Docker makes more efficient use of system resources, makes applications portable, and is a natural fit for microservice architectures. This article explains how to set up a WireGuard tunnel inside a Docker container. Because the tunnel runs in a container, it works on any system that can run Docker. The WireGuard image runs in its own container; we download the Cloud Edge peer configuration file for WireGuard and place it in a folder on the Docker host that is mounted into the container. This brings the container's connectivity to Cloud Edge, so resources running in the container can be accessed securely through Cloud Edge.
Install Docker on your OS: get Docker, then install and configure it for your operating system.
Create a barebones config YAML file for your Docker container, "docker-compose.yaml", matching your OS type, and copy it to the location given under "volumes" in the script below.
NOTE: You can change the time zone (TZ) to suit your Docker container; by default this script sets it to America/New_York. Likewise, set the volumes to the location of this YAML config on your OS.
Copy the Cloud Edge peer for WireGuard from the configuration file. It starts with "CONFIG_"; see the screenshot of the config file and fill the details into the wg0.conf file.
After filling in all the data, the "wg0.conf" file will look like the one below.
Run the following command from a command prompt or terminal (as admin). Make sure to run it from the directory where docker-compose.yaml resides:
docker-compose up -d
The Docker container is now up and running with the WireGuard configuration.
We can verify the WireGuard tunnel status from Cloud Edge:
Connect to your Cloud Edge VPN agent or with the ZTNA application(s) (you can do this from any machine).
Open the terminal and run the following command, replacing the placeholder with the IP address of an internal resource:
ping XXX.XXX.XXX.XXX
If the ping command fails, make sure that port UDP/8000 is not blocked for your Docker container, and that you have gone through all the steps.
Make sure the received-bytes field of the WireGuard peer fluctuates and increases. WireGuard only exchanges traffic with an authenticated peer, so a received-bytes counter that stays at zero means the handshake with Cloud Edge has not completed.
Ping the other side of the tunnel interface; if that works, the problem is most likely the local firewall settings on the Docker container.
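The "received bytes must increase" check above can be scripted instead of read off by eye. The following is an added example, not part of the original article or of any WireGuard image: it takes two snapshots of wg show transfer from inside the container, compares the per-peer received-bytes counters, and fails if no peer received anything. It assumes Compose v2 (docker compose; use docker-compose with v1), a compose service named wireguard, and the interface name wg0; all three are assumptions, adjust them to your docker-compose.yaml.

```shell
#!/bin/sh
# wg-check.sh: verify that the containerised WireGuard peer receives traffic.
# Assumed names (adjust to your docker-compose.yaml): service "wireguard", interface "wg0".
set -eu
SERVICE="${WG_SERVICE:-wireguard}"
IFACE="${WG_IFACE:-wg0}"

# One snapshot of `wg show <iface> transfer`, one line per peer:
#   <peer public key><TAB><received bytes><TAB><sent bytes>
snapshot() {
    docker compose exec -T "$SERVICE" wg show "$IFACE" transfer
}

# rx_delta BEFORE AFTER -> prints "<peer> <received-bytes increase>" per peer in AFTER.
# A peer missing from BEFORE counts from 0. An increase of 0 means nothing came
# back from Cloud Edge (handshake not done, UDP/8000 blocked, wrong peer key).
rx_delta() {
    before="$1"; after="$2"
    printf '%s\n' "$after" | while IFS="$(printf '\t')" read -r peer rx_now _tx; do
        [ -n "$peer" ] || continue
        rx_old=$(printf '%s\n' "$before" | awk -F'\t' -v p="$peer" '$1 == p { print $2; exit }')
        printf '%s %s\n' "$peer" "$((rx_now - ${rx_old:-0}))"
    done
}

# tunnel_ok BEFORE AFTER -> exit 0 if at least one peer received more bytes, else 1.
tunnel_ok() {
    rx_delta "$1" "$2" | awk '$2 > 0 { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

main() {
    first=$(snapshot)
    sleep 5            # let keepalives or your ping test generate traffic
    second=$(snapshot)
    if tunnel_ok "$first" "$second"; then
        echo "tunnel is passing traffic (received-bytes increase per peer):"
        rx_delta "$first" "$second"
    else
        echo "no bytes received from any peer; check UDP/8000 reachability and wg0.conf" >&2
        exit 1
    fi
}

# Run the live check only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```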
You can later edit the WireGuard network settings (endpoint and subnet) to restrict the tunnel to a specific network subnet or set of resources from your Docker container. You can find the subnet/network details of the Docker container from the CLI.