by nntwozz 1121 days ago
This looks very useful for torrenting through a VPN. I currently have WireGuard outside of Docker and run my torrent client container with network_mode: host for improved network performance.

In order to have the client use the VPN but keep the rest of the system accessible outside the VPN, I bind the client IP (VPN IP4 & IP6) in the client config and have WireGuard set up like this:

  [Interface]
  PrivateKey =

  Address = IP4, IP6
  DNS =

  # Put the VPN default route in its own table so the main table is untouched
  Table = 12345
  # Only traffic sourced from the VPN address is routed through that table
  PostUp = ip -4 rule add from IP4 table 12345
  PostUp = ip -6 rule add from IP6 table 12345
  # Kill switch: drop anything from the VPN address that tries to leave via a non-tunnel interface
  PostUp = iptables -I OUTPUT -s IP4 ! -o %i -j DROP
  PostUp = ip6tables -I OUTPUT -s IP6 ! -o %i -j DROP
  PostDown = ip -4 rule del from IP4 table 12345
  PostDown = ip -6 rule del from IP6 table 12345
  PostDown = iptables -D OUTPUT -s IP4 ! -o %i -j DROP
  PostDown = ip6tables -D OUTPUT -s IP6 ! -o %i -j DROP

  [Peer]
  PublicKey =
  Endpoint =
  AllowedIPs = 0.0.0.0/0, ::/0
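An added audit script (not from the thread) that checks the two pieces of the kill switch above are actually in place: the policy rule sending traffic from the VPN address to the WireGuard table, and the OUTPUT DROP for that address on any non-tunnel interface. Interface name wg0, VPN address 10.2.0.2 and table 12345 are assumptions; the sample rule output is constructed.

```shell
#!/bin/sh
# Audit script for the WireGuard kill-switch config above (added example, not from the thread).
# Interface name, VPN address and table number are assumptions; override via environment.
WG_IF="${WG_IF:-wg0}"
VPN_IP4="${VPN_IP4:-10.2.0.2}"
TABLE="${TABLE:-12345}"

# Arg: output of `ip -4 rule show`. Succeeds if "from VPN_IP4 lookup TABLE" is present.
has_policy_rule() {
  printf '%s\n' "$1" |
    grep -Eq "^[0-9]+:[[:space:]]+from ${VPN_IP4} lookup ${TABLE}([[:space:]]|\$)"
}

# Arg: output of `iptables -S OUTPUT`. Succeeds if the PostUp DROP rule is present
# (iptables -S prints a single-host source as /32).
has_drop_rule() {
  printf '%s\n' "$1" | grep -Fq -e "-A OUTPUT -s ${VPN_IP4}/32 ! -o ${WG_IF} -j DROP"
}

# The config uses `iptables -I`, so the DROP should be the first OUTPUT rule; an ACCEPT
# for the same source inserted above it later would bypass the kill switch.
drop_rule_is_first() {
  first=$(printf '%s\n' "$1" | grep '^-A OUTPUT ' | head -n 1)
  [ "$first" = "-A OUTPUT -s ${VPN_IP4}/32 ! -o ${WG_IF} -j DROP" ]
}

# Runs all three checks; exit status 0 only if every check passes.
audit_killswitch() {
  rc=0
  has_policy_rule "$1" || { echo "missing: ip rule from ${VPN_IP4} lookup ${TABLE}"; rc=1; }
  has_drop_rule "$2" || { echo "missing: OUTPUT DROP for ${VPN_IP4} not via ${WG_IF}"; rc=1; }
  drop_rule_is_first "$2" || { echo "warning: DROP rule is not first in OUTPUT"; rc=1; }
  [ "$rc" -eq 0 ] && echo "kill switch rules present and ordered correctly"
  return "$rc"
}

# Constructed sample output so the script runs offline; on a live host pass
# "$(ip -4 rule show)" and "$(iptables -S OUTPUT)" instead.
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.2.0.2 lookup 12345
32766:  from all lookup main'
SAMPLE_IPT='-P OUTPUT ACCEPT
-A OUTPUT -s 10.2.0.2/32 ! -o wg0 -j DROP
-A OUTPUT -o lo -j ACCEPT'

audit_killswitch "$SAMPLE_RULES" "$SAMPLE_IPT"
```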

If you don't want to suffer the performance penalty why not bridge wg0 with a veth pair where the other end is in your container?
Performance is already capped with network_mode: host. I'm not a network expert but veth seems a bit much for this? My setup is less convoluted.

I can WireGuard to my server and access my home network, meanwhile the torrent client data is all routed through a third party VPN.

If the third party VPN disconnects there is no data leak from the torrent client (basically a kill switch).

True, but I assumed you might actually want to have the container network isolated. For most people I think they consider --privileged and host networking a last resort for misbehaving software.