WireGuard not working with endpoint included in AllowedIPs

Solution 1:

You can't use the same address in the client's Endpoint and AllowedIPs settings*. Endpoint should be the server's address outside the tunnel, and AllowedIPs should include all the addresses you want to have access inside the tunnel.

To fix it, get rid of the src setting on the route you added to the server, so that the route will just use the address of the server's docker0 interface:

ip route add 10.254.99.0/24 via 172.17.0.2 dev docker0

Then change the WireGuard client's AllowedIPs setting to include the address of the server's docker0 interface (172.17.0.1):

AllowedIPs = 10.254.99.1/32, 172.17.0.1/32

Your server will now use its docker0 interface address (172.17.0.1) as the source of the packets it sends through your WireGuard network.


However, instead of adding that extra layer of routing on your server, the simplest thing to do would be to run the WireGuard container in "host" network mode (using the --network=host flag with docker run, or the network_mode: host setting with docker-compose). That would expose the WireGuard container's wg0 interface directly to the host, so you wouldn't need additional routing rules on the server, and you wouldn't need to add additional AllowedIPs to the client.

In that case, the server would just use the WireGuard interface's own 10.254.99.1 address as the source of the packets it sends through your WireGuard network.


* unless you set up some fancy packet routing/filtering rules on your client instead of using the defaults the WireGuard client sets up for you
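The pitfall described in this answer (the peer's Endpoint host being covered by its own AllowedIPs, so wg-quick would route the tunnel's outer UDP traffic back into the tunnel) is easy to catch before bringing the interface up. The following is an added example, not code from the original question or answer and not part of wireguard-tools: a small checker that parses the [Peer] sections of a client configuration and reports any Endpoint IP that falls inside an AllowedIPs prefix. The two sample configurations, the 203.0.113.10 endpoint address and the key placeholders are constructed; the 10.254.99.x and 172.17.0.1 addresses are the ones from the answer. Default routes (0.0.0.0/0, ::/0) are deliberately skipped because wg-quick handles those with its own fwmark policy-routing rule rather than a plain route.

```python
"""Check a WireGuard client config for an Endpoint that is covered by AllowedIPs.

Added example; not from the original answer. Sample configs below are constructed.
"""
import ipaddress

# Constructed sample: the broken shape of config from the question, where the
# server's public endpoint address is also listed in AllowedIPs.
BROKEN_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.254.99.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.254.99.1/32, 203.0.113.10/32
"""

# Constructed sample: the corrected config from the answer; AllowedIPs carries
# the server's tunnel address and its docker0 address, never the endpoint.
FIXED_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.254.99.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.254.99.1/32, 172.17.0.1/32
"""


def parse_peers(conf_text):
    """Return one dict per [Peer] section; keys are lower-cased, AllowedIPs is a list."""
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            current = {} if section == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        # split on the first '=' only, so base64 key padding ('=') survives
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allowedips":
            current.setdefault("allowedips", []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return peers


def endpoint_host(endpoint):
    """Extract the host part of 'host:port' or '[v6]:port'; None if it is a hostname."""
    endpoint = endpoint.strip()
    if endpoint.startswith("["):
        host = endpoint[1:endpoint.index("]")]
    else:
        host = endpoint.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: cannot be checked offline, caller skips it


def find_endpoint_conflicts(conf_text):
    """Return (endpoint, allowed_cidr) pairs where AllowedIPs covers the Endpoint IP."""
    conflicts = []
    for peer in parse_peers(conf_text):
        endpoint = peer.get("endpoint")
        if not endpoint:
            continue
        host = endpoint_host(endpoint)
        if host is None:
            continue
        for cidr in peer.get("allowedips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                continue  # wg-quick special-cases /0 with an fwmark rule, not a route
            if host.version == net.version and host in net:
                conflicts.append((endpoint, cidr))
    return conflicts


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, find_endpoint_conflicts(conf))
```

Run it against a real client config by reading the file into `find_endpoint_conflicts`; an empty list means no AllowedIPs prefix swallows the endpoint. If the Endpoint is a DNS name the check is skipped, since resolving it offline is not possible; resolve it first and substitute the literal address if you want the same guarantee.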