{"id":13596104,"url":"https://github.com/masipcat/wireguard-go-docker","last_synced_at":"2025-04-07T16:18:53.690Z","repository":{"id":48704514,"uuid":"176550385","full_name":"masipcat/wireguard-go-docker","owner":"masipcat","description":"Wireguard docker image","archived":false,"fork":false,"pushed_at":"2024-07-08T16:28:30.000Z","size":45,"stargazers_count":201,"open_issues_count":6,"forks_count":43,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-31T13:18:43.688Z","etag":null,"topics":["docker","k8s","vpn","wireguard"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/masipcat/wireguard-go","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/masipcat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-19T16:04:18.000Z","updated_at":"2025-03-21T12:00:28.000Z","dependencies_parsed_at":"2024-07-08T20:42:52.042Z","dependency_job_id":null,"html_url":"https://github.com/masipcat/wireguard-go-docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masipcat%2Fwireguard-go-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masipcat%2Fwireguard-go-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masipcat%2Fwireguard-go-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masipcat%2Fwireguard-go-docker/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/masipcat","download_url":"https://codeload.github.com/masipcat/wireguard-go-docker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247685628,"owners_count":20979085,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","k8s","vpn","wireguard"],"created_at":"2024-08-01T16:02:08.289Z","updated_at":"2025-04-07T16:18:53.668Z","avatar_url":"https://github.com/masipcat.png","language":"Go","funding_links":[],"categories":["Go","vpn","Projects"],"sub_categories":["Deployment"],"readme":"# wireguard-go docker\n\n[![](https://img.shields.io/docker/v/masipcat/wireguard-go.svg?sort=semver)](https://hub.docker.com/r/masipcat/wireguard-go/tags) [![](https://img.shields.io/docker/pulls/masipcat/wireguard-go.svg)](https://hub.docker.com/r/masipcat/wireguard-go/tags) [![](https://img.shields.io/docker/image-size/masipcat/wireguard-go.svg)](https://hub.docker.com/r/masipcat/wireguard-go/tags)\n\n## Setup\n\nFirst of all you need a key pair for the server. 
Use the following command to generate the public and private keys:\n\n```bash\n# Generate privatekey\ndocker run --rm -i masipcat/wireguard-go wg genkey \u003e privatekey\n\n# Generate publickey from privatekey\ndocker run --rm -i masipcat/wireguard-go wg pubkey \u003c privatekey \u003e publickey\n```\n\n## Run server\n\n### Docker\n\n`docker-compose.yaml`\n```yaml\nversion: '3.3'\nservices:\n  wireguard:\n    image: masipcat/wireguard-go:latest\n    cap_add:\n     - NET_ADMIN\n    sysctls:\n     - net.ipv4.ip_forward=1\n    volumes:\n     - /dev/net/tun:/dev/net/tun\n     # Folder with 'publickey', 'privatekey' and 'wg0.conf'\n     - ./wireguard:/etc/wireguard\n    environment:\n     - WG_COLOR_MODE=always\n     - LOG_LEVEL=info\n    ports:\n     - 51820:51820/udp\n    # Uncomment the following line when 'AllowedIPs' is '0.0.0.0/0'\n    # privileged: true\n    restart: always\n```\n\n```\ndocker-compose up -d\n```\n\n### Kubernetes\n\nSteps to deploy Wireguard-go to a k8s cluster:\n\n1. Set the `privatekey` for the wireguard server in the `Secret` object\n2. Add at least one peer in `wg0.conf`\n3. 
Run `kubectl apply -f wireguard.yaml` to deploy wireguard\n\n`wireguard.yaml`\n```yaml\nkind: Secret\napiVersion: v1\nmetadata:\n  name: wg-secret\ntype: Opaque\ndata:\n  # Generate and encode the server private key: `wg genkey | base64`\n  privatekey: REPLACE_WITH_BASE64_PRIVKEY\n---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n  name: wg-configmap\ndata:\n  wg0.conf: |\n    [Interface]\n    Address = 10.33.0.1/24\n    ListenPort = 51820\n    PostUp = wg set wg0 private-key /etc/wireguard/privatekey \u0026\u0026 iptables -t nat -A POSTROUTING -s 10.33.0.0/24 -o eth0 -j MASQUERADE\n    PostDown = iptables -t nat -D POSTROUTING -s 10.33.0.0/24 -o eth0 -j MASQUERADE\n\n    # [Peer]\n    # PublicKey =\n    # AllowedIPs = 10.33.0.2/32\n---\nkind: Service\napiVersion: v1\nmetadata:\n  name: wireguard\n  labels:\n    app: wireguard\nspec:\n  type: LoadBalancer\n  ports:\n  - name: wg\n    protocol: UDP\n    port: 51820\n    targetPort: 51820\n  selector:\n    app: wireguard\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: wireguard\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: wireguard\n  template:\n    metadata:\n      labels:\n        app: wireguard\n    spec:\n      initContainers:\n        - name: sysctls\n          image: busybox\n          command:\n          - sh\n          - -c\n          - sysctl -w net.ipv4.ip_forward=1 \u0026\u0026 sysctl -w net.ipv4.conf.all.forwarding=1\n          securityContext:\n            capabilities:\n              add:\n                - NET_ADMIN\n            privileged: true\n      containers:\n        - name: wireguard\n          image: masipcat/wireguard-go:latest\n          command:\n          - sh\n          - -c\n          - echo \"Public key '$(wg pubkey \u003c /etc/wireguard/privatekey)'\" \u0026\u0026 /entrypoint.sh\n          ports:\n          - containerPort: 51820\n            protocol: UDP\n            name: wireguard\n          - containerPort: 8080\n            protocol: TCP\n        
    name: healthcheck\n          livenessProbe: \u0026probe\n            httpGet:\n              path: /\n              port: healthcheck\n          readinessProbe: *probe\n          env:\n          - name: LOG_LEVEL\n            value: info\n          - name: ENABLE_HEALTHCHECK\n            value: \"true\"\n          securityContext:\n            capabilities:\n              add:\n                - NET_ADMIN\n            privileged: true\n          resources:\n            requests:\n              memory: 64Mi\n              cpu: \"100m\"\n            limits:\n              memory: 256Mi\n          volumeMounts:\n          - name: cfgmap\n            mountPath: /etc/wireguard/wg0.conf\n            subPath: wg0.conf\n          - name: secret\n            mountPath: /etc/wireguard/privatekey\n            subPath: privatekey\n      volumes:\n      - name: cfgmap\n        configMap:\n          name: wg-configmap\n      - name: secret\n        secret:\n          secretName: wg-secret\n```\n\n## Client config examples\n\n### Basic\n\n`/etc/wireguard/wg0.conf`\n```conf\n[Interface]\n# Assign yourself an IP (one that's not in use) and add it to the server ConfigMap\nAddress = 10.33.0.2/32\n# Generate a private key using `wg genkey`\nPrivateKey = \u003cyour private key\u003e\n\n[Peer]\n# Wireguard server public key\nPublicKey = AbC...XyZ=\n# LoadBalancer IP (replace with your LoadBalancer IP)\nEndpoint = 1.2.3.4:51820\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n```\n\n### Basic + kube-dns\n\n(This example only works on operating systems that use `openresolv`)\n\n`/etc/wireguard/wg0.conf`\n```conf\n[Interface]\n...\n# Configure the kube-dns IP address as the DNS resolver on your local machine (resolves names like 'your-service.default.svc.cluster.local')\nPostUp = printf \"nameserver 10.90.0.5\\nsearch default.svc.cluster.local svc.cluster.local cluster.local\" | resolvconf -a %i\n\n[Peer]\n...\n# Change AllowedIPs to 10.0.0.0/8 if you only want to connect to k8s pods/services\nAllowedIPs = 
10.0.0.0/8\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmasipcat%2Fwireguard-go-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmasipcat%2Fwireguard-go-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmasipcat%2Fwireguard-go-docker/lists"}