wireguard-ui
Docker deployment
When wireguard-ui container starts it breaks wireguard's routing table. Default route disappears and renders wireguard and wireguard-ui unusable.
I guess it's not wireguard-ui that did it. If linuxserver/wireguard does not find any wg conf file, the default gw will be deleted.
When I add a default gateway to wireguard container manually - everything starts to work again. I can create/delete users, and users can use VPN normally, until restart of course.
could you paste your docker-compose.yaml file here?
Sure thing.
Docker 24.0.7
Host OS: RockyLinux 9.2

```yaml
version: "3"
services:
  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      # Port for WireGuard-UI
      - "5000:5000"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    restart: unless-stopped
  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables showing active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=supa-sekret-pasvvord
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
```
Please notice the wg confs folder has been changed from `/config/` to `/config/wg_confs/`:

> 03.10.23: - Potentially Breaking Change: Support for multiple interfaces added. Wireguard confs moved to /config/wg_confs/. Any file with a .conf extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to wg0.conf.

So you need to change the volumes of wireguard.
Will try, thanks.
> So you need to change the volumes of wireguard.

I've changed the volume mapping for the wireguard container to `./config:/config/wg_confs` and recreated the containers.
Now if I start everything like this: `docker start wireguard wireguard-ui`
I have no default route in the wireguard container.
However, if I start the containers separately, first wireguard and wireguard-ui after, the default route remains and everything is working.
Yes, wireguard will delete the default route if no wg conf file is found. Actually, the wireguard container is not useful in your OS.
Just try this:

```yaml
version: "3"
services:
  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    ports:
      # Port for WireGuard-UI
      - "5000:5000"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=supa-sekret-pasvvord
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
```
I'm having the same problem.
- Raspberry Pi running openSUSE Leap 15.5
- When I start both containers at the same time, the default route is removed. I would be very pleased to get past this issue.
```yaml
---
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:1.0.20210914
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERPORT=51822
      - TZ=America/Los_Angeles
      - LOG_CONFS=true #optional
    volumes:
      - config:/config
    ports:
      # Port for WireGuard-UI
      - "5000:5000"
      # Port of the WireGuard VPN server
      - 51822:51822/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:0.5.2
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables showing active clients in the status page
    network_mode: service:wireguard
    environment:
      - TZ=America/Los_Angeles
      - SENDGRID_API_KEY
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=password
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    volumes:
      - db:/app/db
      - config:/etc/wireguard
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
volumes:
  config:
  db:
```
@permeable62 I've applied a scripted workaround by checking if the default route is installed, and if not - it gets installed within the container.
Here's my simple workaround script that I run on the host:
```sh
#!/bin/sh
# Create script to run in wireguard-ui container that will add the missing default route
cat <<'EOF' > /tmp/fdr
set -x
# Take the container's eth0 "src" address (field 9 of the kernel route line),
# keep its first three octets and assume the docker bridge gateway is .1
GATEWAY=$(/sbin/ip route | grep 'eth0 proto' | cut -f9 -d' ' | cut -f1-3 -d.).1
/sbin/ip route add default via $GATEWAY
EOF
# Copy the script to wireguard-ui
docker cp /tmp/fdr wireguard-ui:/usr/local/bin/fix-default-route-in-container
# Run the script
docker exec wireguard-ui sh /usr/local/bin/fix-default-route-in-container
exit 0
```
I had the same problem, searching for a solution for several days as sometimes wireguard-ui was reachable and sometimes not. I was going crazy ... The script from @permeable62 solves the problem.
I was wondering if there is a more docker-ish way of fixing the problem? Now, we need to execute the script in command line manually ...
I left out the automation parts. `/usr/local/bin/fix-default-route-in-wireguard` is the shell script above.

`/etc/systemd/system/fix-default-route-in-wireguard.service`:

```ini
[Unit]
Description=Fix missing default route in wireguard-ui
Requires=network.target
After=local-fs.target
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/fix-default-route-in-wireguard

[Install]
WantedBy=multi-user.target
```

and I execute it every minute.

`/etc/systemd/system/fix-default-route-in-wireguard.timer`:

```ini
[Unit]
Description=Fix missing default route in wireguard-ui

[Timer]
OnCalendar=*-*-* *:*:00

[Install]
WantedBy=multi-user.target
```
thanks @permeable62 for your reply. You're adding the service to the docker host, right?
I was hoping to solve the problem within the container with no external dependencies ... 😄
I looked into an internal solution but they required building a custom docker image which complicates release updates.
Hi all @permeable62 @phhoef. You can add it to docker Compose. I have added it in Portainer and it works great. Thank you for the suggestion on how to add the GW; now I just add `command: ....` and it works, no need to do any scripting. This works behind Traefik OK. I had an issue where after signing in it was always going back to the sign-in page in a circle... it was because of security headers.
```yaml
version: "3"
#https://github.com/ngoduykhanh/wireguard-ui
networks:
  netw:
    external: true
services:
  # WireGuard VPN service
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    hostname: wireguard
    restart: unless-stopped
    networks:
      - netw
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERURL=wg.example.com #optional
      - SERVERPORT=51820 #optional
      #- PEERS=1 #optional
      #- PEERDNS=auto #optional
      #- INTERNAL_SUBNET=192.168.99.0 #optional
      #- ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS=all #optional
      - LOG_CONFS=false #optional true to show QR code in log
    volumes:
      - /opt/docker/wireguard/config:/config
    ports:
      # Port for WireGuard-UI
      #- "80:5000"
      # Port of the WireGuard VPN server
      - "public_IP_address:51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    # This command is to make sure Default GW exists in the container
    command: bash -c "
      GATEWAY=$$(/sbin/ip route | grep 'eth0 proto' | cut -f9 -d' ' | cut -f1-3 -d.).1 &&
      /sbin/ip route add default via $$GATEWAY &&
      tail -f /dev/null
      "
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wireguard.entrypoints=https"
      - "traefik.http.routers.wireguard.rule=Host(`wg.example.com`)"
      - "traefik.http.routers.wireguard.service=wireguard-srv"
      - "traefik.http.routers.wireguard.tls=true"
      - "traefik.http.routers.wireguard.tls.certresolver=cloudflare"
      - "traefik.http.services.wireguard-srv.loadbalancer.passhostheader=true"
      - "traefik.http.services.wireguard-srv.loadbalancer.server.port=5000"
      - "traefik.http.middlewares.wireguard.forwardauth.trustforwardheader=true"
      - 'traefik.http.middlewares.wireguard.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email,X-WebAuth-User'
  wgui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wgui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables showing active clients in the status page
    network_mode: service:wireguard
    environment:
      - [email protected]
      - EMAIL_FROM_NAME=WireGuard
      - SMTP_HOSTNAME=mail.address.com
      - [email protected]
      - SMTP_PORT=587
      - SMTP_ENCRYPTION=STARTTLS
      - [email protected]
      - SMTP_PASSWORD='Pa$$w0rd'
      - SMTP_AUTH_TYPE=LOGIN
      - WGUI_DNS=9.9.9.9
      - SESSION_SECRET=superseecretepassword
      #- WGUI_USERNAME=admin
      #- WGUI_PASSWORD=password
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 10m
    volumes:
      - /opt/docker/wireguard/wgui_db:/app/db
      - /opt/docker/wireguard/config/wg_confs:/etc/wireguard
```
Yes, that works for me too. I just changed `tail -f /dev/null` to `sleep infinity`:

```yaml
    command: bash -c " GATEWAY=$$(/sbin/ip route | grep 'eth0 proto' | cut -f9 -d' ' | cut -f1-3 -d.).1 && /sbin/ip route add default via $$GATEWAY && sleep infinity"
```
Much appreciated
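Both the host-side script (run from a systemd timer every minute) and the compose `command:` above add the default route unconditionally, so a second run fails with "File exists" once the route is back. The script below is an added example, not code from this thread or from either project: it derives the gateway the same way (eth0's `src` address with the last octet replaced by `1`, which is an assumption about the docker bridge), but locates the `src` field by name instead of by position and only adds the route when no `default` entry exists, so it is safe to schedule repeatedly. The `SAMPLE_ROUTES` value is constructed for the dry run.

```sh
#!/bin/sh
# Added example (not from the thread): idempotent variant of the default-route fix.
# Assumption: the docker bridge gateway is the .1 address of eth0's subnet.

# Constructed sample of a container route table whose default route is missing
SAMPLE_ROUTES='172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.5'

# derive_gateway: route table on stdin -> guessed gateway on stdout (empty if no eth0 line)
derive_gateway() {
    awk '/dev eth0 proto/ {
        for (i = 1; i <= NF; i++) if ($i == "src") {
            split($(i + 1), o, "."); print o[1] "." o[2] "." o[3] ".1"; exit
        }
    }'
}

# plan_fix: route table as $1 -> prints "ok" (route present), "no-eth0" (cannot
# derive a gateway, exit 1) or the ip command that would restore the route
plan_fix() {
    if printf '%s\n' "$1" | grep -q '^default '; then
        echo ok
        return 0
    fi
    gw=$(printf '%s\n' "$1" | derive_gateway)
    if [ -z "$gw" ]; then
        echo no-eth0
        return 1
    fi
    echo "ip route add default via $gw"
}

# apply_fix: read the routing table of the named container and apply the plan
apply_fix() {
    container="${1:-wireguard}"
    routes=$(docker exec "$container" ip route) || return 1
    action=$(plan_fix "$routes") || { echo "$container: $action" >&2; return 1; }
    [ "$action" = ok ] && return 0
    # shellcheck disable=SC2086  # word splitting of the planned command is intended
    docker exec "$container" $action
}

# Invoke as `fix-default-route --apply [container]` from a timer; `--dry-run`
# shows the decision for the constructed sample without touching any container.
if [ "${1:-}" = "--apply" ]; then
    apply_fix "${2:-wireguard}"
elif [ "${1:-}" = "--dry-run" ]; then
    plan_fix "$SAMPLE_ROUTES"
fi
```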