Trouble setting up wireguard-ui in docker
By Iain Cuthbertson
[ Edit: fixed by adding UID, GID, and PEER env vars to the wireguard
service: https://github.com/ngoduykhanh/wireguard-ui/issues/473#issuecomment-1793604986 ]
Following a guide to set-up wireguard and wireguard-ui: https://linuxiac.com/how-to-set-up-wireguard-vpn-with-docker/
Server created on DigitalOcean with IPv4 and IPv6 addresses by default.
Configured iptables as per the set-up guide (server also runs another docker based service that opens ports 80, 433, and 9993):
sysops@master-control:~/wireguard$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT udp -- anywhere 172.21.0.2 udp dpt:9993
ACCEPT tcp -- anywhere 172.21.0.4 tcp dpt:https
ACCEPT tcp -- anywhere 172.21.0.4 tcp dpt:http
ACCEPT udp -- anywhere 172.22.0.2 udp dpt:51820
ACCEPT tcp -- anywhere 172.22.0.2 tcp dpt:5000
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Login for the Web UI works via:
- On the host: http://127.0.0.1:5000
- From remote servers with IPv6 connections:
  - http://[IP:v6:ad:dr:es:s]:5000/
  - http://fqdn.dns.entry:5000/
Requests to port 5000 via IPv4, from outside of the server itself, do not show the Web UI login. Instead they sit waiting forever.
I have tested that the firewall is working correctly by using php -S 5000 somefile.php. Going to the fqdn or IPv4 address successfully shows the output of somefile.php.
What I do not understand is why only IPv6 works remotely. And further, why the IPv4 localhost address works locally.
sysops@master-control:~/wireguard$ docker-compose logs wireguard-ui
wireguard-ui | jq: error: Could not open file db/server/global_settings.json: No such file or directory
wireguard-ui | wg-quick: `/etc/wireguard/wg0.conf' does not exist
wireguard-ui | Wireguard UI
wireguard-ui | App Version : dev
wireguard-ui | Git Commit : b55543f
wireguard-ui | Git Ref : N/A
wireguard-ui | Build Time : 11-09-2023 14:10:48
wireguard-ui | Git Repo : https://github.com/ngoduykhanh/wireguard-ui
wireguard-ui | Authentication : true
wireguard-ui | Bind address : 0.0.0.0:5000
wireguard-ui | Email from : <some email address>
wireguard-ui | Email from name : WireGuard
wireguard-ui | Custom wg.conf :
wireguard-ui | Base path : /
wireguard-ui | wg-quick: `/etc/wireguard/wg0.conf' does not exist
wireguard-ui | wg-quick: `/etc/wireguard/wg0.conf' does not exist
wireguard-ui | ⇨ http server started on [::]:5000
This shows that the http server is starting, but only listening to IPv6 connections?!
I’m not sure what the next steps should be in making this set-up work. Suggestions are very welcome 🙂
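
Added example, not part of the original post and not code from the wireguard-ui project: a Go program that binds the same way the log's "Bind address : 0.0.0.0:5000" does and then connects over IPv4. Go's standard net.Listen opens a dual-stack socket for a wildcard address where the OS supports it and reports it as [::]:port, so the "[::]:5000" banner alone does not indicate an IPv6-only listener. The function name is hypothetical, port 0 is used so nothing collides with a real service, and it is an assumption that the wireguard-ui binary listens through the standard library in this way.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"time"
)

// probeWildcardListener (hypothetical helper) listens on the IPv4 wildcard
// address with an ephemeral port, then dials the listener over IPv4 loopback.
// It returns the address Go reports for the listener and whether an IPv4
// client completed a TCP connection to it.
func probeWildcardListener() (string, bool, error) {
	ln, err := net.Listen("tcp", "0.0.0.0:0")
	if err != nil {
		return "", false, err
	}
	defer ln.Close()

	// Accept in the background so client connections are picked up and closed.
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			c.Close()
		}
	}()

	reported := ln.Addr().String() // "[::]:<port>" on a dual-stack host
	port := ln.Addr().(*net.TCPAddr).Port
	target := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))

	// "tcp4" forces an IPv4 client, the path that hangs in the post.
	conn, err := net.DialTimeout("tcp4", target, 2*time.Second)
	if err != nil {
		return reported, false, nil
	}
	conn.Close()
	return reported, true, nil
}

func main() {
	reported, ok, err := probeWildcardListener()
	if err != nil {
		fmt.Println("listen failed:", err)
		return
	}
	fmt.Printf("listener reported as %s, reachable over IPv4: %v\n", reported, ok)
}
```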