# WireGuard docker image using BoringTun WireGuard docker setup using BoringTun. ## Overview This project provides a docker image to create a simple personal WireGuard VPN using BoringTun. Using BoringTun enables the use of a userspace implementation on hosts that do not provide a WireGuard kernel module. Required configuration files will be generated on first run using environment variables. Client configurations are available as config files and QR codes. In addition to BoringTun, dnsmasq is included to provide dns forwarding and to resolve host names trough VPN. ## Build When creating the image, BoringTun is compiled in a docker build stage and later copied into final image. ``` $ docker-compose build ``` ## Run Customize the file `docker-compose`. You can change the following environment variables as needed * `DEVICE`: Some `tun` device, defaults to `tun0` * `SERVER_HOST`: The host name of your server * `SERVER_PORT`: The port the service should listen at * `NETWORK`: Some custom /24 network. Defaults to `192.168.42.0` * `NETWORK6`: Some custom /64 ipv6 network. Defaults to (partial) random unique local addresses starting with `fd42:` * `MTU`: MTU to be used. Use default wireguard MTU if not set. * `CLIENTS`: Number of clients for which configurations are to be created. Do not use more than 240 clients. * `DISABLE_FORWARD_ALL_TRAFFIC`: Use `true` or `yes` to not add iptables rules and do not forward all traffic. If a required environment variable is not set, config creation script will end with an error. ### Create config files Run the service to create required keys and config files in directory `config.d`. It will print out used configuration params. ``` $ docker-compose run wg init Starting wireguard_wg_1 ... done Attaching to wireguard_wg_1 wg_1 | - Writing config to file tun0.conf wg_1 | - Using endpoint hostname example.com wg_1 | - Using port 51820 wg_1 | - Using v4 network 192.168.42.0/24 wg_1 | - Using v6 network fd42:81e1:ae50:b0ee::/64 wg_1 | - Using default MTU wg_1 | - Forward all traffic wg_1 | - Generating 5 client configs wireguard_wg_1 exited with code 0 ``` To disable traffic forwarding set `DISABLE_FORWARD_ALL_TRAFFIC` to `true` or `yes` or use ``` $ docker-compose run wg init --no-forward ``` ### Start the service Start the service in detached mode. ``` $ docker-compose up -d ``` If creation of config files was skipped, configuration files will be created on first start. ### List server and client configs ``` $ docker-compose run wg ls ``` ### Add new client Stop the service and run ``` $ docker-compose run wg add ``` This will create new client configuration and adds peer configuration to server config file. Restart service. To add a client with existing public key run ``` $ docker-compose run wg add ``` and replace `` in command with public key created using `wg genkey`. The created client config will contain a placeholder for clients secret key in interface config. ``` ... [Interface] Address = 192.168.42.123/24 ListenPort = 51820 PrivateKey = ... ``` ### Remove client Stop the service and run ``` $ docker-compose run wg rm 1 ``` This will remove client with id '1' (or any other client for different id) configuration. Restart service. ### Show client config Run command to show client configuration and QR code. ``` $ docker-compose run wg show 1 ``` ### Remove configuration and create new one from scratch Stop the service and run the following command to remove existing config files. ``` $ docker-compose run wg purge ``` Reinitialize configureation ``` $ docker-compose run wg init ``` Restart service. ## Client configurations You will find client configuration files for each client as config file with client configuration in directory `config.d`.