Hi there,

I came across this while troubleshooting some Wireguard issues, and wanted to run it on my raspberry pi.

However there's no linux/arm/v7 image available.

Hello, this docker container seems to be working well for me, thank for taking the time to create (and continually maintain) the repo!

I had a little trouble getting it to work because in Mullvad I needed to make sure that I only used IPv4 for the tunnel traffic option. Perhaps this was an issue with my environment, or obvious to most people, but the container would not start and had cryptic Permission Denied errors so it may be worth noting in the README.

Thanks again!

I am encountering the issue that ip6tables is legacy. It is the same issue as here: qdm12/gluetun#430

Hello, I have strange ipv6 error in podman and container fails to start properly.

[#] ip link add wg-luxembourg type wireguard
[#] wg setconf wg-luxembourg /dev/fd/63
[#] ip -4 address add 172.16.0.2/32 dev wg-luxembourg
[#] ip -6 address add fdf5:6028:947d:29a4::2/128 dev wg-luxembourg
[#] ip link set mtu 1420 up dev wg-luxembourg
[#] resolvconf -a wg-luxembourg -m 0 -x
[#] wg set wg-luxembourg fwmark 51820
[#] ip -6 route add ::/0 dev wg-luxembourg table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg-luxembourg table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] echo Skipping setting net.ipv4.conf.all.src_valid_mark
Skipping setting net.ipv4.conf.all.src_valid_mark
[#] iptables-restore -n
Bad argument `fe80::68ec:a8ff:fe2a:cb22/64'
Try `ip6tables -h' or 'ip6tables --help' for more information.

Hi, when adding the local_subnet environment, the container can't be created because:

Skipping IPv6 kill switch setup since IPv6 interface was not found
Allowing traffic to local subnet 192.168.X.0/8
**RTNETLINK answers: Invalid argument**

I understand that more information is needed, but i am not sure what i could do to debug.

im using:

version: "3"
services:
  wireguard:
    container_name: wireguard
    image: jordanpotter/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      net.ipv4.conf.all.src_valid_mark: 1
    volumes:
      - /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf
    restart: unless-stopped
    environment:
      - LOCAL_SUBNET=192.168.X.0/8
  curl:
    image: appropriate/curl
    command: http://httpbin.org/ip
    network_mode: service:wireguard
    depends_on:
      - wireguard

i am trying to setup wireguard client in docker and trying your image, no mater what version i select i end up in following error
docker run --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl "net.ipv4.conf.all.src_valid_mark=1" -v /usr/src/wg/config/wg0.conf:/etc/wireguard/wg0.conf jordanpotter/wireguard:2.1.1
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.252.1.17/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.252.1.0/24 dev wg0
iptables v1.8.4 (legacy): mark: bad integer value for option "--mark", or out of range.

Try `iptables -h' or 'iptables --help' for more information

can you guide what is wrong, mm purpose is to access spilit tunnels accessable from docker container to host machine.i can run linuxserver docker instructions and wireguard runs perfectly just cannot access the tunnel networks from host.

Please take a look. I just use it as a client,
Armbian 23.05.0-trunk Bullseye with Linux 6.1.21-flippy-82+
The error log is as follows:

wireguard | [#] ip -6 rule add table main suppress_prefixlength 0
wireguard | [#] ip6tables-restore -n
wireguard | modprobe: can't change directory to '/lib/modules': No such file or directory
wireguard | ip6tables-restore v1.8.7 (legacy): ip6tables-restore: unable to initialize table 'raw'
wireguard |
wireguard | Error occurred at line: 1
wireguard | Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
wireguard | [#] resolvconf -d mullvad -f
wireguard | [#] ip -6 rule delete table 51820
wireguard | [#] ip -6 rule delete table main suppress_prefixlength 0
wireguard | [#] ip link delete dev mullvad
wireguard exited with code 2

Is there a way to use this as a local network gateway for all my devices on the network?

I'd like to use this as a bas image for a socks proxy.
However the entrypoint does:

sleep infinity &
wait $!

which makes it difficult to start the proxy after wg is enabled.

Would you consider something like:

if [ -n "${EXEC_COMMAND}" ]; then
  ${EXEC_COMMAND} &
else
  sleep infinity &
fi

or alternatively allowing the call of the setup as a function?

For now, I've added a 2nd entrypoint script that uses sed to replace the 'sleep infinity', and that works fine, but it is kinda cludgey.

This is a great image. Thanks for setting it up, and solving the 'read only filesystem' that all other images seem to face.

I would want to configure the wireguard container to be able to communicate to lan, to dns and a few local services.

Can I exempt certain ips or local subnet to be blocked somehow?

When i run it i have this error in the log file:

iptables v1.6.1: mark: bad mark value for option "--mark", or out of range.

Try `iptables -h' or 'iptables --help' for more information.

Thanks to @bobbypage's help, we were able to remove the need to run the container in privileged mode! The README and jordanpotter/wireguard Docker Hub description have been updated with the new instructions.

Removing the requirement to run in privileged mode is a huge improvement for security (privileged mode is dangerous), however getting this to work introduced a backwards incompatible change. So...

From now on, the jordanpotter/wireguard Docker image is versioned. It is highly recommended to specify a version when using this image. The available image versions can be found here.

(Note: if for some reason you want to use the previous image that required --privileged to run, you can use jordanpotter/wireguard:0.1.0).

Now for an apology:

I originally built this Docker image for my own personal needs. I shared it with the community because I felt others could benefit from it, but was honestly surprised this image grew in popularity on Docker Hub so quickly! It's been exciting to see!

However in hindsight, this image should have had versioning from the very beginning. Only having latest means consumers will be surprised by backwards incompatible changes, even when they're made for the better.

I apologize to anyone that has been negatively impacted by the lack of versioning on this Docker image. Versioning has now been added so you'll have a stable image that you can rely on.

When I route a container via --net=container: through docker-wireguard and open according ports on docker-wireguard I still cannot access them. I'm guessing this is due to the kill-switch. Is there a way to open the ports to LAN, or am I doing something wrong?

On my RPI4 docker build . ran without any issues, but it would be cool, if we could pull ARM64 images from the Docker Hub.

Hi there! Thanks for creating docker-wireguard, it looks great!

I have a question about exposing ports.

Additionally, you can expose ports to allow your local network to access services linked to the Wireguard container:

docker run --name wireguard                                          \
    --cap-add NET_ADMIN                                              \
    --cap-add SYS_MODULE                                             \
    --sysctl net.ipv4.conf.all.src_valid_mark=1                      \
    -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf        \
    -p 8080:80                                                       \
    jordanpotter/wireguard

docker run -it --rm                                                  \
    --net=container:wireguard                                        \
    nginx

The documentation is very clear, and it works locally, so after running this example, I can do

# curl http://localhost:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

So this works great! However, I'm wondering about exposing this port to the outside world. If I run this on a remote server, even though I can see that the server is listening on 0.0.0.0, I cannot remotely connect ...

On the server where I run docker-wireguard and nginx:

# netstat -tulpn |grep 8080
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      19255/docker-proxy
tcp6       0      0 :::8080                 :::*                    LISTEN      19260/docker-proxy

On a remote client:

curl http://{remote-host}:8080
curl: (7) Failed to connect to {remote-host} port 8080: Operation timed out

Any tips on how to expose ports of services to the outside, and yet let these services communicate to the outside world via the wireguard link?

OS & Kernel:
Linux hostname 5.3.0-51-generic #44-Ubuntu SMP Wed Apr 22 21:09:44 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Behavior:
Newly built docker image yields the following error unless it is run in privileged mode:
sysctl: setting key "net.ipv4.conf.all.src_valid_mark": Read-only file system

This behavior persists even after changing the relevant values in /etc/sysctl.conf as described in the README and rebooting. This behavior only occurs for newly generated images; running the jordanpotter/wireguard docker image obtained from the docker registry works fine with no errors under the same system.

Command used to build image:
docker build -t jordanpotter/wireguard .

Run in the docker-wireguard directory.

Relevant wireguard conf:
I tested this using a simple wireguard config from mullvad:

[Interface]
PrivateKey = xxxxxxxx
Address = xxxxxx
DNS = xxxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = xxxxxx
Endpoint = xxxxxx

After upgrading Docker to 26.0.0 I get the following log:

[#] ip link add vpn1 type wireguard                                                
[#] wg setconf vpn1 /dev/fd/63                                                     
[#] ip -4 address add redacted_ip/32 dev vpn1                                      
[#] ip link set mtu 1420 up dev vpn1                                               
[#] resolvconf -a vpn1 -m 0 -x                                                     
[#] wg set vpn1 fwmark 43333                                                       
[#] ip -4 route add 0.0.0.0/0 dev vpn1 table 43333                                 
[#] ip -4 rule add not fwmark 43333 table 43333                                    
[#] ip -4 rule add table main suppress_prefixlength 0                              
[#] echo Skipping setting net.ipv4.conf.all.src_valid_mark                         
Skipping setting net.ipv4.conf.all.src_valid_mark                                  
[#] iptables-restore -n                                                            
modprobe: can't change directory to '/lib/modules': No such file or directory      
modprobe: can't change directory to '/lib/modules': No such file or directory      
modprobe: can't change directory to '/lib/modules': No such file or directory      
ip6tables v1.8.7 (legacy): Couldn't load match `addrtype':No such file or directory
                                                                                   
Try `ip6tables -h' or 'ip6tables --help' for more information.                     

And the container exits.

Host system: Ubuntu 22.04.4 LTS

I am thinking somewhere in the direction if iptables being deprecated in favor of iptables-nft.

Hi there

Thanks for sharing your container, I have a vpn connection working fine but I cannot get the sharing the docker with other dockers working.

I wondered if anyone had tried and succeeded in sharing with a docker on the same vlan?

Eg you docker at 192.168.70.10 and the docker needing vpn access at 192.168.70.11.... I cannot get access to the http port of the client service when I add the relevant port to your container?

Searches say it should work but seem to be for earlier versions off docker.

I also wondered if the routes in the docker could stop the access too?

Thanks.

jordan,

I had a working copy of your container I had created last week (I guess with the priveleged mode). I had to re-configure some of my other containers, so I re-pulled with the changes you recently made, and the container no longer stays open, exiting with a 255 code. I'm not sure what you need to troubleshoot ...

I am creating the container with the following command:

sudo docker create --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v /home/me/.config/mullvad_config/wireguard/mullvad.conf:/etc/wireguard/mullvad.conf -p 1234:1234 jordanpotter/wireguard

Hello, the image seems to be missing something or have I missed something that needs to be added on the host?

I have the following error on startup:
/usr/bin/wg-quick: line 32: ip6tables-restore: command not found

Hi,
Is it possible to add several "LOCAL_SUBNET" ?
If not, it would be interesting to have this feature.