From c56e0f507df1558647a13116023e1591e31501ff Mon Sep 17 00:00:00 2001
From: Lukas
Date: Sun, 17 May 2026 18:31:38 +0200
Subject: [PATCH] fix(vpn): fix DNS iptables rules and add NET_RAW cap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DNS OUTPUT was restricted to -o wg0, but routing decision happens after iptables OUTPUT — so DNS to VPN-internal addresses (198.18.0.x) was blocked before the kernel selected the outgoing interface. Allow DNS unconditionally; routing still sends it through wg0. Add NET_RAW capability so ping works inside the container.
---
 Docker/entrypoint.sh | 8 +++++---
 Docker/podman-compose.yml | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index f8f12ae..a5dc304 100644
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -72,9 +72,11 @@ setup_killswitch() {
     iptables -A INPUT -i "$INTERFACE" -j ACCEPT
     iptables -A OUTPUT -o "$INTERFACE" -j ACCEPT
 
-    # Allow DNS to the VPN DNS server (through wg0)
-    iptables -A OUTPUT -o "$INTERFACE" -p udp --dport 53 -j ACCEPT
-    iptables -A OUTPUT -o "$INTERFACE" -p tcp --dport 53 -j ACCEPT
+    # Allow DNS (VPN DNS servers are routed through wg0; allow before routing decision)
+    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+    iptables -A INPUT -p udp --sport 53 -j ACCEPT
+    iptables -A INPUT -p tcp --sport 53 -j ACCEPT
 
     # Allow DHCP (for container networking)
     iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
diff --git a/Docker/podman-compose.yml b/Docker/podman-compose.yml
index 8ee5520..a19703b 100644
--- a/Docker/podman-compose.yml
+++ b/Docker/podman-compose.yml
@@ -7,6 +7,7 @@ services:
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
+      - NET_RAW
     sysctls:
       - net.ipv4.ip_forward=1
       - net.ipv4.conf.all.src_valid_mark=1
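Review bot: Dropping `-o "$INTERFACE"` from the two OUTPUT rules lets any process send udp/tcp port 53 traffic out of every interface, including the non-VPN one, so the kill switch no longer prevents DNS leaks or data leaving on port 53 to an arbitrary host. The premise in the commit message does not hold for locally generated packets, where the kernel's routing decision precedes the filter OUTPUT chain and `-o` matching works; the earlier failure is more plausibly that no route to the 198.18.0.x resolver via wg0 existed yet when those queries were sent. I would keep `-o "$INTERFACE"` or pin the destination, e.g. `iptables -A OUTPUT -o "$INTERFACE" -d "<vpn-dns-address>" -p udp --dport 53 -j ACCEPT`, and replace the two `--sport 53` INPUT rules, which accept any inbound packet whose sender chose source port 53, with a single `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` unless such a rule already exists earlier in the function. The enclosing setup_killswitch function starts and ends outside the hunk.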
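Review bot: CAP_NET_RAW grants more than ping: it permits AF_PACKET sockets, which are not subject to the iptables filter chains that implement the kill switch in entrypoint.sh, so a process in the container could emit frames on the physical interface outside the VPN. If ping is the only requirement, the sysctls list already present in this section can enable unprivileged ICMP sockets instead, e.g. `- net.ipv4.ping_group_range=0 2147483647`, and the `- NET_RAW` line can be dropped. If NET_RAW must stay, a comment above it stating why it is needed and that it weakens the kill-switch guarantee would help the next reviewer.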