@ccrsxx
Last active May 30, 2025 07:08
wg-easy port forward
volumes:
  etc_wireguard:

networks:
  net_wireguard:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/16
          gateway: 172.18.0.1

services:
  wg-easy:
    environment:
      # Change Language:
      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi)
      LANG: en
      # ⚠ Required:
      # Change this to your host's public address
      WG_HOST: host_ip_or_domain
      # bcrypt hash of the web UI password; in a compose file every '$' of the hash must be written as '$$'
      PASSWORD_HASH: pw
      # Optional:
      # PORT: 51821
      # WG_PORT: 51820
      # WG_CONFIG_PORT: 92820
      # WG_DEFAULT_ADDRESS: 10.8.0.x
      WG_DEFAULT_DNS: internal_dns_server_ip
      # WG_PRE_UP: echo "Pre Up" > /etc/wireguard/pre-up.txt
      # Optional peer restrictions (limit forwarding to a peer range and the internal DNS,
      # block peer-to-peer and peer-to-VPS traffic). They are kept as YAML comments here on
      # purpose: a '#' line inside the folded scalar below is not a comment but part of the
      # command string, and a string starting with '#' is dropped as a comment by wg-quick,
      # so none of the PostUp commands would run. Copy the ones you need into WG_POST_UP:
      #   iptables -A FORWARD -i wg0 -m iprange --src-range 10.8.0.2-10.8.0.10 -j ACCEPT;
      #   iptables -A FORWARD -i wg0 -p tcp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -A FORWARD -i wg0 -p udp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -A FORWARD -i wg0 -d 10.8.0.0/24 -j DROP;
      #   iptables -A FORWARD -i wg0 -d vps_ip -j DROP;
      WG_POST_UP: >
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
        iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE;
      # WG_PRE_DOWN: echo "Pre Down" > /etc/wireguard/pre-down.txt
      # Matching teardown for the optional rules above; copy into WG_POST_DOWN together with them:
      #   iptables -D FORWARD -i wg0 -m iprange --src-range 10.8.0.2-10.8.0.10 -j ACCEPT;
      #   iptables -D FORWARD -i wg0 -p tcp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -D FORWARD -i wg0 -p udp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -D FORWARD -i wg0 -d 10.8.0.0/24 -j DROP;
      #   iptables -D FORWARD -i wg0 -d vps_ip -j DROP;
      WG_POST_DOWN: >
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
        iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE;
      # WG_MTU: 1420
      # WG_ALLOWED_IPS: 0.0.0.0/0, 10.0.10.0/24, 192.168.1.0/24
      # WG_PERSISTENT_KEEPALIVE: 25
      # UI_TRAFFIC_STATS: true
      # UI_CHART_TYPE: 1 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - etc_wireguard:/etc/wireguard
    ports:
      - '51820:51820/udp'
      - '51821:51821/tcp'
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      net_wireguard:
        ipv4_address: 172.18.0.2
ccrsxx commented Sep 3, 2024

Next steps:

  1. Make peers reachable from host.

    ip route add 10.8.0.0/24 via 172.18.0.2
  2. Add iptables rules for DNAT and SNAT to redirect the port to the WireGuard peer with DNAT and send it back with SNAT.

    # 10.0.0.60 is the internal private IP of the VPS
    # 10.8.0.10 is the WireGuard peer that you intend to port forward to
    # This example port forwards UDP port 42780 to WireGuard peer 10.8.0.10
    iptables -A PREROUTING -t nat -p udp -d 10.0.0.60 --dport 42780 -j DNAT --to-destination 10.8.0.10:42780
    iptables -A POSTROUTING -t nat -p udp -d 10.8.0.10 --dport 42780 -j SNAT --to-source 10.0.0.60
  3. Allow forwarding traffic to the docker container network from the host IP.

    # Allow forwarding traffic to the peer IP running the service from step 2; change according to your needs
    iptables -A FORWARD -d 10.8.0.10 -p udp -m udp --dport 42780 -j ACCEPT
    iptables -A FORWARD -s 10.8.0.10 -p udp -m udp --sport 42780 -j ACCEPT
  4. Done!

ccrsxx commented Sep 20, 2024

Persist the iptables rules and the IP route after reboot:

  1. Persist iptables rules:

    sudo netfilter-persistent save
  2. Create IP route script:

    cd /usr/local/sbin
    sudo touch wireguard.sh
    sudo chmod u+x wireguard.sh
    sudo vim wireguard.sh
  3. Copy and paste the script below into vim or nano:

    #!/bin/bash
    
    # Define the route details
    ROUTE="10.8.0.0/24"
    GATEWAY="172.18.0.2"
    
    # Check if the route already exists
    if ip route show $ROUTE | grep -q "via $GATEWAY"; then
        echo "Route $ROUTE via $GATEWAY already exists."
        exit 0
    else
        # Attempt to add the route
        if ip route add $ROUTE via $GATEWAY; then
            echo "Route $ROUTE via $GATEWAY added successfully."
            exit 0
        else
            echo "Wireguard container is not running yet. Restarting in 5 seconds."
            exit 1
        fi
    fi
  4. Create systemctl service:

    sudo vim /etc/systemd/system/wireguard.service
  5. Copy and paste the service file below:

    [Unit]
    Description=Expose wireguard peer to host
    After=network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/local/sbin/wireguard.sh
    Restart=on-failure
    RestartSec=5
    RemainAfterExit=yes
    
    [Install]
    WantedBy=multi-user.target
  6. Run service and make sure it is running:

    sudo systemctl daemon-reload
    sudo systemctl enable wireguard
    sudo systemctl start wireguard
    sudo systemctl status wireguard
  7. All done, now you can reboot without issue.
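The two comments above do the forwarding (steps 1 to 3 of the first comment) and the persistence (route script plus oneshot unit of the second) as separate manual steps. As an added example, not part of the gist or of its author's comments, the script below combines them into one idempotent unit that can serve as the `ExecStart` of the oneshot service: it ensures the host route to the peer subnet, then adds each DNAT/SNAT/FORWARD rule only when `iptables -C` reports it missing, so repeated runs (boot, container restart, a manual re-run) never append duplicate rules, and it exits non-zero while the container network is not up so `Restart=on-failure` retries. The script name `wg-forward.sh`, the `apply|delete|show` modes and the `IPTABLES`/`IP` override variables are assumptions of this example; the addresses and port default to the placeholder values from the comments (10.0.0.60, 10.8.0.10, 42780/udp, route 10.8.0.0/24 via 172.18.0.2).

```shell
#!/bin/sh
# wg-forward.sh (hypothetical name): idempotently expose one port of a wg-easy peer on the
# VPS and make the peer subnet reachable from the host. Added example, not the gist's code.
# Defaults are the placeholder values used in the gist's comments; override via environment.

VPS_IP="${VPS_IP:-10.0.0.60}"     # VPS private IP that receives the public traffic
PEER_IP="${PEER_IP:-10.8.0.10}"   # WireGuard peer the port is forwarded to
PORT="${PORT:-42780}"
PROTO="${PROTO:-udp}"             # udp or tcp
WG_NET="${WG_NET:-10.8.0.0/24}"   # wg-easy peer subnet
WG_GW="${WG_GW:-172.18.0.2}"      # wg-easy container address on net_wireguard
IPTABLES="${IPTABLES:-iptables}"  # overridable so the logic can be dry-run or tested
IP="${IP:-ip}"

# One rule per line: "<table> <chain> <rule spec>". Keeping every spec in one place means
# apply, delete and show can never drift apart.
forward_rules() {
  cat <<EOF
nat PREROUTING -p $PROTO -d $VPS_IP --dport $PORT -j DNAT --to-destination $PEER_IP:$PORT
nat POSTROUTING -p $PROTO -d $PEER_IP --dport $PORT -j SNAT --to-source $VPS_IP
filter FORWARD -d $PEER_IP -p $PROTO -m $PROTO --dport $PORT -j ACCEPT
filter FORWARD -s $PEER_IP -p $PROTO -m $PROTO --sport $PORT -j ACCEPT
EOF
}

# Append a rule only if an identical one is absent (-C checks; exit 0 means present).
ensure_rule() {
  table=$1; chain=$2; shift 2
  if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    echo "present: $table $chain $*"
  else
    "$IPTABLES" -t "$table" -A "$chain" "$@" && echo "added: $table $chain $*"
  fi
}

# Remove every copy of a rule (earlier manual runs may have appended duplicates).
delete_rule() {
  table=$1; chain=$2; shift 2
  while "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; do
    "$IPTABLES" -t "$table" -D "$chain" "$@" || return 1
    echo "deleted: $table $chain $*"
  done
}

# Run the given function over every rule spec. The spec is split on whitespace on purpose;
# globbing is disabled (set -f) inside the subshell so no field can expand against filenames.
each_rule() {
  forward_rules | ( set -f; while read -r table chain spec; do "$1" "$table" "$chain" $spec; done )
}

# Host route to the peer subnet via the container. Returns 1 while the container network is
# absent, so a oneshot unit with Restart=on-failure keeps retrying until wg-easy is up.
ensure_route() {
  if "$IP" route show "$WG_NET" | grep -q "via $WG_GW"; then
    echo "route present: $WG_NET via $WG_GW"
  elif "$IP" route add "$WG_NET" via "$WG_GW" 2>/dev/null; then
    echo "route added: $WG_NET via $WG_GW"
  else
    echo "cannot add route $WG_NET via $WG_GW: is the wg-easy container up?" >&2
    return 1
  fi
}

case "${1:-}" in
  apply)  ensure_route && each_rule ensure_rule ;;
  delete) each_rule delete_rule ;;
  show)   forward_rules ;;
  "")     ;;   # no argument: only define the functions (lets the script be sourced)
  *)      echo "usage: $0 apply|delete|show" >&2; exit 2 ;;
esac
```

Install it as `/usr/local/sbin/wg-forward.sh` and point the unit from the second comment at `ExecStart=/usr/local/sbin/wg-forward.sh apply`; `wg-forward.sh delete` removes exactly the rules that `show` lists, which is what `netfilter-persistent save` would otherwise have to be re-run for. Docker inserts its own chains at the top of FORWARD and the nat table when the daemon starts, so after a reboot verify the resulting order with `iptables -S FORWARD` and `iptables -t nat -S` instead of assuming the appended rules are reached.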

ccrsxx commented May 30, 2025

Topology of this architecture to make it more clear:

[image: topology diagram, not extracted]
