I’m using a wireguard docker container to provide a vpn connection to a qbittorrent container. When I compare it to wireguard on linux and the qbittorrent application, the same torrent is way slower. My server gets 2Mbit/s and my computer 15Mbit/s. The 15Mbit/s is where my internet connection caps; while downloading that fast I can’t watch YT videos. They both are in the same network using the same vpn provider and same endpoint.
For qbittorrent docker-compose I use network_mode: service:wireguard
It depends how wireguard is implemented.
The container may be running wireguard in userspace, instead of the OS’s kernel implementation.
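One way to check the point raised in the reply above, as an added example that is not part of the thread: the function parses the output of ip -d link show and reports whether a tunnel interface is backed by the in-kernel WireGuard driver or by a TUN device, which is what a userspace implementation such as wireguard-go creates. The sample outputs are constructed, and the live command in the last comment assumes the container name from the compose file posted in this thread and an iproute2 ip binary inside the image.

```shell
#!/bin/sh
# Added example: tell kernel WireGuard from a userspace (TUN-backed) tunnel
# by parsing `ip -d link show` output read on stdin.
wg_impl() {
    awk '
        /^[0-9]+: / {                  # header, e.g. "5: wg0: <FLAGS> mtu ..."
            name = $2
            sub(/:$/, "", name)
            sub(/@.*/, "", name)       # "eth0@if13" -> "eth0"
            next
        }
        $1 == "wireguard" { print name, "kernel" }      # in-kernel driver
        $1 == "tun"       { print name, "userspace" }   # TUN device (e.g. wireguard-go)
    '
}

# Constructed sample: container whose wg0 uses the kernel module.
sample_kernel() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none promiscuity 0
    wireguard addrgenmode none numtxqueues 1 numrxqueues 1
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 0
    veth addrgenmode eui64 numtxqueues 1 numrxqueues 1
EOF
}

# Constructed sample: wg0 is a TUN device driven by a userspace process.
sample_userspace() {
cat <<'EOF'
6: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none promiscuity 0
    tun type tun pi off vnet_hdr off persist off addrgenmode random
EOF
}

echo "kernel sample:    $(sample_kernel | wg_impl)"
echo "userspace sample: $(sample_userspace | wg_impl)"
# Live check (assumes the container is named "wireguard", as in this thread,
# and that its `ip` is iproute2): docker exec wireguard ip -d link show | wg_impl
```

Any TUN device is reported as userspace, so read the result against the interface name you expect (wg0 here).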
Kinda fixed it, I think…
Checked what image I’m using, it’s linuxserver, and they’re using the OS’s kernel implementation. Also saw that in my logs.
I used this https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard and added these lines into my wg0.conf:
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
Then I regenerated my mullvad config with a different server.
Now I’m downloading the Arch Linux iso with 11Mbit/s
Honestly I’ve no idea what exactly solved the problem; iptables, networks and routing still feel like witchcraft to me most of the time.
Can you please share your compose file?
I personally use a separate container instead of another service, not sure what difference it makes
network_mode: "container:wireguard"
Using the lscr.io/linuxserver/wireguard:latest image btw

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      #- SYS_MODULE #needed if wireguard kernel module gets not loaded
    environment:
      - PUID=995
      - PGID=995
      - TZ=Europe/Vienna
    volumes:
      - wireguard_config:/config
      #- /lib/modules:/lib/modules stack #needed if wireguard kernel module gets not loaded
    ports:
      - 51820:51820
      - 51820:51820/udp
      - 8113:8113 #qbt WebUI - This is not necessary with traefik, I still have it for debug reasons and it's only reachable in my local network so I think it's fine
    networks:
      - net
    labels:
      - traefik.enable=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: service:wireguard
    depends_on:
      - wireguard
    environment:
      - PUID=1004
      - PGID=1004
      - UMASK=002
      - TZ=Europe/Berlin
      - WEBUI_PORT=8113
    volumes:
      - qbt_config:/config
      - torrents:/data/torrents
      - media:/data/media
    labels:
      - traefik.enable=true
      - traefik.http.services.qbt.loadbalancer.server.port=8113
      - traefik.http.routers.qbt.rule=Host(`torrent.example.com`)
      - traefik.http.routers.qbt.middlewares=https-redirect@file
      - traefik.http.routers.qbt-secure.rule=Host(`torrent.example.com`)
      - traefik.http.routers.qbt-secure.entrypoints=websecure
      - traefik.http.routers.qbt-secure.tls=true
      - traefik.http.routers.qbt-secure.service=qbt
    restart: unless-stopped
I would try it with the SYS_MODULE and /lib/modules lines uncommented. That’s how I have my container and it seems to perform just fine.
It works without that. I commented it because the logs told me it’s already loaded and I should comment these lines.
Any reason you need the traefik label on the wireguard container? Seems unnecessary.