WireGuard on OpenMediaVault 5 inside Docker with Portainer using RPi 4

In this segment, we are going to show you “How to Install WireGuard on OpenMediaVault 5 inside Docker with Portainer using RPi 4

 

What is WireGuard?

wireguard

WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. It was written by Jason A. Donenfeld and is published under the GNU General Public License (GPL) version 2. The Linux version of the software has reached a stable production release and was incorporated into the Linux 5.6 release in late March 2020.

Source /> Wikipedia

Looking for Best VPN – Grab the Deal

NordVPN

OpenMediaVault Versions :

OpenMediaVault 5 Installation Guide : 

https://pcmac.biz/openmediavault-5-on-raspberry-pi/
Equipment Required Optional
Raspberry Pi Raspberry Pi 4 Case
SD_Card SD Card Raspberry Pi Keyboard
Ethernet Ethernet Cable Mouse
Charger Power Adapter
HDD External HDD
Shop now

WireGuard for Server Mode

Docker

docker create \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -e SERVERURL=wireguard.domain.com `#optional` \
  -e SERVERPORT=51820 `#optional` \
  -e PEERS=1 `#optional` \
  -e PEERDNS=auto `#optional` \
  -e INTERNAL_SUBNET=10.13.13.0 `#optional` \
  -p 51820:51820/udp \
  -v /path/to/appdata/config:/config \
  -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard
  • -e INTERNAL_SUBNET=10.13.13.0 Internal subnet for the WireGuard and server and peers (only change if it clashes). Used in server mode.

WireGuard for Client Mode

Docker

docker create \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -p 51820:51820/udp \
  -v /path/to/appdata/config:/config \
  -v /lib/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard
  • –sysctl= Required for client mode.

How to find PUID & PGID

  • However, to find PUID and PGID we can use the below-given command.
id name of the user
UID : "PUID"
GID : "PGID"

Plex

How to add Server URL

  • To generate the Server URL for WireGuard Server we need to create a Dynamic DNS address.

Setting up Dynamic DNS

Here, we need to visit the DUCKDNS website to create a Free Dynamic DNS for our Public IP. duckdns

  • You can use any of the above methods to login into the DUCKDNS website and create a subdomain for your website. Once you logged in and create a subdomain that can be used as Server URL for WireGuard.
  • In my case, I have created omvpcmac as my subdomain, You can create 5 subdomains account on Duck DNS for free.

duckdns After the Dynamic DNS successfully created we can replace the wireguard.domain.com  with our DUCKDNS address and run the container from the above command.

Setting up Port Forwarding on Router

To forward the port, we need to know the IP Address of our router for that we can use Wireless Network Watcher and it will display the router IP Address as shown below. Nextcloud Now, use this IP Address in your browser and it will open the login page for your router. After that, you need to enter the username & password to login to your router.

  • If you don’t know the username & password of your router you can always ask your ISP.
  • For personal routers, you can always check online for default username & password for the router.
  • In my case, I need to navigate to services and then move to Port Forwarding, your’s might be different.
  • Then you need to forward port 51820, to the Raspberry Pi IP Address.

Wireguard

 

Add Peers/Client to Wireguard Server

  • To add more peers/clients, later on, you can run the below-given command while the container is running mode.
docker exec -it wireguard /app/add-peer
  • Once the command successfully executed you will see a QR Code. That you need to scan from your device to download the peers/clients file.

Result

wireguard

  • To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments:
docker exec -it wireguard /app/show-peer 1 4 5
  • (Keep in mind that the QR codes are also stored as PNGs in the config folder).

The templates used for server and peer confs are saved under /config/templates.

WireGuard Setup on Android

  • To install WireGuard you need to download it from PlayStore and open it once installation finish.

wireguard

  • Now you will see a + sign on the bottom right corner, You need to click on that and you will be able to see these options.

wireguard

  • After that, you can use any of these options to import your file on your phone. But we recommend using a scan from QR code.

In conclusion, you are all set to use Raspberry Pi 4 as WireGuard Server on OpenMediaVault 5 with the help of Docker. If you face any issue regarding this article please share your thoughts. Enjoy using WireGuard on Docker with Openmediavault. Smile (.”_”.)

Please check out my other articles:

Did you find us helpful?

Subscribe our YouTube Channel YouTube
Support us on Patreon Patreon
Like us on Facebook facebook
Share This Article with others

Harish Kumar

As a founder of the PcMac YouTube channel and website, Our goal is to provide Free Technical help to people and spread knowledge to everyone.
0 0 vote
Article Rating
Subscribe
Notify of
guest
21 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Riobob
Riobob
28 days ago

Thanks for a great guide!

Don’t you need to open the firewall on the OMV?

Alio.Canter
Alio.Canter
25 days ago

Hello,
I used the path to the shared folder Docker : “/srv/dev-disk-by-label-PiDisk/Docker” and used it for command line
-v /srv/dev-disk-by-label-PiDisk/Docker/Containers/wireguard/config:/config \

  1. Do I need to create the new folder with the name Containers in the the shared folder Docker?
  2. How the root@raspberrypi can be accessed? Using SSH I can get to pi@raspberrypi:~ $.

Thank you

Alio.canter
Alio.canter
Reply to  Harish Kumar
25 days ago

Thank you very much!

Alio.Canter
Alio.Canter
Reply to  Harish Kumar
24 days ago

Unable to find image ‘linuxserver/wireguard:latest’ locally
latest: Pulling from linuxserver/wireguard
254465ad443f: Pulling fs layer
9a290c8d6c10: Pulling fs layer
ac78affa1f14: Pulling fs layer
dbb2875764e4: Waiting
9c1608458cff: Waiting
f6e510f56558: Waiting
open /srv/dev-disk-by-label-PiDisk/Docker/tmp/GetImageBlob068670249: no such file or directory
root@raspberrypi:~#

Above the message I get from Terminal. I create shared folder Data and inside it “wireguard” with config and lib folders. Data folder has permission that mentioned in your tutorial.

Alio.canter
Alio.canter
Reply to  Harish Kumar
24 days ago

What do you mean? To use it instead of first line instead of
-v /srv/dev-disk-by-label-PiDisk/Data/wireguard/config:/config \ ?

Alio.canter
Alio.canter
Reply to  Harish Kumar
23 days ago

What is your Telegram address?

Alio.canter
Alio.canter
Reply to  Harish Kumar
23 days ago

Please send your Telegram address.

Alio.canter
Alio.canter
Reply to  Harish Kumar
24 days ago

Thank you! I have managed to set up docker with the name wireguard. Then I used the command docker exec -it wireguard /app/show-peer several times. Below the results
root@raspberrypi:~# docker exec -it wireguard /app/show-peer
You need to specify which peers to show
root@raspberrypi:~# docker exec -it wireguard /app/show-peer 1
grep: /config/wg0.conf: No such file or directory
PEER 1 is not active
root@raspberrypi:~# docker exec -it wireguard /app/show-peer
You need to specify which peers to show
root@raspberrypi:~# docker exec -it wireguard /app/show-peer 1
grep: /config/wg0.conf: No such file or directory
PEER 1 is not active

Please advise what I have to try.

John
John
18 days ago

I really like your videos/guides, but I’m having an issue with this one. When I try to add a peer, I get “Wireguard is not set up in server mode” just like you did, but restarting the container doesn’t resolve the issue like it did for you. I have PEERS=3 because I wanted to add 3 clients. I’ve changed PEERS back to 1 but get the same results. Any idea what I’m messing up?
Thanks!

John
John
Reply to  Harish Kumar
16 days ago

Unfortunately, waiting did not resolve the issue. It might be the kernel I’m on? (5.4.51-7I+) Below is the log I get in Portainer. Any advice is appreciated. If I can’t get this going, I’ll probably go with your OpenVPN setup, but I really wanted to get Wireguard working. Thank you!

**** The wireguard module is not active, will attempt kernel header install and module compilation. ****

Error: Unknown device type.

**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****

**** Building the module ****

make: Entering directory '/app/wireguard-linux-compat/src'

  Building modules, stage 2.

  MODPOST 1 modules

make: Leaving directory '/app/wireguard-linux-compat/src'

make: Entering directory '/app/wireguard-linux-compat/src'

  INSTALL /app/wireguard-linux-compat/src/wireguard.ko

  DEPMOD  5.4.51-v7l+

Warning: modules_install: missing 'System.map' file. Skipping depmod.

depmod -b "/" -a 5.4.51-v7l+

depmod: WARNING: could not open //lib/modules/5.4.51-v7l+/modules.order: No such file or directory

depmod: WARNING: could not open //lib/modules/5.4.51-v7l+/modules.builtin: No such file or directory

make: Leaving directory '/app/wireguard-linux-compat/src'

**** Let's test our new module. ****

**** The module is not active, review the logs. Sleeping now. . . ****

Error: Unknown device type.
John
John
Reply to  Harish Kumar
15 days ago

I’ve set the appdata folder to everyone read/write and I’ve tried different user PUID/PGID. All get the same result. Also, it creates other files/directories in the specified path, just not the ones it can’t find.

Joseph
Joseph
5 days ago

There appears to be a bug in your script. The listening port listed in wg0.conf doesn’t match if someone enters in a different port when configuring the docker. The peer.conf files change, but wg0.conf does not. This is a simple fix by installing nano ( apt update then apt install nano) and changing the listening port to the desired port. Don’t forget to reboot the docker once you’ve changed the port.