From b23e3320f0b9bc6ab072e3f4be6f0180f1d78247 Mon Sep 17 00:00:00 2001
From: Muzaffer Kadir YILMAZ <34358176+muzafferkadir@users.noreply.github.com>
Date: Mon, 15 Dec 2025 08:28:39 +0300
Subject: [PATCH] fix: update WireGuard Easy template for proper functionality (#573)
* fix: update WireGuard Easy template for proper functionality - Changed to named volume (etc_wireguard) instead of host path mount - Added explicit port mappings (51820:51820/udp, 51821:51821/tcp) required for WireGuard - Updated environment variables to use correct WG_HOST and PASSWORD format - Added all required WireGuard environment variables: - WG_PORT, PORT, WG_MTU, WG_DEFAULT_DNS, WG_ALLOWED_IPS - WG_POST_UP/WG_POST_DOWN for iptables rules - Added NET_RAW capability for proper network operations - Simplified template.toml to use WIREGUARD_HOST and WIREGUARD_PASSWORD - Removed explicit networks config to enable Dokploy's isolated deployment - Template now works with Dokploy's automatic network isolation This configuration has been tested and confirmed working with isolated deployment enabled. * Update template.toml --------- Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
---
blueprints/wg-easy/docker-compose.yml | 23 ++++++++++++++++++-----
blueprints/wg-easy/template.toml | 18 +++---------------
2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/blueprints/wg-easy/docker-compose.yml b/blueprints/wg-easy/docker-compose.yml
index b5d48fe1..1161bb12 100644
--- a/blueprints/wg-easy/docker-compose.yml
+++ b/blueprints/wg-easy/docker-compose.yml
@@ -1,17 +1,30 @@ -version: "3.8" +volumes: + etc_wireguard: + services: wg-easy: image: ghcr.io/wg-easy/wg-easy:15 + restart: unless-stopped + environment: + - WG_HOST=${WIREGUARD_HOST} + - PASSWORD=${WIREGUARD_PASSWORD} + - WG_PORT=51820 + - PORT=51821 + - WG_MTU=1280 + - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8 + - WG_ALLOWED_IPS=0.0.0.0/0 + - WG_POST_UP=iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; + - WG_POST_DOWN=iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; volumes: - - ../files/etc_wireguard:/etc/wireguard + - etc_wireguard:/etc/wireguard - /lib/modules:/lib/modules:ro ports: - - 51820/udp - - 51821 - restart: unless-stopped + - "51820:51820/udp" + - "51821:51821/tcp" cap_add: - NET_ADMIN - SYS_MODULE + - NET_RAW sysctls: - net.ipv4.ip_forward=1 - net.ipv4.conf.all.src_valid_mark=1 diff --git a/blueprints/wg-easy/template.toml b/blueprints/wg-easy/template.toml index 8b064ab7..b5d716b1 100644 --- a/blueprints/wg-easy/template.toml +++ b/blueprints/wg-easy/template.toml @@ -4,22 +4,10 @@ wg_password = "${password:32}" [config] [[config.domains]] -serviceName = "wg-easy" # Matches the service name in docker-compose.yml +serviceName = "wg-easy" port = 51821 host = "${main_domain}" [config.env] -# WG_HOST is required for the WG-Easy web interface to know the public hostname -WG_HOST = "${main_domain}" -# PASSWORD is used to secure the WG-Easy web interface -PASSWORD = "${wg_password}" -# Optional: PORT is set to match the exposed port -PORT = "51821" -# Optional: HOST ensures the service listens on all interfaces -HOST = "${main_domain}" -# Optional: INSECURE set to false for security -INSECURE = "false" - -[[config.mounts]] -filePath = "/etc/wireguard" -content = "" +WIREGUARD_HOST = "${main_domain}" +WIREGUARD_PASSWORD = "${wg_password}"
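Review bot: The new `- "51821:51821/tcp"` mapping publishes the wg-easy admin UI on every host interface, presumably over plain HTTP, in addition to the Dokploy domain that template.toml already routes to port 51821. Only the WireGuard UDP port needs a fixed host mapping; I would drop the TCP line so the UI is reachable only through the proxy, or bind it to loopback with `- "127.0.0.1:51821:51821/tcp"`. Separately, `NET_RAW` is part of Docker's default capability set, so the added `cap_add` entry is probably a no-op unless capabilities are dropped elsewhere; a short comment saying why it is listed would help the next reader.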
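Review bot: `WIREGUARD_PASSWORD` is the only credential protecting the web UI, and it is effective only if the image pinned in docker-compose.yml (`wg-easy:15`) still honours the plain `PASSWORD` variable it is mapped to. As far as I know, recent wg-easy releases stopped reading a plaintext `PASSWORD` (first in favour of a hashed value, later in favour of a first-run setup flow), in which case the generated secret would be silently ignored and the admin account would be defined by whoever completes setup first. Please check the documentation for the pinned tag and either pin a tag that reads these variables or use that release's own initial-setup variables. A one-line comment above the two keys, such as `# consumed as ${WIREGUARD_HOST} / ${WIREGUARD_PASSWORD} in docker-compose.yml`, would also replace the explanations this hunk deletes.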