Just a question on the first part where you are talking about expectations: is the "privacy" aspect due to the client browser using a tunnel to the VPN provider's server to exit with the request to the open internet from a server in another location, and then the requests and responses go over the VPN to that public browser and back to the client browser? So only the VPN provider knows the location and identity of the client browser. After that the client browser has to take care of cookies and other identity issues? BUT your point on WireGuard is that my wireguard server does not provide that service at all.
This was about VPN Providers (not self-hosted Wireguard), that advertise their services with "Privacy" and "Security". But in my opinion it gives customers a wrong expectation. VPN services provide no additional privacy or security at all, the IP address is literally the most unimportant way of tracking users nowadays. I probably should make a separate video on that topic.
If your wireguard server is behind a NAT device (such as router, firewall, etc.) you need to forward the port to your local wireguard server. But if it's running on a cloud server and your client is behind a router, you don't need to do this as the client will initiate the connection. Note in this scenario it could make sense to add the "keep-alive" packets as I've shown in my previous WireGuard video, that prevents the NAT device from timing out the UDP connection when you don't send traffic for a longer time. I hope this helps :)
Hey! I am having trouble running the container for wireguard. Always get an error in the log: s6-overlay-suexec: fatal: can only run as pid 1 Do you know how to fix it? Running it on the x64 portainer on CoreELEC Docker
Hi and thanks for the Vid. Everything seems to be up and running in docker. I was able to get the peers and when I run the app, in the logs I am not getting a handshake so no internet. Anything I can try?
Hey Christian, one question. I installed wireguard in docker, like the way you explained in this great video, but docker runs in a lxc in proxmox. It doesn't work. The VPN connection runs, I checked in the wg command. But I have no connection to the internet. Any ideas? Thanks and best regards!
Hello, switching from wireguard configured on Rasp by pivpn to wireguard on docker, I noticed that I lost PSK on the client's configuration. Basically, from a security perspective that is not good. Do you know if I can improve this feature in the docker file? Thank you!
Maybe I missed it, but looks to me it only provides internet connection over the docker, without access or further access on the server the way you did the setup. To do so the config needs more adders, such as local paths etc. to access. I run something similar with openvpn, but with access rights to my files outside the docker.
The video covers the use case of routing all traffic through the tunnel, so yes it provides an internet connection, but you can also access internal services or internal resources on the wireguard server. You just need to access the internal IP address of the server, you could also use the "network_mode: host" in the docker-compose file, in this case the docker container wouldn't create an isolated interface on the docker container but instead create a wg0 interface directly on the host system, where you can better deal with routing. So access to internal resources should work with both methods anyway.
@@christianlempa understand that but I meant files on the same server as docker is installed. When in use for home stations it is likely to run on the same server or nas.
@@mebeingme947 You could access the files on your host server via smb or scp if you're using the internal IP of the server. The docker container might not be able to access the files directly, but it's just used to open a network connection from the client to the server. Whatever access controls you configure on the host, the client should be able to access it via network protocols.
Do you know what problem is running here? I only got volume mapping before I map /etc/passwd and /etc/group to container. What did I miss to solve in your sight? Thanxx
Question, you installed it on docker, which is on your local machine? Asking because I'm curious if you can connect your machine to the docker image you created and then the IP changes.
I'm not quite sure what you mean by IP changes, but I usually deploy the wireguard server in a docker container which will be bridged to the host network. I simply then connect with my wireguard client installed directly on my local system (or deploy it in a docker container that uses the network_mode=host).
@@christianlempa oh, I see, so you have an external server where you deploy this image/container. I tried to have it on local and then connect to it, I tried an inception thing, but it seems it went in a loop. Thanks for your time
Excellent video! I was having a hard time with wireguard but on docker this is a breeze. One question though. My home IPs are 192.168.1.* range. When I am at a friend's house connected to his wifi which also has IPs in the 192.168.1.* range (which is the most common setup in most houses) and I connect to my wireguard server at home I can't browse my home's local network where my NAS is located. When I use my phone and connect to 4G and then wireguard I can browse the local network just fine. I assume there is some issue when the local network and the network being used to provide the wireguard client internet access is on the same IP range. Is there a solution for this or do I have to change my home IP setup to use something different than 192.168.1.*? Thank you.
Thanks mate! Managing VPNs with same subnets on 2 different locations is tricky, there are solutions like 1 to 1 NAT which work, but it's not trivial to set up. The easiest way is to change the subnet on one location to something else.
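Why the overlap described in this exchange breaks access, as an added example that is not part of the original thread: a client picks the most specific matching route, so the directly connected Wi-Fi subnet wins over a full-tunnel route. The route tables, interface names, the NAS address 192.168.1.50 and the replacement subnet 192.168.77.0/24 are constructed, and the full-tunnel `0.0.0.0/0` route is an assumption about the peer config.

```python
import ipaddress


def pick_interface(routes, destination):
    """Longest-prefix match over (cidr, interface) pairs, as an IP stack does."""
    dest = ipaddress.ip_address(destination)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def shadowed_home_hosts(client_lan, home_lan, hosts):
    """Home hosts that the client's own LAN route captures before the tunnel can."""
    lan = ipaddress.ip_network(client_lan)
    if not lan.overlaps(ipaddress.ip_network(home_lan)):
        return []
    return [h for h in hosts if ipaddress.ip_address(h) in lan]


# Constructed route tables for the situations described in the thread.
FULL_TUNNEL = ("0.0.0.0/0", "wg0")  # assumed: the peer routes all traffic via the tunnel
FRIENDS_WIFI = [("192.168.1.0/24", "wlan0"), FULL_TUNNEL]
MOBILE_4G = [("10.20.0.0/16", "rmnet0"), FULL_TUNNEL]
NAS = "192.168.1.50"             # constructed address of the NAS at home
NAS_RENUMBERED = "192.168.77.50"  # same NAS after moving home to 192.168.77.0/24


def run_scenarios():
    """Which interface carries traffic to the NAS in each situation."""
    return {
        "friend_wifi": pick_interface(FRIENDS_WIFI, NAS),
        "mobile_4g": pick_interface(MOBILE_4G, NAS),
        "friend_wifi_after_renumber": pick_interface(FRIENDS_WIFI, NAS_RENUMBERED),
    }


if __name__ == "__main__":
    for name, iface in run_scenarios().items():
        print(f"{name}: NAS traffic leaves via {iface}")
    print("shadowed:", shadowed_home_hosts("192.168.1.0/24", "192.168.1.0/24", [NAS]))
```

Traffic that leaves via `wlan0` never enters the tunnel, so it reaches whatever device holds that address on the friend's network instead of the NAS at home.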
I want to ask something about vpn server. There is something that I can't quite understand the logic of. I will be glad if you can help with that. For example I'm using a raspberry pi for vpn server at home and it's connected to my home network. My home internet speed is 25 Mbps download and 5 Mbps upload. For example I go to the office and the internet speed is 100 Mbps download and 100 Mbps upload at the office. If I connect to my vpn server, what should the speedtest/fast test result be? I mean, should my home network upload speed be my download speed outside? Could you please explain that? Because when I test at the office I can see 30-40 Mbps but normally my home network download speed is 25 and upload speed is 5 Mbps.
When you're transmitting data from one location to another location it depends on the upstream/downstream bandwidth of your connection and if you're sending or receiving data. Most ISPs have an asymmetric bandwidth, which means downloading is faster than uploading. For example, you transmit data from Point1 to Point2 because Point2 is downloading a file. In that case it will be limited by the max. upstream bandwidth of Point1 AND the max. downstream bandwidth of Point2. It will be limited by the smallest bandwidth. Hope it was somehow understandable :D
I am getting an error
+++++++++++++++
/o/wireguard-server> sudo docker-compose up -d
ERROR: yaml.scanner.ScannerError: mapping values are not allowed here
  in "./docker-compose.yaml", line 2, column 19
I did not change anything in line 2 :(
Great video thanks for posting. I've set this up on the Free Tier of the Oracle Cloud service and it works great. The only issue I am running into is not being able to pull down the .conf files for the different peers. I am able to show the QR codes for each one (fine for IOS devices) but I need a .conf file for another machine and I get permission denied when I try to copy it to local machine. I think it might be the chown command of the opt/wireguard-server directory but I'm a noob at linux and can't tell?
I would like to use wireguard server in a Docker. I do have wg server and client installed on Ubuntu. However, I can't connect to internet with VPN. Maybe because both server and client are installed on one machine (Ubuntu 18.04). I'd like to try wg server in Docker and client on Ubuntu. Should I first remove the wg-server.conf and wg-client.conf I have right now from /etc/wireguard/ before I start to install wg server in the Docker?
I think the problem is because you're running it on the same machine. It could be a routing problem because you're somehow creating an infinite loop or something else. Better install a separate machine in a virtual environment and use this as your test-setup.
Given the video is old, it aged perfectly, I had no issues or blind spots when following, everything worked like a charm, thank you a lot!
I am embarrassed to say that this is the first time I came across this video after 2 years of trying to fix my Wireguard container! It was super straightforward and explained perfectly so I feel like I have more control on the parameters of the image and wireguard itself! Thank you!
Thank you so much :) no need to worry!
Hi Christian, could this be used for example having a WG server on a pi 4 with a dedicated residential IP and allowing connection from another device at a different location to appear on the same network to share Netflix? Just wondering?
@@iamrage4753 I know this post is a year old but yes I can confirm this will work for this.
This video was exactly what I was looking for. Very thorough, definitely one of the best videos I've watched for help on projects I am doing.
Thank you 😁
VERY HELPFUL! I especially appreciate your step-by-step examination of the YAML file. It helped my overall understanding of what's going on with the container.
thank you! glad you liked it :)
Really great stuff! This was so easy to setup and it gave me a chance to start my first docker project. Thanks!!
I'm glad you liked it 🙂
The docker image looks really nice and also very comfortable to use. Although, I am not sure whether I should be concerned of the fact that the server knows the private key of its clients.
Yea that was also a concern I had. What you can see is that the keys are stored with 600 permissions, so that only the userid which is used in the docker-compose file has read and write permissions on the key. Of course you need to pick a user that is secured and not used by anyone else on the system.
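An audit for the concern raised in this exchange, as an added example that is not part of the original thread or the image's own tooling: it walks a config directory and reports files that carry private key material but are accessible to group or others, i.e. anything looser than the 600 mode mentioned above. The directory layout, the file names and the `privatekey` name prefix used as a heuristic are constructed assumptions.

```python
import os
import stat
import tempfile


def holds_private_key(path, name):
    """Heuristic (assumption): a file named privatekey*, or a .conf with a PrivateKey line."""
    if name.startswith("privatekey"):
        return True
    if not name.endswith(".conf"):
        return False
    try:
        with open(path, "r", errors="replace") as fh:
            return any(line.strip().lower().startswith("privatekey") for line in fh)
    except OSError:
        return True  # unreadable to the auditor: treat as key-bearing, the mode check decides


def find_exposed_keys(config_dir):
    """Return sorted (relative path, mode) pairs for key files with group/other access."""
    exposed = []
    for root, _dirs, files in os.walk(config_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not holds_private_key(path, name):
                continue
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                rel = os.path.relpath(path, config_dir)
                exposed.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)


def demo(peer_conf_mode=0o644):
    """Build a constructed config tree in a temp dir and audit it."""
    samples = {
        "wg0.conf": ("[Interface]\nPrivateKey = <constructed>\n", 0o600),
        "peer1/peer1.conf": ("[Interface]\nPrivateKey = <constructed>\n", peer_conf_mode),
        "peer1/privatekey-peer1": ("<constructed>\n", 0o600),
        "peer1/publickey-peer1": ("<constructed>\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as config_dir:
        os.mkdir(os.path.join(config_dir, "peer1"))
        for rel, (content, mode) in samples.items():
            path = os.path.join(config_dir, rel)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)  # explicit mode, independent of the umask
        return find_exposed_keys(config_dir)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{rel}: mode {mode} exposes a private key to group/others")
```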
Top video! Explained super transparently, very good and easy-to-understand English!!!
watched many other YT tutorials (while unsuccessful and banging my head against the wall in failure lol) and then found this....followed your instructions on some aspects but used portainer-ce to create/edit the container...I appreciate you going through each line in the docker-compose file so i could add env/vol variables according to my usage which is being executed in docker on an RPI4...after several container rebuilds I have wireguard running so I can access my home network while i am away! Cheers 😎
/subscribed
Awesome! I'm glad it helped you :)
Thanks a lot for your video, Christian! This helped me fix my Wireguard container in Portainer. It was very helpful that you also showed how the config files look afterwards so I had a reference of the outcome and was able to compare and see what I did wrong (I put my local network address in the internal address field).
You’re welcome! Glad it helped
Thank you! Much like others, I had been unsuccessful in setting up WireGuard server. But with this video was up and running on my first attempt.
Very clear and very thorough explanation
Glad it was helpful!
I have watched this video many times and I learn something any time I watch it.
Thanks a lot man!
Glad you liked it! :)
This guy knows how it works and his explanation is very clear! Nice video and thanks!
Superb video, I like how you present the info in a clear and concise manner!
Thank you so much! :)
Excellent tutorial, simply awesome, everything works perfectly.
Thank you so much :)
Christian another excellent video. Got this running quick :). Thanks brother.
Thank you bro! :)
All went fine on my Oracle cloud instance then came my wife's... it worked on mine? Said connected, but no internet! Some fool, can't think who, put the allow 51820 into MY ingress rules twice!! Once fixed, all fine. Excellent as usual Christian!
The best video i have seen today. Exactly what i was looking for. Thanks
Thank you mate :)
do more of this!! this is amazing
Thank you ;)
I think I know what I'm gonna do this weekend. Thank you.
Great video Christian! Thanks
Very Informative, helpful and Educational video! Thx for the tutorial man!
Thx! ;)
1:15 - 1:55 YES!! I've been saying the same thing for years! VPN providers are using that phrase in advertisements to "protect and secure your data online" near me. While yes, it will to a certain extent, in actuality you're just kicking the can down the road a little bit. Plus, if VPN providers are lying to you to use their service... they shouldn't be trusted with your data!
WOW - brilliant video. These instructions worked perfectly the first time. Thank you!
Thank you so much 🥰
I am running 2 Wireguard containers, but if you need to change the standard port from 51820 you need to change it in the wg0.conf file after you set all things up.
For instance, you don't want port 51820 but 51824. You first need to change the ports in the docker yaml file. After the deploy you go to the config/wg0.conf and change the "ListenPort = 51820" to "ListenPort = 51824".
It took me a while to find this out because the changed port didn't work but the old one does.
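A consistency check for the port change described in the comment above, as an added example that is not part of the original comment or the image's own tooling. It compares the UDP mapping in the compose file, `ListenPort` in wg0.conf and the port in a peer's `Endpoint`; the file contents, keys and hostname are constructed placeholders and the function names are hypothetical.

```python
import re

# Constructed samples: the compose file after the port edit, and a wg0.conf
# that still carries the old port. Keys and hostname are placeholders.
COMPOSE = """\
services:
  wireguard:
    ports:
      - 51824:51824/udp
"""
WG0_STALE = """\
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <server-private-key>
"""
PEER = """\
[Interface]
PrivateKey = <peer-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51824
"""

# Matches "- 51824:51824/udp" and "- 0.0.0.0:51824:51824/udp", quoted or not.
_MAPPING = re.compile(r"""^\s*-\s*["']?(?:[\d.]+:)?(\d+):(\d+)/udp["']?\s*$""", re.M)


def published_udp_ports(compose_text):
    """Return (host_port, container_port) for every UDP mapping in the compose text."""
    return [(int(h), int(c)) for h, c in _MAPPING.findall(compose_text)]


def conf_value(conf_text, key):
    """First value of `key = value` in a WireGuard config, or None."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", conf_text, re.M | re.I)
    return m.group(1) if m else None


def check_ports(compose_text, wg0_text, peer_text):
    """List mismatches between the published mapping, ListenPort and Endpoint."""
    mappings = published_udp_ports(compose_text)
    if not mappings:
        return ["compose file publishes no UDP port"]
    problems = []
    listen = conf_value(wg0_text, "ListenPort")
    # The container side of the mapping is where WireGuard must be listening.
    if listen is None:
        problems.append("wg0.conf has no ListenPort")
    elif int(listen) not in [c for _, c in mappings]:
        problems.append(f"ListenPort {listen} is not the container side of {mappings}")
    endpoint = conf_value(peer_text, "Endpoint")
    # The host side of the mapping is what clients dial.
    if endpoint is not None:
        port = int(endpoint.rsplit(":", 1)[1])
        if port not in [h for h, _ in mappings]:
            problems.append(f"Endpoint port {port} is not the host side of {mappings}")
    return problems


if __name__ == "__main__":
    for problem in check_ports(COMPOSE, WG0_STALE, PEER) or ["ports are consistent"]:
        print(problem)
```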
Your videos are great. Thank you for sharing.
Keep up the good work.
Thanks, will do!
Yo! It's already here. Thanks man!
i watched this over 20 times
Could you please make a video on how to make our own wireguard docker image?
What if someone wants to have the wireguard connection partially made? Meaning he can access his home services remotely but all other traffic comes from his local connection not the remote one. What lines should someone use there before deploying the image?
Also by the way the image has been set up there will be always a client named peer1? What if you want to give access to 4 people and you want each client to have a different name?
you are awesome. very easy to understand.
Thank you so much! :)
Its working! Thank you, great tutorial!
Great to hear!
I followed everything and I am able to connect to the VPN using the conf file and activate it. However, when I turn on the VPN my issue is that it connects but I don't have internet access. I'm getting a DNS Probe error so I'm sure it has to do with the DNS. I am running this on RP4 with portainer. How can I fix this issue?
thanks man you saved my day
Excellent Video. Sorry myself, to be late on this channel. 1. This could have been done using public IP (vps) for further more clarity.
2. Can a peer expose its entire network for other peers?
Any chance you can make an update showing how to install behind nginx proxy manager and a domain name?
Hm why would you use NPM with WireGuard? I understand a reverse proxy is really just used for web traffic.
Congrats, it is a GREAT VIDEO.
I am using a GLinet router. Now I am in France, but I want to use my NY IP. In NY I already have my TP LINK modem, and I just want to know how to configure it while I am in France and still have my New York IP, please.
Thank you for this wonderful video. Please, how then would you configure other docker services to route their traffic through the VPN?
Thanks! Installing wireguard via docker on a rock64 takes care of so many issues, it's just not worth it installing it manually on that sbc!
Very nice.. thanks so much!
Thank you too!
@@christianlempa I'm getting this error when I run the docker exec -it wireguard /app/show-peer 1.... Failed to encode the input data: Numerical result out of range
Too good. Thanks.
Can you post a video about how to tunnel between two vps's or refer me to one?
i live in iran and i have to use a iranian vps and one from europe to be able to connect
Followed the guide and the container is working without a hitch. However, I am unable to access the internet from my phone after scanning the QR code and connecting to the server. The server also shows no clients when the wg command is executed.
Christian, because of you, I ditched my Windows server, Blueiris, and WSL and got onto Ubuntu Server, Portainer, HA, Frigate, and the list goes on. Currently I have HA pushing alerts to my phone but I constantly have to turn on Tailscale to receive them. Tailscale does not seem to have any interest in giving us a much needed quality of life feature that allows it to switch on/off based on WiFi SSID whitelist or Mac whitelist, basically, a way to activate VPN when I am away from home and not in my local network. So I want to ditch Tailscale, despite how much I love it, and instead move on to WireGuard as I was told it's able to do that. I would be so grateful if you were to make a simple short video showing us how we can achieve this as it allows us to keep all of our HA config exactly as is and just rely on the client to switch automatically. Thank you and happy new year!
It would be nice if you made an update to this tutorial using the WireGuard-UI docker container. (I'm not stuck with it or anything... Pretty pls)
In case I forgot to say - Thank you Very much! :)
Glad it helped!
Thank you man ♥
A good tutorial video, but I do not think "chown" is necessary, because docker project needs "sudo" to run it.
Amazing, Thank you
You’re welcome
What is the SSH program you are using? It is so clean and comes in dark mode!
Good one thanks.
ps. Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****
Thank you for the great tutorials. I have a couple of questions: 1. Are there any performance or security issues running this as a docker container versus running this bare metal on my system (using something like PiVPN)? 2. How do I configure so I can access local machines on my home network when I am remote? I did watch your recent video about Tailscale but don't like the idea of someone else managing all the configuration. I currently have a PiVPN instance up and running on an x86 machine but can't seem to access local machines when I am outside my home network. I looked at some of the documentation for wireguard and thought it might be related to the INTERNAL_SUBNET config but don't completely understand. Thank you in advance for any assistance you may be able to offer.
Thanks mate! :) 1. No, Docker will give you even more security with nearly zero performance downsides. 2. Yes, it's depending on your WG Server and if it supports forwarding IP packets like described in the tutorial. Also, it may help to set up the containers as network_mode: host.
I run the container on windows wsl. How do I find the correct ip I should add to the SERVERURL?
And if I want to connect from mobile with mobile data, is port forwarding required?
Thanks in advance for your time and work
This is an excellent video, and I was able to set up my WireGuard VPN for 8 users :) The QR code configuration was an extremely easy path for mobile devices. I have had two challenges though:
1) It was not possible to configure it on any other port but 51820, I think the problem is on the client side (both iOS and Android)
2) Getting the config file through a QR code was a breeze thanks to your explanations but I am having a hard time with the command line for downloading the config file for MacOS.
Thank you! :) yeah it depends on the client if you can change the config, haven’t tested it on macOS yet, but you probably can just import a config file there
Very cool, but when I distribute it just helps to have a gui interface to add clients. Hope Linux server guys add this soon.
That would be cool!
Thanks I was able to follow your tutorial and run wireguard! Just wanted to know if I can use my public ipv6 and tunnel that to my clients.
Will this process work with Torguard wireguard file (key) and or any other provider? I have duo core mini pc with an ssd but one lan. I have a usb Ethernet that works on android could that possibly work? I have fiber from century link that uses pppoe protocol.
Congrats for your videos, you're very smart! But I cannot catch very well an aspect. Is it necessary to forward port 51820 of my router to Wireguard server in order to gain access from my devices over the internet?
Can you explain a little bit better this point? Thanks
Yes, you must add a forward rule to the internal IP of your wireguard server.
Amazing.💪🏽
Very interesting, but I installed a wireguard server as shown on the video on a VPS to make a tunnel to access internet from another country, but I've no access to internet? Any idea?
Is there a way to add wireguard to ubuntu 20 network manager? That's where my openvpn ON/OFF toggle used to be and it's quite handy
Hey, great video! I am really confused on how to get this to work outside my network I can't seem to port forward it and when I try network_mode: host it spits back with some errors
Maybe check out our Discord for help and share your error messages.
Question: I have 2 machines (n1, n2) exposed on the internet (virtual private servers). I have a few services running on n2 that I want the apps running on n1 to access. Now one way is to use SSL/TLS for every service running on n2 so that apps on n1 can connect securely to services on n2. The 2nd option is to create a VPN on n1+n2 and then the apps on n1 can use that VPN IP address to access services on n2 without any TLS configured on n2. However I'm not sure if by creating a VPN the regular traffic from the internet to both n1, n2 is blocked or changed in any way? Is it the right way to secure servers' internal services that we don't want to expose on the internet?
Hi. Could you make a video about WireGuard client docker? Routing and nat.. move other docker traffic through the wireguard container. Thank you.
I thought about it, but I guess it might be better to make a written guide about it rather than a tutorial vid. Maybe you can check out our discord for help if you have trouble?
@christianlempa thank you for the fast response. Yes, I will check Discord 🙂
I have set it up and scanned the QR code with the wireguard app on my iPhone but just nothing happens. Well, it seems to connect, but no internet traffic whatsoever :/
Works pretty good but not right out of the box if you want to change the port from the default 51820. It can be done of course with some manipulation.
I've installed wireguard in VPN, working fine, but when I access the VPS using RDP, internet is not working in Firefox or any browser.
What do I do?
Hey don't know if you answer the community but do you have a way to install WG in an ubuntu server (that part yes) and then using it on an asus router as a client? I don't want to install WG on the router, first because it disables hardware acceleration and second because my router is not compatible.
So if everything is running on the same machine, serverurl is then just localhost?
Great Vid. Just a question. Is there any way to add a web interface to this?
Awesome! There are services that offer products based on the WG protocol, such as tailscale, netbird, etc. Maybe that's something for you :)
@christianlempa lol, was looking for a challenge that I could host on a VPS without tailscale and whatnot. Testing it for a client, but they want a web UI to administer it.
Nice video. 1 question: when you recreate the container to add more peers, are the existing peer tokens changed?
I believe they don't, only when you decrease the number of course
I have a VDS. I have 2 public IPs. I want to run 2 Docker containers and have each one use its own public IP. How can I achieve this?
Am I correct in assuming that remaking the docker to add more users resets everybody's existing access to the VPN server?
Nevermind I found my answer for this question!
When you add peer 2 and recreate the container, does it not recreate peer 1 too?
Just a question on the first part where you are talking about expectations: is the "privacy" aspect due to the client browser using a tunnel to the VPN provider's server to exit with the request to the open internet from a server in another location, and then the requests and responses go over the VPN to that public browser and back to the client browser? So only the VPN provider knows the location and identity of the client browser. After that the client browser has to take care of cookies and other identity issues? BUT your point on WireGuard is that my wireguard server does not provide that service at all.
This was about VPN providers (not self-hosted Wireguard) that advertise their services with "Privacy" and "Security". But in my opinion it gives customers a wrong expectation. VPN services provide no additional privacy or security at all; the IP address is literally the most unimportant way of tracking users nowadays. I probably should make a separate video on that topic.
Hey :)
Do you first port forward port 51820 on your router and then do this?
If your wireguard server is behind a NAT device (such as a router, firewall, etc.) you need to forward the port to your local wireguard server. But if it's running on a cloud server and your client is behind a router, you don't need to do this, as the client will initiate the connection. Note that in this scenario it could make sense to add the "keep-alive" packets as I've shown in my previous WireGuard video; that prevents the NAT device from timing out the UDP connection when you don't send traffic for a longer time. I hope this helps :)
@christianlempa thanks
In my case I have to port forward ^^
Hey! I am having trouble running the container for wireguard. Always get an error in the log: s6-overlay-suexec: fatal: can only run as pid 1 Do you know how to fix it? Running it on the x64 portainer on CoreELEC Docker
How can I download the resolvconf package on Windows?
Hi and thanks for the vid.
Everything seems to be up and running in docker. I was able to get the peers, and when I run the app, in the logs I am not getting a handshake, so no internet. Anything I can try?
It was cool!
Hey Christian, one question. I installed wireguard in docker the way you explained in this great video, but docker runs in an LXC in Proxmox. It doesn't work. The VPN connection runs, I checked with the wg command. But I have no connection to the internet. Any ideas? Thanks and best regards!
Hello, switching from wireguard configured on a Rasp by pivpn to wireguard on docker, I noticed that I lost the PSK in the client's configuration. Basically, from a security perspective this is not good. Do you know if I can improve this feature in the docker file? Thank you!
Hey, haven't had this issue before myself :/
Why not install wireguard on the virtual machine instead of in a docker?
Maybe I missed it, but it looks to me like it only provides an internet connection over the docker, without access or further access on the server the way you did the setup. To do so the config needs more adders, such as local paths etc. to access. I run something similar with OpenVPN, but with access rights to my files outside the docker.
The video covers the use case of routing all traffic through the tunnel, so yes, it provides an internet connection, but you can also access internal services or internal resources on the wireguard server. You just need to access the internal IP address of the server. You could also use "network_mode: host" in the docker-compose file; in this case the docker container wouldn't create an isolated interface on the docker container but instead create a wg0 interface directly on the host system, where you can better deal with routing. So access to internal resources should work with both methods anyway.
@christianlempa I understand that, but I meant files on the same server as docker is installed. When in use for home stations it is likely to run on the same server or NAS.
@mebeingme947 You could access the files on your host server via smb or scp if you're using the internal IP of the server. The docker container might not be able to access the files directly, but it's just used to open a network connection from the client to the server. Whatever access controls you configure on the host, the client should be able to access it via network protocols.
What is the server URL in the Docker Compose file? Where did you get that? Is that your VM host IP address?
Hi Christian, what's the latest version of docker that I should install instead of 1.26.2?
It’s outdated, check the latest version
Nice thx!
You’re welcome
Do you know what problem is running here? I only got volume mapping before I map /etc/passwd and /etc/group to the container. What did I miss to solve in your sight? Thanks
Question: you installed it on docker, which is on your local machine? Asking because I'm curious if you can connect your machine to the docker image you created and then the IP changes.
I'm not quite sure what you mean by IP changes, but I usually deploy the wireguard server in a docker container which will be bridged to the host network. I simply then connect with my wireguard client installed directly on my local system (or deploy it in a docker container that uses the network_mode=host).
@christianlempa oh, I see, so you have an external server where you deploy this image/container. I tried to have it on local and then connect to it, I tried an inception thing, but it seems it went into a loop. Thanks for your time.
I tried a lot of times but I don't know why it is not working for me to configure it all the way :( Could you make a video about WireGuard client docker too?
Excellent video! I was having a hard time with wireguard, but on docker this is a breeze. One question though. My home IPs are in the 192.168.1.* range. When I am at a friend's house connected to his wifi, which also has IPs in the 192.168.1.* range (which is the most common setup in most houses), and I connect to my wireguard server at home, I can't browse my home's local network where my NAS is located. When I use my phone and connect to 4G and then wireguard, I can browse the local network just fine. I assume there is some issue when the local network and the network being used to provide the wireguard client internet access are on the same IP range. Is there a solution for this, or do I have to change my home IP setup to use something different than 192.168.1.*? Thank you.
Thanks mate! Managing VPNs with the same subnets on 2 different locations is tricky. There are solutions like 1-to-1 NAT which work, but it's not trivial to set up. The easiest way is to change the subnet on one location to something else.
I want to ask something about the VPN server. There is something whose logic I can't quite understand. I will be glad if you can help with that. For example, I'm using a Raspberry Pi as a VPN server at home and it's connected to my home network. My home internet speed is 25 Mbps download and 5 Mbps upload. For example, I go to the office, and the internet speed is 100 Mbps download and 100 Mbps upload at the office. If I connect to my VPN server, what should the speedtest/fast test result be? I mean, should my home network upload speed be my download speed outside? Could you please explain that? Because when I test at the office I can see 30-40 Mbps, but normally my home network download speed is 25 and upload speed is 5 Mbps.
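The subnet collision discussed in the exchange above can be checked before travelling. The following is an added example, not part of the original comments or the video: the function names, the sample config and the carrier range are constructed for illustration. It reads the AllowedIPs of a client config and reports the range that both the home LAN and the network you are currently on lay claim to.

```python
import ipaddress

# Constructed sample client config; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""


def allowed_ips(conf_text):
    """Return every network named on an AllowedIPs line of a WireGuard config."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def lan_conflict(conf_text, local_lan, home_lan):
    """Return the address range claimed by both LANs that the tunnel is also
    meant to carry, or None when the two sites do not collide."""
    local = ipaddress.ip_network(local_lan)
    home = ipaddress.ip_network(home_lan)
    if local.version != home.version or not local.overlaps(home):
        return None
    # CIDR blocks either nest or are disjoint, so the shared part is the
    # block with the longer prefix.
    shared = local if local.prefixlen >= home.prefixlen else home
    routed = any(n.version == shared.version and n.overlaps(shared)
                 for n in allowed_ips(conf_text))
    return shared if routed else None


if __name__ == "__main__":
    # Friend's Wi-Fi uses the same range as home: collision.
    print(lan_conflict(SAMPLE_CONF, "192.168.1.0/24", "192.168.1.0/24"))
    # Constructed mobile-carrier range: no collision, home LAN reachable.
    print(lan_conflict(SAMPLE_CONF, "10.64.0.0/16", "192.168.1.0/24"))
```

A non-None result means the home subnet needs renumbering or a NAT mapping, as the reply above says.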
When you're transmitting data from one location to another location it depends on the upstream/downstream bandwidth of your connection and if you're sending or receiving data.
Most ISPs have an asymmetric bandwidth, which means downloading is faster than uploading. For example, you transmit data from Point1 to Point2 because Point2 is downloading a file. In that case it will be limited by the max. upstream bandwidth of Point1 AND the max. downstream bandwidth of Point2. It will be limited by the smallest bandwidth.
Hope it was somehow understandable :D
@christianlempa Thanks for the detailed information
I am getting an error
+++++++++++++++ /o/wireguard-server> sudo docker-compose up -d
ERROR: yaml.scanner.ScannerError: mapping values are not allowed here
in "./docker-compose.yaml", line 2, column 19
I did not change anything in line 2 :(
Really good. Thanks, but how do I see Config Logs?
What do you mean by Config Logs exactly?
Great great great!!!
Great video, thanks for posting. I've set this up on the Free Tier of the Oracle Cloud service and it works great. The only issue I am running into is not being able to pull down the .conf files for the different peers. I am able to show the QR codes for each one (fine for iOS devices) but I need a .conf file for another machine and I get permission denied when I try to copy it to my local machine. I think it might be the chown command of the opt/wireguard-server directory, but I'm a noob at Linux and can't tell?
I just copy the text in it. Less of a hassle.
I created the container but I can't deploy it
Error message is: command not found
Why do you use the /opt folder? Am I causing issues by keeping my docker folder within my home ~/ folder?
It's just following the Unix naming convention. Nothing bad about using your home folder! :)
I would like to use a wireguard server in Docker. I do have a wg server and client installed on Ubuntu. However, I can't connect to the internet with the VPN. Maybe because both server and client are installed on one machine (Ubuntu 18.04). I'd like to try the wg server in Docker and the client on Ubuntu. Should I first remove the wg-server.conf and wg-client.conf I have right now from /etc/wireguard/ before I start to install the wg server in Docker?
I think the problem is because you're running it on the same machine. It could be a routing problem because you're somehow creating an infinite loop or something else. Better install a separate machine in a virtual environment and use this as your test-setup.
Can I deploy the wireguard container in docker rootless mode?