opened image

    As you know, WireGuard is a VPN that allows us to securely tunnel both our personal network and surfing. This gives us secure and reliable Internet access from a smartphone or personal computer.

    How to install it on a clean server can be found in this article.

    In this tutorial, we'll look at how to install WireGuard in a Docker container using Docker Compose.

    Let's install Docker.

    But first, you need to update the OS packages.
    apt update

    Install the necessary packages and add a new repository:

    apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
    curl -fsSL | sudo apt key add -
    add-apt-repository "deb [arch=amd64] $(lsb_release -cs) stable"

    Update the packages with the new repository:


    apt update

    Now let's install Docker itself.

    apt-get install docker-ce docker-ce-cli

    Let's check the version:

    docker --version

    Check status:

    systemctl status docker

    If it did not start, then run:

    systemctl start docker

    And add to autorun.

    systemctl enable docker




    Install Docker Compose

    For this project, version 1.25 will be enough for us.

    curl -L "$(uname -s)-$(uname -m)" -o /usr/local/bin /docker-compose

    Set permissions to launch.

    chmod +x /usr/local/bin/docker-compose

    Check how Docker-Compose was installed:

    docker-compose --version

    Add a Linux user to the docker group:

    usermod -aG docker $USER

    Let's create a *.yaml file for Docker-Compose.

    In order to orient in the future in what we have installed, let's create a separate folder for this project in the /opt directory and go to it.

    mkdir /opt/wireguard-server && cd /opt/wireguard-server

    You can also use your /home directory to host this and other projects.

    Let's use the linuxserver repository to create the docker-compose.yaml file at

    Create a docker-compose.yaml or docker-compose.yml file,

    vim docker-compose.yaml

    And add the following code to it:

    version: "2.1"
        container_name: wireguard
          - SYS_MODULE
          - PUID=0
          - PGID=0
          - TZ=Europe/Amsterdam
          - SERVERURL=auto
          - SERVERPORT=51820
          - PEERS=1
          - PEERDNS=
          - INTERNAL_SUBNET=
          - ALLOWEDIPS=
          - LOG_CONFS=true
          - /opt/wireguard-server/config:/config
          - /lib/modules:/lib/modules
          - 51820:51820/udp
          - net.ipv4.conf.all.src_valid_mark=1
        restart: always


    container_name: name of your container;
    TZ=: time zone, you can change it to the desired one, but for anonymity it is better to leave Europe/Amsterdam;
    SERVERPORT=: random port on which your VPN will work. It will also need to be registered in ports.
    PEERS=: number of users. They can be increased to the required amount;
    51820:51820/udp - forwarded ports.

    Run our script (to do this, you need to be in the directory where our file was created. In this case, it is /opt/wireguard-server/):

    docker-compose up -d

    We are waiting for the download of images, and deployment.

    We check:

    docker-compose ps


    docker ps

    You can also do this with one command in docker:

    docker run -d \\ --name=wireguard \\ --cap-add=NET_ADMIN \\ --cap-add=SYS_MODULE \\ -e PUID=0 \\ -e PGID=0 \\ -e TZ=Europe/Amsterdam \\ -e SERVERURL=auto \\ -e SERVERPORT=51820 \\ -e PEERS=1 \\ -e PEERDNS= \\ -e INTERNAL_SUBNET= \\ -e ALLOWEDIPS= \\ -e LOG_CONFS=true \\ -p 51820:51820/udp \\ -v /opt/wireguard-server/config:/config \\ -v /lib/modules:/lib/modules \\ --sysctl="net.ipv4.conf.all.src_valid_mark=1" \\ --restart always \\

    To generate a QR code for a smartphone:


    docker exec -it wireguard /app/show-peer 1


    1 is the first config/user.


    All configuration files and QR codes are located in /opt/wireguard-server/config/peer*

    How to create additional users.

    To do this, you just need to change the PEERS directive in the docker-compose.yaml file

    In order for the changes to be applied, we recreate our container:

    docker-compose up -d --force-recreate

    Also, for anonymity, disable ping on the host server:

    echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf

    And apply the changes:

    sysctl -p

    Happy surfing.