Thanks for writing this up. It saved me from having to use network: host. This way I can keep it firewalled within its own wireguard IP. Nice solution.
Thanks Keith, glad it worked for you!
Help please: I can't start the client; it gives an error. The same configuration file works fine on the Windows client.
[migrations] started
[migrations] no migrations found
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/d...
To support LSIO projects visit:
https://www.linuxserver.io/...
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 0
User GID: 0
───────────────────────────────────────
Uname info: Linux 87cefc4e3880 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Performing migration to new folder structure for confs. Please see the image changelog 2023-10-03 entry for more details. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.9/32 dev wg0
[#] ip -6 address add fd42:42:42::9/128 dev wg0
RTNETLINK answers: Permission denied
[#] ip link delete dev wg0
**** Tunnel /config/wg_confs/wg0.conf failed, will stop all others! ****
**** All tunnels are now down. Please fix the tunnel config /config/wg_confs/wg0.conf and restart the container ****
[ls.io-init] done.
Hey Pedro, I know this article is getting old, but I'm having issues with the 'Sharing the connection with other containers' section. When I add the script under the service node and try to run it, I get an error saying "the compose file is invalid because: unsupported config option for services.ubuntu: 'cmd'".
Is there a different way to write out "cmd: >- sleep 10 && curl -w "\n" ifconfig.me"?
Thank you,
Amazingly, I think you just found an error in this (almost) 3-year-old article: that should be "command" and not "cmd" as I currently have it... For context: https://docs.docker.com/com...
Thank you, I will now fix the article example!
Someone knew how to run this container on Windows?
service:<service-name> doesn't work for me. But container:<container-name> does ! Thanks for the tip.
FYI: I was getting errors running "docker-compose up -d". Everything worked fine by adding sudo prefix -- "sudo docker-compose up -d"
Note: when I created the config file on TorGuard generator, it didn't ask for a password.
Error: my WireGuard IP address matches the real public IP. Any thoughts on what might be causing this? I changed the PUID and PGID to match my server but got the same error.
Thank you for your work on this tutorial, it's straightforward and easy to follow.
`sudo` is for elevation; whether it is needed depends on your system configuration, which is why I didn't mention it (mine doesn't require elevation). As for the error you are getting, it might be good to do a `docker logs <container-name>` to check if anything is getting logged that might help!
Getting the following error in the log
"Kernel headers don't seem to be available in Ubuntu, Debian and Raspbian repos, or shared from the host; therefore can't compile the module. Sleeping now. .."
I searched online for forums / possible solutions but no luck. Any thoughts on what else I can try? Thanks in advance.
Sounds like an issue with the Docker image you are using... FWIW, I'm using this image: https://hub.docker.com/r/li...
I have been looking for a way to upgrade my docker-compose. Currently I run with network_mode: container:wireguard, but that forces me to pretty much create -> start -> create -> start:
Create all containers
start them
create qbittorrent (this is because it cannot get the container ID before the container is running), so I have to recreate it
then start qbittorrent
When I then test the IP, it returns the WireGuard public IP.
If I change to network_mode: service:wireguard
and stop them all, create them all, start them all,
then my qBittorrent will start up without having to be recreated, but when I then test the IP it returns my IP and not the WireGuard public IP.
Could this be because I'm running with docker-compose version 3.2 and not 3.7?
Not sure I understand the problem, but I'm going to explain my personal flow: from time to time I do a docker-compose pull to get the latest image versions. If I see that the wireguard image was updated, I do a docker-compose down to ensure all containers are stopped and removed, and then run docker-compose up -d to get them up and running again with the new versions. If there is no new image for wireguard, I just run the second command directly so that it creates new containers for the updated images only!
Thank you for great article! 🚀🚀🚀
For so many years I wondered how to easily wrap a VPN in containers, and everything turned out to be so simple! And it happened thanks to you. Almost all services in my homelab run in containers, so I always wanted a way to expose services directly to the VPN from a container.
Little tip (learned it myself): if you have dependencies between services by hostname, it can be easily achieved via a simple aliases trick:
networks:
  backbone:
    aliases:
      - db
      - web
      - some-hostname
In this case, e.g. `ping some-hostname` will work from all containers.
I have a small question: how can you solve the firewall problem?
In containers, all ports are hidden until they are explicitly forwarded. But with WireGuard it turns out that all ports are open by default (at least in the `linuxserver/wireguard` image). I tested by just starting an HTTP server in a sibling container, and the port was open by default (in the wg network). I suppose block all except allowed, just for security amplification.
How is this issue usually solved in this configuration? Should the firewall work on the wg client or on a central wg server?
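As an added example (not from the article or from any commenter in this thread), the compose file below ties together two points raised above: the sibling-container check from the "cmd" vs "command" exchange, where the key must be `command` and, because Compose does not run a string command through a shell, `sleep 10 && curl ...` has to be wrapped in `sh -c`; and the firewall question just above, answered on the client side with wg-quick's `PostUp`/`PostDown` hooks so that listeners in the shared network namespace are not reachable by every peer on the VPN. The `curlimages/curl` and `nginx:alpine` images, the key and address placeholders, port 8080, the 192.168.1.0/24 LAN and the 172.18.0.1 gateway are all assumptions; the inline `configs.content` form needs Compose v2.23.1 or later, and a bind-mounted file at ./wireguard/wg_confs/wg0.conf works the same way.

```yaml
# Added example, not the article's own compose file. Every key, address,
# endpoint, subnet and gateway below is a placeholder to replace.
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN          # SYS_MODULE only if the host lacks the wireguard module
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - ./wireguard:/config
    configs:
      - source: wg0_conf
        target: /config/wg_confs/wg0.conf
    # Ports for every sibling are published here, on the container that owns
    # the network namespace, never on the sibling (it has no network of its own).
    ports:
      - "8080:80"
    restart: unless-stopped

  # A sibling whose listener lives inside the tunnel's namespace.
  web:
    image: nginx:alpine
    network_mode: service:wireguard
    depends_on:
      - wireguard
    restart: unless-stopped

  # One-shot egress check: the printed address must be the VPN provider's,
  # not the host's public IP. The key is 'command' (not 'cmd'), and the
  # explicit shell is required for '&&' to work.
  ipcheck:
    image: curlimages/curl:latest   # assumption: any image with sh and curl
    network_mode: service:wireguard
    depends_on:
      - wireguard
    entrypoint: ["/bin/sh", "-c"]
    command:
      - sleep 10 && curl -s -w '\n' ifconfig.me

configs:
  wg0_conf:
    content: |
      [Interface]
      PrivateKey = <client private key from your provider's config>
      Address = 10.66.66.9/32
      DNS = 10.66.66.1
      # Default-deny unsolicited inbound on the tunnel interface (IPv4 only):
      # allow replies to our own connections, allow the one port peers may
      # reach, drop everything else arriving from the VPN side.
      PostUp = iptables -A INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      PostUp = iptables -A INPUT -i wg0 -p tcp --dport 80 -j ACCEPT
      PostUp = iptables -A INPUT -i wg0 -j DROP
      PostDown = iptables -D INPUT -i wg0 -j DROP
      PostDown = iptables -D INPUT -i wg0 -p tcp --dport 80 -j ACCEPT
      PostDown = iptables -D INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      # Replies to LAN clients that hit the published port must leave via the
      # docker bridge; wg-quick's policy route would otherwise send them into
      # the tunnel. Placeholders: 192.168.1.0/24 is the LAN, 172.18.0.1 the
      # compose network gateway (see 'docker network inspect').
      PostUp = ip route add 192.168.1.0/24 via 172.18.0.1
      PostDown = ip route del 192.168.1.0/24 via 172.18.0.1

      [Peer]
      PublicKey = <server public key>
      AllowedIPs = 0.0.0.0/0
      Endpoint = vpn.example.net:51820
      PersistentKeepalive = 25
```

After `docker compose up -d`, `docker compose logs ipcheck` should show the provider's address; if it shows the host's public IP, the sibling is not in the tunnel namespace. The route lines cover the case where tcpdump in the wireguard container sees LAN requests to the published port but no replies ever reach the LAN. A conf with an IPv6 `Address` needs matching `ip6tables` lines, since the rules above only cover IPv4.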
Thanks for the great write-up. I'm a bit confused regarding whether the config file saved in the WireGuard docker directory should be named wg0.conf or wg0.yaml.
Lastly, could the newly created network be added as a network via Portainer or the Synology docker GUI? The latter would be useful to just link containers to this particular network.
Hey Geoffrey, you are correct, the file is supposed to be .conf and not .yaml... That was a mistake of mine; I will update the post later today (though feel free to click "edit" on it and submit a PR with that change).
As for the network change, AFAIK Portainer doesn't support this type of pointing to a container/service network, but I could be wrong here!
I seem to be getting the following error in my docker log. Any idea what can fix this?
[#] ip6tables-restore -n
ip6tables-restore v1.6.1: ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
Can't say much about that, sorry... My whole docker-compose.yaml file is here in case that helps: https://github.com/pedrolam...
Hi! How do you access the Sonarr web UI if you didn't use a port? I mean, you don't have -p port:port.
See you and thanks for post!
Hi Pepe, you should be able to do so by exposing the port on the Wireguard container (as that is the main network one!)
I have done so, but it does not work either. I think it must be because of the "wg" interface of WireGuard, because when I stop the service it works (I can't access the web UI from the LAN with the host IP and port). If I do a tcpdump in the WireGuard container I see the requests, but no response. Maybe it's sending the response through the tunnel? How do you access Sonarr and Radarr? Can you share your configuration from the wg0.conf file? Without the keys, obviously. Thanks for answering!
Did you ever manage to get this working?
I'm in the same boat...
I don't think there's anything special in my wg0.conf file that would explain this (the content was generated by the TorGuard website), but I do use nginx in front of all the other containers to make it easy to have HTTPS with Let's Encrypt. You can see my full docker-compose file here: https://github.com/pedrolam...
Very helpful. Thank you Pedro.
Hi, I stumbled upon your blog googling "Synology wireguard docker". As I'm a newbie on Linux and the CLI and I cannot find a reliable resource for such a task, have you had any experience with this combination? I've seen you've got a Synology NAS, so I'm wondering whether you've checked if SYNOLOGY + WIREGUARD + DOCKER works.
Thanks
Hi Oronzo, the above is to create a WireGuard Docker container in Synology in client mode (so it will connect to a WireGuard VPN server somewhere else), but you can use that image as a WireGuard server container; all you need is to change the settings to use it in server mode. I have not tried that myself yet, sorry!
Hi mate. Thanks for your tutorial. Is there also a way to let containers have access to WireGuard's active peers in its container by connecting them through an external docker network? I am looking to get access from my WireGuard container, where I can ping my Nextcloud instance from the peer just fine, forwarded to an nginx docker container (both on the same machine, connected and pingable inside the external network) so that I can basically reach my home Nextcloud through my VPS with a domain from outside. Frankly, I'm not able to set up port forwarding, which is why I tried this setup. Even though I can ping between containers, I cannot seem to reach Nextcloud from within nginx. Curling from WireGuard gives the correct output. Do you have any experience regarding this?
Thanks in advance.