### WireGuard Server Configuration Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Example of the server's WireGuard configuration file, showing the interface and peer settings. The peer's `AllowedIPs` combines its tunnel address (a `/32`) with the LAN behind it (`192.168.100.0/24`), which is what lets the server route that subnet to this peer. The key value is elided in the source.

```ini
[Interface]
Address = 10.13.13.1
ListenPort = 51820
...

[Peer]
# peer_site_b
PublicKey =
AllowedIPs = 10.13.13.2/32,192.168.100.0/24
```

--------------------------------

### Minimal WireGuard Server Setup

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INDEX.md

Use this command for a basic WireGuard server setup with one peer. Ensure the config directory is mounted. As written it omits `--cap-add=NET_ADMIN`, which the README examples on this page include and which `wg-quick` needs in order to create the interface.

```bash
docker run -d \
  -e PEERS=1 \
  -p 51820:51820/udp \
  -v /config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Start WireGuard Interface

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Starts a WireGuard interface from a configuration file. This is what the service runner executes at startup for each file it discovers in `/config/wg_confs/`.

```bash
wg-quick up /config/wg_confs/wg0.conf
```

--------------------------------

### Generated Server wg0.conf Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Example of a generated `wg0.conf` in server mode. The file is created on the first run and contains the real server private key, peer public keys and pre-shared keys, so treat it as a secret (see the file permissions example on this page). Manual edits are lost on regeneration.

```ini
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = cG3s5R...
PostUp = iptables -A FORWARD...
PostDown = iptables -D FORWARD...

[Peer]
# peer1
PublicKey = oN2B5v...
PresharedKey = aM3B6c...
AllowedIPs = 10.13.13.2/32

[Peer]
# peer2
PublicKey = ...
```

--------------------------------

### Site-to-Site VPN Configuration Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

Illustrates how to configure a peer to access additional subnets through the VPN.
This involves setting a `SERVER_ALLOWEDIPS_PEER_<peer name>` environment variable for that peer (here `laptop`); its value is appended to the peer's `AllowedIPs` entry in the server's `wg0.conf`.

```bash
-e SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"
```

--------------------------------

### Example User ID Output

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Example output from the `id your_user` command, showing the UID and GID. These values are used for the container's `PUID` and `PGID` so that files written to `/config` are owned by your user.

```text
uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)
```

--------------------------------

### Example Peer Configuration with AllowedIPs

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/WIREGUARD_CONFIGURATION.md

Illustrates how the `AllowedIPs` directive is formatted in a peer section of the server config: the peer's default tunnel address plus any custom ranges, comma-separated.

```ini
[Peer]
# peer_laptop
PublicKey =
AllowedIPs = 10.13.13.2/32,192.168.1.0/24
```

--------------------------------

### Client Configuration File Format

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

Example of a WireGuard client configuration file. This format is used for user-provided configurations in `/config/wg_confs/`. Key values are elided in the source; `AllowedIPs = 0.0.0.0/0, ::/0` sends all IPv4 and IPv6 traffic through the tunnel.

```ini
[Interface]
Address = 10.13.13.2/32
PrivateKey =
DNS = 8.8.8.8

[Peer]
PublicKey =
PresharedKey =
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

--------------------------------

### Add Default Route via wg-quick

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Example of how wg-quick might add a default route for a peer; the gateway and interface are elided in the source. Note that for an `AllowedIPs` of `0.0.0.0/0` wg-quick does not replace the main default route: it installs the route in a separate table and selects it with a firewall mark and `ip rule` entries, which is why the `net.ipv4.conf.all.src_valid_mark=1` sysctl appears in the run examples on this page.

```bash
ip route add 0.0.0.0/0 via dev
```

--------------------------------

### Example WireGuard File Permissions

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Illustrates typical file permissions for WireGuard private, public and pre-shared keys. Private and pre-shared keys are readable by their owner only (`0600`); only the public key may be world-readable.
```shell
-rw------- 1 abc abc 44 Jun 24 12:00 privatekey-peer1
-rw-r--r-- 1 abc abc 44 Jun 24 12:00 publickey-peer1
-rw------- 1 abc abc 44 Jun 24 12:00 presharedkey-peer1
```

--------------------------------

### WireGuard Site B (Client) Configuration Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Configuration for the client site (Site B) to connect to the WireGuard VPN, including interface, peer and routing settings. Two points on the routing hooks: `ip route add ... via %i` is not valid syntax (`via` takes a gateway address; an interface is given with `dev`), and wg-quick already installs a kernel route for every `AllowedIPs` prefix before `PostUp` runs, so an explicit `ip route add` for `10.13.13.0/24` is redundant and reports `File exists`. The hooks are therefore shown commented out with the corrected syntax.

```ini
[Interface]
Address = 10.13.13.2/32
PrivateKey =
# PostUp = ip route add 10.13.13.0/24 dev %i    (redundant: wg-quick adds this route from AllowedIPs)
# PostDown = ip route del 10.13.13.0/24 dev %i

[Peer]
PublicKey =
Endpoint = vpn.siteA.com:51820
AllowedIPs = 10.13.13.0/24,10.0.0.0/8
```

--------------------------------

### Initial WireGuard Container Run for Key Generation

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Runs the container interactively to generate the initial configuration files and keys into the mounted `/config`. This is a prerequisite for read-only mode, which cannot create new keys.

```bash
docker run -it \
  -e PEERS=3 \
  -v /path/to/config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Docker Compose Configuration for WireGuard

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Example docker-compose.yml for setting up a WireGuard server. Map your configuration volume and set the environment variables you need. `SYS_MODULE` and the `/lib/modules` mount are only required when the host kernel does not already have the WireGuard module loaded (the module init script on this page checks for this); leave them out otherwise to keep the container's privileges minimal.
```yaml
---
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=wireguard.domain.com #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS= #optional
      - LOG_CONFS=true #optional
    volumes:
      - /path/to/wireguard/config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```

--------------------------------

### Docker CLI Configuration for WireGuard

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Example `docker run` command for setting up a WireGuard server. It includes the required capability, environment variables, port mapping and volume mounts; the items marked `#optional` mirror the compose example above.

```bash
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE `#optional` \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -e SERVERURL=wireguard.domain.com `#optional` \
  -e SERVERPORT=51820 `#optional` \
  -e PEERS=1 `#optional` \
  -e PEERDNS=auto `#optional` \
  -e INTERNAL_SUBNET=10.13.13.0 `#optional` \
  -e ALLOWEDIPS=0.0.0.0/0 `#optional` \
  -e PERSISTENTKEEPALIVE_PEERS= `#optional` \
  -e LOG_CONFS=true `#optional` \
  -p 51820:51820/udp \
  -v /path/to/wireguard/config:/config \
  -v /lib/modules:/lib/modules `#optional` \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Multi-Tunnel Client Configuration Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Configure multiple WireGuard tunnels to connect to different VPN servers simultaneously. Tunnels are activated in alphabetical order of their file names, and if any one fails to come up, all are stopped.
Each tunnel is its own file in `/config/wg_confs/` with its own interface address. Because `backup.conf` claims only `10.0.0.0/8`, the more specific kernel route sends that range through the backup tunnel while everything else follows `main.conf`'s default route.

```ini
# main.conf - Primary ISP
[Interface]
Address = 10.13.13.2/32
PrivateKey =
DNS = 8.8.8.8

[Peer]
PublicKey =
Endpoint = server1.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

```ini
# backup.conf - Backup ISP
[Interface]
Address = 10.13.13.3/32
PrivateKey =
DNS = 8.8.8.8

[Peer]
PublicKey =
Endpoint = server2.example.com:51820
AllowedIPs = 10.0.0.0/8
```

--------------------------------

### Start WireGuard Server for Site-to-Site VPN

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Launches a WireGuard server container to connect two networks. It names the peer, sets the internal subnet, adds Site B's LAN to that peer's `AllowedIPs`, and sets the server URL that ends up in the peer's `Endpoint`.

```bash
docker run -d \
  -e PEERS=site_b \
  -e INTERNAL_SUBNET=10.13.13.0 \
  -e SERVER_ALLOWEDIPS_PEER_site_b="192.168.100.0/24" \
  -e SERVERURL=vpn.siteA.com \
  -p 51820:51820/udp \
  -v /path/to/config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Limit Peer Bandwidth with tc

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Example command to rate-limit the container's `wg0` interface with `tc` (traffic control). Although it is typed on the host, `docker exec` runs it inside the container's network namespace, where `wg0` lives. A token-bucket qdisc on the interface root caps egress for the whole interface (all peers together), not for a single peer.

```bash
docker exec wireguard tc qdisc add dev wg0 root tbf rate 10mbit burst 32kbit latency 400ms
```

--------------------------------

### WireGuard Multi-Tunnel Failover Setup

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Illustrates a file layout for multiple WireGuard configurations used for failover. Use routing policies to decide which of the primary and backup tunnels carries traffic.
```text
/config/wg_confs/
├── primary.conf → Server A (main route)
└── backup.conf  → Server B (if primary fails)
```

--------------------------------

### WireGuard Client Mode Setup

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INDEX.md

Run WireGuard in client mode by omitting the `PEERS` environment variable and placing your own `.conf` in `/config/wg_confs/`. This command sets up the port mapping and volume mount for that configuration.

```bash
docker run -d \
  -p 51820:51820/udp \
  -v /config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Minimal Server Setup with Docker

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/README.md

Launches a WireGuard VPN server in detached mode. Requires the `NET_ADMIN` capability, publishes UDP port 51820, and mounts a named Docker volume (`wireguard-config`, rather than a host path) for configuration. The `PEERS` environment variable defines the number of clients the server will support.

```bash
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  -e PEERS=3 \
  -p 51820:51820/udp \
  -v wireguard-config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Peer ID Normalization Examples

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

Demonstrates how peer IDs are derived from the `PEERS` environment variable. A purely numeric value becomes a count of numbered peers; a comma-separated list becomes named peers.
```bash
# Input: PEERS=3
mapfile -t PEERS_ARRAY < <(seq 1 "${PEERS}")
# Result: PEERS_ARRAY[0]=1, PEERS_ARRAY[1]=2, PEERS_ARRAY[2]=3
# Generates: peer1, peer2, peer3

# Input: PEERS=laptop,phone,tablet
mapfile -t PEERS_ARRAY < <(echo "${PEERS}" | tr ',' '\n')
# Result: PEERS_ARRAY[0]=laptop, PEERS_ARRAY[1]=phone, PEERS_ARRAY[2]=tablet
# Generates: peer_laptop, peer_phone, peer_tablet
```

--------------------------------

### Production WireGuard Server Setup

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INDEX.md

This command configures a WireGuard server with explicit settings for peers, network, DNS and routing: the public server URL, named peers, the internal subnet, the DNS server handed to peers, the `AllowedIPs` written into peer configs, and `PERSISTENTKEEPALIVE_PEERS=all`, which adds a keepalive to every peer so NAT mappings stay open.

```bash
docker run -d \
  -e PUID=1000 \
  -e PGID=1000 \
  -e SERVERURL=vpn.example.com \
  -e PEERS=laptop,phone,tablet \
  -e INTERNAL_SUBNET=10.13.13.0 \
  -e PEERDNS=8.8.8.8 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -e PERSISTENTKEEPALIVE_PEERS=all \
  -p 51820:51820/udp \
  -v /config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### WireGuard Configuration Comments

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/WIREGUARD_CONFIGURATION.md

Demonstrates the use of comments in WireGuard configuration files. Comments start with `#`; the generator writes a `# peerX` comment above each `[Peer]` section, and the utilities on this page use that marker to find a peer.

```ini
[Peer]
# peer1          ← Comments start with #
PublicKey = ...
```

```ini
[Peer]
# peer1          ← Comment marks which peer this section belongs to
PublicKey =
```

--------------------------------

### QR Code Generation

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

Examples of generating QR codes for peer configurations. One command renders an ANSI UTF-8 version for terminal display, the other writes a PNG file. Either form encodes the whole `peer.conf`, including its `PrivateKey`, so a saved PNG is as sensitive as the key file: give it the same permissions and delete it once the device is enrolled.
```bash
qrencode -t ansiutf8 < /config/peer/peer.conf                 # Terminal display
qrencode -o /config/peer/peer.png < /config/peer/peer.conf    # PNG save
```

--------------------------------

### WireGuard Port Forwarding Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Illustrates the firewall port forward WireGuard needs. The external port must match `SERVERPORT` (what peers are told to connect to) and the internal port must match the container's published port. Addresses are elided in the source.

```text
External: :51820/udp → Internal: :51820/udp
```

--------------------------------

### Start WireGuard Server in Read-Only Mode

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Launches the WireGuard server container with a read-only root filesystem. It requires pre-generated keys and configs in `/config` (see the initial key-generation run on this page) and tmpfs mounts for temporary and runtime files. `--read-only` applies to the container's root filesystem only; the bind-mounted `/config` remains writable.

```bash
docker run -d \
  --read-only \
  -e PEERS=3 \
  -v /path/to/config:/config \
  --tmpfs /tmp --tmpfs /run \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Client Mode Docker Setup

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/README.md

Launches a WireGuard client in detached mode. Requires the `NET_ADMIN` capability, publishes UDP port 51820, and mounts a volume for configuration. Omitting the `PEERS` environment variable selects client mode.

```bash
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  -p 51820:51820/udp \
  -v wireguard-config:/config \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Run WireGuard Docker Container

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/CONFIGURATION.md

Use this command to start the WireGuard container, configuring server settings and peer definitions through environment variables. Map the UDP port and the `/config` volume so keys and configs persist across restarts.
```bash
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -e SERVERURL=vpn.example.com \
  -e SERVERPORT=51820 \
  -e PEERS=myPC,myPhone,myTablet \
  -e PEERDNS=8.8.8.8 \
  -e INTERNAL_SUBNET=10.13.13.0 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -e LOG_CONFS=true \
  -p 51820:51820/udp \
  -v /path/to/config:/config \
  -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Docker Secrets Configuration Example

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/CONFIGURATION.md

Demonstrates how to supply an environment variable's value from a Docker secret. The `FILE__` prefix makes the container read the value from the given file path at startup instead of from the variable itself, so the value never appears in `docker inspect` output.

```bash
-e FILE__SERVERURL=/run/secrets/server_url
```

--------------------------------

### Restart All Docker Compose Services

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Recreates and starts all services defined in your docker-compose.yml, applying any updated images. Run `docker-compose pull` first (with Compose v2 the command is `docker compose`).

```bash
docker-compose up -d
```

--------------------------------

### Migrate Legacy wg0.conf to wg_confs Directory

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/WIREGUARD_CONFIGURATION.md

Copies a legacy configuration from `/config/wg0.conf` to `/config/wg_confs/wg0.conf`, but only when `/config/wg_confs` is empty, so an existing multi-config setup is never overwritten. This keeps older installations working.

```bash
if [[ -z "$(ls -A /config/wg_confs)" ]] && [[ -f /config/wg0.conf ]]; then
  cp /config/wg0.conf /config/wg_confs/wg0.conf
fi
```

--------------------------------

### State File Bash Variables

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Example content of the `.donoteditthisfile` state file.
This file records the environment variable values the configs were last generated from; on each start they are compared with the current environment to decide whether regeneration is needed. `ORIG_INTERFACE` stores the first three octets of the internal subnet. Do not edit this file manually (deleting it forces a full comparison, as shown in the cleanup commands on this page).

```bash
ORIG_SERVERURL="vpn.example.com"
ORIG_SERVERPORT="51820"
ORIG_PEERDNS="8.8.8.8"
ORIG_PEERS="3"
ORIG_INTERFACE="10.13.13"
ORIG_ALLOWEDIPS="0.0.0.0/0, ::/0"
ORIG_PERSISTENTKEEPALIVE_PEERS=""
```

--------------------------------

### Startup Behavior: Discovering WG Configs

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

This loop iterates over the configuration files in `/config/wg_confs/`, accepts only those containing an `[Interface]` section, and collects their paths in the `WG_CONFS` array. The glob expands in sorted order, which is why tunnels are brought up alphabetically.

```bash
for wgconf in /config/wg_confs/*.conf; do
  if grep -q "\[Interface\]" "${wgconf}"; then
    echo "**** Found WG conf ${wgconf}, adding to list ****"
    WG_CONFS+=("${wgconf}")
  fi
done
```

--------------------------------

### Restart Single Docker Compose Service

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Recreates and starts only the `wireguard` service defined in your docker-compose.yml, applying an updated image to that service alone.

```bash
docker-compose up -d wireguard
```

--------------------------------

### Access WireGuard Container Shell

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Use this command to get a shell inside a running WireGuard container. It assumes the container is named `wireguard`.

```bash
docker exec -it wireguard /bin/bash
```

--------------------------------

### WireGuard IPv4-Only Routing

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Example of setting the `ALLOWEDIPS` environment variable so that peers route only IPv4 traffic through the tunnel. Omitting `::/0` leaves IPv6 traffic on the peer's normal path, which is a leak to keep in mind on dual-stack clients.
```bash
-e ALLOWEDIPS=0.0.0.0/0
```

--------------------------------

### Get WireGuard Image Version

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Inspect the `latest` tag of the WireGuard image to read its `build_version` label. This is useful for verifying which build you have pulled.

```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Register QEMU Static Binary for ARM Builds

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

This command registers the QEMU static binaries, which are necessary for building ARM variants of the image on non-ARM hardware (for example x86_64).

```bash
docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset
```

--------------------------------

### WireGuard Port Conflict Error Message

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

Example of the error seen when WireGuard cannot bind its configured port because another process already holds it.

```text
wg-quick up: Unable to bind port 51820
```

--------------------------------

### Get WireGuard Container Version

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Read the `build_version` label from a running container named `wireguard`. This identifies the exact image build the container was created from.

```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard
```

--------------------------------

### Set Environment Variable from File

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Demonstrates setting an environment variable from a file path with the `FILE__` prefix. The container reads the file's contents as the value of `MYVAR`, which keeps secrets out of the container's environment listing.
```bash
-e FILE__MYVAR=/run/secrets/mysecretvariable
```

--------------------------------

### List Available CoreDNS Plugins

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/COREDNS_INTEGRATION.md

Use this command to list the CoreDNS plugins compiled into the binary shipped in the running container. Only these plugins can be used in a custom Corefile.

```bash
docker exec wireguard coredns -plugins
```

--------------------------------

### Show Peer Utility Implementation Details

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/SCRIPTS_AND_UTILITIES.md

This snippet shows the core logic for normalizing a peer ID and checking that the peer exists in the server config before printing its QR code. The source checks existence with a substring match (`grep -q "# ${PEER_ID}"`), which lets `peer1` also match the `# peer10` marker; the version below anchors on the whole line and reports a missing peer instead of failing silently.

```bash
# Numeric peer normalization
if [[ "${i}" =~ ^[0-9]+$ ]]; then
  PEER_ID="peer${i}"
else
  PEER_ID="peer_${i//[^[:alnum:]_-]/}"   # keeps letters, digits, '_' and '-'; drops everything else
fi

# Peer existence validation: match the whole "# peerX" marker line
if grep -qx -- "# ${PEER_ID}" /config/wg_confs/wg0.conf; then
  qrencode -t ansiutf8 < "/config/${PEER_ID}/${PEER_ID}.conf"
else
  echo "Peer ${PEER_ID} not found in /config/wg_confs/wg0.conf" >&2
fi
```

--------------------------------

### Specify Dockerfile for ARM Build

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

After registering QEMU, select a particular Dockerfile (for example the aarch64 one) with the `-f` flag of `docker build`. The build context (`.`) is still required.

```bash
docker build -f Dockerfile.aarch64 .
```

--------------------------------

### Client Mode DNS Flow (USE_COREDNS=true)

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/COREDNS_INTEGRATION.md

Illustrates the DNS query path in client mode when CoreDNS is enabled: CoreDNS listens inside the container and forwards to whatever `/etc/resolv.conf` names.
```text
Client Application
    ↓
DNS Query to 127.0.0.1:53 (container)
    ↓
CoreDNS (container)
    ↓
forward plugin → /etc/resolv.conf
    ↓
Host's DNS resolver
    ↓
Response
```

--------------------------------

### Check Port Availability with netstat

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/NETWORKING.md

A startup check for whether port 53 is already taken before CoreDNS is started; if it is, CoreDNS is disabled rather than failing to bind. The pattern `":53 "` matches any local socket on port 53, TCP or UDP.

```bash
if netstat -apn | grep -q ":53 "; then
  # Port in use, disable CoreDNS
fi
```

--------------------------------

### Server Configuration Template

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INITIALIZATION_SYSTEM.md

This is the default server configuration template. It is not a literal config: `${INTERFACE}` and the `$(cat ...)` substitution are expanded by the shell when the generator evaluates the template (see the generation snippets on this page), so the private key is read from `/config/server/privatekey-server` at that time. The hooks forward tunnel traffic and masquerade it out of any `eth*` interface.

```ini
[Interface]
Address = ${INTERFACE}.1
ListenPort = 51820
PrivateKey = $(cat /config/server/privatekey-server)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
```

--------------------------------

### Generate Private and Public Keys

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/README.md

Use `wg genkey` to generate a private key and `wg pubkey` to derive the public key from it. Private keys must be mode 600; setting `umask 077` before generating avoids the brief window in which the file exists with the default mode before `chmod` runs.
```bash
umask 077                               # new files are created 0600 from the start
wg genkey > private.key
chmod 600 private.key                   # harmless after the umask; tightens a pre-existing file
wg pubkey < private.key > public.key
wg genpsk > preshared.key               # optional pre-shared key (the presharedkey-* files on this page); also secret
```

--------------------------------

### Generate Peer Configuration (Legacy Mode)

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/WIREGUARD_CONFIGURATION.md

As extracted, this snippet joins two separate decisions. The condition tests `LOG_CONFS`: when it is unset or `true`, the peer's generated conf is echoed to the container log. The `else` branch is the legacy path for peers without a pre-shared key, which strips the `PresharedKey` line from the template before it is rendered.

```bash
if [[ -z "${LOG_CONFS}" ]] || [[ "${LOG_CONFS}" = "true" ]]; then
  echo "PEER ${i} conf"
else
  # Legacy mode: no PSK
  sed '/PresharedKey/d' "/config/templates/peer.conf"
fi
```

--------------------------------

### Generate Peer WireGuard Configuration with PSK

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/SCRIPTS_AND_UTILITIES.md

Generates a peer's WireGuard configuration file, including the pre-shared key. The template is spliced into a heredoc (`cat <<DUDE > file`) inside an `eval`, so every `${VAR}` and `$(...)` in the template is expanded by the shell when the file is written. Because the template is executed as shell, anyone who can write `/config/templates/*.conf` can run commands as the container's user on the next start; protect that directory as you would code.

```bash
eval "$(printf %s)
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
$(cat /config/templates/peer.conf)
DUDE
"
```

--------------------------------

### Generate Server WireGuard Configuration

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/SCRIPTS_AND_UTILITIES.md

Generates the server's `wg0.conf` from the server template with the same heredoc-inside-`eval` idiom: template variables such as `${INTERFACE}` and the `$(cat .../privatekey-server)` substitution are expanded, and the result is written to `/config/wg_confs/wg0.conf`.

```bash
eval "$(printf %s)
cat <<DUDE > /config/wg_confs/wg0.conf
$(cat /config/templates/server.conf)
DUDE
"
```

--------------------------------

### Check CoreDNS Version in Running Container

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/COREDNS_INTEGRATION.md

Run this against a running WireGuard container to see the installed CoreDNS version. The image is built on a specific Alpine release, whose package repository determines which CoreDNS version is included.
```bash
docker exec wireguard /usr/bin/coredns --version
```

--------------------------------

### Manual Cleanup Commands

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Use these commands to force regeneration of the server config, of a peer's config with new keys, or a full comparison of all tracked variables on the next start. Regenerating a peer invalidates the config already installed on that device.

```bash
rm /config/wg_confs/wg0.conf     # Regenerates server config
rm -rf /config/peer1/            # Regenerates peer1 with new keys
rm /config/.donoteditthisfile    # Forces comparison of all variables
```

--------------------------------

### Custom iptables Rules to Block HTTP and Allow HTTPS

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

This example customizes the hook rules so that traffic arriving from peers over the tunnel (`-i %i`) to TCP port 80 is dropped while TCP port 443 is allowed. Two details matter for it to work. First, iptables evaluates a chain top to bottom and stops at the first match, so the DROP must come before the blanket `-A FORWARD -i %i -j ACCEPT` (the source appends it afterwards, where it never matches). Second, wg-quick reads the config line by line and does not join backslash-continued lines, but it accepts several `PostUp`/`PostDown` lines and runs them in order, which is the form used below. The explicit 443 ACCEPT is redundant given the general ACCEPT but is kept from the source.

```ini
PostUp = iptables -A FORWARD -i %i -p tcp --dport 80 -j DROP
PostUp = iptables -A FORWARD -i %i -p tcp --dport 443 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -p tcp --dport 80 -j DROP
PostDown = iptables -D FORWARD -i %i -p tcp --dport 443 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
```

--------------------------------

### Project Structure

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/PROJECT_OVERVIEW.md

Illustrates the directory layout of the docker-wireguard project: Dockerfiles per architecture, the default config templates and Corefile, and the s6-overlay init and service definitions.
```text
docker-wireguard/
├── Dockerfile                  # x86-64 build definition
├── Dockerfile.aarch64          # ARM64 build definition
├── README.md                   # User documentation
├── Jenkinsfile                 # CI/CD pipeline
├── root/
│   ├── app/
│   │   └── show-peer           # Peer QR code display utility
│   ├── defaults/
│   │   ├── Corefile            # Default CoreDNS config
│   │   ├── server.conf         # Server config template
│   │   └── peer.conf           # Peer config template
│   └── etc/s6-overlay/s6-rc.d/
│       ├── init-wireguard-module/   # WireGuard module initialization
│       ├── init-wireguard-confs/    # Configuration generation
│       ├── svc-wireguard/           # WireGuard service runner
│       └── svc-coredns/             # CoreDNS service runner
```

--------------------------------

### Check Corefile Syntax

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Displays the CoreDNS configuration file so you can inspect it for syntax errors or wrong settings. `cat` only shows the file; any actual parse error appears in the CoreDNS log entries shown by the next command.

```bash
docker exec wireguard cat /config/coredns/Corefile
```

--------------------------------

### Check CoreDNS Logs for Startup Issues

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/COREDNS_INTEGRATION.md

Filters the container log for CoreDNS lines. Useful for diagnosing startup failures such as a Corefile parse error or a port already in use.

```bash
docker logs wireguard | grep -i coredns
```

--------------------------------

### Optional Volume for Kernel Modules

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Gives the container access to the host's kernel modules so it can load WireGuard when the host kernel does not have it built in or already loaded. It only helps together with the `SYS_MODULE` capability.

```bash
-v /lib/modules:/lib/modules
```

--------------------------------

### Multi-Tunnel Client Mode Directory Structure

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

Illustrates the directory structure for multi-tunnel client mode. Configuration files are placed in `/config/wg_confs/` and activated in alphabetical order of their file names.
With these three names, alphabetical order puts `wg0.conf` last, not first, because the discovery loop on this page iterates over the sorted `*.conf` glob.

```text
/config/wg_confs/
├── backup.conf    # First tunnel (activated first)
├── home.conf      # Second tunnel (activated second)
└── wg0.conf       # Third tunnel (activated third)
```

--------------------------------

### Build WireGuard Docker Image Locally

Source: https://github.com/linuxserver/docker-wireguard/blob/master/README.md

Clones the repository and builds the image locally. `--no-cache` and `--pull` ensure a clean build from the latest base image.

```bash
git clone https://github.com/linuxserver/docker-wireguard.git
cd docker-wireguard
docker build \
  --no-cache \
  --pull \
  -t lscr.io/linuxserver/wireguard:latest .
```

--------------------------------

### Server Configuration Snippet for Site-to-Site VPN

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

Shows how the peer's section in the server's `wg0.conf` looks after `SERVER_ALLOWEDIPS_PEER_laptop` has added extra subnets. The bare `10.13.13.2` is treated by WireGuard as a single host (`/32`).

```ini
[Peer]
# peer_laptop
PublicKey =
AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24
```

--------------------------------

### Required Volume for Configuration

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Persists configuration and keys between container restarts by mounting a volume at `/config`. Without it, keys are regenerated on every start and existing peer configs stop working.

```bash
-v /path/to/config:/config
```

--------------------------------

### WireGuard Module Initialization Script

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INITIALIZATION_SYSTEM.md

This script checks whether the WireGuard kernel module is usable and loads it if not. It logs an advisory if the module is already active (in which case `SYS_MODULE` can be dropped), and if loading fails it logs an error and sleeps forever rather than exiting, so the container stays up for inspection.
```bash
#!/bin/bash

# Create directories if they don't exist
mkdir -p /config/templates/
mkdir -p /config/coredns/

# Check if the WireGuard kernel module is available by creating a throwaway interface
if ip link add dev test type wireguard >/dev/null 2>&1; then
  echo "WireGuard module is already active."
  echo "If you are running this container in a privileged mode, you can optionally remove the SYS_MODULE capability."
  ip link delete dev test
else
  echo "WireGuard module is not active. Attempting to load..."
  # Attempt to load the module (requires SYS_MODULE capability)
  if modprobe wireguard >/dev/null 2>&1; then
    echo "WireGuard module loaded successfully."
  else
    echo "ERROR: Failed to load WireGuard module. The container will now sleep indefinitely."
    echo "Ensure the container has the SYS_MODULE capability or the module is pre-loaded in the host kernel."
    # Enter an infinite sleep to halt execution until manual intervention
    while true; do sleep 1; done
  fi
fi

exit 0
```

--------------------------------

### View Host DNS Resolver Configuration

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/COREDNS_INTEGRATION.md

Displays `/etc/resolv.conf` inside the container, which Docker populates from the host's resolver settings and which CoreDNS's `forward` plugin uses as its upstream.

```bash
docker exec wireguard cat /etc/resolv.conf
```

--------------------------------

### Generate Peer WireGuard Configuration without PSK (Legacy)

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/SCRIPTS_AND_UTILITIES.md

Generates a peer's WireGuard configuration file without the `PresharedKey` line, for backward compatibility with peers created before pre-shared keys were introduced. `sed` filters the template first; the result is then rendered with the same heredoc-inside-`eval` idiom as the other generation snippets.
```bash
# Legacy branch: peers whose keys predate preshared-key support have no
# presharedkey-${PEER_ID} file, so the PresharedKey line is removed from
# the template. The heredoc runs inside eval so that the ${VAR} and
# $(cat ...) references contained in the template text are expanded.
eval "$(printf %s)
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
$(sed '/PresharedKey/d' "/config/templates/peer.conf")
DUDE
"
```

--------------------------------

### WireGuard Service Dependency Tree

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INITIALIZATION_SYSTEM.md

Illustrates the dependency order of services managed by s6-overlay, from initial configuration to long-running services like CoreDNS and WireGuard.

```text
init-config (built-in)
        ↓
init-wireguard-module (oneshot)
        ↓
init-wireguard-confs (oneshot)
        ↓
init-config-end (built-in)
        ├─→ svc-coredns (longrun)
        │        ↓
        └─→ svc-wireguard (longrun)
```

--------------------------------

### Display Multiple Named Peers QR Codes

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/SCRIPTS_AND_UTILITIES.md

Use this command to display QR codes for several named peers at once. List each peer name separated by a space.

```bash
docker exec -it wireguard /app/show-peer myPC myPhone myTablet
```

--------------------------------

### tmpfs Mounts for Runtime State

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/FILE_SYSTEM_REFERENCE.md

Use tmpfs mounts for /tmp and /run to store runtime state when the root filesystem is read-only.

```bash
--tmpfs /tmp --tmpfs /run
```

--------------------------------

### Zero-Downtime Configuration Update with Docker

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Demonstrates updating WireGuard container configuration by modifying environment variables and restarting the container. The container automatically detects changes and regenerates configurations. The comment line stands in for the remaining, unchanged options; in a real command list them explicitly, since a comment after a line continuation ends the command.

```bash
docker stop wireguard
docker run -d \
  -e PEERS=5 \
  -e SERVERURL=vpn.newdomain.com \
  # ... other variables same
  lscr.io/linuxserver/wireguard:latest
```

--------------------------------

### Peer Configuration Template

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/INITIALIZATION_SYSTEM.md

This is the default peer configuration template. Variables like `${CLIENT_IP}`, `${PEER_ID}`, `${PEERDNS}`, `${SERVERURL}`, `${SERVERPORT}`, and `${ALLOWEDIPS}` are expanded during generation, and the `$(cat ...)` references are replaced with the contents of the corresponding key files. Ensure keys and peer-specific information are correctly provided.

```ini
[Interface]
Address = ${CLIENT_IP}
PrivateKey = $(cat /config/${PEER_ID}/privatekey-${PEER_ID})
ListenPort = 51820
DNS = ${PEERDNS}

[Peer]
PublicKey = $(cat /config/server/publickey-server)
PresharedKey = $(cat /config/${PEER_ID}/presharedkey-${PEER_ID})
Endpoint = ${SERVERURL}:${SERVERPORT}
AllowedIPs = ${ALLOWEDIPS}
```

--------------------------------

### iptables Multi-Interface Masquerading

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

This configuration demonstrates how to set up masquerading for multiple WAN interfaces (e.g., ppp0 and eth0) to route traffic out of preferred interfaces. wg-quick replaces `%i` with the name of the WireGuard interface being brought up.

```bash
PostUp = iptables -A FORWARD -i %i -j ACCEPT; \
         iptables -A FORWARD -o %i -j ACCEPT; \
         iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE; \
         iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

--------------------------------

### Check Server AllowedIPs Configuration

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Inspects the WireGuard configuration file to check the AllowedIPs setting for a specific peer. Ensure this matches the expected network ranges for the peer. `-A 2` prints the two lines after the peer comment; if the peer block also carries a PresharedKey line, as generated configurations do, use `-A 3` so the AllowedIPs line is included.
```bash
docker exec wireguard grep -A 2 "# peerX" /config/wg_confs/wg0.conf
```

--------------------------------

### Docker Environment Variable for Domain Name

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/ADVANCED_TOPICS.md

Use a domain name for SERVERURL to avoid issues with dynamic IP addresses. This requires setting up dynamic DNS or having peers use the domain name.

```bash
-e SERVERURL=vpn.mydomain.com
```

--------------------------------

### Client Mode Activation Condition

Source: https://github.com/linuxserver/docker-wireguard/blob/master/_autodocs/OPERATION_MODES.md

This script snippet demonstrates a condition that checks for client mode selection. Client mode is activated when the PEERS environment variable is not set; the snippet shows the `else` branch of that check.

```bash
else
    echo "**** Client mode selected ****"
    USE_COREDNS="${USE_COREDNS,,}"
    printf %s "${USE_COREDNS:-false}" > /run/s6/container_environment/USE_COREDNS
fi
```
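The legacy `eval`/heredoc snippet and the peer configuration template above both rely on the same expansion: `${VAR}` references are filled from the container environment and `$(cat PATH)` references from key files, and the legacy branch first drops the PresharedKey line when no preshared key file exists. The following Python script is an added example, not code from the linuxserver/docker-wireguard project. It models that expansion over an in-memory set of constructed key files so the two branches can be compared directly; the environment dictionary, peer name, addresses and key values are all placeholders.

```python
"""Model of the peer.conf template expansion done by the init script.

Added example (not the linuxserver/docker-wireguard project's own code).
The container passes the template through eval/heredoc, which expands
${VAR} from the environment and $(cat PATH) from key files. This version
expands exactly those two forms and nothing else; any other shell construct
in a template is copied through literally instead of being executed.
"""
import re

# Default peer template as shown in the template snippet on this page.
PEER_TEMPLATE = """[Interface]
Address = ${CLIENT_IP}
PrivateKey = $(cat /config/${PEER_ID}/privatekey-${PEER_ID})
ListenPort = 51820
DNS = ${PEERDNS}

[Peer]
PublicKey = $(cat /config/server/publickey-server)
PresharedKey = $(cat /config/${PEER_ID}/presharedkey-${PEER_ID})
Endpoint = ${SERVERURL}:${SERVERPORT}
AllowedIPs = ${ALLOWEDIPS}
"""

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
CAT_RE = re.compile(r"\$\(cat ([^\s()]+)\)")


def render_peer_conf(template, env, key_files):
    """Expand ${VAR} from `env` and $(cat PATH) from `key_files`.

    `key_files` maps a path to the stripped contents of that key file.
    Variables are expanded first so that ${PEER_ID} inside a $(cat ...)
    path is resolved before the file is looked up, the same order the shell
    heredoc produces. A missing key file raises instead of silently writing
    an empty PrivateKey or PublicKey line.
    """
    def var(m):
        return env.get(m.group(1), "")  # unset shell variables expand to ""

    def cat(m):
        path = m.group(1)
        if path not in key_files:
            raise FileNotFoundError(path)
        return key_files[path]

    return "\n".join(
        CAT_RE.sub(cat, VAR_RE.sub(var, line)) for line in template.splitlines()
    ) + "\n"


def generate_peer_conf(env, key_files):
    """Mirror the init script's branch on the preshared key file.

    If /config/${PEER_ID}/presharedkey-${PEER_ID} exists the full template
    is used; otherwise the PresharedKey line is dropped first, which is what
    sed '/PresharedKey/d' does in the legacy branch.
    """
    psk_path = f"/config/{env['PEER_ID']}/presharedkey-{env['PEER_ID']}"
    template = PEER_TEMPLATE
    if psk_path not in key_files:
        template = "\n".join(
            line for line in PEER_TEMPLATE.splitlines() if "PresharedKey" not in line
        ) + "\n"
    return render_peer_conf(template, env, key_files)


# Constructed sample environment and key files (placeholders, not real keys).
SAMPLE_ENV = {
    "CLIENT_IP": "10.13.13.2",
    "PEER_ID": "peer_laptop",
    "PEERDNS": "10.13.13.1",
    "SERVERURL": "vpn.example.com",
    "SERVERPORT": "51820",
    "ALLOWEDIPS": "0.0.0.0/0, ::/0",
}
SAMPLE_KEYS = {
    "/config/server/publickey-server": "SERVER_PUBKEY_PLACEHOLDER=",
    "/config/peer_laptop/privatekey-peer_laptop": "PEER_PRIVKEY_PLACEHOLDER=",
    "/config/peer_laptop/presharedkey-peer_laptop": "PEER_PSK_PLACEHOLDER=",
}
LEGACY_KEYS = {k: v for k, v in SAMPLE_KEYS.items() if "presharedkey" not in k}

if __name__ == "__main__":
    print(generate_peer_conf(SAMPLE_ENV, SAMPLE_KEYS))   # with PresharedKey
    print(generate_peer_conf(SAMPLE_ENV, LEGACY_KEYS))   # legacy, no PSK line
```

Restricting expansion to the two forms the template actually uses is the design choice worth noting: the shell version hands the whole template to `eval`, so its correctness depends on the template directory containing only the expected text, whereas this model cannot run anything it finds there.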
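The `grep -A 2 "# peerX"` command above shows one peer's lines, and the site-to-site snippet earlier shows AllowedIPs entries with and without prefix lengths; neither tells you whether a second peer claims an overlapping prefix. WireGuard's cryptokey routing assigns each prefix to exactly one peer, so a prefix listed under two `[Peer]` blocks is silently taken by the later one. The following Python checker is an added example, not part of the project: it parses the `[Peer]` sections of a server `wg0.conf` (using the `# peername` comment the image writes after each header) and reports entries without a prefix length, overlapping prefixes across peers, and catch-all prefixes. The sample configuration is constructed, with placeholder keys.

```python
"""Validate per-peer AllowedIPs in a server-side wg0.conf.

Added example (not part of linuxserver/docker-wireguard). Findings:
  * an entry without a prefix length (WireGuard treats it as one host)
  * the same or an overlapping prefix under two peers (the later peer wins)
  * a catch-all 0.0.0.0/0 or ::/0 on a server-side peer definition
"""
import ipaddress


def parse_peers(conf_text):
    """Return [(peer_name, [allowed_ips_entries])] from the [Peer] sections.

    The name comes from the '# peerX' comment right after each [Peer]
    header; a peer without one is numbered by position.
    """
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line == "[Peer]":
            current = {"name": None, "allowed": []}
            peers.append(current)
        elif line.startswith("["):          # [Interface] or any other section
            current = None
        elif current is None or not line:
            continue
        elif line.startswith("#"):
            if current["name"] is None:
                current["name"] = line.lstrip("# ").strip()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "AllowedIPs":
                current["allowed"].extend(v.strip() for v in value.split(",") if v.strip())
    return [(p["name"] or f"peer{i + 1}", p["allowed"]) for i, p in enumerate(peers)]


def check_allowed_ips(conf_text):
    """Return a list of findings (strings); an empty list means no problems."""
    findings = []
    owner = {}  # network -> first peer that listed it
    for name, entries in parse_peers(conf_text):
        if not entries:
            findings.append(f"{name}: no AllowedIPs, the peer can never exchange traffic")
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"{name}: unparsable AllowedIPs entry {entry!r}")
                continue
            if "/" not in entry:
                findings.append(f"{name}: {entry} has no prefix length, WireGuard treats it as {net}")
            if net.prefixlen == 0:
                findings.append(f"{name}: {net} sends all traffic of that address family to this peer")
            for other_net, other_name in owner.items():
                if other_net.version == net.version and (
                    net.subnet_of(other_net) or other_net.subnet_of(net)
                ):
                    findings.append(
                        f"{name}: {net} overlaps {other_net} already assigned to "
                        f"{other_name}; the later definition takes it"
                    )
            owner.setdefault(net, name)
    return findings


# Constructed server configuration with placeholder keys. The first peer
# reuses the site-to-site AllowedIPs from this page; the second peer
# re-lists one of its subnets, which is the mistake the checker flags.
SAMPLE_WG0 = """[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = SERVER_PRIVKEY_PLACEHOLDER=

[Peer]
# peer_laptop
PublicKey = PEER_LAPTOP_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24

[Peer]
# peer_site_b
PublicKey = PEER_SITE_B_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.13.13.3/32,192.168.1.0/24
"""

if __name__ == "__main__":
    for finding in check_allowed_ips(SAMPLE_WG0):
        print(finding)
```

Run it against a copy of the container's `wg0.conf` (for example `docker exec wireguard cat /config/wg_confs/wg0.conf`) before reloading the interface; an overlap finding means one of the two peers will lose the route without any error from wg-quick.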