Using a Docker container for a Wireguard VPN server

I've been using Wireguard for a while when away from my house for a couple of reasons:

  1. Access to my home network's servers, services, and resources.

  2. Security, when accessing the internet via insecure wifi.

  3. Ability to use my PiHole (DNS sinkhole).

It's been working great, but as with everything else, I wanted to put it in a Docker container.

The wireguard.yaml file:

version: "2.1"
    container_name: wireguard
      - NET_ADMIN
      - SYS_MODULE
      - PUID=1000
      - PGID=1000
      - TZ=America/Denver
      - /home/tom/.configs/wireguard/:/config
      - /lib/modules:/lib/modules
      - 51820:51820/udp
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    external: true

The macvlan_net is, as the name would suggest, a Docker MACVLAN network, so the Docker container will be able to get an IP on my local network (192.168.1.x).

docker-compose -f wireguard.yaml up -d

This Docker container is configured to use /config/ as the directory to store configuration information in, and not the default /etc/wireguard/.

From within the Docker container, generate the private and public keys:

wg genkey | tee /config/privatekey | wg pubkey | tee /config/publickey

The /config/wg0.conf file is similar to our previous Wireguard config file, with a few exceptions:

  1. There are no ufw commands, as ufw isn't installed in the container.
  2. This container uses eth0 as it's public-facing interface.
  3. I'm using a non-default listen port (default for Wireguard is 51820).
Address =
SaveConfig = true
ListenPort = 51111
PrivateKey = +BfzlVJ6o1n8hRvW4nGhpbhsiyWsCKgIEja6F8alsVg=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I edited the wg0.conf file from the Docker host, not from the Docker container, as vim (or vi) is installed.

Once the server's wg0.conf file was created, it was a matter of bringing up the tunnel on the server, and adding peers (clients).

wg-quick up wg0
wg set wg0 peer 4uP7u9NxLSJbHnaYBwQXhF6iXIIzeOjr/U6lQ0kCH3A= allowed-ips
wg-quick save wg0

Once the server is set up and running, adding the tunnel on the client side is the same as a non-Docker Wireguard setup.


Docker Hub - linuxserver/wireguard