WireGuard Setup Guide - ajgillis04/GillisDockerDepot GitHub Wiki

WireGuard Setup Guide

Introduction

WireGuard is a fast, modern, and secure VPN tunnel that provides ease of use and high performance. It is available for various platforms including Windows, Linux, macOS, iOS, and Android.

Table of Contents

Docker/Linux Setup

Prerequisites

  • Docker installed (optional, for containerized setup)

Configuration Steps

Step 1: Installation

  1. Docker: My preferred use case continue to Step 2
  2. Windows: Download the installer from the official WireGuard website and follow the installation instructions.
  3. Linux: Use your package manager to install WireGuard. For example, on Ubuntu:
    sudo apt install wireguard
    

Step 2: Setup Docker WireGuard

  1. Open wireguard.yaml and update the unique to you settings
  2. ALLOWEDIPS: 0.0.0.0/0,<your networks IP range
  3. PEERDNS: ${PIHOLE_PRI} - This is optional, this will make sure everyone who connects to the VPN will use PIHole
  4. INTERNAL_SUBNET: <Choose an IP range for your VPN clients ie) 192.168.10.0
  5. PEERS: <Give each peer you intend to connect with a name here. You can add more later)
  6. Save wireguard.yaml
  7. Re-create the container
    docker compose -p mediaserver -f docker-compose-server<num>.yaml up --detach
    

Pi-hole WireguardYAML

Useful Commands

Steps to Reset WireGuard Keys

Follow these steps to reset the private and public keys for a WireGuard peer:

  1. Generate New Private Key:

    wg genkey | tee /path/to/new_private_key
    
  2. Generate New Public Key from Private Key:

    • Note, if you get Permission denied set the permissions to write for the file.
    wg pubkey < /path/to/new_private_key > /path/to/new_public_key
    
  3. Update WireGuard Configuration File:

    • Update your WireGuard configuration file (wg0.conf or similar) with the new keys.
  4. Restart WireGuard Interface:

    • Restart the WireGuard interface to apply the changes.
    sudo wg-quick down wg0
    sudo wg-quick up wg0
    
  5. Update Peers:

    • Inform the affected peer(s) to update their configuration with the new public key.

Windows WireGuard Server Setup (Full Tunnel, Stable, No ICS)

This guide describes how to run a reliable WireGuard VPN server on Windows that:

  • Provides full internet access to VPN clients
  • Allows VPN clients to reach all LAN devices
  • Survives reboots
  • Avoids ICS, IPv6 hacks, and brittle PostUp scripts
  • Uses Windows’ built‑in NAT for clean routing
  • Keeps the Windows host’s internet stable

============================================================ Prerequisites

  • Windows 10 or 11
  • Administrator access
  • WireGuard installed: https://www.wireguard.com/install
  • Router port‑forwarding for UDP 51820
  • Static IP or Dynamic DNS (DuckDNS, No‑IP, Cloudflare, etc.)

============================================================ Port Forwarding

Forward UDP 51820 to your Windows host:

Protocol: UDP
External Port: 51820
Internal IP: Your Windows server (e.g., 192.168.x.x)
Internal Port: 51820

If your WAN IP changes, use a dynamic DNS hostname in your client config.

============================================================ Step 1 — Install WireGuard

  1. Install WireGuard for Windows
  2. Open the GUI
  3. Add → “Add empty tunnel”
  4. Save as wg-server.conf

============================================================ Step 2 — Create Server Configuration

[Interface]
PrivateKey = <server private key>
Address = 10.9.0.1/24
ListenPort = 51820
DNS = 192.168.x.x

# Add one [Peer] per client
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.9.0.2/32

Notes:

  • Server does NOT need AllowedIPs = 0.0.0.0/0
  • Server does NOT need PostUp/PostDown rules
  • Server does NOT need IPv6 disabled

============================================================ Step 3 — Register the Tunnel as a Service

"C:\Program Files\WireGuard\wireguard.exe" /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\wg-server.conf.dpapi"

Verify in services.msc:

  • WireGuard Tunnel: wg-server
  • Startup type: Automatic

============================================================ Step 4 — Enable IP Forwarding

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name IPEnableRouter -Value 1

Reboot required.

============================================================ Step 5 — Create NAT for VPN Subnet (Full Tunnel Required)

This NAT rule allows VPN clients to use your Windows PC’s internet connection.

New-NetNat -Name "WG-NAT" -InternalIPInterfaceAddressPrefix 10.9.0.0/24

Notes:

  • NAT applies ONLY to 10.9.0.x
  • Does NOT affect the Windows host’s own internet
  • Safe to leave active even when WireGuard is stopped

============================================================ Step 6 — Enable Forwarding on Interfaces

Replace "ethernet name" with the exact name shown in Get-NetAdapter.

Set-NetIPInterface -InterfaceAlias "wg-server" -Forwarding Enabled
Set-NetIPInterface -InterfaceAlias "ethernet name" -Forwarding Enabled

============================================================ Step 7 — Add Firewall Rules

Allow inbound WireGuard:

New-NetFirewallRule -DisplayName "WireGuard UDP 51820" -Direction Inbound -Protocol UDP -LocalPort 51820 -Action Allow

Allow VPN → LAN:

New-NetFirewallRule -DisplayName "WG LAN Access" -Direction Inbound -Action Allow -InterfaceAlias "wg-server"

Allow LAN → VPN replies (optional):

New-NetFirewallRule -DisplayName "LAN to WG" -Direction Outbound -Action Allow -InterfaceAlias "ethernet name"

============================================================ Step 8 — Create Client Configuration

Example (Android/iPhone):

[Interface]
PrivateKey = <client private key>
Address = 10.9.0.2/32
DNS = 192.168.x.x
MTU = 1280

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Notes:

  • 0.0.0.0/0 gives full internet + LAN access
  • Adding 192.168.x.0/24 is optional and redundant

============================================================ Step 9 — Test Connectivity

From the client:

ping 192.168.2.1
ping 192.168.2.12
nslookup google.com 192.168.2.12
curl https://icanhazip.com

Expected results:

  • LAN devices respond
  • DNS resolves via Pi‑hole
  • Public IP matches your home WAN
  • Internet works normally

============================================================ Summary

This updated guide:

  • Removes ICS (unreliable, breaks after reboots)
  • Removes IPv6 disabling (unnecessary, harmful)
  • Removes PostUp/PostDown hacks
  • Uses Windows NAT (stable, supported, clean)
  • Ensures full LAN access for VPN clients
  • Keeps the Windows host’s internet stable
  • Matches your actual working setup exactly

Windows WireGuard Server Setup (Full Tunnel, Stable, No ICS)

This guide describes how to run a reliable WireGuard VPN server on Windows that:

  • Provides full internet access to VPN clients
  • Allows VPN clients to reach all LAN devices
  • Survives reboots
  • Avoids ICS, IPv6 hacks, and brittle PostUp scripts
  • Uses Windows’ built‑in NAT for clean routing
  • Keeps the Windows host’s internet stable

============================================================ Prerequisites

  • Windows 10 or 11
  • Administrator access
  • WireGuard installed: https://www.wireguard.com/install
  • Router port‑forwarding for UDP 51820
  • Static IP or Dynamic DNS (DuckDNS, No‑IP, Cloudflare, etc.)

============================================================ Port Forwarding

Forward UDP 51820 to your Windows host:

Protocol: UDP
External Port: 51820
Internal IP: Your Windows server (e.g., 192.168.x.x)
Internal Port: 51820

If your WAN IP changes, use a dynamic DNS hostname in your client config.

============================================================ Step 1 — Install WireGuard

  1. Install WireGuard for Windows
  2. Open the GUI
  3. Add → “Add empty tunnel”
  4. Save as wg-server.conf

============================================================ Step 2 — Create Server Configuration

[Interface]
PrivateKey = <server private key>
Address = 10.9.0.1/24
ListenPort = 51820
DNS = 192.168.x.x

# Add one [Peer] per client
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.9.0.2/32

Notes:

  • Server does NOT need AllowedIPs = 0.0.0.0/0
  • Server does NOT need PostUp/PostDown rules
  • Server does NOT need IPv6 disabled

============================================================ Step 3 — Register the Tunnel as a Service

"C:\Program Files\WireGuard\wireguard.exe" /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\wg-server.conf.dpapi"

Verify in services.msc:

  • WireGuard Tunnel: wg-server
  • Startup type: Automatic

============================================================ Step 4 — Enable IP Forwarding

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name IPEnableRouter -Value 1

Reboot required.

============================================================ Step 5 — Create NAT for VPN Subnet (Full Tunnel Required)

This NAT rule allows VPN clients to use your Windows PC’s internet connection.

New-NetNat -Name "WG-NAT" -InternalIPInterfaceAddressPrefix 10.9.0.0/24

Notes:

  • NAT applies ONLY to 10.9.0.x
  • Does NOT affect the Windows host’s own internet
  • Safe to leave active even when WireGuard is stopped

============================================================ Step 6 — Enable Forwarding on Interfaces

Replace "ethernet name" with the exact name shown in Get-NetAdapter.

Set-NetIPInterface -InterfaceAlias "wg-server" -Forwarding Enabled
Set-NetIPInterface -InterfaceAlias "ethernet name" -Forwarding Enabled

============================================================ Step 7 — Add Firewall Rules

Allow inbound WireGuard:

New-NetFirewallRule -DisplayName "WireGuard UDP 51820" -Direction Inbound -Protocol UDP -LocalPort 51820 -Action Allow

Allow VPN → LAN:

New-NetFirewallRule -DisplayName "WG LAN Access" -Direction Inbound -Action Allow -InterfaceAlias "wg-server"

Allow LAN → VPN replies (optional):

New-NetFirewallRule -DisplayName "LAN to WG" -Direction Outbound -Action Allow -InterfaceAlias "ethernet name"

============================================================ Step 8 — Create Client Configuration

Example (Android/iPhone):

[Interface]
PrivateKey = <client private key>
Address = 10.9.0.2/32
DNS = 192.168.x.x
MTU = 1280

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Notes:

  • 0.0.0.0/0 gives full internet + LAN access
  • Adding 192.168.x.0/24 is optional and redundant

============================================================ Step 9 — Test Connectivity

From the client:

ping 192.168.2.1
ping 192.168.2.12
nslookup google.com 192.168.2.12
curl https://icanhazip.com

Expected results:

  • LAN devices respond
  • DNS resolves via Pi‑hole
  • Public IP matches your home WAN
  • Internet works normally

============================================================ Summary

This updated guide:

  • Removes ICS (unreliable, breaks after reboots)
  • Removes IPv6 disabling (unnecessary, harmful)
  • Removes PostUp/PostDown hacks
  • Uses Windows NAT (stable, supported, clean)
  • Ensures full LAN access for VPN clients
  • Keeps the Windows host’s internet stable
  • Matches your actual working setup exactly

Optional: Monitor Tunnel

.\wg.exe show
or
"C:\Program Files\WireGuard\wg.exe" show

Shows:

  • Latest handshake
  • RX/TX stats
  • Peer endpoint and status


### Troubleshooting
**Common Issues**:⚠️ July 2025, Note for Docker/Alpine Users
If you're using the linuxserver/wireguard container image and encountered issues around July 2025 (like WireGuard tunnels not passing traffic), it may be due to changes in Alpine base image or iptables configuration.
The image tagged 1.0.20250521-r0-ls81 introduced breaking changes — rolling back to 1.0.20210914-r4-ls80 resolved it for many.
To avoid future breakage, consider pinning your WireGuard image tag explicitly in docker-compose.yaml, and monitor the [GitHub repo](https://github.com/linuxserver/docker-wireguard) for updates or changelogs.

**Logs**: Check container logs (docker logs <container_name>) for error messages related to iptables, interfaces, or peer connections.

✘ Wireguard Error manifest unknown Error response from daemon: manifest unknown


**Support**: Monitor the [GitHub repo](https://github.com/linuxserver/docker-wireguard) for updates or changelogs.
⚠️ **GitHub.com Fallback** ⚠️