• Cloud Edge Secure Access
• Welcome to SonicWall Cloud Edge!
• Prerequisites
• Installation
  • Accessing the Client Management Console
  • Installation Methods
• Networks
  • Understanding Networks
  • SDP Networks
  • Regions and Gateways
    • Adding a region
    • Adding a gateway
  • Connecting Infrastructure
    • Prerequisites
    • Site-to-Site Connections
    • IPsec Tunnel
    • WireGuard Connector
    • Connect On-Prem Resources
      • Firewalls
        • SonicWall
    • Connect Cloud Resources
      • Amazon AWS
        • AWS Virtual Gateway
        • AWS Transit Gateway
      • Alibaba Cloud
      • Microsoft Azure
      • Google Cloud Platform
      • Heroku Enterprise
      • IBM Cloud
      • Docker
• Groups and Members
  • Members
    • Inviting Members
    • Password Requirements
    • Managing Roles
  • Groups
    • Managing Groups
    • Identity Provider Groups
  • Identity Providers (IdP)
    • Integrate Identity Providers
    • Azure AD
      • Azure Active Directory (SAML 2.0)
      • Azure Active Directory
    • Google Suite
      • Google Services
      • Google Apps (SAML 2.0)
    • On-Premises Active Directory
    • SAML 2.0
      • Generic SAML
      • Active Directory Federation Services (ADFS)
      • Auth0
      • Okta
      • OneLogin
      • PingIdentity
      • JumpCloud
• Securing the Platform
  • Securing Networks
    • Segmenting Networks
    • Device Posture Check
    • Network Traffic Control
    • Firewall-as-a-Service
  • Securing User Access
    • Multi-Factor Authentication
      • MFA Authentication
      • DUO Security
    • Agent-less Access
      • Zero Trust Application
        • HTTP/HTTPS
        • RDP (Remote Desktop Protocol)
        • SSH (Secure Shell)
        • VNC (Virtual Network Computing)
      • Zero Trust Policies and Rules
    • Agent-based Access
      • SonicWall Agents
        • Downloading and Installation
      • Agents Configuration
        • User-Groups Policies
        • Managing Configurations
        • General Configurations
        • Network Configuration
        • OS-Specific Configurations
• Monitoring
  • Activity Tracking
    • Activities and Logs
    • Member Devices
  • Monitoring Dashboard
  • Integrations
    • Amazon S3
    • Azure Sentinel
    • Splunk Cloud
• Compliance
  • HIPAA
  • GDPR
  • SOC 2 Type 2
• SonicWall Support
  • About This Document

Docker

Docker enables more efficient use of system resources, application portability and shines for microservices architecture. This article helps in setting up WireGuard tunnel using a docker container. The WireGuard tunnel over docker container is able to support any system capable of running Docker.

Basic docker container for WireGuard can run its own container. We download our Cloud Edge peer configuration file for WireGuard and mount it on a shared folder to its location on the docker host in order to share it with the docker container. This will bring the connectivity of docker containers to Cloud Edge and we can securely access resources of docker container via Cloud Edge.

1. Install docker docker on your OS.

2. Create a barebones config YAML file for your docker container, "docker-compose.yaml”, as per OS type and copy to the location mentioned in the script “Volumes” below:

   Linux Version

   ---
   version: "2.1"
   services:
     wireguard:
       image: ghcr.io/linuxserver/wireguard
       container_name: wireguard
       cap_add:
         - NET_ADMIN
         - SYS_MODULE
       environment:
         - PUID=1000
         - PGID=1000
         - TZ=America/New_York
       volumes:
         - /var/tmp/config:/config
         - /lib/modules:/lib/modules
       ports:
         - 8000:8000/udp
       sysctls:
         - net.ipv4.conf.all.src_valid_mark=1
       restart: unless-stopped
   

   You can change the Time Zone as per your docker container. By default this script will set to America / New York. Similarly you can set the volumes as per the location of this YAML config on your OS.

   Windows Version

   ---
   version: "2.1"
   services:
     wireguard:
       image: ghcr.io/linuxserver/wireguard
       container_name: wireguard
       cap_add:
         - NET_ADMIN
         - SYS_MODULE
       environment:
         - PUID=1000
         - PGID=1000
         - TZ=America/New_York
       volumes:
         - C://wgConfig:/config
         - /lib/modules:/lib/modules
       ports:
         - 8000:8000/udp
       sysctls:
         - net.ipv4.conf.all.src_valid_mark=1
       restart: unless-stopped
   

3. Create a “wg0.conf” file using the Cloud Edge peer wireguard and copy the file as per the location mentioned in the volumes above.

4. Login to Cloud Edge as admin and configure WireGuard connector to the desired network.

   

5. Copy the URL in the configuration tab of the WireGuard connector on Cloud Edge.

   

   Don't copy the command from this article as each tunnel will have a different URL and configuration file.

6. Paste the URL into a web browser and download the config file.

7. Open the config and copy the Interface information as highlighted in the screen shot below. Next copy and paste the code to the “wg0.conf” file.

   

8. Copy the Cloud Edge peer for wireguard, "CONFIG_" from the config file. See the screen shot below of the config file and fill the details to the “wg0.conf” file.

   

9. Fill all data to the "wg0.conf" file as shown in the screenshot below.

   

10. Run the following command from command prompt or terminal as admin. Make sure to run this from the directory where “dockercompose.yaml” is saved.

    

11. The docker container is up and running with the wireguard configuration.

    

12. You can verify the Wireguard tunnel status from Cloud Edge.

    

Troubleshooting

1. Connect to your Cloud Edge VPN agent or with the ZTNA application on any machine.

2. Open the terminal and run the following command:

   ping XXX.XXX.XXX.XXX - internal resource!

3. If the ping command fails, make sure that port UDP/8000 is not blocked in your docker container, and that you went through all the below steps:

   • Make sure the received bytes field fluctuates and increases. Wireguard will only communicate to an authenticated neighbor.

   • Ping the other side of the tunnel interface. If it works, then it's most likely your local firewall settings on the docker container.

4. Edit the WireGuard network settings (endpoint and subnet) later for restrict the specific network subnet or resources from your docker container. You can find the subnet/network details of the docker container by going to CLI.