Cloud Edge Secure Access Getting Started Guide

Docker

Docker enables more efficient use of system resources and application portability, and it shines for microservice architectures. This article walks through setting up a WireGuard tunnel to Cloud Edge inside a Docker container. Because the tunnel runs in the container, it works on any system capable of running Docker.

WireGuard runs in its own container. We download our Cloud Edge peer configuration file for WireGuard and place it in a folder on the Docker host that is mounted into the container as a shared volume. This connects the Docker container to Cloud Edge, so resources in the container can be accessed securely through Cloud Edge.

  1. Install Docker on your OS.
  2. Create a barebones YAML config file for your docker container, "docker-compose.yaml", for your OS type and copy it to the location mentioned under "volumes" in the file below:

    Linux Version

    ---
    version: "2.1"
    services:
      wireguard:
        image: ghcr.io/linuxserver/wireguard
        container_name: wireguard
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=America/New_York
        volumes:
          - /var/tmp/config:/config
          - /lib/modules:/lib/modules
        ports:
          - 8000:8000/udp
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped
    

    You can change the time zone (TZ) to match your Docker host; by default this file sets it to America/New_York. Similarly, adjust the host side of the /config volume to the directory where you keep the configuration on your OS.

    Windows Version

    ---
    version: "2.1"
    services:
      wireguard:
        image: ghcr.io/linuxserver/wireguard
        container_name: wireguard
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=America/New_York
        volumes:
          - C://wgConfig:/config
          - /lib/modules:/lib/modules
        ports:
          - 8000:8000/udp
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped
    
  3. Create a "wg0.conf" file from the Cloud Edge WireGuard peer configuration and copy it to the host directory mapped to /config in the volumes above.

  4. Login to Cloud Edge as admin and configure WireGuard connector to the desired network.

  5. Copy the URL in the configuration tab of the WireGuard connector on Cloud Edge.

    Don't copy the command from this article as each tunnel will have a different URL and configuration file.

  6. Paste the URL into a web browser and download the config file.

  7. Open the config and copy the Interface information as highlighted in the screenshot below. Next, copy and paste it into the "wg0.conf" file.

  8. Copy the Cloud Edge peer for WireGuard, "CONFIG_", from the config file. See the screenshot of the config file below and fill the details into the "wg0.conf" file.

  9. Fill all data to the "wg0.conf" file as shown in the screenshot below.

  10. Run the following command from a command prompt or terminal as admin. Make sure to run it from the directory where "docker-compose.yaml" is saved.

  11. The docker container is now up and running with the WireGuard configuration.

  12. You can verify the WireGuard tunnel status from Cloud Edge.
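The steps above amount to one procedure: assemble wg0.conf, place it in the /config volume, and bring the container up. The script below is an added example, not part of this guide or of the linuxserver/wireguard project. It checks that the assembled wg0.conf carries every key WireGuard needs, restricts the file to the owner (it holds the tunnel's private key) and prints the tunnel address to use later when pinging the other side. It assumes the Linux volume path /var/tmp/config from the compose file above, the container name "wireguard" from that file, and Docker Compose v2 ("docker compose"); the bring-up step runs only when WG_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the guide): validate and lock down wg0.conf before
# the container mounts it, then start the container.
# Assumptions: CONFIG_DIR matches the host side of the /config volume in
# docker-compose.yaml (Linux default below), container is named "wireguard".

CONFIG_DIR="${CONFIG_DIR:-/var/tmp/config}"

# Return 0 if the file has an [Interface] and a [Peer] section and every key this
# setup needs (PrivateKey, Address, PublicKey, Endpoint, AllowedIPs); else 1.
check_wg_conf() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    rc=0
    grep -q '^\[Interface\]' "$f" || { echo "wg0.conf: no [Interface] section" >&2; rc=1; }
    grep -q '^\[Peer\]' "$f"      || { echo "wg0.conf: no [Peer] section" >&2; rc=1; }
    for key in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$f" \
            || { echo "wg0.conf: missing $key" >&2; rc=1; }
    done
    return $rc
}

# The file contains the private key: make it readable by its owner only and
# confirm the mode actually took effect (e.g. not on a mount that ignores chmod).
harden_perms() {
    chmod 600 "$1" && find "$1" -perm 600 | grep -q .
}

# Print the tunnel-side address from [Interface]; this is the address on "our"
# side of the tunnel that the troubleshooting section refers to.
wg_address() {
    sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Bring the tunnel up only when explicitly asked, from the directory that
# holds docker-compose.yaml.
if [ "${WG_APPLY:-0}" = "1" ]; then
    check_wg_conf "$CONFIG_DIR/wg0.conf" || exit 1
    harden_perms "$CONFIG_DIR/wg0.conf" || exit 1
    echo "tunnel address: $(wg_address "$CONFIG_DIR/wg0.conf")"
    docker compose up -d
    docker exec wireguard wg show wg0
fi
```

Run it as `WG_APPLY=1 sh wg-up.sh` from the compose directory; without WG_APPLY it only defines the functions, so the checks can be reused from other scripts.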

Troubleshooting

  1. Connect to your Cloud Edge VPN agent or with the ZTNA application on any machine.

  2. Open the terminal and run the following command:

    ping XXX.XXX.XXX.XXX    (the IP address of an internal resource)

  3. If the ping fails, make sure that UDP/8000 is not blocked for your docker container, and that you went through all of the following checks:

    • Make sure the received-bytes counter for the peer fluctuates and increases. WireGuard will only exchange traffic with an authenticated peer.

    • Ping the other side of the tunnel interface. If that works, the problem is most likely the local firewall settings on the docker container.

  4. Later, edit the WireGuard network settings (endpoint and subnet) to restrict access to the specific network subnet or resources from your docker container. You can find the subnet/network details of the docker container from the CLI.
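The "received bytes keep increasing" check above can be automated. The script below is an added example, not part of this guide: it takes two samples of `wg show wg0 transfer` a few seconds apart plus one of `wg show wg0 latest-handshakes` and reports whether the peer is actually sending authenticated traffic and whether the last handshake is recent. It assumes a single peer on wg0 and the container name "wireguard" from the compose file; the sample lines in the test are constructed. The live sampling runs only when WG_CHECK=1 is set.

```shell
#!/bin/sh
# Added example (not from the guide): tunnel health from wg(8) counters.
# `wg show wg0 transfer` prints one line per peer: <pubkey> <rx-bytes> <tx-bytes>
# `wg show wg0 latest-handshakes` prints: <pubkey> <unix-epoch of last handshake>
# Assumption: one peer on wg0, so the first line is the only one.

rx_bytes() { printf '%s\n' "$1" | awk 'NR==1 {print $2}'; }
hs_epoch() { printf '%s\n' "$1" | awk 'NR==1 {print $2}'; }

# Return 0 when rx grew between the two samples (the peer is sending us traffic
# that passed authentication), 1 when it is flat.
rx_increasing() {
    old=$(rx_bytes "$1"); new=$(rx_bytes "$2")
    [ "$new" -gt "$old" ]
}

# Return 0 when the last handshake happened within max_age seconds of now_epoch.
# A value of 0 means no handshake ever completed. While traffic flows WireGuard
# re-handshakes roughly every two minutes, so three minutes is a safe default.
handshake_fresh() {
    line="$1"; now="$2"; max_age="${3:-180}"
    last=$(hs_epoch "$line")
    [ "$last" -gt 0 ] && [ $((now - last)) -le "$max_age" ]
}

# Live use: sample the running container twice, five seconds apart.
if [ "${WG_CHECK:-0}" = "1" ]; then
    s1=$(docker exec wireguard wg show wg0 transfer)
    sleep 5
    s2=$(docker exec wireguard wg show wg0 transfer)
    hs=$(docker exec wireguard wg show wg0 latest-handshakes)
    if rx_increasing "$s1" "$s2"; then
        echo "rx increasing: peer traffic is arriving"
    else
        echo "rx flat: check UDP/8000 reachability and the peer keys in wg0.conf"
    fi
    if handshake_fresh "$hs" "$(date +%s)"; then
        echo "handshake fresh"
    else
        echo "handshake stale or absent: the peer cannot complete authentication"
    fi
fi
```

A flat rx counter together with a stale handshake points at the UDP/8000 path or a key mismatch; a fresh handshake with flat rx but growing tx points at the firewall or routing on the container side, which is the second check in the list above.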
