Wireguard - Docker Setup

This is a Docker Compose file written in version "3" format. It defines two services: wireguard and wireguard-ui. These services are used to set up and manage a WireGuard VPN server along with a web-based user interface for configuration.

Services

wireguard

  • image: linuxserver/wireguard:latest: This service uses the linuxserver/wireguard Docker image, which provides a pre-configured WireGuard VPN server.
  • container_name: wireguard: Sets the name of the container running the WireGuard service to "wireguard".
  • cap_add: - NET_ADMIN: Adds the NET_ADMIN capability to the container, allowing it to configure network interfaces.
  • volumes: - ./config:/config: Mounts the local ./config directory as a volume inside the container. This directory is used to store the WireGuard server configuration files.
  • ports: - "5000:5000" - "51820:51820/udp": Publishes the container's port 5000/tcp and port 51820/udp on the host. 51820/udp is the WireGuard listen port that external peers connect to. Port 5000 is published on this service because the wireguard-ui container shares its network namespace (see network_mode below), so the web UI is reached through this mapping. Written this way, both ports are bound on every host interface.

wireguard-ui

  • image: ngoduykhanh/wireguard-ui:latest: This service uses the ngoduykhanh/wireguard-ui Docker image, which provides a web-based user interface for managing WireGuard configurations.
  • container_name: wireguard-ui: Sets the name of the container running the WireGuard UI to "wireguard-ui".
  • depends_on: - wireguard: Specifies that the wireguard service should be started before the wireguard-ui service (start order only; Compose does not wait for WireGuard to be ready).
  • cap_add: - NET_ADMIN: Adds the NET_ADMIN capability to the container, allowing it to configure network interfaces.
  • network_mode: service:wireguard: Shares the network namespace of the wireguard service. This allows the wireguard-ui container to access the WireGuard server.
  • environment: - SENDGRID_API_KEY - EMAIL_FROM_ADDRESS - EMAIL_FROM_NAME - SESSION_SECRET - WGUI_USERNAME=admin - WGUI_PASSWORD=password - WG_CONF_TEMPLATE - WGUI_MANAGE_START=true - WGUI_MANAGE_RESTART=true: Sets the environment variables used by the ngoduykhanh/wireguard-ui image. Variables listed without a value (SENDGRID_API_KEY, EMAIL_FROM_ADDRESS, EMAIL_FROM_NAME, SESSION_SECRET, WG_CONF_TEMPLATE) are passed through from the host shell environment at docker-compose up time; the others are set literally here. Together they configure email notifications, the session secret, the admin username (admin) and password (password), and whether the UI may start and restart the WireGuard service.
  • logging: driver: json-file options: max-size: 50m: Configures the logging driver for the wireguard-ui container to output logs in JSON format with a maximum file size of 50 megabytes.
  • volumes: - ./db:/app/db - ./config:/etc/wireguard: Mounts the local ./db directory as a volume inside the container, used to store the WireGuard UI's database. Also mounts the local ./config directory as a volume, allowing the wireguard-ui container to access the WireGuard server's configuration files.

Note: Make sure to replace the placeholder values for environment variables (e.g., SENDGRID_API_KEY, EMAIL_FROM_ADDRESS, etc.) with actual values suitable for your deployment. In particular, the literal WGUI_PASSWORD=password shown above and the SESSION_SECRET passed in from the host must be set to strong, non-default values before the UI is exposed.

This Docker Compose file provides a convenient way to set up and manage both the WireGuard VPN server and the WireGuard UI using containers. By running docker-compose up, the services will be started and can be accessed from the specified ports and configurations.

version: "3"

services:

  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      - "5000:5000"
      - "51820:51820/udp"

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=password
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
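The following pre-flight script is an added example, not part of the linuxserver/wireguard or wireguard-ui projects. It audits a Compose file laid out like the one above for the three configuration risks the file carries (the literal WGUI_PASSWORD=password, a pass-through SESSION_SECRET that is unset on the host, and the UI port 5000 published on every host interface), generates a random session secret, and writes a hardened copy. The embedded compose text is a constructed, abbreviated copy of the page's file; the function names are this example's own.

```shell
#!/bin/sh
# Pre-flight audit for the wireguard / wireguard-ui Compose file before docker-compose up.
# Added example; not code from the linuxserver/wireguard or wireguard-ui projects.
# Assumption: the compose file uses the "- NAME" / "- NAME=value" environment list
# form and the "HOST:CONTAINER" port form shown on the page.

SAMPLE_COMPOSE="${TMPDIR:-/tmp}/wg-audit-sample.$$.yml"
HARDENED_COMPOSE="${TMPDIR:-/tmp}/wg-audit-hardened.$$.yml"

# Constructed, abbreviated copy of the page's compose file (the parts the audit inspects).
cat > "$SAMPLE_COMPOSE" <<'EOF'
version: "3"
services:
  wireguard:
    image: linuxserver/wireguard:latest
    ports:
      - "5000:5000"
      - "51820:51820/udp"
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    network_mode: service:wireguard
    environment:
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=password
EOF

# True when WGUI_PASSWORD is still the literal placeholder "password".
has_default_password() {
    grep -Eq '^[[:space:]]*-[[:space:]]*WGUI_PASSWORD=password[[:space:]]*$' "$1"
}

# True when variable $2 is listed without a value in file $1 (so Compose reads it
# from the host environment) but is unset or empty in this shell.
passthrough_unset() {
    grep -Eq "^[[:space:]]*-[[:space:]]*$2[[:space:]]*\$" "$1" || return 1
    eval "val=\${$2:-}"
    [ -z "$val" ]
}

# True when the admin UI port 5000 is published on every host interface.
ui_port_public() {
    grep -Eq '^[[:space:]]*-[[:space:]]*"?5000:5000"?[[:space:]]*$' "$1"
}

# Print one finding per line; the exit status is the number of findings (0 = clean).
audit_compose() {
    n=0
    if has_default_password "$1"; then
        echo "FAIL: WGUI_PASSWORD is the placeholder 'password'"; n=$((n + 1))
    fi
    for var in SESSION_SECRET WGUI_PASSWORD; do
        if passthrough_unset "$1" "$var"; then
            echo "FAIL: $var is read from the host environment but is not set"; n=$((n + 1))
        fi
    done
    if ui_port_public "$1"; then
        echo "WARN: UI port 5000 is bound on every interface; prefer 127.0.0.1:5000:5000"; n=$((n + 1))
    fi
    return "$n"
}

# 64 hex characters (32 bytes) from the kernel CSPRNG, suitable for SESSION_SECRET.
gen_session_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Write a hardened copy of $1 to $2: the admin password becomes a host-environment
# pass-through, and the UI port is bound to loopback only.
harden_compose() {
    sed -e 's/WGUI_PASSWORD=password[[:space:]]*$/WGUI_PASSWORD/' \
        -e 's/"5000:5000"/"127.0.0.1:5000:5000"/' "$1" > "$2"
}

# Stand-alone run: audit the sample, then audit the hardened copy with secrets exported.
audit_compose "$SAMPLE_COMPOSE" || echo "sample: $? finding(s)"
harden_compose "$SAMPLE_COMPOSE" "$HARDENED_COMPOSE"
SESSION_SECRET=$(gen_session_secret); export SESSION_SECRET
WGUI_PASSWORD=$(gen_session_secret); export WGUI_PASSWORD
audit_compose "$HARDENED_COMPOSE" && echo "hardened: clean"
```

With the UI bound to 127.0.0.1 the admin interface is reached over the VPN tunnel itself or through a reverse proxy on the host rather than directly from the internet; the exported secrets are what docker-compose up picks up for the pass-through entries.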

Post Up

iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Post Down

iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The "Post Up" command and the "Post Down" command are used in the configuration of WireGuard to set up and tear down network routing rules for the WireGuard interface.

The "Post Up" command performs the following actions:

  1. It adds a rule to the FORWARD chain of the iptables filter table that accepts packets arriving on the WireGuard interface (wg0) for forwarding. This allows packets from VPN peers to be forwarded to other networks reachable from the server.
  2. It adds a rule to the POSTROUTING chain of the iptables NAT (Network Address Translation) table that applies MASQUERADE to packets leaving through the eth0 interface, which includes the traffic forwarded from wg0. MASQUERADE rewrites the source IP address of those packets to the address of eth0, so reply packets come back to the server and are routed back to the WireGuard network.

The "Post Down" command reverses the actions performed by the "Post Up" command:

  1. It deletes the rule from the FORWARD chain of the iptables firewall that accepts incoming traffic on the WireGuard interface (wg0).
  2. It deletes the rule from the POSTROUTING chain of the iptables NAT table that applies MASQUERADE to packets leaving through eth0.

These commands are typically used when configuring a WireGuard VPN server in scenarios where Network Address Translation (NAT) is involved: the server itself hides its VPN peers behind its own address when it forwards their traffic, for example when the server sits on a private network behind a router that performs NAT.
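As an added example (not from the page's project or from WireGuard itself), the script below shows where the Post Up and Post Down commands go in a server's wg0.conf and checks that the Post Down line is the exact inverse of the Post Up line before the file is used, since a mismatched pair leaves forwarding or NAT rules behind after the tunnel is torn down. It assumes the interface names wg0 and eth0 from the page (eth0 must be replaced with the host's real egress interface), a constructed tunnel address of 10.13.13.1/24, and a placeholder private key; the function names are this example's own.

```shell
#!/bin/sh
# Build and validate the PostUp / PostDown pair for a WireGuard server config.
# Added example; not the project's own tooling. Interface names and the
# address below are assumptions for illustration.

# Emit the PostUp rules for a VPN interface ($1) and an egress interface ($2).
postup_rules() {
    printf 'iptables -A FORWARD -i %s -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE' "$1" "$2"
}

# Derive PostDown from PostUp: every append (-A) becomes the matching delete (-D).
invert_rules() {
    printf '%s\n' "$1" | sed 's/ -A / -D /g'
}

# True when $2 (PostDown) undoes $1 (PostUp) rule for rule.
rules_are_inverse() {
    [ "$(invert_rules "$1")" = "$2" ]
}

# Render an [Interface] section: $1 = wg interface, $2 = egress interface,
# $3 = listen port, $4 = tunnel address. The FORWARD rule only has an effect
# when net.ipv4.ip_forward=1 on the host, which is a separate sysctl.
render_interface() {
    up=$(postup_rules "$1" "$2")
    down=$(invert_rules "$up")
    cat <<EOF
[Interface]
Address = $4
ListenPort = $3
PrivateKey = <server-private-key-placeholder>
PostUp = $up
PostDown = $down
EOF
}

# Check an existing config file (one PostUp and one PostDown line assumed):
# both must be present and PostDown must invert PostUp exactly.
check_conf_file() {
    up=$(sed -n 's/^PostUp *= *//p' "$1")
    down=$(sed -n 's/^PostDown *= *//p' "$1")
    [ -n "$up" ] && [ -n "$down" ] && rules_are_inverse "$up" "$down"
}

# Stand-alone run: render a config to stdout and report whether its rule pair is consistent.
render_interface wg0 eth0 51820 10.13.13.1/24
CONF="${TMPDIR:-/tmp}/wg0-example.$$.conf"
render_interface wg0 eth0 51820 10.13.13.1/24 > "$CONF"
if check_conf_file "$CONF"; then echo "PostUp/PostDown pair is consistent"; fi
```

Because the MASQUERADE rule is keyed on the egress interface rather than on wg0, a wrong interface name in the Post Up line silently leaves peer traffic un-NATed; deriving Post Down from Post Up, as done here, at least guarantees that whatever was added is removed again.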