WireGuard is a simple, fast, modern, general purpose VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, and considerably more performant than OpenVPN.
Wireguard Server
Setup
https://github.com/wg-easy/wg-easy:
Stack config: https://github.com/one137/dockerhost-stacks/blob/main/stacks/40-wireguard-easy.yml
Note: DNSMasq is an optional and debatable addition. See Why.
Add ct-npm to 40-wireguard-easy_static network.
Set up a 51820 (or ${WG_PORT}) UDP stream in NPM (Nginx Proxy Manager), through the UI or:
curl -sX POST -H "Authorization: Bearer ${NPM_TOKEN}" -H "Content-Type:application/json" -d '{"incoming_port": 51820, "forwarding_port": 51820, "forwarding_host": "ct-wireguard-easy", "tcp_forwarding": false, "udp_forwarding": true}' http://localhost:81/api/nginx/streams | jq
On the router, forward UDP port 51820 (or ${WG_PORT}) to dockerhost/192.168.137.13 on the same port 51820 (or ${WG_PORT}).
If using a custom DNSMasq as default DNS server, make sure to set the correct IP in WG_DEFAULT_DNS. See DNSMasq.
Wireguard Client
Setup
Stack config: https://github.com/one137/dockerhost-stacks/blob/main/stacks/40-wireguard-client.yml
Add the VPN client config to /srv/docker/volumes/wireguard-client/wg_confs/wg0.conf (a file with “[Interface]”, “[Peer]”, etc. sections), then chown it to dockeruser and chmod it to 600 (it contains the private key).
Add ct-npm to 40-wireguard-client_default network.
Force other containers to use Wireguard for their traffic by setting network_mode: "container:ct-wgclient" in their stack.
Restarting this container requires restarting (possibly recreating) other containers using it for their network.
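Before mounting wg0.conf, it is worth checking that the file actually has the sections and keys a full-tunnel client needs and that it is not group/world readable. The following is an added example, not code from wg-easy or the stacks repository: a small validator for WireGuard's INI-like config format. The required-key sets are an assumption (DNS and PresharedKey are treated as optional), and the sample config is constructed with placeholder key values.

```python
import os, stat

# Keys a full-tunnel client config needs (assumption; DNS and PresharedKey are optional).
REQUIRED = {"Interface": {"PrivateKey", "Address"},
            "Peer": {"PublicKey", "Endpoint", "AllowedIPs"}}

# Constructed sample in the shape of wg0.conf; the key values are placeholders, not real keys.
SAMPLE_CONF = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NOT_REAL=
Address = 10.64.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_NOT_REAL=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
"""

def parse_wg_conf(text):
    """Parse WireGuard's INI-like format into [(section, {key: value}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError("unparseable line: %r" % raw)
    return sections

def check_wg_conf(text, mode):
    """Return a list of problems for a config text and its file mode bits; [] means usable."""
    problems = []
    if mode & 0o077:  # the file holds the private key, so only the owner may read it
        problems.append("mode %o is group/world accessible, expected 600" % mode)
    sections = parse_wg_conf(text)
    names = [name for name, _ in sections]
    if names.count("Interface") != 1 or "Peer" not in names:
        problems.append("expected exactly one [Interface] and at least one [Peer]")
    for name, keys in sections:
        for missing in sorted(REQUIRED.get(name, set()) - set(keys)):
            problems.append("[%s] is missing %s" % (name, missing))
    return problems

def check_wg_file(path):
    """Check a config on disk, e.g. the mounted wg_confs/wg0.conf."""
    with open(path) as fh:
        return check_wg_conf(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

Run check_wg_file("/srv/docker/volumes/wireguard-client/wg_confs/wg0.conf") on the host after copying the config in; an empty list means the file is complete and owner-only readable.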
Test VPN connection
docker exec -it ct-wireguard-client /bin/bash
ping 1.1.1.1
curl https://am.i.mullvad.net/json # look for "mullvad_exit_ip":true