This container makes it easy to deploy a WireGuard interface using Docker.
- configuration through environment variables
- persistent WireGuard interface across container restarts
- minimal connection loss
- loading of secret keys from local storage
```sh
git clone https://github.com/thosebeans/wireguard-docker.git
wireguard-docker/build.sh
```
wireguard-docker is configured entirely through environment variables.
ENV-Variable | Example | Default value | Description |
---|---|---|---|
I_NAME | wg0 | | I_NAME is the name of the WireGuard interface. It has to match the pattern `^[0-9a-zA-Z_-]+$`. I_NAME has to be set. |
I_PRIVATEKEY | `8NkTeTAM5KUwa4vJ4qOQrhJjBBf4bQX3Yl+srl3O0Ek=` or `/run/secrets/wg0_priv` | | I_PRIVATEKEY is the private key of the interface. It has to be a base64-encoded private key, like one generated by `wg genkey`, or the path to a file storing such a key. |
I_LISTENPORT | 51820 | | I_LISTENPORT is the port on which the interface listens for its peers. It is an integer between 0 and 65535. |
I_FWMARK | 644 | | I_FWMARK is a firewall mark for outgoing packets. It is an integer between 0 and 4294967295, or off (same as 0). |
I_ADDRESS | 10.44.0.1/24,55::66/64 | | I_ADDRESS holds the IP addresses of the interface. It has to be a comma-separated list of IPv4/IPv6 addresses. |
I_MTU | 1420 | | I_MTU is the MTU of the interface. It has to be an unsigned integer. If not set, the MTU is calculated automatically. |
I_CREATE | 1 | 1 | If set and not 0, I_CREATE gives the container permission to create a new WireGuard interface with the name I_NAME. |
I_REUSE | 1 | 0 | If set and not 0, I_REUSE gives the container permission to reuse an already existing WireGuard interface called I_NAME. |
I_NODESTROY | 1 | 0 | If set and not 0, I_NODESTROY skips the destruction of the WireGuard interface after the container is shut down. |
ZZZ is a placeholder for the peer-id. The peer-id is an alphanumeric identifier matching `^[0-9a-zA-Z-]+$`; it groups the environment variables that belong to one peer.
Example: `P_chris_PUB=pea3swDlkV7Db1OIF9LK2bDSR0HhR+g7TS3Es4c1pWE=`
ENV-Variable | Example | Description |
---|---|---|
P_ZZZ_PUB | `pea3swDlkV7Db1OIF9LK2bDSR0HhR+g7TS3Es4c1pWE=` | P_ZZZ_PUB is the public key of the peer. It has to be a base64-encoded public key, like the ones created by `wg pubkey`. P_ZZZ_PUB has to be present for a peer to be recognized by the container. |
P_ZZZ_PSK | `t8QXS7CsF4YPq27GmfEHTURyY6IgCaYzdziRN+WF32g=` or `/run/secrets/wg0_psk` | P_ZZZ_PSK is the preshared key of the peer. It has to be a base64-encoded preshared key, like one generated by `wg genpsk`, or the path to a file storing such a key. |
P_ZZZ_IPS | 10.0.0.1/8,fd9e:21a7:a92c:2323::1/64 | P_ZZZ_IPS holds the allowed IPs of the peer (the routes to the peer). It has to be a comma-separated list of IPv4 or IPv6 addresses. |
P_ZZZ_END | 192.168.178.22:51820 | P_ZZZ_END is the endpoint of the peer. |
P_ZZZ_PKA | 5 | P_ZZZ_PKA is the persistent keep-alive of the peer. It has to be an integer between 0 and 65535. |
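The two tables above define a small validation language (name pattern, key format, integer ranges, address lists). The following script, an added example that is not part of wireguard-docker, checks exported I_* and P_* variables against those rules before the container is started, so a malformed value is caught on the host rather than inside the container. The sample configuration at the bottom is constructed from the example values in the tables; the host:port check for P_ZZZ_END is an assumption, since the page does not specify the endpoint format.

```shell
#!/bin/sh
# Added example, not part of wireguard-docker: validate I_* and P_* values
# against the rules in the interface and peer tables. Sample values at the
# bottom are constructed from the table examples.

# A WireGuard key is 32 bytes; its base64 form is 43 characters plus one '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Key variables accept either a base64 key or the path to a readable file.
check_key_or_path() {  # $1=variable name $2=value
    if [ -f "$2" ]; then
        [ -r "$2" ] || { echo "$1: key file $2 is not readable" >&2; return 1; }
        return 0
    fi
    is_wg_key "$2" || { echo "$1: neither a base64 key nor a key file" >&2; return 1; }
}

check_uint() {  # $1=variable name $2=value
    printf '%s' "$2" | grep -Eq '^[0-9]+$' || { echo "$1: not an unsigned integer" >&2; return 1; }
}

check_int_range() {  # $1=variable name $2=value $3=min $4=max
    check_uint "$1" "$2" || return 1
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] || { echo "$1: outside $3..$4" >&2; return 1; }
}

# Comma-separated IPv4/IPv6 addresses, each with an optional prefix length.
check_ip_list() {  # $1=variable name $2=value
    lrc=0; old_ifs=$IFS; IFS=','
    for ip in $2; do
        printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?|[0-9a-fA-F:]*:[0-9a-fA-F:]*(/[0-9]{1,3})?)$' \
            || { echo "$1: bad address '$ip'" >&2; lrc=1; }
    done
    IFS=$old_ifs
    return $lrc
}

validate_interface() {
    rc=0
    printf '%s' "${I_NAME:-}" | grep -Eq '^[0-9a-zA-Z_-]+$' \
        || { echo 'I_NAME: must be set and match ^[0-9a-zA-Z_-]+$' >&2; rc=1; }
    check_key_or_path I_PRIVATEKEY "${I_PRIVATEKEY:-}" || rc=1
    [ -z "${I_LISTENPORT:-}" ] || check_int_range I_LISTENPORT "$I_LISTENPORT" 0 65535 || rc=1
    if [ -n "${I_FWMARK:-}" ] && [ "$I_FWMARK" != off ]; then
        check_int_range I_FWMARK "$I_FWMARK" 0 4294967295 || rc=1
    fi
    [ -z "${I_ADDRESS:-}" ] || check_ip_list I_ADDRESS "$I_ADDRESS" || rc=1
    [ -z "${I_MTU:-}" ] || check_uint I_MTU "$I_MTU" || rc=1
    for flag in I_CREATE I_REUSE I_NODESTROY; do
        val=$(printenv "$flag" || true)
        [ -z "$val" ] || check_uint "$flag" "$val" || rc=1
    done
    return $rc
}

# Peers are discovered from every exported P_<id>_PUB, mirroring the rule that
# a peer without a public key is not recognized by the container.
validate_peers() {
    rc=0; count=0
    for var in $(env | grep -Eo '^P_[0-9a-zA-Z-]+_PUB=' | sed 's/=$//' | sort); do
        id=${var#P_}; id=${id%_PUB}; count=$((count + 1))
        is_wg_key "$(printenv "$var")" || { echo "$var: invalid public key" >&2; rc=1; }
        psk=$(printenv "P_${id}_PSK" || true)
        [ -z "$psk" ] || check_key_or_path "P_${id}_PSK" "$psk" || rc=1
        ips=$(printenv "P_${id}_IPS" || true)
        [ -z "$ips" ] || check_ip_list "P_${id}_IPS" "$ips" || rc=1
        end=$(printenv "P_${id}_END" || true)
        # Endpoint format is not specified on the page; host:port is assumed.
        [ -z "$end" ] || printf '%s' "$end" | grep -Eq ':[0-9]{1,5}$' \
            || { echo "P_${id}_END: expected host:port" >&2; rc=1; }
        pka=$(printenv "P_${id}_PKA" || true)
        [ -z "$pka" ] || check_int_range "P_${id}_PKA" "$pka" 0 65535 || rc=1
    done
    echo "peers found: $count" >&2
    return $rc
}

# Constructed sample configuration, using the example values from the tables.
export I_NAME=wg0 I_PRIVATEKEY='8NkTeTAM5KUwa4vJ4qOQrhJjBBf4bQX3Yl+srl3O0Ek='
export I_LISTENPORT=51820 I_ADDRESS='10.44.0.1/24,55::66/64' I_FWMARK=off
export P_chris_PUB='pea3swDlkV7Db1OIF9LK2bDSR0HhR+g7TS3Es4c1pWE='
export P_chris_IPS='10.0.0.1/8,fd9e:21a7:a92c:2323::1/64' P_chris_END=192.168.178.22:51820 P_chris_PKA=5

if validate_interface && validate_peers; then
    echo "configuration looks valid"
else
    echo "configuration has errors, not starting the container" >&2
fi
```

Run it with the same environment you intend to hand to `docker run`; only exported variables are visible to `env` and `printenv`, which is also what the container will see. Peer ids containing `-` cannot be assigned in shell syntax, so pass those through `env P_my-peer_PUB=...` instead.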
Problem | Solution |
---|---|
The container doesn't have the capabilities to do any network manipulation. | Add the capability CAP_NET_ADMIN to the container. |
The WireGuard kernel module isn't loaded. | Load the wireguard module on the host before starting the container. Alternatively, bind-mount /lib/modules to /lib/modules inside the container and run the container in privileged mode; the container will then try to load the module on startup. |
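The problems above are cheap to detect before the container starts, and the preferred fix (load the module on the host, grant only CAP_NET_ADMIN) avoids running the container privileged. The script below is an added example, not part of wireguard-docker: it checks that the module is present in sysfs, that the private key file is not readable by other local users, and then prints the `docker run` line that mounts the key read-only and forwards every exported I_*/P_* variable. The image tag `wireguard-docker:local` is a placeholder, since the page does not name the image that build.sh produces; the sysfs root is assumed to be `/sys`. Both can be overridden through `WG_IMAGE` and `SYSFS`.

```shell
#!/bin/sh
# Added example, not part of wireguard-docker: pre-flight checks for the
# failure modes in the troubleshooting table, then the docker run line.
# Assumptions: "wireguard-docker:local" is a placeholder image tag and sysfs
# is mounted at /sys. The key file created below is constructed for the demo.

IMAGE=${WG_IMAGE:-wireguard-docker:local}
SYSFS=${SYSFS:-/sys}

# The wireguard module is loaded (or built into the kernel) when sysfs lists it.
wg_module_loaded() {
    [ -d "$SYSFS/module/wireguard" ]
}

# A private key file must be a non-empty regular file that only its owner can
# read; a world-readable key is exposed to every local user. Uses GNU/busybox stat.
key_file_ok() {  # $1=path on the host
    [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode is too permissive, want 600" >&2; return 1 ;;
    esac
}

# Build the docker run line: NET_ADMIN only (no --privileged, because the
# module is loaded on the host), the key mounted read-only under /run/secrets,
# and every exported I_*/P_* variable forwarded with "-e NAME" (docker copies
# the value from this shell's environment).
docker_run_cmd() {  # $1=absolute host path of the private key file
    names=$(env | grep -Eo '^(I|P)_[0-9a-zA-Z_-]+=' | sed 's/=$//' | sort)
    out="docker run -d --name ${I_NAME:-wg} --cap-add=NET_ADMIN"
    out="$out -v $1:/run/secrets/wg_priv:ro -e I_PRIVATEKEY=/run/secrets/wg_priv"
    for v in $names; do
        # A raw key exported as I_PRIVATEKEY is deliberately not forwarded;
        # the mounted file is used instead.
        [ "$v" = I_PRIVATEKEY ] || out="$out -e $v"
    done
    printf '%s %s\n' "$out" "$IMAGE"
}

preflight() {  # $1=host path of the private key file
    status=0
    wg_module_loaded || { echo "wireguard module not loaded: run 'modprobe wireguard' on the host first" >&2; status=1; }
    key_file_ok "$1" || status=1
    return $status
}

# Demo with a constructed key file holding the example key from the table above.
demo_dir=$(mktemp -d)
key_file="$demo_dir/wg0_priv"
printf '%s\n' '8NkTeTAM5KUwa4vJ4qOQrhJjBBf4bQX3Yl+srl3O0Ek=' > "$key_file"
chmod 600 "$key_file"
export I_NAME=wg0 I_ADDRESS=10.44.0.1/24 I_LISTENPORT=51820
export P_chris_PUB='pea3swDlkV7Db1OIF9LK2bDSR0HhR+g7TS3Es4c1pWE=' P_chris_IPS=10.0.0.1/8
if preflight "$key_file"; then
    docker_run_cmd "$key_file"    # prints the command; pipe it into sh to run it
else
    echo "pre-flight failed; fix the issues above before starting the container" >&2
fi
rm -rf "$demo_dir"
```

The `-v` mount must use an absolute host path, which is why the demo passes the full temporary path; on a real host point it at a key file you keep outside the repository with mode 600.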