mirror
/
docker-documentation
kopia lustrzana https://github.com/linuxserver/docker-documentation
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Bot Updating Documentation

pull/153/head
LinuxServer-CI 2023-10-10 23:14:08 +00:00
rodzic 5f79254714
commit 660245b05a
1 zmienionych plików z 156 dodań i 21 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

177
docs/images/docker-wireguard.md
Wyświetl plik

@ -1,9 +1,8 @@
---
title: wireguard
---
<!-- DO NOT EDIT THIS FILE MANUALLY -->
<!-- Please read the https://github.com/linuxserver/docker-wireguard/blob/master/.github/CONTRIBUTING.md -->
<!-- DO NOT EDIT THIS FILE MANUALLY -->
<!-- Please read https://github.com/linuxserver/docker-wireguard/blob/master/.github/CONTRIBUTING.md -->
# [linuxserver/wireguard](https://github.com/linuxserver/docker-wireguard)
[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fwireguard?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fwireguard)
@ -18,6 +17,8 @@ title: wireguard
[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
[![wireguard](https://www.wireguard.com/img/wireguard.svg)](https://www.wireguard.com/)
## Supported Architectures
We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
@ -40,6 +41,7 @@ This image provides various versions that are available via tags. Please read th
| :----: | :----: |--- |
| latest | ✅ | Stable releases based on Alpine *without* support for compiling Wireguard modules. |
| legacy | ✅ | Stable releases with support for compiling Wireguard modules for older kernels. |
## Application Setup
During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
@ -60,11 +62,13 @@ To add more peers/clients later on, you increment the `PEERS` environment variab
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg_confs/wg0.conf` and restarting the container.
The container managed server conf is hardcoded to `wg0.conf`. However, the users can add additional tunnel config files with `.conf` extensions into `/config/wg_confs/` and the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
Do not set the `PEERS` environment variable. Drop your client conf(s) into the config folder as `/config/wg_confs/<tunnel name>.conf` and start the container. If there are multiple tunnel configs, the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.
If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
@ -167,12 +171,11 @@ docker run -d \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--restart unless-stopped \
lscr.io/linuxserver/wireguard:latest
```
## Parameters
Docker images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
### Ports (`-p`)
@ -211,9 +214,9 @@ Docker images are configured using parameters passed at runtime (such as those a
### Portainer notice
{% hint style="warning" %}
This image utilises `cap_add` or `sysctl` to work properly. This is not implemented properly in some versions of Portainer, thus this image may not work if deployed through Portainer.
{% endhint %}
!!! warning
This image utilises `cap_add` or `sysctl` to work properly. This is not implemented properly in some versions of Portainer, thus this image may not work if deployed through Portainer.
## Environment variables from files (Docker secrets)
@ -222,10 +225,10 @@ You can set any environment variable from a file by using a special prepend `FIL
As an example:
```bash
-e FILE__PASSWORD=/run/secrets/mysecretpassword
-e FILE__MYVAR=/run/secrets/mysecretvariable
```
Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
Will set the environment variable `MYVAR` based on the contents of the `/run/secrets/mysecretvariable` file.
## Umask for running applications
@ -238,11 +241,16 @@ When using volumes (`-v` flags), permissions issues can arise between the host O
Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
In this instance `PUID=1000` and `PGID=1000`, to find yours use `id your_user` as below:
```bash
$ id username
uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
id your_user
```
Example output:
```text
uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)
```
## Docker Mods
@ -254,16 +262,143 @@ We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to
## Support Info
* Shell access whilst the container is running:
* `docker exec -it wireguard /bin/bash`
```bash
docker exec -it wireguard /bin/bash
```
* To monitor the logs of the container in realtime:
* `docker logs -f wireguard`
* Container version number
* `docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard`
* Image version number
* `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/wireguard:latest`
```bash
docker logs -f wireguard
```
* Container version number:
```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard
```
* Image version number:
```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/wireguard:latest
```
## Updating Info
Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (ie. nextcloud, plex), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.
Below are the instructions for updating containers:
### Via Docker Compose
* Update images:
* All images:
```bash
docker-compose pull
```
* Single image:
```bash
docker-compose pull wireguard
```
* Update containers:
* All containers:
```bash
docker-compose up -d
```
* Single container:
```bash
docker-compose up -d wireguard
```
* You can also remove the old dangling images:
```bash
docker image prune
```
### Via Docker Run
* Update the image:
```bash
docker pull lscr.io/linuxserver/wireguard:latest
```
* Stop the running container:
```bash
docker stop wireguard
```
* Delete the container:
```bash
docker rm wireguard
```
* Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
* You can also remove the old dangling images:
```bash
docker image prune
```
### Via Watchtower auto-updater (only use if you don't remember the original parameters)
* Pull the latest image at its tag and replace it with the same env variables in one run:
```bash
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
--run-once wireguard
```
* You can also remove the old dangling images: `docker image prune`
!!! warning
We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
### Image Update Notifications - Diun (Docker Image Update Notifier)
!!! tip
We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
## Building locally
If you want to make local modifications to these images for development purposes or just to customize the logic:
```bash
git clone https://github.com/linuxserver/docker-wireguard.git
cd docker-wireguard
docker build \
--no-cache \
--pull \
-t lscr.io/linuxserver/wireguard:latest .
```
The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
```bash
docker run --rm --privileged multiarch/qemu-user-static:register --reset
```
Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
## Versions
* **03.10.23:** - **Potentially Breaking Change:** Support for multiple interfaces added. Wireguard confs moved to `/config/wg_confs/`. Any file with a `.conf` extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to `wg0.conf`.
* **28.06.23:** - Rebase master to Alpine 3.18 again.
* **26.06.23:** - Revert master to Alpine 3.17, due to issue with openresolv.
* **24.06.23:** - Rebase master to Alpine 3.18, deprecate armhf as per [https://www.linuxserver.io/armhf](https://www.linuxserver.io/armhf).