WireGuard is an open-source VPN program and protocol developed by Jason A. Donenfeld, which has been integrated into the Linux kernel. WireGuard aims to achieve better performance than IPsec and OpenVPN. It is suitable for home or enterprise use, but not for circumventing censorship. Today, let's talk about how to easily install Wireguard using Docker.

Installing Wireguard with Docker

Manually installing WireGuard can be cumbersome, so here we choose to use Docker to install Wireguard. Make sure you have Docker installed and then execute the following command:

docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Asia/Shanghai \
  -e SERVERURL=xxx.com `#optional` \
  -e SERVERPORT=51820 `#optional` \
  -e PEERS=1 `#optional` \
  -e PEERDNS=auto `#optional` \
  -e INTERNAL_SUBNET=10.13.13.0 `#optional` \
  -e ALLOWEDIPS=0.0.0.0/0 `#optional` \
  -p 51820:51820/udp \
  -v /apps/wireguard/config:/config \
  -v /apps/wireguard/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard

A brief explanation of the above parameters:

• PUID/PGID refers to user ID and group ID, which can be obtained in the Linux terminal using the id command and then replaced with your own ID.
• SERVERURL refers to the public access address, which can be filled in with a public IP or domain name. If filled in incorrectly, it can be manually modified later.
• /apps/wireguard/config and /apps/wireguard/modules should be changed to the mount directories on your local machine.
• PEERS=1 indicates the number of users to be created, default is 1, the number can be modified as needed.

If you prefer to use Docker Compose for deployment, you can use the following docker-compose.yaml file:

version: '3'
services:
 wireguard:
   image: linuxserver/wireguard
   container_name: wireguard
   cap_add:
     - NET_ADMIN
     - SYS_MODULE
   environment:
     - PUID=1000
     - PGID=1000
     - TZ=Asia/Shanghai
     - SERVERURL=xxx.com
     - SERVERPORT=51820 #optional
     - PEERS=3 #optional
     - PEERDNS=auto #optional
     - INTERNAL_SUBNET=10.13.13.0 #optional
     - ALLOWEDIPS=0.0.0.0/0 #optional
   ports:
     - "51820:51820/udp"
   volumes:
     - ./config:/config
     - ./modules:/lib/modules
   sysctls:
     - net.ipv4.conf.all.src_valid_mark=1
   restart: unless-stopped

Client Usage

Android Client:

Simply search for "Wireguard" on the Google Play Store, or visit the following addresses (may require a VPN):

• Google Play Store: https://play.google.com/store/apps/details?id=com.wireguard.android
• F-Droid: https://f-droid.org/en/packages/com.wireguard.android/

After installation, find the peer1.png image file in your Docker mount directory /apps/wireguard/config/peer1/ and scan it with the Android client to import the configuration.

Other Clients

The Wireguard client is supported on all platforms. For Windows/macOS and other client installations, please refer to the official documentation: https://www.wireguard.com/install/

After installing other clients, you can export the configuration from the Android client (a compressed file) and then import the configuration by opening the compressed file in the other client.

Notes

Each Wireguard server (container) can only be used by one client at a time. If you need multiple clients to connect simultaneously, you will need to create multiple Docker containers.

If there are connection errors, pay attention to the client and server logs.

Personal Practice

1. Browsing the internet securely at home through the router
2. Installing Wireguard through a Docker container
3. DDNS + public IP mapping
4. Connecting to Wireguard with the Android client, easily accessing the home network, and enabling secure internet access on Android

Conclusion

Wireguard uses the UDP protocol, which provides excellent performance but can easily be limited by ISPs. Additionally, the Wireguard protocol is easily identifiable, so it is not suitable for circumventing censorship, but it can be used as a home VPN.

Wireguard Image URL: https://hub.docker.com/r/linuxserver/wireguard Wireguard Official Website: https://www.wireguard.com/