Initial

Signed-off-by: Tobias Manske <tobias.manske@mailbox.org>

compose/02_wireguard/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=wireguard

compose/02_wireguard/docker-compose.yml

@@ -0,0 +1,26 @@
+---
+version: '3.9'
+services:
+  wireguard:
+    image: linuxserver/wireguard:latest
+    container_name: wireguard
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    security_opt:
+      - label:disable
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+    volumes:
+      - ./wg0.conf:/config/wg0.conf:ro,z
+      - /lib/modules:/lib/modules:ro
+    labels:
+      - "com.centurylinklabs.watchtower.scope=update"
+    ports:
+      - 51820:51820/udp
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv6.conf.all.disable_ipv6=0
+    restart: unless-stopped

compose/02_wireguard/wg0.conf

@@ -0,0 +1,17 @@
+[Interface]
+Address = 10.2.0.1/16
+Address = fd10:4000::1/32
+MTU = 1420
+SaveConfig = true
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+ListenPort = 51820
+PrivateKey = {{ wireguard.private_key }}
+
+{% for peer in wireguard_peers %}
+# Peer: {{ peer.name }}
+[Peer]
+PublicKey = {{ peer.pubkey }}
+AllowedIPs = {{ peer.allowedips | join(", ") }}
+
+{% endfor %}