{"id":19928933,"url":"https://github.com/wfg/docker-wireguard","last_synced_at":"2025-10-19T20:28:18.480Z","repository":{"id":114960953,"uuid":"540192844","full_name":"wfg/docker-wireguard","owner":"wfg","description":"A lightweight, containerized WireGuard","archived":false,"fork":false,"pushed_at":"2024-03-23T15:15:54.000Z","size":16,"stargazers_count":22,"open_issues_count":2,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-03T10:43:28.500Z","etag":null,"topics":["docker","vpn","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wfg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-22T22:34:39.000Z","updated_at":"2025-05-03T07:28:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"6cb95ad7-0389-4a42-8bfd-358b5baacea2","html_url":"https://github.com/wfg/docker-wireguard","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/wfg/docker-wireguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wfg%2Fdocker-wireguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wfg%2Fdocker-wireguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wfg%2Fdocker-wireguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wfg%2Fdocker-wireguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wfg","download_url":"https://codeload.github.com/wfg/docker-wireguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wfg%2Fdocker-wireguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279902159,"owners_count":26241726,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-19T02:00:07.647Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","vpn","wireguard"],"created_at":"2024-11-12T22:40:56.080Z","updated_at":"2025-10-19T20:28:18.458Z","avatar_url":"https://github.com/wfg.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WireGuard client for Docker\n## What is this and what does it do?\n`wireguard` is exactly what it says on the tin (a containerized WireGuard client).\nIt has a built-in kill switch to stop Internet connectivity if the VPN goes down for any reason.\n\n## Why?\nHaving a containerized VPN client lets you use container networking to easily choose which applications you want using the VPN instead of having to set up split tunnelling.\n\n## How do I use it?\n### Getting the image\nYou can either pull it from GitHub Container Registry or build it yourself.\n\nTo pull it from GitHub Container Registry, run\n```\ndocker pull ghcr.io/wfg/wireguard\n```\n\nTo build it yourself, run\n```\ndocker build -t ghcr.io/wfg/wireguard https://github.com/wfg/docker-wireguard.git#main:build\n```\n\n### Creating and running a container\nBelow are bare-bones examples for `docker run` and Compose; however, you'll probably want to do more than just run the VPN client.\nSee the sections below to learn how to have [other containers use `wireguard`'s network stack](#using-with-other-containers).\n\n#### `docker run`\n```\ndocker run --detach \\\n  --name wireguard \\\n  --cap-add NET_ADMIN \\\n  --sysctl net.ipv4.conf.all.src_valid_mark=1 \\\n  --volume \u003cpath/to/config\u003e:/etc/wireguard/wg0.conf \\\n  ghcr.io/wfg/wireguard\n```\n\n#### `docker-compose`\n```yaml\nservices:\n  wireguard:\n    image: ghcr.io/wfg/wireguard\n    container_name: wireguard\n    cap_add:\n    - NET_ADMIN\n    sysctls:\n    - net.ipv4.conf.all.src_valid_mark=1\n    volumes:\n    - \u003cpath/to/config\u003e:/etc/wireguard/wg0.conf\n    restart: unless-stopped\n```\n\n#### Environment variables\n| Variable | Default (blank is unset) | Description |\n| --- | --- | --- |\n| `ALLOWED_SUBNETS` |  | A list of one or more comma-separated subnets (e.g. `192.168.0.0/24,192.168.1.0/24`) to allow outside of the VPN tunnel. |\n\n##### Environment variable considerations\n###### `ALLOWED_SUBNETS`\nIf you intend on connecting to containers that use the WireGuard container's network stack (which you probably do), **you will want to use this variable**.\n\n### Using with other containers\nOnce you have your `wireguard` container up and running, you can tell other containers to use `wireguard`'s network stack which gives them the ability to utilize the VPN tunnel.\nThere are a few ways to accomplish this depending how how your container is created.\n\nIf your container is being created with\n1. the same Compose YAML file as `wireguard`, add `network_mode: service:wireguard` to the container's service definition.\n2. a different Compose YAML file than `wireguard`, add `network_mode: container:wireguard` to the container's service definition.\n3. `docker run`, add `--network=container:wireguard` as an option to `docker run`.\n\nOnce running and provided your container has `wget` or `curl`, you can run `docker exec \u003ccontainer_name\u003e wget -qO - ifconfig.me` or `docker exec \u003ccontainer_name\u003e curl -s ifconfig.me` to get the public IP of the container and make sure everything is working as expected.\nThis IP should match the one of `wireguard`.\n\n#### Handling ports intended for connected containers\nIf you have a connected container and you need to access a port that container, you'll want to publish that port on the `wireguard` container instead of the connected container.\nTo do that, add `-p \u003chost_port\u003e:\u003ccontainer_port\u003e` if you're using `docker run`, or add the below snippet to the `wireguard` service definition in your Compose file if using `docker-compose`.\n```yaml\nports:\n  - \u003chost_port\u003e:\u003ccontainer_port\u003e\n```\nIn both cases, replace `\u003chost_port\u003e` and `\u003ccontainer_port\u003e` with the port used by your connected container.\n\n### Verifying functionality\nOnce you have container running `ghcr.io/wfg/wireguard`, run the following command to spin up a temporary container using `wireguard` for networking.\nThe `wget -qO - ifconfig.me` bit will return the public IP of the container.\nYou should see an IP address owned by your VPN provider.\n```bash\ndocker run --rm -it --network=container:wireguard alpine wget -qO - ifconfig.me\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwfg%2Fdocker-wireguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwfg%2Fdocker-wireguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwfg%2Fdocker-wireguard/lists"}