@ccrsxx
Last active March 12, 2025 09:36
wg-easy port forward
volumes:
  etc_wireguard:

networks:
  net_wireguard:
    driver: bridge
    ipam:
      config:
        # Fixed subnet so the container can get a static address that the
        # host route (ip route add 10.8.0.0/24 via 172.18.0.2) can rely on.
        - subnet: 172.18.0.0/16
          gateway: 172.18.0.1

services:
  wg-easy:
    environment:
      # Change Language:
      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi)
      LANG: en
      # ⚠ Required:
      # Change this to your host's public address
      WG_HOST: host_ip_or_domain
      # bcrypt hash of the web UI password. In a compose file every '$' in the
      # hash must be written as '$$', otherwise compose expands it as a variable.
      PASSWORD_HASH: pw
      # Optional:
      # PORT: 51821
      # WG_PORT: 51820
      # WG_CONFIG_PORT: 92820
      # WG_DEFAULT_ADDRESS: 10.8.0.x
      WG_DEFAULT_DNS: internal_dns_server_ip
      # WG_PRE_UP: echo "Pre Up" > /etc/wireguard/pre-up.txt
      # Optional peer restrictions (only peers .2-.10 are forwarded, DNS only to
      # the internal resolver, no peer-to-peer and no access to the VPS itself).
      # They are kept as YAML comments here, outside the WG_POST_UP block
      # scalar: a '#' line inside a folded (>) scalar is part of the value, not
      # a comment, and because folding joins the lines with spaces the whole
      # PostUp command would start with '#' and be ignored by the shell, so the
      # MASQUERADE rules below would never be installed.
      # iptables -A FORWARD -i wg0 -m iprange --src-range 10.8.0.2-10.8.0.10 -j ACCEPT;
      # iptables -A FORWARD -i wg0 -p tcp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      # iptables -A FORWARD -i wg0 -p udp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      # iptables -A FORWARD -i wg0 -d 10.8.0.0/24 -j DROP;
      # iptables -A FORWARD -i wg0 -d vps_ip -j DROP;
      WG_POST_UP: >
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
        iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE;
      # WG_PRE_DOWN: echo "Pre Down" > /etc/wireguard/pre-down.txt
      # Matching teardown for the optional restrictions above:
      # iptables -D FORWARD -i wg0 -m iprange --src-range 10.8.0.2-10.8.0.10 -j ACCEPT;
      # iptables -D FORWARD -i wg0 -p tcp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      # iptables -D FORWARD -i wg0 -p udp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      # iptables -D FORWARD -i wg0 -d 10.8.0.0/24 -j DROP;
      # iptables -D FORWARD -i wg0 -d vps_ip -j DROP;
      WG_POST_DOWN: >
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
        iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE;
      # WG_MTU: 1420
      # WG_ALLOWED_IPS: 0.0.0.0/0, 10.0.10.0/24, 192.168.1.0/24
      # WG_PERSISTENT_KEEPALIVE: 25
      # WG_PRE_UP: echo "Pre Up" > /etc/wireguard/pre-up.txt
      # WG_POST_UP: echo "Post Up" > /etc/wireguard/post-up.txt
      # WG_PRE_DOWN: echo "Pre Down" > /etc/wireguard/pre-down.txt
      # WG_POST_DOWN: echo "Post Down" > /etc/wireguard/post-down.txt
      # UI_TRAFFIC_STATS: true
      # UI_CHART_TYPE: 1 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - etc_wireguard:/etc/wireguard
    ports:
      - '51820:51820/udp'
      # Web UI. Prefer '127.0.0.1:51821:51821/tcp' (and a reverse proxy) so the
      # admin interface is not exposed on the public address.
      - '51821:51821/tcp'
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      net_wireguard:
        ipv4_address: 172.18.0.2
ccrsxx commented Sep 3, 2024

Next steps:

  1. Make peers reachable from the host.

    ip route add 10.8.0.0/24 via 172.18.0.2
  2. Add iptables rules for DNAT and SNAT: redirect the port to the WireGuard peer with DNAT and send it back with SNAT.

    # 10.0.0.60 is the internal private IP of the VPS
    # 10.8.0.10 is the WireGuard peer that you intend to port forward to
    # This example port forwards UDP port 42780 on WireGuard peer 10.8.0.10
    iptables -A PREROUTING -t nat -p udp -d 10.0.0.60 --dport 42780 -j DNAT --to-destination 10.8.0.10:42780
    iptables -A POSTROUTING -t nat -p udp -d 10.8.0.10 --dport 42780 -j SNAT --to-source 10.0.0.60
  3. Allow forwarding traffic to the Docker container network from the host IP.

    # Allow forwarding traffic to the peer IP and service from step 2; change according to your needs
    iptables -A FORWARD -d 10.8.0.10 -p udp -m udp --dport 42780 -j ACCEPT
    iptables -A FORWARD -s 10.8.0.10 -p udp -m udp --sport 42780 -j ACCEPT
  4. Done!

ccrsxx commented Sep 20, 2024

Persist the iptables rules and the IP route after reboot:

  1. Persist the iptables rules:

    sudo netfilter-persistent save
  2. Create the IP route script:

    cd /usr/local/sbin
    sudo touch wireguard.sh
    sudo chmod u+x wireguard.sh
    sudo vim wireguard.sh
  3. Copy and paste the script below into vim or nano:

    #!/bin/bash
    
    # Define the route details
    ROUTE="10.8.0.0/24"
    GATEWAY="172.18.0.2"
    
    # Check if the route already exists
    if ip route show "$ROUTE" | grep -q "via $GATEWAY"; then
        echo "Route $ROUTE via $GATEWAY already exists."
        exit 0
    else
        # Attempt to add the route. This fails while the Docker bridge that
        # $GATEWAY lives on is not up yet, so exit 1 and let systemd retry.
        if ip route add "$ROUTE" via "$GATEWAY"; then
            echo "Route $ROUTE via $GATEWAY added successfully."
            exit 0
        else
            echo "Wireguard container is not running yet. Restarting in 5 seconds."
            exit 1
        fi
    fi
  4. Create the systemd service:

    sudo vim /etc/systemd/system/wireguard.service
  5. Copy and paste the service file below:

    [Unit]
    Description=Expose wireguard peer to host
    # Start after Docker so the route normally succeeds on the first try;
    # Restart=on-failure below retries every 5 s if it does not.
    After=network.target docker.service
    
    [Service]
    Type=oneshot
    ExecStart=/usr/local/sbin/wireguard.sh
    Restart=on-failure
    RestartSec=5
    RemainAfterExit=yes
    
    [Install]
    WantedBy=multi-user.target
  6. Start the service and make sure it is running:

    sudo systemctl daemon-reload
    sudo systemctl enable wireguard
    sudo systemctl start wireguard
    sudo systemctl status wireguard
  7. All done, now you can reboot without issue.
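
The three host-side steps from the first comment (route, DNAT/SNAT, forward-accept rules) and the reboot-persistence procedure above can be handled by one idempotent script. The script below is an added example for this gist, not the gist author's code; its file name wg-forward.sh, its variable names and its defaults (10.0.0.60, 10.8.0.10, 10.8.0.0/24, 172.18.0.2, udp/42780) are hypothetical values taken from the comments and can be overridden through the environment. It deviates from the comments in two places. First, it tests for every rule with `iptables -C` before adding or deleting it, so running it again after `netfilter-persistent` has already restored the rules does not stack duplicates. Second, it puts the forward-accept rules into Docker's DOCKER-USER chain with `-I` instead of appending them to FORWARD: Docker evaluates DOCKER-USER before its own FORWARD rules, and that chain ends in a RETURN that an appended rule would sit behind and never be reached. Because `add` exits non-zero while the route or the DOCKER-USER chain is not available yet, the script can replace wireguard.sh as the `ExecStart=` of the oneshot unit, and `Restart=on-failure` retries it until Docker is up.

```shell
#!/usr/bin/env bash
# wg-forward.sh (added example, not part of the gist): idempotent host-side
# setup for exposing one port of a WireGuard peer that sits behind the
# wg-easy container.
#   add     host route to the peer subnet, DNAT/SNAT, forward-accept rules
#   remove  undo all of the above
#   check   report what is in place; exit 1 if anything is missing
# DRY_RUN=1 prints the commands instead of executing them.
# The defaults are hypothetical values taken from the gist's comments.
set -eu

VPS_IP=${VPS_IP:-10.0.0.60}               # private IP of the VPS receiving the traffic
PEER_IP=${PEER_IP:-10.8.0.10}             # WireGuard peer that should get the port
PEER_NET=${PEER_NET:-10.8.0.0/24}         # wg-easy peer subnet (WG_DEFAULT_ADDRESS)
CONTAINER_IP=${CONTAINER_IP:-172.18.0.2}  # static ipv4_address of the wg-easy container
FWD_PROTO=${FWD_PROTO:-udp}
FWD_PORT=${FWD_PORT:-42780}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_rule add|remove|check TABLE CHAIN RULE...
# `iptables -C` tests whether the rule already exists, so repeated runs (a
# retried systemd oneshot, a run after netfilter-persistent restored the
# rules) never stack duplicates. Forward rules go into DOCKER-USER, which
# Docker evaluates before its own FORWARD rules; that chain ends in RETURN,
# so they are inserted with -I rather than appended with -A.
apply_rule() {
    mode=$1 table=$2 chain=$3; shift 3
    if [ "$chain" = DOCKER-USER ]; then addverb=-I; else addverb=-A; fi
    if [ "$DRY_RUN" = 1 ]; then
        # No kernel to ask: assume the action is needed.
        case $mode in remove) present=1 ;; *) present=0 ;; esac
    elif iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        present=1
    else
        present=0
    fi
    case $mode in
        add)    [ "$present" = 1 ] || run iptables -t "$table" "$addverb" "$chain" "$@" ;;
        remove) [ "$present" = 0 ] || run iptables -t "$table" -D "$chain" "$@" ;;
        check)  if [ "$DRY_RUN" = 1 ]; then run iptables -t "$table" -C "$chain" "$@"
                elif [ "$present" = 1 ]; then echo "ok      $chain $*"
                else echo "MISSING $chain $*"; return 1; fi ;;
        *)      echo "apply_rule: unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# The four rules from the gist's steps 2 and 3, applied in one pass.
all_rules() {
    status=0
    apply_rule "$1" nat PREROUTING -p "$FWD_PROTO" -d "$VPS_IP" --dport "$FWD_PORT" \
        -j DNAT --to-destination "$PEER_IP:$FWD_PORT" || status=1
    apply_rule "$1" nat POSTROUTING -p "$FWD_PROTO" -d "$PEER_IP" --dport "$FWD_PORT" \
        -j SNAT --to-source "$VPS_IP" || status=1
    apply_rule "$1" filter DOCKER-USER -d "$PEER_IP" -p "$FWD_PROTO" --dport "$FWD_PORT" -j ACCEPT || status=1
    apply_rule "$1" filter DOCKER-USER -s "$PEER_IP" -p "$FWD_PROTO" --sport "$FWD_PORT" -j ACCEPT || status=1
    return "$status"
}

route_present() { ip route show "$PEER_NET" 2>/dev/null | grep -q "via $CONTAINER_IP"; }

# Step 1 of the gist: route the peer subnet through the container.
apply_route() {
    case $1 in
        add)    if [ "$DRY_RUN" = 1 ] || ! route_present; then run ip route add "$PEER_NET" via "$CONTAINER_IP"; fi ;;
        remove) if [ "$DRY_RUN" = 1 ] || route_present; then run ip route del "$PEER_NET" via "$CONTAINER_IP"; fi ;;
        check)  if [ "$DRY_RUN" = 1 ]; then run ip route show "$PEER_NET"
                elif route_present; then echo "ok      route $PEER_NET via $CONTAINER_IP"
                else echo "MISSING route $PEER_NET via $CONTAINER_IP"; return 1; fi ;;
    esac
}

main() {
    case ${1:-} in
        add)    apply_route add && all_rules add ;;   # non-zero while the bridge or DOCKER-USER is not up yet
        remove) all_rules remove; apply_route remove ;;
        check)  s=0; apply_route check || s=1; all_rules check || s=1; return "$s" ;;
        *)      echo "usage: ${0##*/} add|remove|check   (DRY_RUN=1 prints the commands)" >&2; return 2 ;;
    esac
}

# Does nothing when invoked without a subcommand.
[ $# -eq 0 ] || main "$@"
```

`DRY_RUN=1 ./wg-forward.sh add` prints the exact commands without touching the kernel, `./wg-forward.sh check` shows what is missing after a reboot, and `./wg-forward.sh remove` takes everything out again. Run it as root; the `-C` probes need the same privileges as the rule changes themselves.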
