engels74/caddy

What is this?

A Docker image with Caddy 2 including DNS modules for Cloudflare, Njalla, and rate limiting. The default configuration restricts access to private IP ranges only.

Note: The Njalla DNS module uses a custom build pending the merge of this upstream PR.

Starting the container¶

clicompose

docker run --rm \
    --name caddy \
    -p 80:8080 \
    -p 443:8443 \
    -e PUID=1000 \
    -e PGID=1000 \
    -e UMASK=002 \
    -e TZ="Etc/UTC" \
    -e CUSTOM_BUILD="" \
    -v /<host_folder_config>:/config \
    ghcr.io/engels74/caddy

services:
  caddy:
    container_name: caddy
    image: ghcr.io/engels74/caddy
    ports:
      - "80:8080"
      - "443:8443"
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Etc/UTC
      - CUSTOM_BUILD
    volumes:
      - /<host_folder_config>:/config

Tags¶

Tags	Description	Last Updated	Age

Custom build¶

If you set the environment variable CUSTOM_BUILD to a file location like for example /config/caddy_linux_amd64_custom, an attempt is made to start Caddy with that binary. The custom build can be obtained from the Caddy download page. This is particularly useful if you need extra modules.

WireGuard¶

Info

This image includes VPN support. The cli/compose examples below are environment variables and settings complementary to the app image examples, this means you'll have to add/merge the stuff below with the stuff above. In case you are still in need of a VPN, consider using my affiliate links for Proton VPN, Proton Mail, Proton Drive, Proton Pass or Private Internet Access.

genericprotonpia

clicompose

docker run --rm \
    --hostname container-name.internal \ #(18)
    -e VPN_ENABLED="true" \ #(5)
    -e VPN_CONF="wg0" \ #(8)
    -e VPN_PROVIDER="generic" \ #(4)
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)
    -e VPN_AUTO_PORT_FORWARD="false" \ #(6)
    -e VPN_AUTO_PORT_FORWARD_TO_PORTS="" \ #(15)
    -e VPN_FIREWALL_TYPE="auto" \ #(17)
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)
    -e VPN_NAMESERVERS="" \ #(16)
    -e PRIVOXY_ENABLED="false" \ #(19)
    -e UNBOUND_ENABLED="false" \ #(21)
    -e UNBOUND_NAMESERVERS="" \ #(22)
    --cap-add=NET_ADMIN \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \ #(12)
    --sysctl="net.ipv6.conf.all.disable_ipv6=1" \ #(3)
    --device /dev/net/tun:/dev/net/tun \ # OPTIONAL(9)
    ...

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
With net.ipv6.conf.all.disable_ipv6=1 all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of ipv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard ipv6 endpoint is currently not supported.
Possible values are generic, proton and pia.
Affiliate links:
Proton VPN
Proton Mail
Proton Drive
Proton Pass
Private Internet Access
There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These will execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
Auto retrieve a forwarded port and configure the supported app if set to true or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.
With VPN_CONF you can set the name used for your WireGuard config. This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't wanna use this workaround.
```
[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32 # Yes, /32 in most cases
DNS = x.x.x.x

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820
```
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however, have a read here for instructions on checking and adding the device.
DANGEROUS! Don't enable unless you know what you are doing!
When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
Required in most cases, on some systems that don't have rp_filter set to strict, it's optional.
Fill in your DIP token here, if you've bought the dedicated ip option.
If you'd like to keep using the same forwarded port until it expires, set this to true.
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like 32400/tcp will use the port from VPN_AUTO_PORT_FORWARD to create the redirect or if set to true the forwarded port from pia/proton. Use 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
Possible values are wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
Possible values are auto, legacy or nftables. The default is auto, this will try to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.
This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp,8118/udp.
This is almost never needed, only in very rare cases (mostly when using PIA).
Enable Unbound by setting to true when VPN is not active.
Possible values are 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

services:
  app:
    hostname: container-name.internal #(18)
    environment:
      - VPN_ENABLED=true #(5)
      - VPN_CONF=wg0 #(8)
      - VPN_PROVIDER=generic #(4)
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)
      - VPN_LAN_LEAK_ENABLED=false #(10)
      - VPN_EXPOSE_PORTS_ON_LAN #(2)
      - VPN_AUTO_PORT_FORWARD=false #(6)
      - VPN_AUTO_PORT_FORWARD_TO_PORTS= #(15)
      - VPN_FIREWALL_TYPE=auto #(17)
      - VPN_HEALTHCHECK_ENABLED=false #(20)
      - VPN_NAMESERVERS= #(16)
      - PRIVOXY_ENABLED=false #(19)
      - UNBOUND_ENABLED=false #(21)
      - UNBOUND_NAMESERVERS #(22)
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1 #(12)
      - net.ipv6.conf.all.disable_ipv6=1 #(3)
    devices:
      - /dev/net/tun:/dev/net/tun # OPTIONAL(9)
    ...

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
With net.ipv6.conf.all.disable_ipv6=1 all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of ipv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard ipv6 endpoint is currently not supported.
Possible values are generic, proton and pia.
Affiliate links:
Proton VPN
Proton Mail
Proton Drive
Proton Pass
Private Internet Access
There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These will execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
Auto retrieve a forwarded port and configure the supported app if set to true or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.
With VPN_CONF you can set the name used for your WireGuard config. This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't wanna use this workaround.
```
[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32 # Yes, /32 in most cases
DNS = x.x.x.x

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820
```
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however, have a read here for instructions on checking and adding the device.
DANGEROUS! Don't enable unless you know what you are doing!
When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
Required in most cases, on some systems that don't have rp_filter set to strict, it's optional.
Fill in your DIP token here, if you've bought the dedicated ip option.
If you'd like to keep using the same forwarded port until it expires, set this to true.
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like 32400/tcp will use the port from VPN_AUTO_PORT_FORWARD to create the redirect or if set to true the forwarded port from pia/proton. Use 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
Possible values are wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
Possible values are auto, legacy or nftables. The default is auto, this will try to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.
This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp,8118/udp.
This is almost never needed, only in very rare cases (mostly when using PIA).
Enable Unbound by setting to true when VPN is not active.
Possible values are 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

clicompose

docker run --rm \
    --hostname container-name.internal \ #(18)
    -e VPN_ENABLED="true" \ #(5)
    -e VPN_CONF="wg0" \ #(8)
    -e VPN_PROVIDER="proton" \ #(4)
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)
    -e VPN_AUTO_PORT_FORWARD="true" \ #(6)
    -e VPN_AUTO_PORT_FORWARD_TO_PORTS="" \ #(15)
    -e VPN_FIREWALL_TYPE="auto" \ #(17)
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)
    -e VPN_NAMESERVERS="" \ #(16)
    -e PRIVOXY_ENABLED="false" \ #(19)
    -e UNBOUND_ENABLED="false" \ #(21)
    -e UNBOUND_NAMESERVERS="" \ #(22)
    --cap-add=NET_ADMIN \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \ #(12)
    --sysctl="net.ipv6.conf.all.disable_ipv6=1" \ #(3)
    --device /dev/net/tun:/dev/net/tun \ # OPTIONAL(9)
    ...

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
With net.ipv6.conf.all.disable_ipv6=1 all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of ipv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard ipv6 endpoint is currently not supported.
Possible values are generic, proton and pia.
Affiliate links:
Proton VPN
Proton Mail
Proton Drive
Proton Pass
Private Internet Access
There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These will execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
Auto retrieve a forwarded port and configure the supported app if set to true or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.
With VPN_CONF you can set the name used for your WireGuard config. This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't wanna use this workaround.
```
[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32 # Yes, /32 in most cases
DNS = x.x.x.x

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820
```
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however, have a read here for instructions on checking and adding the device.
DANGEROUS! Don't enable unless you know what you are doing!
When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
Required in most cases, on some systems that don't have rp_filter set to strict, it's optional.
Fill in your DIP token here, if you've bought the dedicated ip option.
If you'd like to keep using the same forwarded port until it expires, set this to true.
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like 32400/tcp will use the port from VPN_AUTO_PORT_FORWARD to create the redirect or if set to true the forwarded port from pia/proton. Use 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
Possible values are wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
Possible values are auto, legacy or nftables. The default is auto, this will try to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.
This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp,8118/udp.
This is almost never needed, only in very rare cases (mostly when using PIA).
Enable Unbound by setting to true when VPN is not active.
Possible values are 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

services:
  app:
    hostname: container-name.internal #(18)
    environment:
      - VPN_ENABLED=true #(5)
      - VPN_CONF=wg0 #(8)
      - VPN_PROVIDER=proton #(4)
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)
      - VPN_LAN_LEAK_ENABLED=false #(10)
      - VPN_EXPOSE_PORTS_ON_LAN #(2)
      - VPN_AUTO_PORT_FORWARD=true #(6)
      - VPN_AUTO_PORT_FORWARD_TO_PORTS= #(15)
      - VPN_FIREWALL_TYPE=auto #(17)
      - VPN_HEALTHCHECK_ENABLED=false #(20)
      - VPN_NAMESERVERS= #(16)
      - PRIVOXY_ENABLED=false #(19)
      - UNBOUND_ENABLED=false #(21)
      - UNBOUND_NAMESERVERS #(22)
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1 #(12)
      - net.ipv6.conf.all.disable_ipv6=1 #(3)
    devices:
      - /dev/net/tun:/dev/net/tun # OPTIONAL(9)
    ...

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
With net.ipv6.conf.all.disable_ipv6=1 all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of ipv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard ipv6 endpoint is currently not supported.
Possible values are generic, proton and pia.
Affiliate links:
Proton VPN
Proton Mail
Proton Drive
Proton Pass
Private Internet Access
There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These will execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
Auto retrieve a forwarded port and configure the supported app if set to true or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.
With VPN_CONF you can set the name used for your WireGuard config. This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't wanna use this workaround.
```
[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32 # Yes, /32 in most cases
DNS = x.x.x.x

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820
```
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however, have a read here for instructions on checking and adding the device.
DANGEROUS! Don't enable unless you know what you are doing!
When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
Required in most cases, on some systems that don't have rp_filter set to strict, it's optional.
Fill in your DIP token here, if you've bought the dedicated ip option.
If you'd like to keep using the same forwarded port until it expires, set this to true.
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like 32400/tcp will use the port from VPN_AUTO_PORT_FORWARD to create the redirect or if set to true the forwarded port from pia/proton. Use 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
Possible values are wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
Possible values are auto, legacy or nftables. The default is auto, this will try to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.
This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp,8118/udp.
This is almost never needed, only in very rare cases (mostly when using PIA).
Enable Unbound by setting to true when VPN is not active.
Possible values are 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

clicompose

docker run --rm \
    --hostname container-name.internal \ #(18)
    -e VPN_ENABLED="true" \ #(5)
    -e VPN_CONF="wg0" \ #(8)
    -e VPN_PROVIDER="pia" \ #(4)
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)
    -e VPN_AUTO_PORT_FORWARD="true" \ #(6)
    -e VPN_AUTO_PORT_FORWARD_TO_PORTS="" \ #(15)
    -e VPN_FIREWALL_TYPE="auto" \ #(17)
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)
    -e VPN_NAMESERVERS="" \ #(16)
    -e VPN_PIA_USER="" \ #(11)
    -e VPN_PIA_PASS="" \ #(11)
    -e VPN_PIA_PREFERRED_REGION="" \ #(7)
    -e VPN_PIA_DIP_TOKEN="no" \ #(13)
    -e VPN_PIA_PORT_FORWARD_PERSIST="false" \ #(14)
    -e PRIVOXY_ENABLED="false" \ #(19)
    -e UNBOUND_ENABLED="false" \ #(21)
    -e UNBOUND_NAMESERVERS="" \ #(22)
    --cap-add=NET_ADMIN \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \ #(12)
    --sysctl="net.ipv6.conf.all.disable_ipv6=1" \ #(3)
    --device /dev/net/tun:/dev/net/tun \ # OPTIONAL(9)
    ...

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
With net.ipv6.conf.all.disable_ipv6=1 all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of ipv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard ipv6 endpoint is currently not supported.
Possible values are generic, proton and pia.
Affiliate links:
Proton VPN
Proton Mail
Proton Drive
Proton Pass
Private Internet Access
There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These will execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
Auto retrieve a forwarded port and configure the supported app if set to true or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.
With VPN_CONF you can set the name used for your WireGuard config. This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't wanna use this workaround.
```
[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32 # Yes, /32 in most cases
DNS = x.x.x.x

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820
```
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however, have a read here for instructions on checking and adding the device.
DANGEROUS! Don't enable unless you know what you are doing!
When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
Required in most cases, on some systems that don't have rp_filter set to strict, it's optional.
Fill in your DIP token here, if you've bought the dedicated ip option.
If you'd like to keep using the same forwarded port until it expires, set this to true.
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like 32400/tcp will use the port from VPN_AUTO_PORT_FORWARD to create the redirect or if set to true the forwarded port from pia/proton. Use 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
Possible values are wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
Possible values are auto, legacy or nftables. The default is auto, this will try to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.
This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp,8118/udp.
This is almost never needed, only in very rare cases (mostly when using PIA).
Enable Unbound by setting to true when VPN is not active.
Possible values are 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

services:
  app:
    hostname: container-name.internal #(18)
    environment:
      - VPN_ENABLED=true #(5)
      - VPN_CONF=wg0 #(8)
      - VPN_PROVIDER=pia #(4)
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)
      - VPN_LAN_LEAK_ENABLED=false #(10)
      - VPN_EXPOSE_PORTS_ON_LAN #(2)
      - VPN_AUTO_PORT_FORWARD=true #(6)
      - VPN_AUTO_PORT_FORWARD_TO_PORTS= #(15)
      - VPN_FIREWALL_TYPE=auto #(17)
      - VPN_HEALTHCHECK_ENABLED=false #(20)
      - VPN_NAMESERVERS= #(16)
      - VPN_PIA_USER #(11)
      - VPN_PIA_PASS #(11)
      - VPN_PIA_PREFERRED_REGION #(7)
      - VPN_PIA_DIP_TOKEN=no #(13)
      - VPN_PIA_PORT_FORWARD_PERSIST=false #(14)
      - PRIVOXY_ENABLED=false #(19)
      - UNBOUND_ENABLED=false #(21)
      - UNBOUND_NAMESERVERS #(22)
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1 #(12)
      - net.ipv6.conf.all.disable_ipv6=1 #(3)
    devices:
      - /dev/net/tun:/dev/net/tun # OPTIONAL(9)
    ...

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
With net.ipv6.conf.all.disable_ipv6=1 all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of ipv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard ipv6 endpoint is currently not supported.
Possible values are generic, proton and pia.
Affiliate links:
Proton VPN
Proton Mail
Proton Drive
Proton Pass
Private Internet Access
There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These will execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
Auto retrieve a forwarded port and configure the supported app if set to true or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.
With VPN_CONF you can set the name used for your WireGuard config. This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't wanna use this workaround.
```
[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32 # Yes, /32 in most cases
DNS = x.x.x.x

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820
```
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however, have a read here for instructions on checking and adding the device.
DANGEROUS! Don't enable unless you know what you are doing!
When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
Required in most cases, on some systems that don't have rp_filter set to strict, it's optional.
Fill in your DIP token here, if you've bought the dedicated ip option.
If you'd like to keep using the same forwarded port until it expires, set this to true.
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like 32400/tcp will use the port from VPN_AUTO_PORT_FORWARD to create the redirect or if set to true the forwarded port from pia/proton. Use 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with .torrent file.
Possible values are wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
Possible values are auto, legacy or nftables. The default is auto, this will try to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.
This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp,8118/udp.
This is almost never needed, only in very rare cases (mostly when using PIA).
Enable Unbound by setting to true when VPN is not active.
Possible values are 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value 8.8.8.8 is to use a plain old nameserver. The value 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.