### Start wg-easy Container Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Reload the systemd daemon and start the wg-easy container. ```bash sudo systemctl daemon-reload sudo systemctl start wg-easy ``` -------------------------------- ### Start Watchtower Service Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/auto-updates After configuring Watchtower, navigate to its directory and start the service using Docker Compose. ```bash cd /etc/docker/containers/watchtower sudo docker compose up -d ``` -------------------------------- ### Start wg-easy with Docker Compose Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/basic-installation Navigates to the wg-easy directory and starts the services defined in the docker-compose.yml file in detached mode. ```bash cd /etc/docker/containers/wg-easy sudo docker compose up -d ``` -------------------------------- ### Start AdGuard Home Docker Compose Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Use these commands to start the AdGuard Home service via Docker Compose. ```bash cd /etc/docker/containers/adguard sudo docker compose up -d ``` -------------------------------- ### Start Caddy Docker Compose Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/caddy Command to start the Caddy service in detached mode using Docker Compose. ```bash sudo docker compose up -d ``` -------------------------------- ### Start Traefik Service Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Starts the Traefik service in detached mode using Docker Compose. ```bash sudo docker compose up -d ``` -------------------------------- ### Prometheus Scrape Configuration for wg-easy Source: https://wg-easy.github.io/wg-easy/latest/advanced/metrics/prometheus Add this configuration to your Prometheus setup to scrape metrics from the wg-easy container. Ensure the targets and authorization credentials match your deployment. ```yaml scrape_configs: - job_name: 'wg-easy' scrape_interval: 30s metrics_path: /metrics/prometheus static_configs: - targets: - 'localhost:51821' authorization: type: Bearer credentials: 'SuperSecurePassword' ``` -------------------------------- ### Docker Compose for Routed Setup Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Configure Docker Compose to use host networking for wg-easy, allowing direct access to the host's network interfaces. Ensure necessary capabilities and devices are mounted. ```yaml services: wg-easy: image: ghcr.io/wg-easy/wg-easy:15 container_name: wg-easy network_mode: 'host' volumes: - ./config:/etc/wireguard - /lib/modules:/lib/modules:ro cap_add: - NET_ADMIN - SYS_MODULE devices: - /dev/net/tun:/dev/net/tun restart: unless-stopped ``` -------------------------------- ### Run wg-easy Docker Container Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/docker-run Installs and runs the wg-easy container in detached mode. It configures the container to use the 'wg' network, sets environment variables, assigns static IPv4 and IPv6 addresses, mounts volumes for configuration and modules, maps ports, and grants necessary capabilities and sysctl settings for WireGuard functionality. ```bash docker run -d \ --net wg \ -e INSECURE=true \ --name wg-easy \ --ip6 fdcc:ad94:bacf:61a3::2a \ --ip 10.42.42.42 \ -v ~/.wg-easy:/etc/wireguard \ -v /lib/modules:/lib/modules:ro \ -p 51820:51820/udp \ -p 51821:51821/tcp \ --cap-add NET_ADMIN \ --cap-add SYS_MODULE \ --sysctl net.ipv4.ip_forward=1 \ --sysctl net.ipv4.conf.all.src_valid_mark=1 \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ --sysctl net.ipv6.conf.all.forwarding=1 \ --sysctl net.ipv6.conf.default.forwarding=1 \ --restart unless-stopped \ ghcr.io/wg-easy/wg-easy:15 ``` -------------------------------- ### Authenticate and Request API Data Source: https://wg-easy.github.io/wg-easy/latest/advanced/api Use Basic Authentication with your login credentials to access the API. Ensure 2FA is disabled for API access. This example demonstrates fetching data from the /api/client endpoint. ```python import requests from requests.auth import HTTPBasicAuth url = "https://example.com:51821/api/client" response = requests.get(url, auth=HTTPBasicAuth('username', 'password')) if response.status_code == 200: data = response.json() print(data) else: print(f"Error: {response.status_code}") ``` -------------------------------- ### Caddy Docker Compose Configuration Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/caddy Defines the Caddy service within a Docker Compose setup, including image, ports, network, and volume mappings for configuration and data persistence. ```yaml # compose.yml services: caddy: container_name: caddy image: caddy:2.10.0-alpine # publish everything you deem necessary ports: - '80:80/tcp' - '443:443/tcp' - '443:443/udp' networks: - caddy restart: unless-stopped volumes: - './Caddyfile:/etc/caddy/Caddyfile:ro' - config:/config - data:/data networks: caddy: name: caddy volumes: config: data: ``` -------------------------------- ### Serve Documentation Locally Source: https://wg-easy.github.io/wg-easy/latest/contributing/general Run this command to serve the documentation on your local machine. Changes will be hot-reloaded. ```bash pnpm docs:serve ``` -------------------------------- ### Create Podman Configuration Directories Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Create directories for Podman systemd service and volume configurations for wg-easy. ```bash sudo mkdir -p /etc/containers/systemd/wg-easy sudo mkdir -p /etc/containers/volumes/wg-easy ``` -------------------------------- ### Create wg-easy Configuration Directory Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/basic-installation Creates the necessary directory for wg-easy configuration files. Ensure you have sudo privileges. ```bash sudo mkdir -p /etc/docker/containers/wg-easy ``` -------------------------------- ### List All Clients Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Display a list of all configured clients, including their ID, Name, Public Key, and enabled status. ```bash cli clients:list ``` -------------------------------- ### Apply and Verify Kernel Parameters Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Apply the configured kernel parameters using `sysctl` and verify that IP forwarding is enabled. This confirms the host is ready to route traffic. ```bash sysctl -p /etc/sysctl.d/90-wireguard.conf sysctl -n net.ipv4.ip_forward # should print 1 ``` -------------------------------- ### wg-easy PostUp Hooks with nftables Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Configure the PostUp hook in wg-easy for nftables, setting up chains to accept traffic on the WireGuard interface and jump from the DOCKER-USER chain. This is an alternative to iptables. ```bash nft add chain ip filter WG_EASY; nft add rule ip filter DOCKER-USER jump WG_EASY; nft add rule ip filter WG_EASY iifname {{device}} accept; nft add rule ip filter WG_EASY oifname {{device}} accept; nft add chain ip6 filter WG_EASY; nft add rule ip6 filter DOCKER-USER jump WG_EASY; nft add rule ip6 filter WG_EASY iifname {{device}} accept; nft add rule ip6 filter WG_EASY oifname {{device}} accept; ``` -------------------------------- ### Download Docker Compose File for wg-easy Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/basic-installation Downloads the official docker-compose.yml file for wg-easy. This file defines the services and configurations for running wg-easy with Docker. ```bash sudo curl -o /etc/docker/containers/wg-easy/docker-compose.yml https://raw.githubusercontent.com/wg-easy/wg-easy/master/docker-compose.yml ``` -------------------------------- ### Load Kernel Modules Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft List the kernel modules required for wg-easy and nftables. ```text wireguard nft_masq ``` -------------------------------- ### Create Traefik Directory Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Creates the directory structure for Traefik configuration and navigates into it. ```bash sudo mkdir -p /etc/docker/containers/traefik cd /etc/docker/containers/traefik ``` -------------------------------- ### wg-easy PostUp Hooks with iptables Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Configure the PostUp hook in wg-easy to accept UDP traffic on the WireGuard port and allow forwarding for traffic to and from the WireGuard interface using iptables. ```bash iptables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT ``` -------------------------------- ### wg-easy PostDown Hooks with nftables Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Configure the PostDown hook in wg-easy for nftables to clean up the rules and chains created during the PostUp phase. This ensures proper removal of nftables configurations. ```bash nft delete rule ip filter DOCKER-USER handle $(nft -a list chain ip filter DOCKER-USER | awk '/jump WG_EASY/ {print $NF}'); nft flush chain ip filter WG_EASY; nft delete chain ip filter WG_EASY; nft delete rule ip6 filter DOCKER-USER handle $(nft -a list chain ip6 filter DOCKER-USER | awk '/jump WG_EASY/ {print $NF}'); nft flush chain ip6 filter WG_EASY; nft delete chain ip6 filter WG_EASY ``` -------------------------------- ### Optimize UDP Buffer Sizes with sysctl Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Configure system UDP buffer sizes for AdGuard Home to handle a large volume of UDP packets efficiently. Apply these settings using sysctl. ```bash net.core.rmem_max = 7500000 net.core.wmem_max = 7500000 ``` -------------------------------- ### Traefik Main Configuration (traefik.yml) Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Configures Traefik's logging, entry points (HTTP and HTTPS with redirection), API dashboard, Let's Encrypt certificate resolver, and Docker/file providers. ```yaml log: level: INFO entryPoints: web: address: ':80/tcp' http: redirections: entryPoint: to: websecure scheme: https websecure: address: ':443/tcp' http: middlewares: - compress@file - hsts@file tls: certResolver: letsencrypt http3: {} api: dashboard: true certificatesResolvers: letsencrypt: acme: email: $mail@example.com$ storage: acme.json httpChallenge: entryPoint: web providers: docker: watch: true network: traefik exposedByDefault: false file: filename: traefik_dynamic.yml serversTransport: insecureSkipVerify: true ``` -------------------------------- ### Create AdGuard Configuration Directory Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard This command creates the necessary directory structure for AdGuard Home's configuration files. ```bash sudo mkdir -p /etc/docker/containers/adguard ``` -------------------------------- ### Create and Secure acme.json Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Creates the acme.json file and sets its permissions to 600, which is required for Let's Encrypt certificate storage. ```bash sudo touch /etc/docker/volumes/traefik/acme.json sudo chmod 600 /etc/docker/volumes/traefik/acme.json ``` -------------------------------- ### Caddyfile Configuration for wg-easy Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/caddy Configures Caddy to serve wg-easy on a custom domain with TLS enabled. It sets up a reverse proxy to the wg-easy container and specifies internal TLS. ```caddyfile # Caddyfile { # setup your email address email mail@example.com } wg-easy.example.com { # since the container will share the network with wg-easy # we can use the proper container name reverse_proxy wg-easy:80 tls internal } ``` -------------------------------- ### Execute CLI via Docker Run Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Run the wg-easy CLI using a Docker container. This command mounts the local WireGuard configuration directory. ```bash docker run --rm -it \ -v ~/.wg-easy:/etc/wireguard \ ghcr.io/wg-easy/wg-easy:15 \ cli ``` -------------------------------- ### Configure nftables PostUp Hook Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Add nftables rules for NAT, masquerading, and filtering to allow traffic for WireGuard and the UI. This hook is executed after the WireGuard interface is brought up. ```bash nft add table inet wg_table; nft add chain inet wg_table prerouting { type nat hook prerouting priority 100 \; }; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy accept \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add rule inet wg_table input tcp dport {{uiPort}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy accept \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept; ``` -------------------------------- ### Load WireGuard Kernel Module Source: https://wg-easy.github.io/wg-easy/latest/faq Manually load the WireGuard kernel module if it's not already loaded. Ensure it loads on boot by adding it to /etc/modules. ```bash sudo modprobe wireguard ``` ```bash echo "wireguard" | sudo tee -a /etc/modules ``` -------------------------------- ### Create Docker Network for wg-easy Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/docker-run Creates a Docker bridge network with IPv6 enabled, specifying subnets for both IPv4 and IPv6. This network is required before running the wg-easy container. ```bash docker network create \ -d bridge --ipv6 \ --subnet 10.42.42.0/24 \ --subnet fdcc:ad94:bacf:61a3::/64 \ wg ``` -------------------------------- ### Restart wg-easy Container Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Restart the wg-easy container to apply the newly configured hooks. ```bash sudo systemctl restart wg-easy ``` -------------------------------- ### Execute CLI via Docker Compose Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Run the wg-easy CLI interactively within a Docker Compose environment. Ensure you are in the correct directory. ```bash cd /etc/docker/containers/wg-easy docker compose exec -it wg-easy cli ``` -------------------------------- ### Show Client QR Code Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Display the QR code for a specific client, identified by its client ID. This QR code can be used to import the client configuration into compatible applications. ```bash cli clients:qr ``` -------------------------------- ### Load ip6tables Filter Kernel Module Source: https://wg-easy.github.io/wg-easy/latest/faq Manually load the ip6tables filter kernel module if permission is denied for the 'filter' table for IPv6. Ensure it loads on boot by adding it to /etc/modules. ```bash sudo modprobe ip6table_filter ``` ```bash echo "ip6table_filter" | sudo tee -a /etc/modules ``` -------------------------------- ### Configure nftables PostDown Hook Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Remove the nftables table associated with wg-easy when the WireGuard interface is brought down. ```bash nft delete table inet wg_table ``` -------------------------------- ### Configure wg-easy Network Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Define the network settings for the wg-easy container, enabling IPv6. ```ini [Network] NetworkName=wg-easy IPv6=true ``` -------------------------------- ### Load ip6tables NAT Kernel Module Source: https://wg-easy.github.io/wg-easy/latest/faq Manually load the ip6tables NAT kernel module if the 'nat' table is not found for IPv6. Ensure it loads on boot by adding it to /etc/modules. ```bash sudo modprobe ip6table_nat ``` ```bash echo "ip6table_nat" | sudo tee -a /etc/modules ``` -------------------------------- ### Show Client QR Code without IPv6 Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Display the QR code for a specific client while disabling IPv6 support. This is useful if your network does not support or require IPv6. ```bash cli clients:qr --no-ipv6 ``` -------------------------------- ### Update wg-easy to Latest Version Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/basic-installation Pulls the latest Docker image for wg-easy and restarts the services to apply the update. Ensure you are in the wg-easy directory. ```bash cd /etc/docker/containers/wg-easy sudo docker compose pull sudo docker compose up -d ``` -------------------------------- ### Load iptables Filter Kernel Module Source: https://wg-easy.github.io/wg-easy/latest/faq Manually load the iptables filter kernel module if permission is denied for the 'filter' table. Ensure it loads on boot by adding it to /etc/modules. ```bash sudo modprobe iptable_filter ``` ```bash echo "iptable_filter" | sudo tee -a /etc/modules ``` -------------------------------- ### Configure wg-easy Container Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft Define the wg-easy container's settings, including image, volumes, network, port mappings, environment variables, and capabilities. ```ini [Container] ContainerName=wg-easy Image=ghcr.io/wg-easy/wg-easy:15 AutoUpdate=registry Volume=/etc/containers/volumes/wg-easy:/etc/wireguard:Z Network=wg-easy.network PublishPort=51820:51820/udp PublishPort=51821:51821/tcp # this is used to allow access over HTTP # remove this when using a reverse proxy Environment=INSECURE=true AddCapability=NET_ADMIN AddCapability=SYS_MODULE AddCapability=NET_RAW Sysctl=net.ipv4.ip_forward=1 Sysctl=net.ipv4.conf.all.src_valid_mark=1 Sysctl=net.ipv6.conf.all.disable_ipv6=0 Sysctl=net.ipv6.conf.all.forwarding=1 Sysctl=net.ipv6.conf.default.forwarding=1 [Install] # this is used to start the container on boot WantedBy=default.target ``` -------------------------------- ### Update wg-easy with Docker Compose Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/auto-updates Navigate to the wg-easy Docker Compose directory and execute this command to pull the latest image and restart the container. ```bash cd /etc/docker/containers/wg-easy sudo docker compose up -d --pull always ``` -------------------------------- ### WireGuard PostUp Hook Configuration Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Configure the PostUp hook in WireGuard to accept UDP traffic on the specified port and set up NAT rules for DNS traffic. This also includes forwarding and masquerading rules for IPv4 and IPv6. ```bash iptables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT; iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination 10.42.42.43; iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination 10.42.42.43; ip6tables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination fdcc:ad94:bacf:61a3::2b; iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination fdcc:ad94:bacf:61a3::2b; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -s {{ipv4Cidr}} -o {{device}} -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s {{ipv6Cidr}} -o {{device}} -j MASQUERADE; ``` -------------------------------- ### Create AdGuard Persistent Data Volumes Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard These commands create directories for AdGuard Home's persistent work and configuration data, ensuring data is saved across container restarts. Permissions are set to restrict access. ```bash sudo mkdir -p /etc/docker/volumes/adguard/adguard_work sudo mkdir -p /etc/docker/volumes/adguard/adguard_conf sudo chmod -R 700 /etc/docker/volumes/adguard ``` -------------------------------- ### Adapt wg-easy Docker Compose for Caddy Network Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/caddy Modifies the wg-easy service in Docker Compose to sync container name and port with Caddyfile, and adds it to the 'caddy' network. The HTTP server no longer needs to be published. ```yaml services: wg-easy: # sync container name and port according to Caddyfile container_name: wg-easy environment: - PORT=80 # no need to publish the HTTP server anymore ports: - "51820:51820/udp" # add to caddy network networks: caddy: ... networks: caddy: external: true ... ``` -------------------------------- ### Restart wg-easy Docker Compose Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Use these commands to stop and restart the wg-easy service via Docker Compose. ```bash cd /etc/docker/containers/wg-easy sudo docker compose down -v sudo docker compose up -d ``` -------------------------------- ### Update wg-easy with Podman Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/auto-updates If you are using Podman, you can update wg-easy and other containers with auto-updates enabled by running this command. ```bash sudo podman auto-update ``` -------------------------------- ### Enable Insecure Web UI Access Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/reverse-proxyless Uncomment the environment section and set INSECURE to true in your docker-compose.yml to allow non-HTTPS access to the wg-easy Web UI. This is not recommended for production environments. ```yaml environment: - INSECURE=true ``` -------------------------------- ### Load iptables NAT Kernel Module Source: https://wg-easy.github.io/wg-easy/latest/faq Manually load the iptables NAT kernel module if the 'nat' table is not found. Ensure it loads on boot by adding it to /etc/modules. ```bash sudo modprobe iptable_nat ``` ```bash echo "iptable_nat" | sudo tee -a /etc/modules ``` -------------------------------- ### Create Traefik Docker Network Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Creates a Docker network named 'traefik' that Traefik will use to communicate with other containers. ```bash sudo docker network create traefik ``` -------------------------------- ### Configure Watchtower for Automatic Updates Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/auto-updates Set up Watchtower to automatically check for and apply updates to your wg-easy container daily. This requires a docker-compose.yml and a watchtower.env file. ```yaml services: watchtower: image: nickfedor/watchtower:latest volumes: - /var/run/docker.sock:/var/run/docker.sock env_file: - watchtower.env restart: unless-stopped ``` ```env WATCHTOWER_CLEANUP=true WATCHTOWER_SCHEDULE=0 0 4 * * * TZ=Europe/Berlin # Email # WATCHTOWER_NOTIFICATIONS_LEVEL=info # WATCHTOWER_NOTIFICATIONS=email # WATCHTOWER_NOTIFICATION_EMAIL_FROM=mail@example.com # WATCHTOWER_NOTIFICATION_EMAIL_TO=mail@example.com # WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.example.com # WATCHTOWER_NOTIFICATION_EMAIL_USER=mail@example.com # WATCHTOWER_NOTIFICATION_EMAIL_PASSWORD="SuperSecurePassword" # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587 ``` -------------------------------- ### Restart wg-easy Docker Container Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Restart the wg-easy Docker container to apply any configuration changes. ```bash sudo docker restart wg-easy ``` -------------------------------- ### Configure Docker Compose for Stable Network Interfaces Source: https://wg-easy.github.io/wg-easy/latest/faq Specify `interface_name` and `gw_priority` in your `docker-compose.yml` to ensure the WireGuard network consistently binds to `eth0` and acts as the default gateway, preventing connectivity loss after restarts. ```yaml services: wg-easy: # ... other configuration ... networks: wg: interface_name: eth0 gw_priority: 1 ipv4_address: 10.42.42.42 nginx: interface_name: eth1 gw_priority: 0 networks: wg: # ... wg network config ... nginx: external: true ``` -------------------------------- ### AdGuard Home Docker Compose Configuration Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Defines the AdGuard Home service using a specific Docker image, sets up persistent volumes for data, and configures network interfaces for both the WireGuard (wg) and Traefik networks. Traefik labels are included for routing. ```yaml services: adguard: image: adguard/adguardhome:v0.107.64 container_name: adguard restart: unless-stopped volumes: - /etc/docker/volumes/adguard/adguard_work:/opt/adguardhome/work - /etc/docker/volumes/adguard/adguard_conf:/opt/adguardhome/conf networks: wg: interface_name: eth0 ipv4_address: 10.42.42.43 ipv6_address: fdcc:ad94:bacf:61a3::2b traefik: interface_name: eth1 labels: - 'traefik.enable=true' - 'traefik.http.routers.adguard.rule=Host(`adguard.$example.com$`)' - 'traefik.http.routers.adguard.entrypoints=websecure' - 'traefik.http.routers.adguard.service=adguard' - 'traefik.http.services.adguard.loadbalancer.server.port=3000' - 'traefik.docker.network=traefik' networks: wg: external: true traefik: external: true ``` -------------------------------- ### Host Kernel Parameters for Routing Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Set essential kernel parameters on the host system to enable IP forwarding and manage source validation for IPv4 and IPv6. These are required when using host networking. ```ini net.ipv4.ip_forward=1 net.ipv4.conf.all.src_valid_mark=1 net.ipv6.conf.all.disable_ipv6=0 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1 ``` -------------------------------- ### Update wg-easy Docker Compose Configuration Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Modifies the wg-easy Docker Compose file to integrate with AdGuard Home. Key changes include setting AdGuard's IP addresses as DNS servers and configuring Traefik for AdGuard access. Note that this update will reset existing WireGuard clients. ```yaml services: wg-easy: ports: - "51820:51820/udp" ... networks: wg: interface_name: eth0 ... traefik: interface_name: eth1 ... ... environment: # Unattended Setup - INIT_ENABLED=true # Replace $username$ with your username - INIT_USERNAME=$username$ # Replace $password$ with your unhashed password - INIT_PASSWORD=$password$ # Replace $example.com$ with your domain - INIT_HOST=wg-easy.$example.com$ - INIT_PORT=51820 - INIT_DNS=10.42.42.43,fdcc:ad94:bacf:61a3::2b - INIT_IPV4_CIDR=10.8.0.0/24 - INIT_IPV6_CIDR=fd42:42:42::/64 ... networks: wg: # Prevents Docker Compose from prefixing the network name. name: wg ... ... ``` -------------------------------- ### wg-easy PostDown Hooks with iptables Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/routed Configure the PostDown hook in wg-easy to remove the iptables rules added during PostUp, ensuring traffic forwarding is correctly stopped when the WireGuard interface is brought down. ```bash iptables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; ip6tables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT ``` -------------------------------- ### Stop wg-easy Container (Docker Run) Source: https://wg-easy.github.io/wg-easy/latest/advanced/migrate/from-14-to-15 Use this command to stop the wg-easy container if you are managing it with `docker run`. ```bash docker stop wg-easy ``` -------------------------------- ### Traefik Dynamic Configuration (traefik_dynamic.yml) Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Defines dynamic configurations for Traefik, including HTTP middlewares (basic auth, compression, HSTS), routers (API), and TLS options. ```yaml http: middlewares: services: basicAuth: users: - '$username$:$password$' compress: compress: {} hsts: headers: stsSeconds: 2592000 routers: api: rule: Host(`traefik.$example.com$`) entrypoints: - websecure middlewares: - services service: api@internal tls: options: default: cipherSuites: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 sniStrict: true ``` -------------------------------- ### Stop wg-easy Container (Docker Compose) Source: https://wg-easy.github.io/wg-easy/latest/advanced/migrate/from-14-to-15 Use this command to stop the wg-easy services if you are managing them with `docker compose`. ```bash docker compose down ``` -------------------------------- ### Add Traefik Labels to wg-easy Service Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Adds Traefik labels to the wg-easy service in its docker-compose.yml file to enable routing and access via Traefik. ```yaml services: wg-easy: ... container_name: wg-easy networks: ... traefik: {} labels: - "traefik.enable=true" - "traefik.http.routers.wg-easy.rule=Host(`wg-easy.$example.com$`)" - "traefik.http.routers.wg-easy.entrypoints=websecure" - "traefik.http.routers.wg-easy.service=wg-easy" - "traefik.http.services.wg-easy.loadbalancer.server.port=51821" - "traefik.docker.network=traefik" ... networks: ... traefik: external: true ``` -------------------------------- ### Update wg-easy with Docker Run Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/auto-updates To update wg-easy when using `docker run`, stop and remove the existing container, then pull the latest image. You will need to re-apply your original `docker run` command. ```bash sudo docker stop wg-easy sudo docker rm wg-easy sudo docker pull ghcr.io/wg-easy/wg-easy ``` -------------------------------- ### Reset Admin Password via Prompt Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Reset the admin user's password interactively using Docker Compose. You will be prompted to enter the new password. ```bash cd /etc/docker/containers/wg-easy docker compose exec -it wg-easy cli db:admin:reset ``` -------------------------------- ### Reset Admin Password via Argument Source: https://wg-easy.github.io/wg-easy/latest/guides/cli Reset the admin user's password by providing it as an argument to the CLI command. Ensure special characters in the password are escaped. ```bash cd /etc/docker/containers/wg-easy docker compose exec -it wg-easy cli db:admin:reset --password ``` -------------------------------- ### Traefik Docker Compose Configuration Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik Defines the Traefik service for Docker Compose, including image, ports, volumes, and network. ```yaml services: traefik: image: traefik:3.3 container_name: traefik restart: unless-stopped ports: - '80:80' - '443:443/tcp' - '443:443/udp' volumes: - /var/run/docker.sock:/var/run/docker.sock - /etc/docker/volumes/traefik/traefik.yml:/traefik.yml:ro - /etc/docker/volumes/traefik/traefik_dynamic.yml:/traefik_dynamic.yml:ro - /etc/docker/volumes/traefik/acme.json:/acme.json networks: - traefik networks: traefik: external: true ``` -------------------------------- ### WireGuard PostDown Hook Configuration Source: https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard Configure the PostDown hook in WireGuard to remove the iptables rules added by the PostUp hook. The '|| true' ensures that the command continues even if a rule is not found. ```bash iptables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT || true; ip6tables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT || true; iptables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination 10.42.42.43 || true; iptables -t nat -D PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination 10.42.42.43 || true; ip6tables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination fdcc:ad94:bacf:61a3::2b || true; ip6tables -t nat -D PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination fdcc:ad94:bacf:61a3::2b || true; iptables -D FORWARD -i wg0 -j ACCEPT || true; iptables -D FORWARD -o wg0 -j ACCEPT || true; ip6tables -D FORWARD -i wg0 -j ACCEPT || true; ip6tables -D FORWARD -o wg0 -j ACCEPT || true; iptables -t nat -D POSTROUTING -s {{ipv4Cidr}} -o {{device}} -j MASQUERADE || true; ip6tables -t nat -D POSTROUTING -s {{ipv6Cidr}} -o {{device}} -j MASQUERADE || true; ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.