ngoduykhanh / wireguard-ui

Wireguard web interface
MIT License
3.79k stars 465 forks

The docker-compose example for linuxserver/wireguard is not suitable for latest linuxserver/wireguard image #479

Open qianhd opened 8 months ago

qianhd commented 8 months ago

The confs folder has been changed from /config/ to /config/wg_confs/

Here is the latest linuxserver/wireguard image changelog.

03.10.23: - Potentially Breaking Change: Support for multiple interfaces added. Wireguard confs moved to /config/wg_confs/. Any file with a .conf extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to wg0.conf.

ChangeLog

I am wondering whether the wireguard container is necessary. What does the wireguard container do? If I change some configs via wireguard-ui, wireguard won't notice it until it restarts.

@ByteDream

qianhd commented 8 months ago

I found that just using wireguard-ui alone works pretty well if the wireguard kernel module is available on the system.

I am wondering whether the wireguard container is necessary. What does the wireguard container do?

Here is my dockerfile.

version: "3.8"
services:

  wireguard-ui:
    container_name: wireguard-ui
    image: ngoduykhanh/wireguard-ui:0.5.2
    restart: unless-stopped

    environment:
      WGUI_SERVER_LISTEN_PORT: 51820
      WGUI_FIREWALL_MARK: 0xca6c
      WGUI_SERVER_INTERFACE_ADDRESSES: 10.20.30.0/24
      WGUI_DEFAULT_CLIENT_ALLOWED_IPS: 10.20.30.0/24
      WGUI_MANAGE_START: true
      WGUI_MANAGE_RESTART: true

    ports:
      # Port for WireGuard-UI
      - 5000:5000
      # Port of the WireGuard VPN server
      - 51820:51820/udp

    cap_add:
      - NET_ADMIN

    volumes:
      - ./conf/server:/etc/wireguard                    # conf
      - ./conf/db:/app/db                               # ui db

killmasta93 commented 8 months ago

use this

image: linuxserver/wireguard:v1.0.20210914-ls6

denisjoshua commented 8 months ago

I used the image linuxserver/wireguard:v1.0.20210914-ls6 and recreated everything... Now the web UI works... but the clients do not work. I think it is not finding the wg0.conf, because in my web UI under Global Settings the Wireguard Config File Path field is "/etc/wireguard/wg0.conf"... but in my docker path that file is empty.

Can anyone please explain step by step how to make it work again? Thanks in advance, Denis

finalcreator commented 7 months ago

Do we have a template for the config?

No client conf found. Provide your own client conf as "/config/wg0.conf" and restart the container

MSL-DA commented 7 months ago

This works for me

version: '3'
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=(####)
      - SERVERURL=(####)
      - PEERDNS=(####)
      - INTERNAL_SUBNET=10.252.1.0/24
      - PERSISTENTKEEPALIVE_PEERS=25
      - PEERS=1
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
      - 5000:5000
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    restart: unless-stopped
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      - PUID=1000
      - PGID=1000
      - WGUI_USERNAME=(####)
      - WGUI_PASSWORD_HASH=(####)
      - TZ=(####)
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_LOG_LEVEL=INFO
      - WGUI_PERSISTENT_KEEPALIVE=25
      - WGUI_DNS=(####)
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config/wg_confs:/etc/wireguard

denisjoshua commented 7 months ago

Thanks a lot for posting... but I used your settings and the web server does not work :-(

MSL-DA commented 7 months ago

You need to restart wireguard-ui

MSL-DA commented 7 months ago

... and pay attention to (####) and correct these for your setup

Fordwrench commented 7 months ago

"MSL-DA" I have tried your docker-compose.yaml configuration and wireguard-ui is still broken.

CoreDNS-1.10.1
wireguard | linux/amd64, go1.20.11,
wireguard | Found WG conf /config/wg_confs/wg0.conf, adding to list
wireguard | Activating tunnel /config/wg_confs/wg0.conf
wireguard | Warning: `/config/wg_confs/wg0.conf' is world accessible
wireguard | wg-quick: `wg0' already exists
wireguard | Tunnel /config/wg_confs/wg0.conf failed, will stop all others!
wireguard | All tunnels are now down. Please fix the tunnel config /config/wg_confs/wg0.conf and restart the container
wireguard | [ls.io-init] done.

skuskuM commented 7 months ago

You can use this config. There is one more service that deletes this file, /config/wg_confs/wg0.conf, before wireguard starts. For some reason the file is generated empty, therefore wireguard sees it as a broken config.

version: "3"

services:
  remove-file:
    image: alpine:latest
    container_name: remove-config-BUG
    command: /bin/sh -c "rm -f config/wg0.conf"
    volumes:
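
An added example, not part of the thread or of either project's code: a pre-flight check for the failure reported in the comments above, where one empty or over-exposed .conf in the wg_confs folder stops every tunnel or triggers the "world accessible" warning. The function name, the finding labels and the policy of flagging any group/other permission bit are assumptions of this example; `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example: pre-flight check for a linuxserver/wireguard wg_confs folder.
# Prints one finding per line; returns 1 if any *.conf is broken or over-exposed.
wg_conf_preflight() {
    dir=$1
    bad=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue            # glob matched nothing
        if [ ! -s "$f" ]; then
            # Every *.conf is started as a tunnel; one failure stops them all.
            echo "EMPTY $f"; bad=1; continue
        fi
        if ! grep -q '^[[:space:]]*\[Interface\]' "$f"; then
            echo "NO_INTERFACE $f"; bad=1
        fi
        # The file holds the server PrivateKey, so flag any group/other bit.
        # Assumption: stricter than wg-quick, which warns on world access only.
        mode=$(stat -c '%a' "$f")          # GNU/BusyBox stat
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PERMS $f $mode"; bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use: pass the host path that is mounted as /config/wg_confs.
# With no argument, run against constructed sample files.
if [ "$#" -gt 0 ]; then
    wg_conf_preflight "$1"
else
    demo=$(mktemp -d)
    : > "$demo/wg0.conf"                                  # constructed: empty
    printf '[Interface]\nPrivateKey = PLACEHOLDER\n' > "$demo/wg1.conf"
    chmod 644 "$demo/wg1.conf"                            # constructed: world-readable
    wg_conf_preflight "$demo" || echo "fix the findings above before starting the container"
    rm -rf "$demo"
fi
```

Run it against the host directory before `docker compose up`; a `PERMS` finding is cleared with `chmod 600` on the file.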

jearton commented 3 months ago

The wireguard container is totally unnecessary!

kagstrom2100 commented 2 months ago

@skuskuM Thanks, this worked for me!

Here is the correctly yml-formatted version:

version: "3"

services:
  remove-file:
    image: alpine:latest
    container_name: remove-config-BUG
    command: /bin/sh -c "rm -f config/wg0.conf"
    volumes:
      - ${PWD}/wireguard:/config
    restart: always
    environment:
      - MAX_RETRY=1

  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    volumes:
      - ${PWD}/wireguard:/config
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERURL=http://10.1.1.1:5000
      - SERVERPORT=51820 #optional
      - PEERDNS=8.8.8.8,1.1.1.1
      - INTERNAL_SUBNET=10.8.8.0 #optional
      - ALLOWEDIPS=10.1.0.0/16 #optional
      - PERSISTENTKEEPALIVE_PEERS=30 #optional
      - LOG_CONFS=true #optional
      - PEERS=1 #NEED THIS TO ENABLE SERVER MODE
    ports:
      # port for wireguard-ui. this must be set here as the wireguard-ui container joins the network of this container and hasn't its own network over which it could publish the ports
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    depends_on:
      - remove-file
    restart: always

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - BIND_ADDRESS=0.0.0.0:5000
      - SESSION_SECRET=SESSION_SECRET_RANDOM
      - WGUI_DNS=10.1.5.1,1.1.1.1
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_PERSISTENT_KEEPALIVE=15
      - EMAIL_FROM_ADDRESS=xxx
      - EMAIL_FROM_NAME=WireGuard Password Reset
      - SMTP_HOSTNAME=xxx
      - SMTP_PORT=465
      - SMTP_AUTH_TYPE=PLAIN
      - SMTP_USERNAME=xxxx
      - SMTP_PASSWORD=xxx
      - SMTP_ENCRYPTION=STARTTLS
      - WGUI_DEFAULT_CLIENT_ALLOWED_IPS=10.1.0.0/16
      #NEED THIS TO ACCESS LOCAL IP
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
    command:
      - '/bin/sh'
      - '-c'
      - '/bin/sleep 5"'
    logging:
      driver: json-file
      options:
        max-size: 51m
    restart: always
    volumes:
      - ${PWD}/wireguard/ui/db:/app/db
      - ${PWD}/wireguard:/etc/wireguard