kopia lustrzana https://github.com/linuxserver/docker-documentation
Bot Updating Documentation
LinuxServer-CI
rodzic
c881951604
commit
7ae4fa3b73
|
|
@ -1,6 +1,9 @@
|
|||
---
|
||||
title: wireguard
|
||||
---
|
||||
<!-- DO NOT EDIT THIS FILE MANUALLY -->
|
||||
<!-- Please read the https://github.com/linuxserver/docker-wireguard/blob/master/.github/CONTRIBUTING.md -->
|
||||
|
||||
# [linuxserver/wireguard](https://github.com/linuxserver/docker-wireguard)
|
||||
|
||||
[](https://github.com/linuxserver/docker-wireguard)
|
||||
|
|
@ -28,139 +31,6 @@ The architectures supported by this image are:
|
|||
| arm64 | arm64v8-latest |
|
||||
| armhf | arm32v7-latest |
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
Here are some example snippets to help you get started creating a container from this image.
|
||||
|
||||
### docker-compose ([recommended](https://docs.linuxserver.io/general/docker-compose))
|
||||
|
||||
Compatible with docker-compose v2 schemas.
|
||||
|
||||
```yaml
|
||||
---
|
||||
version: "2.1"
|
||||
services:
|
||||
wireguard:
|
||||
image: ghcr.io/linuxserver/wireguard
|
||||
container_name: wireguard
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- SYS_MODULE
|
||||
environment:
|
||||
- PUID=1000
|
||||
- PGID=1000
|
||||
- TZ=Europe/London
|
||||
- SERVERURL=wireguard.domain.com #optional
|
||||
- SERVERPORT=51820 #optional
|
||||
- PEERS=1 #optional
|
||||
- PEERDNS=auto #optional
|
||||
- INTERNAL_SUBNET=10.13.13.0 #optional
|
||||
- ALLOWEDIPS=0.0.0.0/0 #optional
|
||||
volumes:
|
||||
- /path/to/appdata/config:/config
|
||||
- /lib/modules:/lib/modules
|
||||
ports:
|
||||
- 51820:51820/udp
|
||||
sysctls:
|
||||
- net.ipv4.conf.all.src_valid_mark=1
|
||||
restart: unless-stopped
|
||||
```
|
||||
|
||||
### docker cli
|
||||
|
||||
```
|
||||
docker run -d \
|
||||
--name=wireguard \
|
||||
--cap-add=NET_ADMIN \
|
||||
--cap-add=SYS_MODULE \
|
||||
-e PUID=1000 \
|
||||
-e PGID=1000 \
|
||||
-e TZ=Europe/London \
|
||||
-e SERVERURL=wireguard.domain.com `#optional` \
|
||||
-e SERVERPORT=51820 `#optional` \
|
||||
-e PEERS=1 `#optional` \
|
||||
-e PEERDNS=auto `#optional` \
|
||||
-e INTERNAL_SUBNET=10.13.13.0 `#optional` \
|
||||
-e ALLOWEDIPS=0.0.0.0/0 `#optional` \
|
||||
-p 51820:51820/udp \
|
||||
-v /path/to/appdata/config:/config \
|
||||
-v /lib/modules:/lib/modules \
|
||||
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
|
||||
--restart unless-stopped \
|
||||
ghcr.io/linuxserver/wireguard
|
||||
```
|
||||
|
||||
|
||||
## Parameters
|
||||
|
||||
Docker images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
|
||||
|
||||
### Ports (`-p`)
|
||||
|
||||
| Parameter | Function |
|
||||
| :----: | --- |
|
||||
| `51820/udp` | wireguard port |
|
||||
|
||||
|
||||
### Environment Variables (`-e`)
|
||||
|
||||
| Env | Function |
|
||||
| :----: | --- |
|
||||
| `PUID=1000` | for UserID - see below for explanation |
|
||||
| `PGID=1000` | for GroupID - see below for explanation |
|
||||
| `TZ=Europe/London` | Specify a timezone to use EG Europe/London |
|
||||
| `SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
|
||||
| `SERVERPORT=51820` | External port for docker host. Used in server mode. |
|
||||
| `PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
|
||||
| `PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
|
||||
| `INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
|
||||
| `ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
|
||||
|
||||
### Volume Mappings (`-v`)
|
||||
|
||||
| Volume | Function |
|
||||
| :----: | --- |
|
||||
| `/config` | Contains all relevant configuration files. |
|
||||
| `/lib/modules` | Maps host's modules folder. |
|
||||
|
||||
|
||||
#### Miscellaneous Options
|
||||
| Parameter | Function |
|
||||
| :-----: | --- |
|
||||
| `--sysctl=` | Required for client mode. |
|
||||
|
||||
## Environment variables from files (Docker secrets)
|
||||
|
||||
You can set any environment variable from a file by using a special prepend `FILE__`.
|
||||
|
||||
As an example:
|
||||
|
||||
```
|
||||
-e FILE__PASSWORD=/run/secrets/mysecretpassword
|
||||
```
|
||||
|
||||
Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
|
||||
|
||||
## Umask for running applications
|
||||
|
||||
For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting.
|
||||
Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support.
|
||||
|
||||
|
||||
## User / Group Identifiers
|
||||
|
||||
When using volumes (`-v` flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
|
||||
|
||||
Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
|
||||
|
||||
In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
|
||||
|
||||
```
|
||||
$ id username
|
||||
uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
|
||||
```
|
||||
|
||||
## Application Setup
|
||||
|
||||
This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
|
||||
|
|
@ -209,13 +79,141 @@ When routing via Wireguard from another container using the `service` option in
|
|||
PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
Here are some example snippets to help you get started creating a container from this image.
|
||||
|
||||
### docker-compose ([recommended](https://docs.linuxserver.io/general/docker-compose))
|
||||
|
||||
Compatible with docker-compose v2 schemas.
|
||||
|
||||
```yaml
|
||||
---
|
||||
version: "2.1"
|
||||
services:
|
||||
wireguard:
|
||||
image: ghcr.io/linuxserver/wireguard
|
||||
container_name: wireguard
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- SYS_MODULE
|
||||
environment:
|
||||
- PUID=1000
|
||||
- PGID=1000
|
||||
- TZ=Europe/London
|
||||
- SERVERURL=wireguard.domain.com #optional
|
||||
- SERVERPORT=51820 #optional
|
||||
- PEERS=1 #optional
|
||||
- PEERDNS=auto #optional
|
||||
- INTERNAL_SUBNET=10.13.13.0 #optional
|
||||
- ALLOWEDIPS=0.0.0.0/0 #optional
|
||||
volumes:
|
||||
- /path/to/appdata/config:/config
|
||||
- /lib/modules:/lib/modules
|
||||
ports:
|
||||
- 51820:51820/udp
|
||||
sysctls:
|
||||
- net.ipv4.conf.all.src_valid_mark=1
|
||||
restart: unless-stopped
|
||||
```
|
||||
|
||||
### docker cli
|
||||
|
||||
```bash
|
||||
docker run -d \
|
||||
--name=wireguard \
|
||||
--cap-add=NET_ADMIN \
|
||||
--cap-add=SYS_MODULE \
|
||||
-e PUID=1000 \
|
||||
-e PGID=1000 \
|
||||
-e TZ=Europe/London \
|
||||
-e SERVERURL=wireguard.domain.com `#optional` \
|
||||
-e SERVERPORT=51820 `#optional` \
|
||||
-e PEERS=1 `#optional` \
|
||||
-e PEERDNS=auto `#optional` \
|
||||
-e INTERNAL_SUBNET=10.13.13.0 `#optional` \
|
||||
-e ALLOWEDIPS=0.0.0.0/0 `#optional` \
|
||||
-p 51820:51820/udp \
|
||||
-v /path/to/appdata/config:/config \
|
||||
-v /lib/modules:/lib/modules \
|
||||
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
|
||||
--restart unless-stopped \
|
||||
ghcr.io/linuxserver/wireguard
|
||||
```
|
||||
|
||||
## Parameters
|
||||
|
||||
Docker images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
|
||||
|
||||
### Ports (`-p`)
|
||||
|
||||
| Parameter | Function |
|
||||
| :----: | --- |
|
||||
| `51820/udp` | wireguard port |
|
||||
|
||||
### Environment Variables (`-e`)
|
||||
|
||||
| Env | Function |
|
||||
| :----: | --- |
|
||||
| `PUID=1000` | for UserID - see below for explanation |
|
||||
| `PGID=1000` | for GroupID - see below for explanation |
|
||||
| `TZ=Europe/London` | Specify a timezone to use EG Europe/London |
|
||||
| `SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
|
||||
| `SERVERPORT=51820` | External port for docker host. Used in server mode. |
|
||||
| `PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
|
||||
| `PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
|
||||
| `INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
|
||||
| `ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
|
||||
|
||||
### Volume Mappings (`-v`)
|
||||
|
||||
| Volume | Function |
|
||||
| :----: | --- |
|
||||
| `/config` | Contains all relevant configuration files. |
|
||||
| `/lib/modules` | Maps host's modules folder. |
|
||||
|
||||
#### Miscellaneous Options
|
||||
|
||||
| Parameter | Function |
|
||||
| :-----: | --- |
|
||||
| `--sysctl=` | Required for client mode. |
|
||||
|
||||
## Environment variables from files (Docker secrets)
|
||||
|
||||
You can set any environment variable from a file by using a special prepend `FILE__`.
|
||||
|
||||
As an example:
|
||||
|
||||
```bash
|
||||
-e FILE__PASSWORD=/run/secrets/mysecretpassword
|
||||
```
|
||||
|
||||
Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
|
||||
|
||||
## Umask for running applications
|
||||
|
||||
For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting.
|
||||
Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support.
|
||||
|
||||
## User / Group Identifiers
|
||||
|
||||
When using volumes (`-v` flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
|
||||
|
||||
Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
|
||||
|
||||
In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
|
||||
|
||||
```bash
|
||||
$ id username
|
||||
uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
|
||||
```
|
||||
|
||||
## Docker Mods
|
||||
|
||||
[](https://mods.linuxserver.io/?mod=wireguard "view available mods for this container.") [](https://mods.linuxserver.io/?mod=universal "view available universal mods.")
|
||||
|
||||
We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.
|
||||
|
||||
|
||||
## Support Info
|
||||
|
||||
* Shell access whilst the container is running:
|
||||
|
|
|
|||
Ładowanie…
Reference in New Issue