Skip to content

Instantly share code, notes, and snippets.

@fluffy-kaiju

fluffy-kaiju/docker-compose.yaml

Last active July 11, 2023 11:13
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save fluffy-kaiju/90edbf0f17237d82ecdcbd6d12d18322 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save fluffy-kaiju/90edbf0f17237d82ecdcbd6d12d18322 to your computer and use it in GitHub Desktop.
Download ZIP
wireguard-ui docker compose setup
Raw
docker-compose.yaml
version: "3"
services:
wireguard:
restart: always
image: linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
volumes:
- ./config:/config
ports:
# port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
- "5000:5000"
# port of the wireguard server
- "51820:51820/udp"
wireguard-ui:
restart: always
image: ngoduykhanh/wireguard-ui:latest
container_name: wireguard-ui
depends_on:
- wireguard
cap_add:
- NET_ADMIN
# use the network of the 'wireguard' service. this enables to show active clients in the status page
network_mode: service:wireguard
# env_file: stack.env
environment:
- WG_CONF_TEMPLATE=
- WGUI_MANAGE_START=true
- WGUI_MANAGE_RESTART=true
- WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
- WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
- EMAIL_FROM_ADDRESS=noreply@dreemcloud.net
- SMTP_HOSTNAME=smtp.purelymail.com
- SMTP_PORT=465
- SMTP_USERNAME=<username>
- SMTP_PASSWORD=<passwd>
- SMTP_AUTH_TYPE=LOGIN
- SMTP_ENCRYPTION=SSLTLS
- WGUI_SERVER_INTERFACE_ADDRESSES=<ip4>/24
logging:
driver: json-file
options:
max-size: 50m
volumes:
- ./db:/app/db
- ./config:/etc/wireguard
Raw
info.md

Info

Post Up and Down Script

Ive occure connection failure, to fix we need to add Post Up Script and Post Down Script command.

Explanation of the commands

Generate by gpt-3.5-turbo with prompt Explain what is the purpose of this Post Up Script and Post Down Script for WireGuard configuration.

The Post Up Script and Post Down Script in the WireGuard configuration are used to set up and tear down the necessary IP forwarding and NAT rules for the VPN connection.

The Post Up Script is executed once the VPN link is established, while the Post Down Script is executed when the link is torn down.

In detail, the Post Up Script adds the following rules to the system's iptables:

  • -A FORWARD -i %i -j ACCEPT: Accept incoming packets on the VPN interface %i and forward them to other interfaces.
  • -A FORWARD -o %i -j ACCEPT: Accept outgoing packets on other interfaces and forward them to the VPN interface %i.
  • -t nat -A POSTROUTING -o eth+ -j MASQUERADE: Masquerade the source address of outgoing packets from the VPN interface %i as if they come from the system's eth+ interface, allowing them to traverse the network.

These rules are necessary to enable routing between the local network and the VPN network.

Meanwhile, the Post Down Script removes the same rules that were previously added by the Post Up Script, as they are no longer necessary once the VPN connection is terminated.

  • -D FORWARD -i %i -j ACCEPT: Delete the rule that accepts incoming packets on the VPN interface %i for forwarding
  • -D FORWARD -o %i -j ACCEPT: Delete the rule that accepts outgoing packets from other interfaces for forwarding to the VPN interface %i
  • -t nat -D POSTROUTING -o eth+ -j MASQUERADE: Delete the rule that masquerades the source address of outgoing packets from the VPN interface %i as if they come from the system's eth+ interface

Properly configuring these scripts ensure that the necessary routing rules are in place for the VPN connection to function correctly, and that they are cleaned up properly when the VPN connection is no longer needed.

The docker file

Generate by gpt-3.5-turbo with prompt Make a documentation that explain all this docker-compose configuration.

This docker-compose configuration creates two services- wireguard and wireguard-ui. The wireguard service runs the WireGuard server inside a docker container while the wireguard-ui service runs the web interface for administration.

The wireguard Service:

  • restart: always: Restarts the container automatically in case of failures.
  • image: linuxserver/wireguard:latest: The image that will be used to create the container.
  • container_name: wireguard: Sets a name for the container.
  • cap_add: - NET_ADMIN: Adds the necessary capabilities to interact with the network stack.
  • volumes: - ./config:/config: Maps the local file system ./config to the container's /config directory. It is used to store the configuration files, which includes private and public keys that are necessary for the WireGuard VPN server.
  • ports: configures the ports that are exposed from the container to the host machine:
    • "5000:5000": maps the host port 5000 to the container's port 5000. This is needed because the wireguard-ui container uses this port to provide the web interface to manage the VPN server.
    • "51820:51820/udp" the default port for the WireGuard VPN server. 51820 is the container's port while 51820/udp is the protocol for the port.

The wireguard-ui Service:

  • restart: always: Restarts the container automatically in case of failures.
  • image: ngoduykhanh/wireguard-ui:latest: The image that will be used to create the container.
  • container_name: wireguard-ui: Sets a name for the container.
  • depends_on: - wireguard: The wireguard container runs first as wireguard-ui depends on it.
  • cap_add: - NET_ADMIN: Adds the necessary capabilities to interact with the network stack.
  • network_mode: service:wireguard: Uses the same network as the wireguard service, so that wireguard-ui can communicate with wireguard without any issue.
  • environment: sets environment variables that the container requires:
    • WG_CONF_TEMPLATE: Configures the WireGuard configuration template.
    • WGUI_MANAGE_START: Determines whether the container should start the WireGuard server automatically or not.
    • WGUI_MANAGE_RESTART: Determines whether the container should restart the WireGuard server automatically or not.
    • WGUI_SERVER_POST_UP_SCRIPT and WGUI_SERVER_POST_DOWN_SCRIPT: The scripts which will execute when the WireGuard server starts and stops. They set up and tear down, respectively, the necessary IP forwarding and NAT rules for the VPN connection.
    • EMAIL_FROM_ADDRESS: Specifies the email address to use when sending emails, for example, during password resets.
    • SMTP_HOSTNAME, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_AUTH_TYPE, SMTP_ENCRYPTION: Configuration for sending emails over STMP server.
    • WGUI_SERVER_INTERFACE_ADDRESSES: Specifies the IP address range to be used by the VPN tunnel
  • logging: configures the logging driver and sets limits to the maximum size of logs.
  • volumes: Mounts two directories from the host machine to the container- ./db:/app/db, which stores the database, and ./config:/etc/wireguard, which stores the WireGuard configuration files.

Links

https://github.com/ngoduykhanh/wireguard-ui https://shareg.pt/69I68M5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment