I’m using a wireguard docker container to provide vpn connection to a qbittorrent container. When I compare it to wireguard on linux and the qbittorrent application, the same torrent is way slower. My server gets 2Mbit/s and my computer 15Mbit/s The 15Mbit/s is where my internet connection caps, while downloading that fast I can’t watch YT videos. They both are in the same network using the same vpn provider and same endpoint.

for qbittorrent docker-compose I use network_mode: service:wireguard

  • Guilvareux@feddit.uk
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 years ago

    It depends how wireguard is implemented.

    The container may be running wireguard in userspace, instead of the OS’s kernel implementation.

  • bruchsturmOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    kinda fixed it, I think…

    Checked what image I’m using, its linuxserver, and they’re using the OS’s kernel implementation. Also saw that in my logs.

    I used this https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard and added these lines into my wg0.conf:

    PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
    PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
    

    Then I regenerated my mullvad config with a different server.

    Now I’m downloading the Arch Linux iso with 11Mbit/s

    Honestly I’ve no idea what exactly solved the problem, iptables, networks and routing still feels likes witchcraft to me most of the time.

  • funkajunk@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    Can you please share your compose file?

    I personally use a separate container instead of another service, not sure what difference it makes

    network_mode: "container:wireguard"

    Using the lscr.io/linuxserver/wireguard:latest image btw

    • bruchsturmOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 years ago
      services:
        wireguard:
          image: lscr.io/linuxserver/wireguard:latest
          container_name: wireguard
          cap_add:
            - NET_ADMIN
            #- SYS_MODULE #needed if wireguard kernel module gets not loaded
          environment:
            - PUID=995
            - PGID=995
            - TZ=Europe/Vienna
          volumes:
            - wireguard_config:/config
            #- /lib/modules:/lib/modules stack #needed if wireguard kernel module gets not loaded
          ports:
            - 51820:51820
            - 51820:51820/udp
            - 8113:8113 #qbt WebUI - This is not necessary with trafik, I still have it for debug reasons and it's only reachable in my local network so I think its fine
          networks:
            - net
          labels:
            - traefik.enable=true
          sysctls:
            - net.ipv4.conf.all.src_valid_mark=1
            - net.ipv6.conf.all.disable_ipv6=0
          restart: unless-stopped
      
        qbittorrent:
          image: lscr.io/linuxserver/qbittorrent:latest
          container_name: qbittorrent
          network_mode: service:wireguard
          depends_on:
            - wireguard
          environment:
            - PUID=1004
            - PGID=1004
            - UMASK=002
            - TZ=Europe/Berlin
            - WEBUI_PORT=8113
          volumes:
            - qbt_config:/config
            - torrents:/data/torrents
            - media:/data/media
          labels:
            - traefik.enable=true
            - traefik.http.services.qbt.loadbalancer.server.port=8113
            - traefik.http.routers.qbt.rule=Host(`torrent.example.com`)
            - traefik.http.routers.qbt.middlewares=https-redirect@file
            - traefik.http.routers.qbt-secure.rule=Host(`torrent.example.com`)
            - traefik.http.routers.qbt-secure.entrypoints=websecure
            - traefik.http.routers.qbt-secure.tls=true
            - traefik.http.routers.qbt-secure.service=qbt
          restart: unless-stopped
      
      • funkajunk@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 years ago

        I would try it with the SYS_MODULE and /lib/modules lines uncommented. That’s how I have my container and it seems to perform just fine.

        • bruchsturmOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 years ago

          It works without that. I commented it because the logs told me its already loaded and I should comment these lines.

          • funkajunk@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 years ago

            Any reason you need the traefik label on the wireguard container? Seems unnecessary.