3mo ago

Ripping my hair out over this, how do I make Wireguard in Docker work?

I'm a noob to self-hosting, I have set up some containers but only through watching tutorials on youtube, in reality I barely understand what I'm doing.

I have a wireguard docker container set up, but when I connect to it with my phone, there's no internet.

Can somebody tell me what I'm doing wrong? I just want to access my server outside my home network.

Here is the docker-compose.

version: "2.1" services: wireguard: image: linuxserver/wireguard container_name: wireguard cap_add: - NET_ADMIN - SYS_MODULE environment: - PUID=1000 - PGID=1000 - TZ=Asia/Singapore - SERVERURL=auto #optional - SERVERPORT=51820 #optional - PEERS=1 #optional - PEERDNS=auto #optional - INTERNAL_SUBNET=10.13.13.0 #optional volumes: - ./config:/config - /lib/modules:/lib/modules ports: - 51820:51820/udp sysctls: - net.ipv4.ip_forward=1 - net.ipv4.conf.all.src_valid_mark=1 restart: unless-stopped

Please tell me if there is anymore information I need to provide.

EDIT: fellas i figured it out, i just had to port foward 51820 on my router :sob: thank you for your help in the comments

11 comments

My advice is to use WireGuard Easy.
- Yeah, that thing is honestly impressive. If I didn't already have a full network manager wg setup I'd just use that.
- +1 for wireguard easy. I run it and it's fantastically easy to use.

Reformatting that compose for people:

 yaml

    
version: "2.1"                                                services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Singapore
      - SERVERURL=auto #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Sounds like you didn't read the extended manual: https://github.com/linuxserver/docker-wireguard

There are a lot of other configs for that container that must be provided before startup. It's just a generic runner. If you want it to run as a server you need to follow this section: https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#server-mode

Unless you have a real need to use a container, you shouldn't be running networking anything in a container. It will always perform better closer to the OS without abstractions.
That being said, it sounds like you have an exit-node problem. You can connect, but unless you set split-tunneling on your phone, you have no exit node to provide connectivity. Wireguard is not a traditional VPN in that just connecting to it gives you egress access.

Tailscale is an excellent answer here. They use wireguard as the vpn protocol, but add layers of extra control.
You can use it in sidecar config for each container, or setup a subnet router, which lets you route any IP over the VPN. Just target that IP with a /32 cidr, i.e tailscale up --advertise-routes:192.168.1.100/32.

Speaking of wireguard, can anyone recommend a wireguard GUI client for desktop? I'm on PopOS and using the command line at the moment and the network manager doesnt allow adding wireguard.
- NetworkManager's Gnome GUI works with wireguard config files. If you are using Plasma you would need to install some alpha software to do that in the gui but you can always fall back to nmcli which also supports wireguard configs via the import command.

EDIT: My suggestion probably doesn't work for your use-case, but I'll leave it for anyone else....
I use this to only tunnel the ports I actually need: https://github.com/DigitallyRefined/docker-wireguard-tunnel
My CGNAT'ed home PC is the client, and my public-facing Oracle Cloud instance is the server.
I've tried and failed miserably to use the "official" Wireguard container. Once I start reading suggestions to modify iptables outside of Docker, I know I'm in trouble.

Beyond the other comments is your public IP on ipinfo.io etc something like 100.64.X.X or 10.X.X.X?
If so, you're behind a CG-NAT and raw wireguard will not work. I say this so you don't waste time configuring something that will never work. Ignore the below if you have a real public IP.
Some ISPs will allow you to get a real dynamic ipv4 address for free, or you can configure ipv6 but any clients that you connect will also need public ipv6 support.
Otherwise, consider tailscale/headscale/netbird (SaaS or on a VPS) which have NAT traversal support.

You didn't explicitly ask for other suggestions but here's mine anyway; I'm running tailscale on my pfsense router and sharing my home network cidr over tailscale like someone else suggested. So all my dockers and vms are available over tailscale from anywhere. It's been highly convenient as my home internet connection is behind CGNAT.

11 comments