WireGuard client in the Docker container.
- Docker Registry @monstrenyatko/wireguard-client
- GitHub @monstrenyatko/docker-wireguard-client
The container configures the firewall to block all traffic while the VPN network is disconnected.
- Prepare Docker host kernel
  - The WireGuard kernel module must be available in the Docker host kernel
  - See the official installation instructions; usually it is as trivial as:
      sudo apt install wireguard
- Configure environment:
  - WIREGUARD_PORT: the WireGuard server port number used to configure firewall rules
      export WIREGUARD_PORT=51820
  - WIREGUARD_CLIENT_CONFIG: path to the config file:
      export WIREGUARD_CLIENT_CONFIG="<path-to-wireguard-config-file>"
  - NET_LOCAL: [OPTIONAL] local network for which to set up a back route rule; this is required to allow connections from your local network to the service working over the VPN client network:
      export NET_LOCAL="192.168.0.0/16"
  - DOCKER_REGISTRY: [OPTIONAL] registry prefix to pull the image from a custom Docker registry:
      export DOCKER_REGISTRY="my_registry_hostname:5000/"
- Pull prebuilt Docker image:
      docker-compose pull
- Start prebuilt image:
      docker-compose up -d
- Stop/Restart:
      docker-compose stop
      docker-compose start
- Configuration:
  - [OPTIONAL] Allow incoming connections to some port from local network:
    - Set NET_LOCAL environment variable, see Configure environment section
    - Add to docker-compose.yml the ports section:
        wireguard-client:
          ports:
            - 8080:8080
- Start service working over VPN. The simplest way to do this is to utilize the network stack of the VPN client container:
  - Add --network=container:wireguard-client option to docker run command
  - Start service container:
      docker run --rm -it --network=container:wireguard-client alpine:3 /bin/sh
  NOTE: The service container needs to be restarted/recreated when the VPN container is restarted/recreated, otherwise the network connection will not be recovered.
- ./build.sh <tag name>
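
To check the "block all traffic while VPN network is disconnected" behaviour after changing WIREGUARD_PORT or NET_LOCAL, the following added example (not part of the project's code) audits `iptables -S` output for rules that would let traffic leave outside the tunnel. It assumes the rules are iptables rules in the OUTPUT chain and that the tunnel interface is named wg0; the sample rule sets are constructed for illustration, not captured from the image.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output (stdin) for kill-switch properties.
# Assumptions (not from the project): tunnel interface wg0, rules in the
# OUTPUT chain. Real use, with the container name used on this page:
#   docker exec wireguard-client iptables -S | \
#       audit_killswitch "$WIREGUARD_PORT" wg0 "$NET_LOCAL"
audit_killswitch() {
    awk -v port="$1" -v wgif="${2:-wg0}" -v lnet="${3:-}" '
    $1 == "-P" && $2 == "OUTPUT" { policy = $3 }
    $1 == "-A" && $2 == "OUTPUT" {
        out = ""; proto = ""; dport = ""; dst = ""; target = ""; neg = 0
        for (i = 3; i < NF; i++) {
            if ($i == "!") neg = 1
            if ($i == "-o") out = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT") next                 # DROP/REJECT cannot leak
        if (neg) { out = ""; dst = ""; dport = "" }  # negated match: unrestricted
        if (out == "lo" || out == wgif) next         # loopback or the tunnel
        if (proto == "udp" && dport == port) next    # handshake to the server
        if (lnet != "" && dst == lnet) next          # NET_LOCAL back route
        print "LEAK: " $0; bad = 1
    }
    END {
        if (policy != "DROP") { print "LEAK: OUTPUT policy is not DROP"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample rule sets (not captured from the image).
sample_strict() {
    cat <<'EOF'
-P INPUT DROP
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
EOF
}
sample_leaky() {
    sample_strict
    echo "-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT"
}

sample_strict | audit_killswitch 51820 wg0 192.168.0.0/16 && echo "strict: OK"
sample_leaky | audit_killswitch 51820 wg0 192.168.0.0/16 || echo "leaky: FAIL"
```

The function exits non-zero and prints one LEAK line per offending rule, so it can gate a deployment script or a container health check.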