[](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!")
@ -65,6 +64,7 @@ This image provides various versions that are available via tags. Please read th
| :----: | :----: |--- |
| latest | ✅ | Stable releases based on Alpine *without* support for compiling Wireguard modules. |
| legacy | ✅ | Stable releases with support for compiling Wireguard modules for older kernels. |
## Application Setup
During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
@ -87,11 +87,13 @@ To add more peers/clients later on, you increment the `PEERS` environment variab
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg_confs/wg0.conf` and restarting the container.
The container managed server conf is hardcoded to `wg0.conf`. However, the users can add additional tunnel config files with `.conf` extensions into `/config/wg_confs/` and the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
Do not set the `PEERS` environment variable. Drop your client conf(s) into the config folder as `/config/wg_confs/<tunnel name>.conf` and start the container. If there are multiple tunnel configs, the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.
If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
@ -134,7 +136,7 @@ Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's pee
## Usage
Here are some example snippets to help you get started creating a container.
To help you get started creating a container from this image you can either use docker-compose or the docker cli.
### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose))
@ -194,12 +196,11 @@ docker run -d \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--restart unless-stopped \
lscr.io/linuxserver/wireguard:legacy
```
## Parameters
Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
| Parameter | Function |
| :----: | --- |
@ -230,10 +231,10 @@ You can set any environment variable from a file by using a special prepend `FIL
As an example:
```bash
-e FILE__PASSWORD=/run/secrets/mysecretpassword
-e FILE__MYVAR=/run/secrets/mysecretvariable
```
Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
Will set the environment variable `MYVAR` based on the contents of the `/run/secrets/mysecretvariable` file.
## Umask for running applications
@ -242,15 +243,20 @@ Keep in mind umask is not chmod it subtracts from permissions based on it's valu
## User / Group Identifiers
When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
When using volumes (`-v` flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
In this instance `PUID=1000` and `PGID=1000`, to find yours use `id your_user` as below:
@ -261,12 +267,29 @@ We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to
## Support Info
* Shell access whilst the container is running: `docker exec -it wireguard /bin/bash`
* To monitor the logs of the container in realtime: `docker logs -f wireguard`
* container version number
* `docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard`
* image version number
* `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/wireguard:legacy`
* Shell access whilst the container is running:
```bash
docker exec -it wireguard /bin/bash
```
* To monitor the logs of the container in realtime:
```bash
docker logs -f wireguard
```
* Container version number:
```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard
```
* Image version number:
```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/wireguard:legacy
```
## Updating Info
@ -276,38 +299,83 @@ Below are the instructions for updating containers:
### Via Docker Compose
* Update all images: `docker-compose pull`
* or update a single image: `docker-compose pull wireguard`
* Let compose update all containers as necessary: `docker-compose up -d`
* or update a single container: `docker-compose up -d wireguard`
* You can also remove the old dangling images: `docker image prune`
* Update images:
* All images:
```bash
docker-compose pull
```
* Single image:
```bash
docker-compose pull wireguard
```
* Update containers:
* All containers:
```bash
docker-compose up -d
```
* Single container:
```bash
docker-compose up -d wireguard
```
* You can also remove the old dangling images:
```bash
docker image prune
```
### Via Docker Run
* Update the image: `docker pull lscr.io/linuxserver/wireguard:legacy`
* Stop the running container: `docker stop wireguard`
* Delete the container: `docker rm wireguard`
* Update the image:
```bash
docker pull lscr.io/linuxserver/wireguard:legacy
```
* Stop the running container:
```bash
docker stop wireguard
```
* Delete the container:
```bash
docker rm wireguard
```
* Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
* You can also remove the old dangling images: `docker image prune`
* You can also remove the old dangling images:
```bash
docker image prune
```
### Via Watchtower auto-updater (only use if you don't remember the original parameters)
* Pull the latest image at its tag and replace it with the same env variables in one run:
```bash
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
--run-once wireguard
```
```bash
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
--run-once wireguard
```
* You can also remove the old dangling images: `docker image prune`
**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
**warning**: We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
**tip**: We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
## Building locally
@ -332,6 +400,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions
* **03.10.23:** - **Potentially Breaking Change:** Support for multiple interfaces added. Wireguard confs moved to `/config/wg_confs/`. Any file with a `.conf` extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to `wg0.conf`.
* **24.06.23:** - Deprecate armhf as per [https://www.linuxserver.io/armhf](https://www.linuxserver.io/armhf).
LinuxServer-CI
8 months ago