By zulphiqarCategories: Linux, Servers

WireGuard — is the latest VPN server that attracts attention with its high performance, security and ease of configuration. However, managing WireGuard can be made even easier by using the graphical user interface (GUI) in a Docker environment. In this guide, we will look at how to install and configure the WireGuard GUI using Docker and Docker-compose.

 

1. Preparing to install Docker:

 

Before we get started, let’s update the package manager and install the necessary components:

apt-get update 
apt-get install ca-certificates curl gnupg

 

The next step — adding the Docker repository key:

 

install -m 0755 -d /etc/apt/keyrings 
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.gpg

 

Now let’s add the Docker repository itself:

 

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

 

Update and install Docker:

apt-get update 
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

 

To verify that the installation was successful:

docker --version

 

 

Activate Docker autorun on system boot:

systemctl enable docker

 

 

2. Installing Docker-compose:

 

To install Docker-compose, run the following commands:

curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose 
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose 
chmod +x /usr/local/bin/docker-compose

 

To check:

docker-compose --version

 

 

3. Installing and configuring the WireGuard GUI:

 

Go to or create a directory for configuration:

mkdir -p /home/wireguard && cd /home/wireguard

 

Create the file docker-compose.yaml:

vim docker-compose.yaml

 

Paste the following configuration into the file:

volumes:
  etc_wireguard:

services:
  wg-easy:
    environment:
      # Change Language:
      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi, ja, si)
      - LANG=en
      # ⚠️ Required:
      # Change this to your host's public address
      - WG_HOST=SERVER_IP

      # Optional:
      # - PASSWORD_HASH=YOR_ADMIN_PASSWORD
      # - PORT=51821
      # - WG_PORT=51820
      # - WG_CONFIG_PORT=92820
      # - WG_DEFAULT_ADDRESS=10.8.0.x
      # - WG_DEFAULT_DNS=1.1.1.1
      # - WG_MTU=1420
      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
      # - WG_PERSISTENT_KEEPALIVE=25
      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
      # - UI_TRAFFIC_STATS=true
      # - UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
      # - WG_ENABLE_ONE_TIME_LINKS=true
      # - UI_ENABLE_SORT_CLIENTS=true
      # - WG_ENABLE_EXPIRES_TIME=true
      # - ENABLE_PROMETHEUS_METRICS=false
      # - PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$vkvKpeEAHD78gasyawIod.1leBMKg8sBwKW.pQyNsq78bXV3INf2G # (needs double $$, hash of 'prometheus_password'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)

    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - etc_wireguard:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠️ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

 

 

Don’t forget to replace YOUR_SERVER_IP and YOUR_ADMIN_PASSWORD with the appropriate values.

 

YOUR_ADMIN_PASSWORD – you need to generate a hash password via bcrypt​​​​​​​.

To generate a bcrypt password hash using docker, run the following command:​​​​​​​

 

docker run -it ghcr.io/wg-easy/wg-easy wgpw YOUR_PASSWORD
PASSWORD_HASH='$2b$12$coPqCsPtcFO.Ab99xylBNOW4.Iu7OOA2/ZIboHN6/oyxca3MWo7fW' // literally YOUR_PASSWORD

 

Important: Please note: do not enclose the generated password hash in single quotes when using docker-compose.yml. Instead, replace each $ character with two $$ characters.

 

In the environment section of the docker-compose.yml file, you can add the following variables:

environment:
- WG_HOST=vpn.myserver.com # The public domain name of your VPN server. 
- PASSWORD=foobar123 # The password to log in to the Web UI. 
- WG_PORT=12345 # The public UDP port of your VPN server. WireGuard will always listen on port 51820 inside the Docker container. 
- WG_MTU=1420 # MTU that clients will use. The server uses the default MTU from WireGuard. 
- WG_PERSISTENT_KEEPALIVE=25 # The value in seconds to keep the "connection" open. 
- WG_DEFAULT_ADDRESS=10.6.0.x # The clients IP address range.
- WG_DEFAULT_DNS=8.8.8.8.8, 8.8.4.4 # DNS server that clients will use. 
- WG_ALLOWED_IPS=192.168.15.0.0/24, 10.0.1.0.0/24 # Allowed IP addresses that clients will use.

 

WG_ALLOWED_IPS defines which IP addresses and networks are allowed for traffic through WireGuard. This is the definition of what traffic will be routed through the VPN.

WG_ALLOWED_IPS.

 

When you connect to a VPN, your device sends traffic to the Internet through that VPN server. But not all traffic has to go through the VPN; you can determine what traffic should be routed through the VPN using authorized IP addresses.

Example:

  • WG_ALLOWED_IPS=0.0.0.0.0/0, ::/0: This means that all traffic (IPv4 and IPv6) will be routed through the VPN. 0.0.0.0.0/0 covers all IPv4 addresses, and ::/0 covers all IPv6 addresses.
  • WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24: This means that only traffic destined for IP addresses in the ranges 192.168.15.0 – 192.168.15.255 and 10.0.1.0 – 10.0.1.255 will be routed through the VPN. All other traffic will be routed directly, bypassing the VPN.

So WG_ALLOWED_IPS allows you to control exactly what traffic will be sent through the VPN tunnel. This can be useful, for example, if you want only certain applications or devices to use the VPN and the rest of the traffic to go directly through the VPN tunnel.

 

It’s also important to note that if you change the WG_PORT value, you should also change the configured ports in the ports section of your docker-compose.yml file. For example, if you set WG_PORT=12345, the ports should look like this:

 

ports: 
- "12345:51820/udp" 
- "12345:51821/tcp"

 

 

Then simply launch the WireGuard GUI:

 

 docker-compose up -d

 

 

Now you have a functioning WireGuard with a graphical user interface accessible through your browser!

You can connect via IP:PORT. In this case IP:55444 The password to the panel we have set in the environment block.

 

 

 

 

WireGuard GUI in a Docker environment provides a simple and effective solution for managing your VPN. This guide will help you quickly set up and start using this tool, providing a high degree of security and convenience for your network.

WireGuard GUI in Docker provides a simple and effective solution for managing your VPN.

Leave a Reply