Merge pull request #217 from linuxserver/readme-master

pull/220/head
Adam 2 years ago committed by GitHub
commit 0e4a58b8c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,12 @@
name: Comment on invalid interaction
on:
issues:
types:
- labeled
jobs:
add-comment-on-invalid:
if: github.event.label.name == 'invalid'
permissions:
issues: write
uses: linuxserver/github-workflows/.github/workflows/invalid-interaction-helper.yml@v1
secrets: inherit

@ -79,6 +79,7 @@ With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu
This can be run as a server or a client, based on the parameters used.
## Server Mode
If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
Variables `SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
@ -90,11 +91,13 @@ To display the QR codes of active peers again, you can use the following command
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
## Road warriors, roaming and returning home
If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
@ -107,7 +110,7 @@ Both of these approaches have positives and negatives however their setup is out
When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
```
```ini
[Interface]
PrivateKey = <private key>
Address = 9.8.7.6/32
@ -159,7 +162,7 @@ services:
- LOG_CONFS=true #optional
volumes:
- /path/to/appdata/config:/config
- /lib/modules:/lib/modules
- /lib/modules:/lib/modules #optional
ports:
- 51820:51820/udp
sysctls:
@ -186,7 +189,7 @@ docker run -d \
-e LOG_CONFS=true `#optional` \
-p 51820:51820/udp \
-v /path/to/appdata/config:/config \
-v /lib/modules:/lib/modules \
-v /lib/modules:/lib/modules `#optional` \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--restart unless-stopped \
lscr.io/linuxserver/wireguard:latest
@ -210,7 +213,7 @@ Container images are configured using parameters passed at runtime (such as thos
| `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
| `-e LOG_CONFS=true` | Generated QR codes will be displayed in the docker log. Set to `false` to skip log output. |
| `-v /config` | Contains all relevant configuration files. |
| `-v /lib/modules` | Maps host's modules folder. |
| `-v /lib/modules` | Maps host's modules folder. Only required if compiling wireguard modules. |
| `--sysctl=` | Required for client mode. |
### Portainer notice

@ -25,7 +25,9 @@ param_container_name: "{{ project_name }}"
param_usage_include_vols: true
param_volumes:
- { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." }
- { vol_path: "/lib/modules", vol_host_path: "/lib/modules", desc: "Maps host's modules folder." }
opt_param_usage_include_vols: true
opt_param_volumes:
- { vol_path: "/lib/modules", vol_host_path: "/lib/modules", desc: "Maps host's modules folder. Only required if compiling wireguard modules." }
param_usage_include_ports: true
param_ports:
- { external_port: "51820", internal_port: "51820/udp", port_desc: "wireguard port" }
@ -67,6 +69,7 @@ app_setup_block: |
This can be run as a server or a client, based on the parameters used.
## Server Mode
If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
Variables `SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
@ -78,11 +81,13 @@ app_setup_block: |
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
## Road warriors, roaming and returning home
If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
@ -95,7 +100,7 @@ app_setup_block: |
When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
```
```ini
[Interface]
PrivateKey = <private key>
Address = 9.8.7.6/32

@ -9,6 +9,9 @@ if ip link add dev test type wireguard; then
echo "**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
SKIP_COMPILE="true"
ip link del dev test
if capsh --print | grep -qv '\!cap_sys_module'; then
echo "**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****"
fi
else
echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. If you believe that your kernel should have wireguard support already, make sure that it is activated via modprobe! ****"
fi

Loading…
Cancel
Save