Docker Rootless ++ Wireguard!

Still very much beta and only partially automated so far.
Now for every user docker rootless should automatically get installed, along with docker compose.
It is slowly automatically rolled out to all users.

To check whether it is already installed, run in a shell:
docker run hello-world

If not installed you can easily install it yourself as well:
curl -fsSL https://get.docker.com/rootless | sh
echo 'export PATH=~/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
systemctl --user enable docker
(Use single quotes around the PATH line so that $PATH is expanded when the shell starts, not frozen at the moment you run echo. The install script also prints any extra environment lines it wants in your ~/.bashrc, such as DOCKER_HOST; follow its output.)

Installing docker-compose:
Check newest version available:
curl -s -I https://github.com/docker/compose/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'
Sample Output:
$ curl -s -I https://github.com/docker/compose/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'
v2.14.2

Download newest version of docker-compose into your ~/bin directory:
wget https://github.com/docker/compose/releases/download/<VERSION>/docker-compose-linux-x86_64 -O ~/bin/docker-compose
Make the file executable: chmod +x ~/bin/docker-compose
Check if docker-compose works:
johndoe@pmss:~$ docker-compose version
Docker Compose version v2.14.2
Good to go!
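The download step above fetches a binary straight into ~/bin and trusts whatever arrived. The script below is an added example (not from the original page) that does the same install but verifies the release's sha256 against the checksums.txt that the docker/compose release publishes before making the binary executable. The asset names docker-compose-linux-x86_64 and checksums.txt are assumed from the compose release layout; the version-parsing and checksum functions are pure so they can be exercised without network access.

```shell
#!/bin/sh
# Added example, not from the page: install docker-compose into ~/bin and
# verify the release checksum first. Only "sh install-compose.sh install"
# touches the network; the helper functions work on local input.

# Read the headers of the "latest" redirect on stdin and print the version
# tag (e.g. v2.14.2). Matches "Location:" and "location:" (HTTP/2 lowercases
# header names) and strips the trailing CR so no hidden \r ends up in the tag.
latest_compose_version() {
    awk -F '/' 'tolower($0) ~ /^location:/ { sub(/\r$/, "", $NF); print $NF; exit }'
}

# Verify FILE against a checksums file in "sha256  filename" format
# (a leading "*" before the filename, as some tools emit, is tolerated).
# Returns 0 on match, 1 on mismatch or when the entry is missing.
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Resolve the latest tag, download binary + checksums to a temp dir, verify,
# and only then install with mode 0755 into ~/bin.
install_compose() {
    version=$(curl -s -I https://github.com/docker/compose/releases/latest | latest_compose_version)
    [ -n "$version" ] || { echo "could not determine latest compose version" >&2; return 1; }
    base="https://github.com/docker/compose/releases/download/$version"
    tmp=$(mktemp -d)
    curl -fsSL "$base/docker-compose-linux-x86_64" -o "$tmp/docker-compose-linux-x86_64" || return 1
    curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt" || return 1
    if ! verify_sha256 "$tmp/docker-compose-linux-x86_64" "$tmp/checksums.txt"; then
        echo "checksum mismatch for $version, not installing" >&2
        rm -rf "$tmp"
        return 1
    fi
    mkdir -p ~/bin
    install -m 0755 "$tmp/docker-compose-linux-x86_64" ~/bin/docker-compose
    rm -rf "$tmp"
    ~/bin/docker-compose version
}

# Only perform the network install when explicitly asked, so the functions
# above can be sourced or tested offline.
if [ "${1:-}" = "install" ]; then
    install_compose
fi
```

Run it as sh install-compose.sh install. A mismatch leaves ~/bin untouched, which is the property you want from a step that drops an executable onto your PATH.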

Limitations of rootless docker: https://docs.docker.com/engine/security/rootless/#known-limitations


Now to the fun part, WireGuard!

Wireguard docker container installation and configuration
source and image: https://github.com/linuxserver/docker-wireguard

The WireGuard container is set up with docker-compose, which reads a docker-compose.yaml configuration file.
Here’s a docker-compose.yaml template:
---
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=<YOUR PUID>
      - PGID=<YOUR PGID>
      - TZ=Europe/Helsinki
      - SERVERURL=<YOUR HOSTNAME>
      - SERVERPORT=51820 # port number
      - PEERS=3
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - LOG_CONFS=true
    volumes:
      - <PATH TO THE CONFIG FOLDER>:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp # port number
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

There are some things one needs to change:
Replace YOUR PUID and YOUR PGID with your user’s UID and GID (PUID takes the uid, PGID the gid). You can find them using the id command:
john@server:~/$ id
uid=1000(john) gid=1000(john) groups=1000(john)

YOUR HOSTNAME is replaced with the hostname of your server. The default port number is 51820, but that might conflict if several users set up a
WireGuard server on the same host. So, if the container fails to start, try another port.

PEERS variable sets the number of clients your wireguard will support. For each peer the server will generate a pair of keys to encrypt the
connection.

Also, you need to set up a folder for all of WireGuard’s configs and specify the path to it. For example, one might create a new folder at ~/.config/docker-wireguard and use that as the config folder for the server.

Don’t forget to use the same port number in the ports mapping as in SERVERPORT, and we are good to go!
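The edits above are easy to get slightly wrong by hand (PUID and PGID swapped, the port changed in one place but not the other). The script below is an added example, not part of the original page or the linuxserver project: it renders the template with the current user's uid/gid and one port value used in both SERVERPORT and the ports mapping, and before writing it checks the output of ss -lun so you do not pick a UDP port another user on the shared host already listens on. The config directory ~/.config/docker-wireguard and the use of ss for the port check are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the page: render docker-compose.yaml from the
# template with the placeholders filled in, refusing a UDP port that is
# already bound on this host.

# Exit 0 if PORT appears as a bound port in ss-style output read on stdin
# (e.g. `ss -lun`). The regex is anchored on ":PORT" at the end of a field,
# so 1820 does not match 0.0.0.0:51820; [::]:51820 and *:51820 do match.
udp_port_in_use() {
    awk -v p="$1" '
        { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the compose file to stdout.
# Arguments: hostname port peers config_dir
render_compose() {
    host=$1; port=$2; peers=$3; confdir=$4
    puid=$(id -u)   # PUID is the numeric uid ...
    pgid=$(id -g)   # ... and PGID the numeric gid of the account running the container
    cat <<EOF
---
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=$puid
      - PGID=$pgid
      - TZ=Europe/Helsinki
      - SERVERURL=$host
      - SERVERPORT=$port
      - PEERS=$peers
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - LOG_CONFS=true
    volumes:
      - $confdir:/config
      - /lib/modules:/lib/modules
    ports:
      - $port:$port/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
EOF
}

# Usage: sh render-wg-compose.sh <hostname> [port] [peers]
# Writes ./docker-compose.yaml; does nothing when called without arguments.
if [ $# -ge 1 ]; then
    host=$1; port=${2:-51820}; peers=${3:-3}
    confdir="$HOME/.config/docker-wireguard"   # assumed location, see lead-in
    if ss -lun | udp_port_in_use "$port"; then
        echo "UDP port $port is already in use on this host; pick another" >&2
        exit 1
    fi
    mkdir -p "$confdir"
    render_compose "$host" "$port" "$peers" "$confdir" > docker-compose.yaml
    echo "wrote docker-compose.yaml (port $port, $peers peers, config in $confdir)"
fi
```

The rendered file keeps the template's ALLOWEDIPS=0.0.0.0/0, which makes every client a full tunnel (all client traffic leaves through your server); narrow it to the internal subnet if you only want clients to reach the VPN network. The port check only sees sockets in the host's network namespace, which is exactly the namespace the published port will be bound in.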

Launching the container
Place the docker-compose.yaml in a separate folder and run docker-compose up -d in the same folder.

The installation process will begin. Docker should download and install everything automatically.

You should see something like this:
john@server:~/wireguard$ docker-compose up -d
[+] Running 8/8
 ⠿ wireguard Pulled                        45.2s
   ⠿ 8a6b84e63e3d Pull complete             4.2s
   ⠿ 665a26860e09 Pull complete             5.5s
   ⠿ e5afe0e25c04 Pull complete             6.7s
   ⠿ b0dc43af3c2f Pull complete             8.8s
   ⠿ 90fe4b5ce983 Pull complete            10.5s
   ⠿ 69a0a7952709 Pull complete            31.3s
   ⠿ 61c31956b36d Pull complete            41.1s
[+] Running 1/1
 ⠿ Container wireguard Started             19.2s

Now the server is up and running!

Configuring clients
Mobile apps
Setting up the WireGuard client on a phone is quite easy: scan a QR code with the app and the tunnel is set up. You can get the QR code with the command docker container exec wireguard /app/show-peer X, where X is replaced with the peer’s number (numbering starts from 1).

Windows
You can get the config text to paste into the WireGuard client with the following command: docker container exec wireguard cat /config/peerX/peerX.conf, where X is replaced with the peer’s number (numbering starts from 1).



Friday, January 13, 2023
