Use Wireguard & Docker Compose to spoof IP #23

@raverydavis

This will need to be more fleshed out, but I had some time to write up a compose file that will spoof our IP when using a docker container. There are some services with free WireGuard credentials; ProtonVPN is a good one.

Here's an example of docker-compose.yml. You will need to mount the config volume (alternatively, you can pass the config through env variables or use wg-quick to build the config).

```yaml
---
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - /path/to/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 8080:8080
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  script:
    image: bot-image
    container_name: bot
    network_mode: service:wireguard
    environment:
      - DISPLAY=host.docker.internal:0
```

Create a folder called /config/ in script-template, then create your wg0.conf that contains your WireGuard credentials.
Here's an example of that file:

```ini
[Interface]
# VPN Accelerator = off
PrivateKey = myprivatekey
Address = 10.2.0.2/32
DNS = 10.2.0.1
# Keep the private ranges routed via the container's default gateway, then reject any other non-local traffic that does not leave through the tunnel.
PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# Each hook runs in its own shell, so DROUTE has to be looked up again before the routes are removed.
PreDown = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

[Peer]
# US-FREE#16 - this is ProtonVPN's Free US WireGuard server
PublicKey = mypublickey
AllowedIPs = 0.0.0.0/0
Endpoint = 37.19.200.17:51820
```

That should be all you need to have your IP spoofed in the bot docker container.
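
A config check to go with the wg0.conf in this issue, added here as an example and not part of the original post or the project's code: it lints a wg-quick file for a full-tunnel AllowedIPs, a REJECT/DROP kill-switch rule in PostUp, and hook variables used without being set in the same hook line. The names `parse`, `audit` and the finding strings are assumptions, and the sample config is constructed with placeholder keys and deliberately leaves one hook variable unset.

```python
import re

# Constructed sample, shortened from the wg0.conf in the issue (placeholder keys).
SAMPLE_CONF = """\
[Interface]
PrivateKey = myprivatekey
Address = 10.2.0.2/32
PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; ip route add $HOMENET via $DROUTE; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = HOMENET=192.168.0.0/16; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = mypublickey
AllowedIPs = 0.0.0.0/0
Endpoint = 37.19.200.17:51820
"""

HOOKS = ("preup", "postup", "predown", "postdown")

def parse(conf):
    """Return {section: [(key, value), ...]}; keys such as PostUp may repeat."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg-quick drops everything after '#'
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(conf):
    """Return a list of finding strings for a wg-quick config (hypothetical names)."""
    cfg = parse(conf)
    iface = cfg.get("interface", [])
    allowed = {ip.strip() for k, v in cfg.get("peer", []) if k == "allowedips"
               for ip in v.split(",")}
    findings = []
    if "0.0.0.0/0" not in allowed:
        findings.append("ipv4-not-full-tunnel")
    if "::/0" not in allowed:
        findings.append("ipv6-not-tunnelled")   # iptables rules do not filter IPv6
    postup = [v for k, v in iface if k == "postup"]
    if not any(re.search(r"-j\s+(REJECT|DROP)\b", v) for v in postup):
        findings.append("no-kill-switch")
    # Each hook line is evaluated in its own shell, so variables do not carry over.
    for name, cmd in ((k, v) for k, v in iface if k in HOOKS):
        defined = set(re.findall(r"(?:^|[;\s])([A-Za-z_]\w*)=", cmd))
        used = set(re.findall(r"\$\{?([A-Za-z_]\w*)", cmd))
        findings += [f"{name}-undefined-var:{var}" for var in sorted(used - defined)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The undefined-variable check is a heuristic: a hook that relies on an inherited environment variable would also be reported.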
