mirror
/
wg-easy
mirror of https://github.com/wg-easy/wg-easy
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1139 Commits
3 Branches
14 Tags
17 MiB
 
 
 
 
Tree: 9b29d72991
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9b29d72991'
${ noResults }
wg-easy/docs/content/examples/tutorials/podman.md

2.4 KiB
Raw Blame History

title
Podman

This guide will show you how to run wg-easy with rootful Podman and nftables.

Requirements

  1. Podman installed with version 4.4 or higher

Configuration

Create a Folder for the configuration files:

sudo mkdir -p /etc/containers/systemd/wg-easy
sudo mkdir -p /etc/containers/volumes/wg-easy

Create a file /etc/containers/systemd/wg-easy/wg-easy.container with the following content:

[Container]
ContainerName=wg-easy
Image=ghcr.io/wg-easy/wg-easy:latest

Volume=/etc/containers/volumes/wg-easy:/etc/wireguard:Z
Network=wg-easy.network
PublishPort=51820:51820/udp
PublishPort=51821:51821/tcp

AddCapability=NET_ADMIN
AddCapability=SYS_MODULE
AddCapability=NET_RAW
Sysctl=net.ipv4.ip_forward=1
Sysctl=net.ipv4.conf.all.src_valid_mark=1
Sysctl=net.ipv6.conf.all.disable_ipv6=0
Sysctl=net.ipv6.conf.all.forwarding=1
Sysctl=net.ipv6.conf.default.forwarding=1

[Install]
# this is used to start the container on boot
WantedBy=default.target

Create a file /etc/containers/systemd/wg-easy/wg-easy.network with the following content:

[Network]
NetworkName=wg-easy
IPv6=true

Load Kernel Modules

You will need to load the following kernel modules

wireguard
nft_masq

Create a file /etc/modules-load.d/wg-easy.conf with the following content:

wireguard
nft_masq

Start the Container

sudo systemctl daemon-reload
sudo systemctl start wg-easy

Edit Hooks

In the Admin Panel of your WireGuard server, go to the Hooks tab and add the following hook:

  1. PostUp

    apk add nftables; nft add table inet wg_table; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy drop \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy drop \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept;

  2. PostDown

    nft delete table inet wg_table