h44z / wg-portal

WireGuard Configuration Portal with LDAP connection
https://wgportal.org/
MIT License
875 stars 121 forks

Running without network mode host #156

Open lorenzopicoli opened 1 year ago

lorenzopicoli commented 1 year ago

First of all, thank you for the awesome project. I wanted to share my setup running wg-portal without network_mode: host. As answered here and here, this project needs to have access to the wg0 interface to run properly.

I run WireGuard with the linuxserver/wireguard container and I'm installing wg-portal in the same container using their custom scripts. Here's what it looks like:

 - docker-compose.yml (with linuxserver/wireguard)
 - custom-cont-init.d
   - wireguard-portal-install.sh
 - custom-services.d
   - wireguard-portal.sh

Then in docker-compose.yml

- ./custom-cont-init.d/:/custom-cont-init.d/
- ./custom-services.d/:/custom-services.d/

To install wg-portal, in wireguard-portal-install.sh:

#!/usr/bin/with-contenv bash
# Abort on the first failed step so a broken build does not leave a stale binary in place
set -e

echo "****** Installing wg-portal ******"
# Build dependencies: Go, plus git and make for the clone and `make build` below
apt update
apt install -y golang-go git make
export PATH=$PATH:/usr/local/go/bin

# Build wg-portal from source and keep only the resulting binary in /app
# (remove any clone left over from a previous container start first)
rm -rf /app/wg-portal-project
git clone https://github.com/h44z/wg-portal.git /app/wg-portal-project
cd /app/wg-portal-project
# CGO_ENABLED=0 GOOS=linux /usr/lib/go-1.18/bin/go build -o wg-portal main.go
make build
cp ./dist/wg-portal /app/
rm -rf /app/wg-portal-project

And then in wireguard-portal.sh, to run it:

#!/usr/bin/with-contenv bash
echo "SYSTEM SERVICE"
exec \
    /app/wg-portal

In the container logs there will be some errors, which are wg-portal trying to initialize before wg0 is created, but right after that the server should be up and running.

As far as I'm aware the only drawback is that not running wg-portal in a container makes it harder to keep it updated with something like Watchtower, but it was a requirement for me to run wg-portal behind traefik, which is not in network_mode: host.

Created an issue since I'm not sure this is README-worthy, but let me know if there's any other way to do this or any other cons I'm missing.

Thanks!
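
As an added example (not from the original post or from the wg-portal project), here is a variant of the custom-services.d script that waits for the WireGuard interface to exist before starting wg-portal, which avoids the startup errors described above instead of relying on the service being restarted. The interface name wg0, the binary path /app/wg-portal and the 60-second timeout are assumptions. The shebang is the generic bash one so the script also runs outside an s6 image; inside a linuxserver container keep #!/usr/bin/with-contenv bash as in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from wg-portal itself.
# Inside a linuxserver.io image use "#!/usr/bin/with-contenv bash" instead.
# Assumptions: interface wg0, binary /app/wg-portal, 60 s timeout.
set -u

WG_IFACE="${WG_IFACE:-wg0}"
PORTAL_BIN="${PORTAL_BIN:-/app/wg-portal}"
WAIT_TIMEOUT="${WAIT_TIMEOUT:-60}"

# wait_for_iface NAME TIMEOUT [SYSFS_ROOT]
# Polls SYSFS_ROOT/class/net/NAME (default /sys) once per second.
# Returns 0 once the interface exists, 1 if it has not appeared after
# TIMEOUT seconds. SYSFS_ROOT is a parameter only so the function can be
# exercised against a temporary directory instead of the real /sys.
wait_for_iface() {
  local name="$1" timeout="$2" sysfs="${3:-/sys}" waited=0
  while [ ! -e "$sysfs/class/net/$name" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "wait_for_iface: $name did not appear within ${timeout}s" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  echo "wait_for_iface: $name is up after ${waited}s"
  return 0
}

# Service entry point. Guarded on the binary being present so that sourcing
# this file (for example from a test) never starts anything. A missing
# interface is reported as exit 1, which s6 logs and retries, instead of
# being left for wg-portal to stumble over; exec replaces the shell so s6
# supervises the real process.
if [ -x "$PORTAL_BIN" ]; then
  wait_for_iface "$WG_IFACE" "$WAIT_TIMEOUT" || exit 1
  exec "$PORTAL_BIN"
else
  echo "wireguard-portal.sh: $PORTAL_BIN not found, did the install script run?" >&2
fi
```

The sysfs check is the same one the kernel exposes for `ip link show`, but needs no extra tooling in the image; the timeout keeps a misconfigured interface name from blocking the service forever.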

guillaume-cerf commented 1 year ago

Hi there, I'm a newbie and I would like to reproduce your method: being able to run both WireGuard and wg-portal in the same container.

I tried to run them in their respective containers, both linked by network_mode="host", but it does not seem to work entirely since I can't add new peers: error 500 "failed to prepare new peer: failed to get available IP addresses: no more available address from cidr".

So I'd like to give your method a try.

I'm using Portainer to "manage" my containers, and more precisely the "stacks" option to copy-paste docker compose files. I can't quite get around the procedure you posted to do so, and would like to do it from the Portainer interface if possible, to be easier for future maintenance ;)

Thanks for the hard work everyone has put into making this app and thanks for your future help :)

guillaume-cerf commented 1 year ago

Actually, after correctly reading the custom scripts from linuxserver, your procedure was straightforward. But I still have the same error 500 when I want to add a peer [image]

I can't find anything about it :(

Any idea?

Edit: Solved it by changing the CIDR range of the server IP address from x.x.x.1/32 to x.x.x.1/24

karstennilsen commented 1 year ago

I just linked the networks of both containers:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  wg-portal:
    image: h44z/wg-portal:latest
    container_name: wg-portal
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "service:wireguard"

joestump commented 2 months ago

@karstennilsen are you exposing a shared volume for /etc/wireguard or something? Wondering how wg-portal is writing files to the wireguard container in your example.

Friday13th87 commented 2 weeks ago

@joestump did you find an answer to that? The network mode from @karstennilsen is not connecting the storage of both containers and it shouldn't work like that. I mean, how should wg-portal install any new peers to the linuxserver container if it's only sharing the same network...
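
The last two comments ask what network_mode: "service:wireguard" actually shares. The following check is added here and is not part of the thread or of wg-portal. It asks the Docker daemon two questions: whether wg-portal's HostConfig.NetworkMode resolves to container:<id> of the wireguard container (what Compose produces for a service: network mode, so the two share one network namespace and therefore one set of WireGuard interfaces), and whether both containers mount the same host source at /etc/wireguard (otherwise files wg-portal writes there never reach the wireguard container's filesystem). The container names wireguard and wg-portal, and /etc/wireguard as wg-portal's config directory, are assumptions; the helpers take the inspect output as plain strings so they can be exercised without a daemon. The check only reports what is shared; it does not settle which mechanism wg-portal uses to apply peers.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of the thread or of wg-portal.
# Assumptions: containers named "wireguard" and "wg-portal"; wg-portal
# keeps its interface configs under /etc/wireguard.
set -u

# shares_netns MODE PEER_ID
# Compose turns network_mode "service:wireguard" into the daemon-level
# HostConfig.NetworkMode "container:<full id of the wireguard container>".
shares_netns() {
  [ "$1" = "container:$2" ]
}

# shared_source_for DEST MOUNTS_A MOUNTS_B
# MOUNTS_* are newline-separated "source<TAB>destination" pairs as produced
# by the inspect template in main. Prints the host source that both
# containers mount at DEST and returns 0; returns 1 (prints nothing) when
# DEST is unmounted in either container or backed by different sources.
shared_source_for() {
  local dest="$1" src_a src_b
  src_a=$(printf '%s\n' "$2" | awk -F'\t' -v d="$dest" '$2 == d { print $1; exit }')
  src_b=$(printf '%s\n' "$3" | awk -F'\t' -v d="$dest" '$2 == d { print $1; exit }')
  if [ -n "$src_a" ] && [ "$src_a" = "$src_b" ]; then
    printf '%s\n' "$src_a"
    return 0
  fi
  return 1
}

main() {
  local wg="${1:-wireguard}" portal="${2:-wg-portal}"
  local wg_id mode fmt m_wg m_portal src
  wg_id=$(docker inspect -f '{{.Id}}' "$wg")
  mode=$(docker inspect -f '{{.HostConfig.NetworkMode}}' "$portal")
  if shares_netns "$mode" "$wg_id"; then
    echo "OK: $portal shares the network namespace of $wg"
  else
    echo "WARN: $portal NetworkMode is '$mode', expected container:$wg_id" >&2
  fi

  # One "source<TAB>destination" line per mount of each container
  fmt='{{range .Mounts}}{{.Source}}{{"\t"}}{{.Destination}}{{"\n"}}{{end}}'
  m_wg=$(docker inspect -f "$fmt" "$wg")
  m_portal=$(docker inspect -f "$fmt" "$portal")
  if src=$(shared_source_for /etc/wireguard "$m_wg" "$m_portal"); then
    echo "OK: both containers mount $src at /etc/wireguard"
  else
    echo "WARN: /etc/wireguard is not a shared mount; files wg-portal writes there stay in its own container" >&2
  fi
}

# Only talk to the daemon when asked explicitly, so the helpers can be
# sourced and checked without Docker:  ./check-shared.sh --run wireguard wg-portal
if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Run it on the Docker host with `--run` and the two container names; a WARN on the second check is the situation the last two comments describe, and a named volume (or bind mount) mounted at /etc/wireguard in both services in the compose file is what would turn it into an OK.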