A Docker image containing Wireguard that enables containerized VPNs. Containers that use this image can provide VPN services to other Docker containers by sharing the same Docker network.
Unfortunately, due to Wireguard's kernel module, this image only run on kernels where Ubuntu 16.04, the OS for the base image, can pull down kernel headers. This has been verified to work on kernels 4.13 and newer.
An up-to date Docker image can be found on Dockerhub at
activeeos/wireguard-docker. To pull:
$ docker pull activeeos/wireguard-dockerA volume has to be mounted at /etc/wireguard containing a single
configuration file with a .conf extension corresponding to the VPN
interface.
More information about the structure of this file can be found in the Wireguard man page and on its website.
Note: if Wireguard is running as a server, the UDP port that it listens on has to be exposed from the container.
A custom kernel module is installed when the container boots up. In
order for this process to work, the underlying system either already
needs to have Wireguard installed or the host modules directory needs
to be shared with the container. Specifically, the /lib/modules
directory needs to be mapped to /lib/modules in the container. This
can be done with the -v /lib/modules:/lib/modules flag in docker run.
When running a container based upon this image, the following system capabilities are necessary:
docker run commanddocker run -it --rm --cap-add net_admin --cap-add sys_module \
-v /etc/wireguard:/etc/wireguard -v /lib/modules:/lib/modules \
-p 5555:5555/udp activeeos/wireguard-dockerThanks to Nick Babcock for his blog post explaining the mechanics behind running Wireguard inside of a container.