`lscr.io/linuxserver/wireguard:latest` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.

`/usr/src`) and if not, it will attempt to download the necessary kernel headers from the ubuntu `xenial`/`bionic`, debian/raspbian `buster` repos; then it will attempt to compile and install the kernel module. If the kernel headers are not found in either `/usr/src` or in the repos mentioned, the container will sleep indefinitely as wireguard cannot be installed.

`sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).

`/usr/src:/usr/src` and it may just work (no guarantees).

`PEERS`
is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config QR codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer, or `/config/peer_X` in case a list of names was provided instead of an integer.

`SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.

`PEERS` environment variable or add more elements to the list and recreate the container.

`docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (keep in mind that the QR codes are also stored as PNGs in the config folder).

`/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.

`PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.

`AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.

`service`
option in docker, you might lose access to the container's webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):

`AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.

`AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (i.e. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).

`SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
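The two AllowedIPs adjustments described above (carving the docker subnet out of a client's `AllowedIPs`, and the server-side `SERVER_ALLOWEDIPS_PEER_<peer>` entry) as an added Python example; this is not code from the linuxserver image or its scripts. The docker bridge subnet `172.17.0.0/16` used in the sample is an assumed value, and `covers()` is a helper added here to check which addresses still route through the tunnel.

```python
import ipaddress
from typing import Dict, Iterable, List

def exclude_subnets(allowed: str, excluded: Iterable[str]) -> List[str]:
    """Subtract subnets from a comma separated AllowedIPs value.

    Returns the remaining ranges as sorted, collapsed CIDR strings: the list a
    split-tunnel client wg0.conf needs when e.g. the docker bridge subnet must
    stay reachable outside the tunnel instead of being routed via Wireguard."""
    nets = [ipaddress.ip_network(a.strip()) for a in allowed.split(",") if a.strip()]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex.strip())
        remaining = []
        for n in nets:
            if n.version != ex_net.version:
                remaining.append(n)                           # other family, untouched
            elif ex_net.subnet_of(n):
                remaining.extend(n.address_exclude(ex_net))   # carve the hole out of n
            elif n.subnet_of(ex_net):
                continue                                      # n lies inside the hole, drop it
            else:
                remaining.append(n)                           # disjoint, keep as is
        nets = remaining
    out: List[str] = []
    for version in (4, 6):  # collapse_addresses refuses mixed families
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out

def covers(nets: Iterable[str], ip: str) -> bool:
    """True if ip falls inside any of the CIDR ranges (a quick route check)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def peer_allowed_ips(peer: str, peer_ip: str, env: Dict[str, str]) -> str:
    """Server-side AllowedIPs for one peer, as the README describes it: the
    peer's tunnel IP first, then the extra subnets from SERVER_ALLOWEDIPS_PEER_<peer>."""
    extra = env.get(f"SERVER_ALLOWEDIPS_PEER_{peer}", "")
    parts = [peer_ip] + [s.strip() for s in extra.split(",") if s.strip()]
    for p in parts:  # reject typos now rather than writing a broken wg0.conf
        ipaddress.ip_network(p, strict=False)
    return ",".join(parts)

if __name__ == "__main__":
    # Constructed sample: full tunnel minus an assumed docker bridge subnet.
    print("AllowedIPs = " + ", ".join(exclude_subnets("0.0.0.0/0", ["172.17.0.0/16"])))
    print("AllowedIPs = " + peer_allowed_ips("laptop", "10.13.13.2",
          {"SERVER_ALLOWEDIPS_PEER_laptop": "192.168.1.0/24,192.168.2.0/24"}))
```

Excluding one /16 from `0.0.0.0/0` yields sixteen ranges, which is why the README recommends generating such entries rather than hand-editing them.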
`<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.

(`-p`)

- `51820/udp`

(`-e`)

- `PUID=1000`
- `PGID=1000`
- `TZ=Europe/London`
- `SERVERURL=wireguard.domain.com`
  `auto`, the container will try to determine and set the external IP automatically
- `SERVERPORT=51820`
- `PEERS=1`
  `myPC,myPhone,myTablet` (alphanumeric only)
- `PEERDNS=auto`
  `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses the wireguard docker host's DNS via the included CoreDNS forward.
- `INTERNAL_SUBNET=10.13.13.0`
- `ALLOWEDIPS=0.0.0.0/0`
- `LOG_CONFS=true`
  `false` to skip log output.

(`-v`)

- `/config`
- `/lib/modules`

- `--sysctl=`

`cap_add` or `sysctl` to work properly. This is not implemented properly in some versions of Portainer, thus this image may not work if deployed through Portainer.

`FILE__`.

`PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.

`-e UMASK=022`
setting. Keep in mind umask is not chmod: it subtracts from permissions based on its value, it does not add. Please read up here before asking for support.

`-v` flags), permissions issues can arise between the host OS and the container; we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.

`PUID=1000` and `PGID=1000`; to find yours use `id user` as below:

`docker exec -it wireguard /bin/bash`

`docker logs -f wireguard`

`docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard`

`docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/wireguard:latest`
`LOG_CONFS` env var. Remove deprecated `add-peer` command.

`/config/templates/peer.conf` and restart

`/config/coredns/Corefile` and restart).

`/config/coredns/Corefile` and restart).

`PEERDNS=auto` setting. Update the `add-peer`/`show-peer` scripts to utilize the templates and the `INTERNAL_SUBNET` var (previously missed, oops).

`INTERNAL_SUBNET` variable to prevent subnet clashes. Add templates for server and peer confs.

`show-peer` script and include info on host installed headers.