Login

Routing

Maintaining local access to attached services

** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.

When routing via Wireguard from another container using the service option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your wg0.conf like so (modifying the subnets as you require):

[Interface]
PrivateKey = <private key>
Address = 9.8.7.6/32
DNS = 8.8.8.8
PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

Site-to-site VPN

** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.

Site-to-site VPN in server mode requires customizing the AllowedIPs statement for a specific peer in wg0.conf. Since wg0.conf is autogenerated when server vars are changed, it is not recommended to edit it manually.

In order to customize the AllowedIPs statement for a specific peer in wg0.conf, you can set an env var SERVER_ALLOWEDIPS_PEER_ to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. "192.168.1.0/24,192.168.2.0/24"). Replace with either the name or number of a peer (whichever is used in the PEERS var).

PEERS можно указать количество клиентов числом или список клиентов через запятую, например PEERS=server,alpha,anotherpeername

For instance SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24" will result in the wg0.conf entry AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24 for the peer named laptop.

Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary.

Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access.

Usage

docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -e SERVERURL=wireguard.domain.com `#optional` \
  -e SERVERPORT=51820 `#optional` \
  -e PEERS=1 `#optional` \
  -e PEERDNS=auto `#optional` \
  -e INTERNAL_SUBNET=10.13.13.0 `#optional` \
  -e ALLOWEDIPS=0.0.0.0/0 `#optional` \
  -e PERSISTENTKEEPALIVE_PEERS= `#optional` \
  -e LOG_CONFS=true `#optional` \
  -p 51820:51820/udp \
  -v /path/to/appdata/config:/config \
  -v /lib/modules:/lib/modules `#optional` \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard
Last updated on 4th Feb 2023