gateway Published ports are discarded when using host network mode #75

Open
francois-pasquier opened this issue Jan 12, 2024 · 2 comments

Comments

@francois-pasquier

Are we supposed to use network_mode: host or not?

There are two issues with this configuration:

There is both network_mode: host and port binding in the template docker-compose.yaml file. It's simply not possible to assign ports in the case of network_mode: host.

I tried removing the network_mode: host as I don't think it should be mandatory. That said, I am getting this error when setting up a wireguard configuration for a user:

[2024-01-12T09:30:49Z ERROR defguard_gateway::gateway] Couldn't retrieve gateway configuration, retrying: status: Unavailable, message: "error trying to connect: tcp connect error: Cannot assign requested address (os error 99)", details: [], metadata: MetadataMap { headers: {} }
@teon
Contributor

teon commented Jan 12, 2024

The way you configure your docker is up to you - if you use network mode host, that just means all the ports that the container is using will be used on the host machine, and: a) they need to be "free" b) will allocate and expose all ports. When using a typical docker configuration, you explicitly state which ports to expose and bind them to which port on the host machine.

The error above indicates that the address of your defguard instance is wrong - could you share your configuration (without any tokens/private keys) - so that we could know more about your setup and help you?
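A small checker for the conflict described in the title and in the comment above, added here as an example (not part of the defguard project): it reads only the subset of compose syntax it needs (services, their network_mode and ports) without PyYAML so it runs offline, and reports the published ports Docker will silently drop for any service using host networking. The sample compose text is constructed for the example.

```python
# Added example (not defguard's code): flag services that combine
# network_mode: host with a ports: list, which Docker ignores.

def parse_services(compose_text):
    """Return {service: {"network_mode": str|None, "ports": [str]}}.
    Minimal indentation-based reader for the keys we care about."""
    services, current, in_ports, in_services = {}, None, False, False
    for raw in compose_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if indent == 0:                           # top-level key
            in_services = text == "services:"
            current = None
            continue
        if not in_services:
            continue
        if indent == 2 and text.endswith(":"):    # service name
            current = text[:-1]
            services[current] = {"network_mode": None, "ports": []}
            in_ports = False
        elif indent == 4 and current:             # service-level key
            key, _, value = text.partition(":")
            in_ports = key == "ports"
            if key == "network_mode":
                services[current]["network_mode"] = value.strip().strip('"')
        elif indent >= 6 and in_ports and text.startswith("- "):
            services[current]["ports"].append(text[2:].strip().strip('"'))
    return services


def discarded_ports(compose_text):
    """Services whose published ports are dropped under host networking."""
    return {name: svc["ports"]
            for name, svc in parse_services(compose_text).items()
            if svc["network_mode"] == "host" and svc["ports"]}


# Constructed sample reproducing the misconfiguration from the issue.
SAMPLE = """\
services:
  gateway:
    image: ghcr.io/defguard/gateway:latest
    network_mode: host
    ports:
      - "51820:51820/udp"   # silently ignored under host networking
  core:
    image: ghcr.io/defguard/defguard:latest
    ports:
      - "50055:50055"
"""

if __name__ == "__main__":
    for name, ports in discarded_ports(SAMPLE).items():
        print(f"{name}: network_mode host discards published ports {ports}")
```

Removing either the network_mode: host line or the ports: list for the flagged service resolves the warning; which one depends on whether the gateway should own the host's UDP port directly.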

@francois-pasquier
Author

Well, I am raising the issue as the behavior is present just after following the documentation to set up the project.

Here is my configuration:

version: "3"

services:
  db:
    container_name: defguard-db
    image: postgres:15-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: defguard
      POSTGRES_USER: defguard
      POSTGRES_PASSWORD: ${DEFGUARD_DB_PASSWORD}
    volumes:
      - ./.volumes/db:/var/lib/postgresql/data
    # ports:
    #   - "5432:5432"

  # caddy:
  #   image: caddy:2.7-alpine
  #   restart: unless-stopped
  #   volumes:
  #     - ./.volumes/caddy/data:/data
  #     - ./.volumes/caddy/config:/config
  #     - ./.volumes/caddy/Caddyfile:/etc/caddy/Caddyfile
  #   ports:
  #     # http
  #     - "80:80"
  #     # https
  #     - "443:443"

  core:
    container_name: defguard
    image: ghcr.io/defguard/defguard:${CORE_IMAGE_TAG:-latest}
    restart: unless-stopped
    environment:
      DEFGUARD_AUTH_SECRET: ${DEFGUARD_AUTH_SECRET}
      DEFGUARD_GATEWAY_SECRET: ${DEFGUARD_GATEWAY_SECRET}
      DEFGUARD_YUBIBRIDGE_SECRET: ${DEFGUARD_YUBIBRIDGE_SECRET}
      DEFGUARD_SECRET_KEY: ${DEFGUARD_SECRET_KEY}
      DEFGUARD_DEFAULT_ADMIN_PASSWORD: ${DEFGUARD_DEFAULT_ADMIN_PASSWORD}
      DEFGUARD_DB_HOST: db
      DEFGUARD_DB_PORT: 5432
      DEFGUARD_DB_USER: defguard
      DEFGUARD_DB_PASSWORD: ${DEFGUARD_DB_PASSWORD}
      DEFGUARD_DB_NAME: defguard
      DEFGUARD_URL: ${DEFGUARD_URL}
      DEFGUARD_LOG_LEVEL: info
      DEFGUARD_WEBAUTHN_RP_ID: ${DEFGUARD_WEBAUTHN_RP_ID}
      DEFGUARD_ENROLLMENT_URL: ${DEFGUARD_ENROLLMENT_URL}
      DEFGUARD_GRPC_CERT: /ssl/defguard.crt
      DEFGUARD_GRPC_KEY: /ssl/defguard.key
      ## RSA setup guide: https://defguard.gitbook.io/defguard/community-features/setting-up-your-instance/docker-compose#openid-rsa-setup
      DEFGUARD_OPENID_KEY: /keys/rsakey.pem
      ## LDAP setup guide: https://defguard.gitbook.io/defguard/features/ldap-synchronization-setup
      # DEFGUARD_LDAP_URL: ldap://localhost:389 # [LDAP]
      # DEFGUARD_LDAP_BIND_USERNAME: cn=admin,dc=example,dc=org # [LDAP]
      # DEFGUARD_LDAP_BIND_PASSWORD: password # [LDAP]
    ports:
      # web
      # - "8000:8000"
      # grpc
      - "50055:50055"
    depends_on:
      - db
    volumes:
      # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ./.volumes/ssl:/ssl
      ## RSA setup guide: https://defguard.gitbook.io/defguard/community-features/setting-up-your-instance/docker-compose#openid-rsa-setup
      - ./.volumes/core/rsakey.pem:/keys/rsakey.pem

  proxy:
    container_name: defguard-proxy
    image: ghcr.io/defguard/defguard-proxy:${PROXY_IMAGE_TAG:-latest}
    restart: unless-stopped
    environment:
      DEFGUARD_PROXY_UPSTREAM_GRPC_URL: http://core:50055/
      DEFGUARD_PROXY_GRPC_CA: /ssl/defguard-ca.pem
    volumes:
      # SSL setup guide: https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose#ssl-setup
      - ./.volumes/ssl:/ssl
    # ports:
    #   # web
    #   - "8080:8080"
    depends_on:
      - core

  gateway:
    container_name: defguard-gateway
    image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
    restart: unless-stopped
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      DEFGUARD_GRPC_URL: http://defguard:50055
      DEFGUARD_STATS_PERIOD: 30
      DEFGUARD_TOKEN: ${DEFGUARD_TOKEN}
    ports:
      # wireguard endpoint
      - "51820:51820/udp"
    cap_add:
      - NET_ADMIN

networks:
  default:
    name: secure_proxy
    external: true

The second error I was talking about was just a misconfiguration on my end. Never mind!

That said, I can't ping anything when connected through the WireGuard link, which is configured as follows:

VPN IP and mask: 10.0.30.1/24
Gateway address: My external ip
Gateway port: 51820
Allowed ips: 0.0.0.0/0
DNS: 1.1.1.1
Allowed groups: All groups

Also, the matrix server is not working
