WireGuard — is the latest VPN server that attracts attention with its high performance, security and ease of configuration. However, managing WireGuard can be made even easier by using the graphical user interface (GUI) in a Docker environment. In this guide, we will look at how to install and configure the WireGuard GUI using Docker and Docker-compose.
1. Preparing to install Docker:
Before we get started, let's update the package manager and install the necessary components:
apt-get update
apt-get install ca-certificates curl gnupg
The next step — adding the Docker repository key:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.gpg
Now let's add the Docker repository itself:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Update and install Docker:
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
To verify that the installation was successful:
docker --version
Activate Docker autorun on system boot:
systemctl enable docker
2. Installing Docker-compose:
To install Docker-compose, run the following commands:
curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
To check:
docker-compose --version
3. Installing and configuring the WireGuard GUI:
Go to or create a directory for configuration:
mkdir -p /home/wireguard && cd /home/wireguard
Create the file docker-compose.yaml
:
vim docker-compose.yaml
Paste the following configuration into the file:
volumes:
etc_wireguard:
services:
wg-easy:
environment:
# Change Language:
# (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi, ja, si)
- LANG=en
# ⚠️ Required:
# Change this to your host's public address
- WG_HOST=SERVER_IP
# Optional:
# - PASSWORD_HASH=YOR_ADMIN_PASSWORD
# - PORT=51821
# - WG_PORT=51820
# - WG_CONFIG_PORT=92820
# - WG_DEFAULT_ADDRESS=10.8.0.x
# - WG_DEFAULT_DNS=1.1.1.1
# - WG_MTU=1420
# - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
# - WG_PERSISTENT_KEEPALIVE=25
# - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
# - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
# - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
# - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
# - UI_TRAFFIC_STATS=true
# - UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
# - WG_ENABLE_ONE_TIME_LINKS=true
# - UI_ENABLE_SORT_CLIENTS=true
# - WG_ENABLE_EXPIRES_TIME=true
# - ENABLE_PROMETHEUS_METRICS=false
# - PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$vkvKpeEAHD78gasyawIod.1leBMKg8sBwKW.pQyNsq78bXV3INf2G # (needs double $$, hash of 'prometheus_password'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
image: ghcr.io/wg-easy/wg-easy
container_name: wg-easy
volumes:
- etc_wireguard:/etc/wireguard
ports:
- "51820:51820/udp"
- "51821:51821/tcp"
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
# - NET_RAW # ⚠️ Uncomment if using Podman
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
Don't forget to replace YOUR_SERVER_IP
and YOUR_ADMIN_PASSWORD
with the appropriate values.
YOUR_ADMIN_PASSWORD - you need to generate a hash password via bcrypt.
To generate a bcrypt password hash using docker, run the following command:
docker run -it ghcr.io/wg-easy/wg-easy wgpw YOUR_PASSWORD
PASSWORD_HASH='$2b$12$coPqCsPtcFO.Ab99xylBNOW4.Iu7OOA2/ZIboHN6/oyxca3MWo7fW' // literally YOUR_PASSWORD
Important: Please note: do not enclose the generated password hash in single quotes when using docker-compose.yml. Instead, replace each $ character with two $$ characters.
In the environment
section of the docker-compose.yml
file, you can add the following variables:
environment:
- WG_HOST=vpn.myserver.com # The public domain name of your VPN server.
- PASSWORD=foobar123 # The password to log in to the Web UI.
- WG_PORT=12345 # The public UDP port of your VPN server. WireGuard will always listen on port 51820 inside the Docker container.
- WG_MTU=1420 # MTU that clients will use. The server uses the default MTU from WireGuard.
- WG_PERSISTENT_KEEPALIVE=25 # The value in seconds to keep the "connection" open.
- WG_DEFAULT_ADDRESS=10.6.0.x # The clients IP address range.
- WG_DEFAULT_DNS=8.8.8.8.8, 8.8.4.4 # DNS server that clients will use.
- WG_ALLOWED_IPS=192.168.15.0.0/24, 10.0.1.0.0/24 # Allowed IP addresses that clients will use.
WG_ALLOWED_IPS
defines which IP addresses and networks are allowed for traffic through WireGuard. This is the definition of what traffic will be routed through the VPN.
WG_ALLOWED_IPS
.
When you connect to a VPN, your device sends traffic to the Internet through that VPN server. But not all traffic has to go through the VPN; you can determine what traffic should be routed through the VPN using authorized IP addresses.
Example:
WG_ALLOWED_IPS=0.0.0.0.0/0, ::/0
: This means that all traffic (IPv4 and IPv6) will be routed through the VPN.0.0.0.0.0/0
covers all IPv4 addresses, and::/0
covers all IPv6 addresses.WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
: This means that only traffic destined for IP addresses in the ranges 192.168.15.0 - 192.168.15.255 and 10.0.1.0 - 10.0.1.255 will be routed through the VPN. All other traffic will be routed directly, bypassing the VPN.
So WG_ALLOWED_IPS
allows you to control exactly what traffic will be sent through the VPN tunnel. This can be useful, for example, if you want only certain applications or devices to use the VPN and the rest of the traffic to go directly through the VPN tunnel.
It's also important to note that if you change the WG_PORT
value, you should also change the configured ports in the ports
section of your docker-compose.yml
file. For example, if you set WG_PORT=12345
, the ports should look like this:
ports:
- "12345:51820/udp"
- "12345:51821/tcp"
Then simply launch the WireGuard GUI:
docker-compose up -d
Now you have a functioning WireGuard with a graphical user interface accessible through your browser!
You can connect via IP:PORT. In this case IP:55444 The password to the panel we have set in the environment
block.
WireGuard GUI in a Docker environment provides a simple and effective solution for managing your VPN. This guide will help you quickly set up and start using this tool, providing a high degree of security and convenience for your network.
WireGuard GUI in Docker provides a simple and effective solution for managing your VPN.
We also suggest you other useful articles: