selfhosted · Selfhosted · by bruchsturm

Is it normal that a wireguard docker container provides "low" network speed for connecting containers?

I'm using a wireguard docker container to provide a VPN connection to a qbittorrent container. When I compare it to wireguard on Linux and the qbittorrent application, the same torrent is way slower. My server gets 2Mbit/s and my computer 15Mbit/s. The 15Mbit/s is where my internet connection caps; while downloading that fast I can't watch YT videos. They are both in the same network, using the same VPN provider and the same endpoint.

For qbittorrent docker-compose I use network_mode: service:wireguard


It depends how wireguard is implemented.

The container may be running wireguard in userspace, instead of the OS’s kernel implementation.

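One way to check the kernel-versus-userspace question raised in the comment above, as an added example that is not part of the thread or of the linuxserver image: the kernel driver shows up in `ip -details link show` with link kind `wireguard`, while a userspace implementation such as wireguard-go runs on a TUN device. The container name `wireguard` and interface `wg0` are assumed from the compose file and wg0.conf named in the thread, and the sample outputs are constructed.

```shell
#!/bin/sh
# Classify a WireGuard interface from the text printed by
# `ip -details link show dev <iface>` (read on stdin): the in-kernel driver
# reports link kind "wireguard"; a userspace implementation sits on a TUN
# device, so the kind is "tun".
wg_impl() {
    awk '
        $1 == "wireguard" { kind = "kernel" }
        $1 == "tun"       { kind = "userspace" }
        END { print (kind ? kind : "unknown") }'
}

# Is the wireguard module loaded on the host? The sysfs root is a parameter
# only so the check can be exercised against a temporary directory.
wg_kernel_module() {
    if [ -d "${1:-/sys/module}/wireguard" ]; then echo loaded; else echo absent; fi
}

# Live check. Assumed defaults: container "wireguard", interface "wg0".
wg_impl_live() {
    docker exec "${1:-wireguard}" ip -details link show dev "${2:-wg0}" | wg_impl
}

# Constructed sample outputs (not captured from the poster's system).
sample_kernel() {
    cat <<'EOF'
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 0 maxmtu 2147483552
    wireguard addrgenmode none numtxqueues 1 numrxqueues 1
EOF
}
sample_userspace() {
    cat <<'EOF'
5: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none  promiscuity 0 minmtu 68 maxmtu 65535
    tun type tun pi off vnet_hdr off persist off addrgenmode random
EOF
}

printf 'kernel sample:    %s\n' "$(sample_kernel | wg_impl)"
printf 'userspace sample: %s\n' "$(sample_userspace | wg_impl)"
```

Run `wg_impl_live` on the Docker host to classify the running tunnel, and `wg_kernel_module` to see whether the host already has the module loaded before deciding on `SYS_MODULE`.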

kinda fixed it, I think...

Checked what image I'm using, it's linuxserver, and they're using the OS's kernel implementation. Also saw that in my logs.

I used this https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard and added these lines into my wg0.conf:

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE

Then I regenerated my mullvad config with a different server.

Now I'm downloading the Arch Linux ISO at 11Mbit/s

Honestly I've no idea what exactly solved the problem; iptables, networks and routing still feel like witchcraft to me most of the time.

lemm.ee

Can you please share your compose file?

I personally use a separate container instead of another service, not sure what difference it makes

network_mode: "container:wireguard"

Using the lscr.io/linuxserver/wireguard:latest image btw

bruchsturm
discuss.tchncs.de

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      #- SYS_MODULE #needed if the wireguard kernel module does not get loaded
    environment:
      - PUID=995
      - PGID=995
      - TZ=Europe/Vienna
    volumes:
      - wireguard_config:/config
      #- /lib/modules:/lib/modules stack #needed if the wireguard kernel module does not get loaded
    ports:
      - 51820:51820
      - 51820:51820/udp
      - 8113:8113 #qbt WebUI - This is not necessary with traefik, I still have it for debug reasons and it's only reachable in my local network so I think it's fine
    networks:
      - net
    labels:
      - traefik.enable=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: service:wireguard
    depends_on:
      - wireguard
    environment:
      - PUID=1004
      - PGID=1004
      - UMASK=002
      - TZ=Europe/Berlin
      - WEBUI_PORT=8113
    volumes:
      - qbt_config:/config
      - torrents:/data/torrents
      - media:/data/media
    labels:
      - traefik.enable=true
      - traefik.http.services.qbt.loadbalancer.server.port=8113
      - traefik.http.routers.qbt.rule=Host(`torrent.example.com`)
      - traefik.http.routers.qbt.middlewares=https-redirect@file
      - traefik.http.routers.qbt-secure.rule=Host(`torrent.example.com`)
      - traefik.http.routers.qbt-secure.entrypoints=websecure
      - traefik.http.routers.qbt-secure.tls=true
      - traefik.http.routers.qbt-secure.service=qbt
    restart: unless-stopped

funkajunk
lemm.ee

I would try it with the SYS_MODULE and /lib/modules lines uncommented. That's how I have my container and it seems to perform just fine.

bruchsturm
discuss.tchncs.de

It works without that. I commented it out because the logs told me it's already loaded and I should comment these lines.


Any reason you need the traefik label on the wireguard container? Seems unnecessary.
