From 07596efd7f5a40995f214bd2850a4395a92c179e Mon Sep 17 00:00:00 2001 From: Jordan Potter Date: Fri, 29 Sep 2023 16:49:33 -0700 Subject: [PATCH] Update README for Podman --- README.md | 97 ++++++++++++++++++++++++++++++++----------------------- 1 file changed, 56 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 69d9de7..aa23b2d 100644 --- a/README.md +++ b/README.md 
@@ -1,28 +1,30 @@ -# Wireguard +# WireGuard -This is a simple Docker image to run a Wireguard client. It includes a kill switch to ensure that any traffic not encrypted via Wireguard is dropped. +This is a simple image to run a WireGuard client. It includes a kill switch to ensure that any traffic not encrypted via WireGuard is dropped. -Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install). +WireGuard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that WireGuard _must_ be installed on the host operating system for this container to work properly. Instructions for installing WireGuard can be found [here](http://wireguard.com/install). -You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a kill switch in the configuration file, since the Docker image already has one. +You will need a configuration file for your WireGuard interface. Many VPN providers will create this configuration file for you. If your VPN provider offers to include a kill switch in the configuration file, be sure to DECLINE, since this container image already has one. -Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvad.conf`: +Now simply mount the configuration file and run! 
+ +## Docker ```bash -docker run --name wireguard \ - --cap-add NET_ADMIN \ - --cap-add SYS_MODULE \ - --sysctl net.ipv4.conf.all.src_valid_mark=1 \ - -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \ - jordanpotter/wireguard +$ docker run --name wireguard \ + --cap-add NET_ADMIN \ + --cap-add SYS_MODULE \ + --sysctl net.ipv4.conf.all.src_valid_mark=1 \ + -v /path/to/your/config.conf:/etc/wireguard/wg0.conf \ + jordanpotter/wireguard ``` Afterwards, you can link other containers to this one: ```bash -docker run -it --rm \ - --net=container:wireguard \ - appropriate/curl http://httpbin.org/ip +$ docker run --rm \ + --net=container:wireguard \ + curlimages/curl ifconfig.io ``` ## Docker Compose 
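Review bot: the bind mount in the new Docker example, `-v /path/to/your/config.conf:/etc/wireguard/wg0.conf`, hands the container read-write access to a file that holds the interface's private key; since the container only needs to read it, append `:ro` (`-v /path/to/your/config.conf:/etc/wireguard/wg0.conf:ro`) here and in the Docker Compose and Local Network examples so a compromised container cannot rewrite the key or the peer list. The rename of the mount target from `mullvad.conf` to `wg0.conf` also goes unexplained: if the entrypoint expects the interface to be named `wg0`, say so in the sentence above the block, otherwise a reader who keeps their provider's filename will get a non-obvious failure. Two smaller points: the install link `http://wireguard.com/install` is served over plain HTTP in a document about encrypting traffic, so `https://www.wireguard.com/install/` would be the better reference; and `curlimages/curl ifconfig.io` has no scheme, so curl defaults to `http://`; writing `https://ifconfig.io` avoids a plaintext request in the one example readers will copy to verify the tunnel.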
@@ -40,51 +42,64 @@ services: sysctls: net.ipv4.conf.all.src_valid_mark: 1 volumes: - - /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf + - /path/to/your/config.conf:/etc/wireguard/wg0.conf restart: unless-stopped curl: - image: appropriate/curl - command: http://httpbin.org/ip + image: curlimages/curl + command: ifconfig.io network_mode: service:wireguard depends_on: - wireguard ``` +## Podman + +```bash +$ podman run --name wireguard \ + --cap-add NET_ADMIN \ + --cap-add NET_RAW \ + --sysctl net.ipv4.conf.all.src_valid_mark=1 \ + -v /path/to/your/config.conf:/etc/wireguard/wg0.conf \ + docker.io/jordanpotter/wireguard +``` + +Afterwards, you can link other containers to this one: + +```bash +$ podman run --rm \ + --net=container:wireguard \ + docker.io/curlimages/curl ifconfig.io +``` + ## Local Network If you wish to allow traffic to your local network, specify the subnet(s) using the `LOCAL_SUBNETS` environment variable: ```bash -docker run --name wireguard \ - --cap-add NET_ADMIN \ - --cap-add SYS_MODULE \ - --sysctl net.ipv4.conf.all.src_valid_mark=1 \ - -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \ - -e LOCAL_SUBNETS=10.1.0.0/16,10.2.0.0/16,10.3.0.0/16 \ - jordanpotter/wireguard +$ docker run --name wireguard \ + --cap-add NET_ADMIN \ + --cap-add SYS_MODULE \ + --sysctl net.ipv4.conf.all.src_valid_mark=1 \ + -v /path/to/your/config.conf:/etc/wireguard/wg0.conf \ + -e LOCAL_SUBNETS=10.1.0.0/16,10.2.0.0/16,10.3.0.0/16 \ + jordanpotter/wireguard ``` -Additionally, you can expose ports to allow your local network to access services linked to the Wireguard container: +Additionally, you can expose ports to allow your local network to access services linked to the WireGuard container: ```bash -docker run --name wireguard \ - --cap-add NET_ADMIN \ - --cap-add SYS_MODULE \ - --sysctl net.ipv4.conf.all.src_valid_mark=1 \ - -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \ - -p 8080:80 \ - jordanpotter/wireguard +$ docker run --name 
wireguard \ + --cap-add NET_ADMIN \ + --cap-add SYS_MODULE \ + --sysctl net.ipv4.conf.all.src_valid_mark=1 \ + -v /path/to/your/config.conf:/etc/wireguard/wg0.conf \ + -p 8080:80 \ + jordanpotter/wireguard ``` ```bash -docker run -it --rm \ - --net=container:wireguard \ - nginx +$ docker run --rm \ + --net=container:wireguard \ + nginx ``` - -## Versioning - -Wireguard is new technology and its behavior may change in the future. For this reason, it's recommended to specify an image tag when running this container, such as `jordanpotter/wireguard:2.1.4`. - -The available tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags).
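Review bot: the new Podman block grants `--cap-add NET_RAW` where the Docker block grants `--cap-add SYS_MODULE`, and nothing in the README explains the difference. `SYS_MODULE` allows the container to load arbitrary kernel modules, which is far more than a VPN client needs; since the introduction already states that WireGuard must be installed on the host, please either document why Docker still needs `SYS_MODULE` or drop it from the Docker, Compose and Local Network examples too, and state which capability Podman users should add when they adapt the `LOCAL_SUBNETS` and `-p 8080:80` examples, which are still Docker-only. Separately, the removal of the whole `## Versioning` section also removes the advice to pin an image tag such as `jordanpotter/wireguard:2.1.4`; if the "new technology" wording is stale, keep the tag-pinning recommendation (and the tags link) in a shorter form rather than deleting it, since running an unpinned `latest` for a kill-switch container is exactly where a silent image change hurts.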