{"id":31946765,"url":"https://github.com/digitallyrefined/docker-wireguard-tunnel","last_synced_at":"2025-10-14T11:23:10.762Z","repository":{"id":160877634,"uuid":"635679788","full_name":"DigitallyRefined/docker-wireguard-tunnel","owner":"DigitallyRefined","description":"Connect two or more Docker servers together sharing container ports between them via a WireGuard tunnel","archived":false,"fork":false,"pushed_at":"2025-08-22T08:21:33.000Z","size":335,"stargazers_count":100,"open_issues_count":0,"forks_count":11,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-22T10:27:31.231Z","etag":null,"topics":["docker-tunnel","encription","security","tunnel","tunnel-client","tunnel-server","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DigitallyRefined.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":"FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"liberapay":"DigitallyRefined"}},"created_at":"2023-05-03T08:15:19.000Z","updated_at":"2025-08-22T08:21:36.000Z","dependencies_parsed_at":"2024-01-27T05:23:55.403Z","dependency_job_id":"c68c538a-36ba-4b22-b286-cb49f956c1a6","html_url":"https://github.com/DigitallyRefined/docker-wireguard-tunnel","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/DigitallyRefined/docker-wireguard-tunnel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DigitallyRefined%2Fdocker-wireguard-tunnel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DigitallyRefined%2Fdocker-wireguard-tunnel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DigitallyRefined%2Fdocker-wireguard-tunnel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DigitallyRefined%2Fdocker-wireguard-tunnel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DigitallyRefined","download_url":"https://codeload.github.com/DigitallyRefined/docker-wireguard-tunnel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DigitallyRefined%2Fdocker-wireguard-tunnel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279019102,"owners_count":26086513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker-tunnel","encription","security","tunnel","tunnel-client","tunnel-server","wireguard"],"created_at":"2025-10-14T11:23:04.339Z","updated_at":"2025-10-14T11:23:10.756Z","avatar_url":"https://github.com/DigitallyRefined.png","language":"Shell","funding_links":["https://liberapay.com/DigitallyRefined"],"categories":[],"sub_categories":[],"readme":"# Docker WireGuard Tunnel\n\n[![Build and push workflow](https://github.com/DigitallyRefined/docker-wireguard-tunnel/actions/workflows/build-and-push.yml/badge.svg)](https://github.com/DigitallyRefined/docker-wireguard-tunnel/actions/workflows/build-and-push.yml)\n[![Check for updates workflow](https://github.com/DigitallyRefined/docker-wireguard-tunnel/actions/workflows/check-for-updates.yml/badge.svg)](https://github.com/DigitallyRefined/docker-wireguard-tunnel/actions/workflows/check-for-updates.yml)\n[![Container registry](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fdigitallyrefined.github.io%2Fbackage%2FDigitallyRefined%2Fdocker-wireguard-tunnel%2Fdocker-wireguard-tunnel.json\u0026query=%24.downloads\u0026label=Pulls)](https://github.com/DigitallyRefined/docker-wireguard-tunnel/pkgs/container/docker-wireguard-tunnel)\n[![Container registry](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fdigitallyrefined.github.io%2Fbackage%2FDigitallyRefined%2Fdocker-wireguard-tunnel%2Fdocker-wireguard-tunnel.json\u0026query=%24.downloads_month\u0026label=Pulls%20per%20month)](https://github.com/DigitallyRefined/docker-wireguard-tunnel/pkgs/container/docker-wireguard-tunnel)\n\nConnect two or more Docker servers together sharing container ports between them via a [WireGuard](https://www.wireguard.com/) tunnel.\n\nFor example a Docker server without a public IP address behind a NAT can expose container ports to another Docker server that has a public IP address to allow incoming connections.\n\n![Example Topology](docker-wireguard-tunnel.png)\n\n## Usage Example\n\nThis assumes that you have already setup a subdomain DNS entry for your domain, for example:  \n`wireguard-tunnel.example.com`\n\n### Server\n\nWill accept connections on behalf of a peer and tunnel them to the designated peer.\n\n`docker-compose.yml`\n\n```yml\nservices:\n  wireguard-tunnel-server:\n    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3\n    container_name: wireguard-tunnel-server\n    environment:\n      # Update to your domain\n      - DOMAIN=wireguard-tunnel.example.com\n      # Number of peers to auto generate config for\n      - PEERS=1\n      # Services to expose format (comma-separated)\n      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as\n      - SERVICES=peer1:nginx:80:8080,peer1:nginx-demo:80:8081\n    cap_add:\n      - NET_ADMIN\n    volumes:\n      - ./config:/etc/wireguard\n    restart: unless-stopped\n    ports:\n      - '51820:51820/udp'\n      - 8080:8080\n      - 8081:8081\n```\n\n```bash\ndocker compose up -d\ndocker compose logs -f\n```\n\nOnce started, a `peer1.conf` file will be automatically generated in the `config` directory.\n\n### Peer\n\nWill connect to the server via WireGuard and setup a tunnel to expose the listed ports.\n\nMove the `config/peer1.conf` file from the server that was automatically generated and rename it to `config/wg0.conf` on the peer.\n\n`docker-compose.yml`\n\n```yml\nservices:\n  wireguard-tunnel-peer:\n    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3\n    container_name: wireguard-tunnel-peer\n    environment:\n      # Note that DOMAIN \u0026 PEERS are not required for the peer\n      # Services to expose format (comma-separated)\n      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as\n      - SERVICES=peer1:nginx:80:8080,peer1:nginx-demo:80:8081\n    cap_add:\n      - NET_ADMIN\n    volumes:\n      - ./config:/etc/wireguard\n    restart: unless-stopped\n    init: true\n    healthcheck:\n      test: ping 10.0.0.254 -c 1 || bash -c 'kill -s 15 -1 \u0026\u0026 (sleep 10; kill -s 9 -1)'\n      interval: 60s\n      timeout: 30s\n      retries: 3\n      start_period: 20s\n    links:\n      - nginx:nginx\n      - nginx-demo:nginx-demo\n\n  nginx:\n    image: nginx\n    restart: unless-stopped\n\n  nginx-demo:\n    image: nginxdemos/hello\n    restart: unless-stopped\n```\n\n```bash\ndocker compose up -d\ndocker compose logs -f\n```\n\nNote: if you have a firewall in front of your server you will need to allow connections on port `51820/udp` for the WireGuard server, and connections on ports `8080` and `8081` for the 2 demo nginx servers.\n\nOnce started you should be able to access both nginx servers via their exposed ports on the WireGuard server, for example:  \n`wireguard-tunnel.example.com:8080` and `wireguard-tunnel.example.com:8081`\n\nYou may want to combine the WireGuard tunnel server with [Traefik](example-tls-traefik.md) or [Nginx Proxy Manager](https://nginxproxymanager.com/) or use a 3rd party service such as [Fly.io](example-tls-fly-io.md).\n\nExamples using Docker WireGuard Tunnel with:\n\n* [Traefik](example-tls-traefik.md) to automatically provision TLS/HTTPS certificates\n* [Fly.io](example-tls-fly-io.md) to provision a server, subdomain and TLS/HTTPS certificates\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigitallyrefined%2Fdocker-wireguard-tunnel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdigitallyrefined%2Fdocker-wireguard-tunnel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigitallyrefined%2Fdocker-wireguard-tunnel/lists"}