Rocky通过Docker部署WireGuard

宿主机载入指定的模块

vi /etc/modules-load.d/iptables.conf

写入以下两行(该文件只在开机时由 systemd-modules-load 读取;若要立即生效,需重启或用 modprobe 手动加载这些模块)

ip_tables
iptable_nat

V15版本还需要加一行

ip6table_nat

 

通过Docker-Compose运行容器

V14版本

# Docker Compose definition for one wg-easy container (WireGuard plus its web
# admin UI) attached to a Compose-managed network.
services:
  wg_easy:
    # NOTE(review): no tag or digest is given, so every pull takes whatever
    # `latest` currently points to. Pin a version or digest so a redeploy
    # cannot silently change the code running with the capabilities below.
    image: weejewel/wg-easy
    container_name: wg_easy
    environment:
      WG_HOST: x.x.x.x # public IP of the server (placeholder)
      # The admin password sits in this file in plaintext: keep the file out
      # of version control and readable only by the deploying user. Whoever
      # logs in to the UI can create peers and download client configs, so
      # use a long random value.
      # NOTE(review): newer wg-easy releases take a bcrypt hash through
      # PASSWORD_HASH instead of PASSWORD; check the docs of the image
      # version actually pulled.
      PASSWORD: xxxx # web admin UI password (placeholder)
      WG_DEFAULT_ADDRESS: 172.26.34.x # address range of the VPN subnet
      WG_DEFAULT_DNS: 211.138.180.3, 211.138.180.2 # DNS servers handed to clients
      WG_PERSISTENT_KEEPALIVE: 30
      # Only these two prefixes are routed through the tunnel by clients.
      WG_ALLOWED_IPS: 172.26.34.0/24, 192.168.1.0/24 # networks clients may reach
    volumes:
      # Holds the server and peer configuration, including private keys;
      # protect the host directory accordingly.
      - ./.wg-easy:/etc/wireguard
    networks:
      - network
    ports:
      # NOTE(review): wg-easy writes WG_PORT (default 51820) into generated
      # client configs as the endpoint port. With host port 21820 published
      # here, WG_PORT presumably has to be set to match; confirm against the
      # image version in use.
      - "21820:51820/udp" # WireGuard tunnel; the host port can be changed
      # The admin UI is published on every host interface and no TLS is
      # configured in this file. Restrict it with the host firewall, or bind
      # it to loopback ("127.0.0.1:21821:51821/tcp") and reach it through the
      # VPN or a TLS-terminating reverse proxy.
      - "21821:51821/tcp" # web admin UI; the host port can be changed
    cap_add:
      # NET_ADMIN: needed to create the WireGuard interface and firewall rules.
      - NET_ADMIN
      # SYS_MODULE: lets the container load kernel modules into the host
      # kernel, which is a broad privilege.
      # NOTE(review): the host already loads the iptables modules at boot, so
      # this may be removable; test before dropping it.
      - SYS_MODULE
    sysctls:
      # Kernel parameters set for the container's network namespace.
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: always
networks:
  network:
    # external: false means Compose creates and owns this network.
    external: false

V15版本

# Docker Compose definition for the "V15" container with IPv6 forwarding
# enabled, attached to an IPv6-enabled bridge network.
services:
  wireguard:
    environment:
      # PORT matches the TCP port published below; presumably the web admin
      # UI port. Confirm against the image's docs.
      - PORT=11821
      # NOTE(review): in upstream wg-easy v15, INSECURE=true allows the admin
      # UI to be used over plain HTTP. With 11821 published on all interfaces,
      # admin credentials and session cookies then cross the network
      # unencrypted. Prefer a TLS-terminating reverse proxy and drop this
      # flag, or restrict 11821 to a trusted network.
      - INSECURE=true
    # NOTE(review): this repository name differs from the wg-easy project's
    # own image; presumably a third-party rebuild. The container receives
    # NET_ADMIN, SYS_MODULE and the host's /lib/modules, so verify the
    # publisher and pin the image by digest rather than by tag.
    image: erballoon/wireguard:v15-20250307
    container_name: wireguard
    networks:
      network:
    volumes:
      # Holds the WireGuard configuration, including private keys; protect
      # the host directory accordingly.
      - ./conf:/etc/wireguard
      # Host kernel modules, mounted read-only; used together with SYS_MODULE.
      - /lib/modules:/lib/modules:ro
    ports:
      # Assumes WireGuard listens on 11820 inside the container. TODO confirm
      # the listen port configured in the image or admin UI.
      - "11820:11820/udp"
      # Web admin UI, published on every host interface; see the INSECURE
      # note above.
      - "11821:11821/tcp"
    restart: always
    cap_add:
      # NET_ADMIN: needed to create the WireGuard interface and firewall rules.
      - NET_ADMIN
      # SYS_MODULE: lets the container load kernel modules into the host
      # kernel, which is a broad privilege.
      # NOTE(review): may be removable when the host already loads the
      # required modules at boot; test before dropping it.
      - SYS_MODULE
    sysctls:
      # Kernel parameters set for the container's network namespace: IPv4
      # forwarding, then IPv6 enabled with forwarding on.
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  network:
    driver: bridge
    # IPv6 is enabled on the bridge; no subnet is given, so address
    # assignment is left to the default IPAM driver.
    enable_ipv6: true
    ipam:
      driver: default

 
