.17.0.1:51820"; $env:WIRETAP_E2EE_INTERFACE_PRIVATEKEY="WJkr8PqLR/oD6gDvL3ctKnRWgx+9jBKCdKBJzUFLDVc="; $env:WIRETAP_E2EE_PEER_PUBLICKEY="38qtURoaKefUw/DjnjlXt++zcj03WjV061wN1ikbCxI="; $env:WIRETAP_E2EE_PEER_ENDPOINT="172.16.0.1:51821"; .\wiretap.exe serve
Config File:  ./wiretap serve -f wiretap_server.conf

After running ./wiretap serve on the server, I got this:

Relay configuration:
────────────────────────────────
[Peer]
PublicKey = WRZ4rHe2pCxqyZjzwDVIrWpcBky9Qf/jJmggtIIIt0Y=
AllowedIPs = 0.0.0.0/32
────────────────────────────────

E2EE configuration:
────────────────────────────────
[Peer]
PublicKey = UEeZYhPSCdq+pARGjPJMKNSPFbBFAJCcm8rPW/v3NWA=
AllowedIPs = 0.0.0.0/32
────────────────────────────────

private_key=18fb947b3d3ba92432ca1310587157e6120f54055f8c361e5b34f5b4bd2fcf62
listen_port=51820
public_key=70eaf87a7304559aaea859b50627a6bd21ff41f5a9fb154af8452303ec992010
endpoint=172.17.0.1:51820
allowed_ip=172.16.0.1/32
allowed_ip=fd:16::1/128
persistent_keepalive_interval=25

private_key=58992bf0fa8b47fa03ea00ef2f772d2a7456831fbd8c128274a049cd414b0d57
listen_port=51821
public_key=dfcaad511a1a29e7d4c3f0e39e3957b7efb3723d375a3574eb5c0dd6291b0b12
endpoint=172.16.0.1:51821
allowed_ip=172.19.0.1/32
allowed_ip=fd:19::1/128
persistent_keepalive_interval=25

WIRETAP: 2024/08/07 10:25:18 API: API listener up

Now, when I went back to the client for the wg show command:

interface: wiretap
  public key: 38qtURoaKefUw/DjnjlXt++zcj03WjV061wN1ikbCxI=
  private key: (hidden)
  listening port: 51821

peer: UEeZYhPSCdq+pARGjPJMKNSPFbBFAJCcm8rPW/v3NWA=
  endpoint: 172.17.0.2:51821
  allowed ips: 172.17.0.0/16, ::2/128
  transfer: 0 B received, 2.89 KiB sent

interface: wiretap_relay
  public key: cOr4enMEVZquqFm1BiemvSH/QfWp+xVK+EUjA+yZIBA=
  private key: (hidden)
  listening port: 51820

peer: WRZ4rHe2pCxqyZjzwDVIrWpcBky9Qf/jJmggtIIIt0Y=
  endpoint: 172.17.0.1:47235
  allowed ips: 172.17.0.0/24, fd:17::/48
  transfer: 6.65 KiB received, 4.13 KiB sent

and ./wiretap status produced this:

root@c6037e2b02b9:/app# ./wiretap status
2024/08/07 10:29:23 failed to fetch node's configuration as peer: Get "http://::2:80/serverinfo?": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

╭────────────────────────╮ 
│ Wiretap Network Status │ 
╰────────────┬───────────╯ 
             │             
  ╭──────────┴──────────╮  
  │client               │  
  │                     │  
  │  relay: cOr4enME... │  
  │   e2ee: 38qtURoa... │  
  │                     │  
  ╰─────────────────────╯  

Hopefully this helps. Again, super appreciate your insight here.

@Aptimex
Collaborator

Aptimex commented Aug 7, 2024

Wiretap uses the 172.16/16, 172.17/16, 172.18/16, and 172.19/16 subnets internally. Trying to use any IPs from those ranges within your --routes probably won't work. Try re-configuring your docker environment to use a different subnet so your routes won't overlap with any of those.
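A pre-flight check for the overlap problem described above, as an added example that is not Wiretap's own code. The reserved IPv4 /16s are the four named in the comment; the IPv6 prefixes are an assumption inferred from the generated configs earlier in this thread (fd:16::, fd:17::, fd:19::) and are treated here as /48s. Docker's default bridge network is 172.17.0.0/16, which is why the first attempt in this thread collided.

```python
"""Check a planned Wiretap --endpoint and --routes against the subnets Wiretap reserves.

Added example, not Wiretap's own code. IPv4 ranges are the ones the comment
above names; the IPv6 /48s are an assumption based on the configs in this thread.
"""
import ipaddress

RESERVED = [ipaddress.ip_network(n) for n in (
    "172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16",
    "fd:16::/48", "fd:17::/48", "fd:19::/48",   # assumption, see docstring
)]


def _overlapping(net: ipaddress._BaseNetwork) -> list:
    """Reserved networks of the same IP version that share addresses with `net`."""
    return [r for r in RESERVED if r.version == net.version and net.overlaps(r)]


def _containing(ip: ipaddress._BaseAddress) -> list:
    """Reserved networks that contain the single address `ip`."""
    return [r for r in RESERVED if r.version == ip.version and ip in r]


def split_endpoint(endpoint: str) -> tuple:
    """'1.2.3.4:51820' or '[fd00::2]:51820' -> (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def check_plan(endpoint: str, routes, docker_subnet: str = None) -> list:
    """Return a list of problem strings; an empty list means the plan is clean.

    Checks that no --routes entry overlaps a reserved subnet, that the client
    endpoint is not inside one, and (optionally) that the Docker network the two
    containers share is not either, since the relay tunnel itself crosses it.
    """
    problems = []
    ep_ip, _ = split_endpoint(endpoint)
    for r in _containing(ep_ip):
        problems.append(f"endpoint {ep_ip} lies inside reserved {r}")
    for route in routes:
        net = ipaddress.ip_network(route, strict=False)
        for r in _overlapping(net):
            problems.append(f"route {net} overlaps reserved {r}")
    if docker_subnet:
        dnet = ipaddress.ip_network(docker_subnet, strict=False)
        for r in _overlapping(dnet):
            problems.append(f"docker subnet {dnet} overlaps reserved {r}")
    return problems


if __name__ == "__main__":
    # The first configure attempt in this thread, on Docker's default bridge.
    for p in check_plan("172.17.0.1:51820", ["172.17.0.0/16"], "172.17.0.0/16"):
        print("-", p)
    # The later attempt on a custom 172.33.100.0/24 network with routes to 172.20.0.0/16.
    print(check_plan("172.33.100.2:51820", ["172.20.0.0/16"], "172.33.100.0/24"))
```

The fix on the Docker side is to put both containers on a user-defined network whose subnet passes this check, e.g. `docker network create --subnet 172.33.100.0/24 <name>` and then `--network <name>` on both `docker run` commands.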

@dmcgrath19
Author

Thanks, I have tried re-routing the docker network to run instead on a /24:

"Subnet": "172.33.100.0/24",
 "Gateway": "172.33.100.1"

The server now runs on "IPv4Address": "172.33.100.3/24", and the client on "IPv4Address": "172.33.100.2/24"

I ran this configure command ./wiretap configure --endpoint 172.33.100.3:51820 --routes 172.20.0.0/16 to try to use what was not on any of the given ports or subnets.


Configurations successfully generated.
Import the config(s) into WireGuard locally and pass the arguments below to Wiretap on the remote machine.

config: wiretap_relay.conf
────────────────────────────────
[Interface]
PrivateKey = oLiX5gOkrxxs0OllMFtX9Hpa4mH3YsNFJbR2OZwHQ0g=
Address = 172.16.0.1/32
Address = fd:16::1/128
ListenPort = 51820

[Peer]
PublicKey = mzE65Oy+8+u6LXynGEoQre7jpi6L1l2Whj5Z4MNdMTw=
AllowedIPs = 172.17.0.0/24,fd:17::/48
────────────────────────────────

config: wiretap.conf
────────────────────────────────
[Interface]
PrivateKey = eAPuF/zlBT9uARCuYycM5Y8ihXv4tq2u7Q6uWWNCPl0=
Address = 172.19.0.1/32
Address = fd:19::1/128
ListenPort = 51821
MTU = 1340

[Peer]
PublicKey = YbhkN3LG8f80OIFdSshzB7JX4eVacP6EB21s5RGQUV8=
AllowedIPs = 172.20.0.0/16,::2/128
Endpoint = 172.17.0.2:51821
────────────────────────────────

server config: wiretap_server.conf

server command:
POSIX Shell:  WIRETAP_RELAY_INTERFACE_PRIVATEKEY=8O7tdc0rvmtg6hZuGoAMqxnxuHWfjvWVYwNhKMr+dkY= WIRETAP_RELAY_INTERFACE_PORT=51820 WIRETAP_RELAY_PEER_PUBLICKEY=x7Yctkan4PU2x9wks/Ko058/113Uw/9i1VQX4alDll4= WIRETAP_RELAY_PEER_ENDPOINT=172.33.100.3:51820 WIRETAP_E2EE_INTERFACE_PRIVATEKEY=UAHcyJaYinS/Ow3b+rPFB+X6luqzzA1sqzEnhqMEEk0= WIRETAP_E2EE_PEER_PUBLICKEY=mOvlrJPLqriAVk1HJUNK9wFUt1nw5t4VHePP9k6/5g4= WIRETAP_E2EE_PEER_ENDPOINT=172.16.0.1:51821 ./wiretap serve
 PowerShell:  $env:WIRETAP_RELAY_INTERFACE_PRIVATEKEY="8O7tdc0rvmtg6hZuGoAMqxnxuHWfjvWVYwNhKMr+dkY="; $env:WIRETAP_RELAY_INTERFACE_PORT="51820"; $env:WIRETAP_RELAY_PEER_PUBLICKEY="x7Yctkan4PU2x9wks/Ko058/113Uw/9i1VQX4alDll4="; $env:WIRETAP_RELAY_PEER_ENDPOINT="172.33.100.3:51820"; $env:WIRETAP_E2EE_INTERFACE_PRIVATEKEY="UAHcyJaYinS/Ow3b+rPFB+X6luqzzA1sqzEnhqMEEk0="; $env:WIRETAP_E2EE_PEER_PUBLICKEY="mOvlrJPLqriAVk1HJUNK9wFUt1nw5t4VHePP9k6/5g4="; $env:WIRETAP_E2EE_PEER_ENDPOINT="172.16.0.1:51821"; .\wiretap.exe serve
Config File:  ./wiretap serve -f wiretap_server.conf

and these were the outputs of wg show and ./wiretap status:

root@ec6e2ded190d:/app# wg show
interface: wiretap
  public key: mOvlrJPLqriAVk1HJUNK9wFUt1nw5t4VHePP9k6/5g4=
  private key: (hidden)
  listening port: 51821

peer: YbhkN3LG8f80OIFdSshzB7JX4eVacP6EB21s5RGQUV8=
  endpoint: 172.17.0.2:51821
  allowed ips: 172.20.0.0/16, ::2/128

interface: wiretap_relay
  public key: x7Yctkan4PU2x9wks/Ko058/113Uw/9i1VQX4alDll4=
  private key: (hidden)
  listening port: 51820

peer: mzE65Oy+8+u6LXynGEoQre7jpi6L1l2Whj5Z4MNdMTw=
  allowed ips: 172.17.0.0/24, fd:17::/48
root@ec6e2ded190d:/app# ./wiretap status
2024/08/08 21:36:17 failed to fetch node's configuration as peer: Get "http://::2:80/serverinfo?": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

╭────────────────────────╮ 
│ Wiretap Network Status │ 
╰────────────┬───────────╯ 
             │             
  ╭──────────┴──────────╮  
  │client               │  
  │                     │  
  │  relay: x7Yctkan... │  
  │   e2ee: mOvlrJPL... │  
  │                     │  
  ╰─────────────────────╯  

Should I have configured it a different way? Or do you think that this is a problem with docker somehow?

From the server side I have also tried ping 172.33.100.3 (the client port) and it was successful, so I think I am still having a problem somewhere with the routes.

@Aptimex
Collaborator

Aptimex commented Aug 13, 2024

Looks like the initial wireguard handshake still isn't completing. When that handshake succeeds you should see a line like "Last Handshake: X seconds ago" under the interface: wiretap_relay heading in the output of wg show.

--endpoint should specify the IP of the client. By default the server will try to initiate the connection back to the client, and this argument tells the server where the client is listening. It looks like you specified the IP of the server in your command here. You should use --endpoint 172.33.100.2:51820 instead.
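A script that applies both checks from the comment above to `wg show` output, as an added example that is not Wiretap's own code. `wg show` prints a "latest handshake:" line under a peer only once a handshake has completed, so the parser looks for that line under each interface's peer. The first sample is the `wg show` output posted earlier in this thread; the second is a constructed variant showing what the same interfaces look like after both tunnels handshake. The endpoint check encodes the rule that `--endpoint` must be the client's address, not the server's.

```python
"""Parse `wg show` output and report handshake state per Wiretap interface.

Added example, not Wiretap's own code. The first sample is copied from this
thread; WG_SHOW_OK is constructed from it by adding handshake lines.
"""

WG_SHOW_NO_HANDSHAKE = """\
interface: wiretap
  public key: mOvlrJPLqriAVk1HJUNK9wFUt1nw5t4VHePP9k6/5g4=
  private key: (hidden)
  listening port: 51821

peer: YbhkN3LG8f80OIFdSshzB7JX4eVacP6EB21s5RGQUV8=
  endpoint: 172.17.0.2:51821
  allowed ips: 172.20.0.0/16, ::2/128

interface: wiretap_relay
  public key: x7Yctkan4PU2x9wks/Ko058/113Uw/9i1VQX4alDll4=
  private key: (hidden)
  listening port: 51820

peer: mzE65Oy+8+u6LXynGEoQre7jpi6L1l2Whj5Z4MNdMTw=
  allowed ips: 172.17.0.0/24, fd:17::/48
"""

# Constructed: the same output after both tunnels have handshaked.
WG_SHOW_OK = (WG_SHOW_NO_HANDSHAKE
              .replace("allowed ips: 172.20.0.0/16, ::2/128\n",
                       "allowed ips: 172.20.0.0/16, ::2/128\n  latest handshake: 9 seconds ago\n")
              .replace("allowed ips: 172.17.0.0/24, fd:17::/48\n",
                       "allowed ips: 172.17.0.0/24, fd:17::/48\n  latest handshake: 12 seconds ago\n"))


def parse_wg_show(text: str) -> dict:
    """-> {iface: {field: value, ..., "peers": [{field: value, ...}, ...]}}

    Every non-blank line is "key: value"; "interface:" and "peer:" lines open a
    new block, and the indented lines that follow belong to the most recent block.
    """
    ifaces, iface, current = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only: endpoints contain ':'
        key, value = key.strip(), value.strip()
        if key == "interface":
            iface = current = ifaces.setdefault(value, {"peers": []})
        elif key == "peer":
            if iface is None:
                continue
            current = {"public key": value}
            iface["peers"].append(current)
        elif current is not None:
            current[key] = value
    return ifaces


def handshake_status(text: str) -> dict:
    """{iface: True if any of its peers shows a 'latest handshake' line}."""
    return {name: any("latest handshake" in peer for peer in data["peers"])
            for name, data in parse_wg_show(text).items()}


def check_endpoint(endpoint: str, client_ip: str, server_ip: str):
    """--endpoint must name the client, which the server connects back to.

    Returns None when it does, otherwise a message describing the mistake.
    """
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if host == server_ip:
        return f"--endpoint {endpoint} is the server's own address; use {client_ip} instead"
    if host != client_ip:
        return f"--endpoint host {host} is neither the client ({client_ip}) nor the server"
    return None


def diagnose(wg_show_text: str, endpoint: str, client_ip: str, server_ip: str) -> list:
    """Combine both checks into a list of findings; empty means nothing obviously wrong."""
    findings = []
    status = handshake_status(wg_show_text)
    if not status.get("wiretap_relay", False):
        findings.append("no handshake on wiretap_relay: the server has not reached the client")
    elif not status.get("wiretap", False):
        findings.append("wiretap_relay has handshaked but the wiretap (E2EE) interface has not")
    problem = check_endpoint(endpoint, client_ip, server_ip)
    if problem:
        findings.append(problem)
    return findings


if __name__ == "__main__":
    # The third attempt in this thread: endpoint pointed at the server, 172.33.100.3.
    for finding in diagnose(WG_SHOW_NO_HANDSHAKE, "172.33.100.3:51820", "172.33.100.2", "172.33.100.3"):
        print("-", finding)
    print(diagnose(WG_SHOW_OK, "172.33.100.2:51820", "172.33.100.2", "172.33.100.3"))
```

Run it against the client's `wg show` output with the endpoint you passed to `configure`; the relay interface is checked first because the E2EE tunnel's endpoint (172.17.0.2:51821 in the configs above) is only reachable once the relay tunnel is up.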

@dmcgrath19
Author

Oh good catch on the endpoint! I totally missed that. This solved the issue and it is handshaking and the ./wiretap status shows that it is working as expected now. Thanks so much for your help with this!
