diff --git a/.templates/adguardhome/service.yml b/.templates/adguardhome/service.yml index 7f6f151a..e619db8e 100644 --- a/.templates/adguardhome/service.yml +++ b/.templates/adguardhome/service.yml @@ -30,6 +30,4 @@ adguardhome: volumes: - ./volumes/adguardhome/workdir:/opt/adguardhome/work - ./volumes/adguardhome/confdir:/opt/adguardhome/conf - networks: - - iotstack_nw - - vpn_nw + diff --git a/.templates/adminer/service.yml b/.templates/adminer/service.yml index 8c4188c6..95721843 100644 --- a/.templates/adminer/service.yml +++ b/.templates/adminer/service.yml @@ -4,5 +4,4 @@ adminer: restart: unless-stopped ports: - "9080:8080" - networks: - - iotstack_nw + diff --git a/.templates/blynk_server/service.yml b/.templates/blynk_server/service.yml index 2e04f439..28c3e01b 100644 --- a/.templates/blynk_server/service.yml +++ b/.templates/blynk_server/service.yml @@ -16,5 +16,4 @@ blynk_server: volumes: - ./volumes/blynk_server/data:/data - ./volumes/blynk_server/config:/config - networks: - - iotstack_nw + diff --git a/.templates/chronograf/service.yml b/.templates/chronograf/service.yml index 9b4539e6..21527da3 100644 --- a/.templates/chronograf/service.yml +++ b/.templates/chronograf/service.yml @@ -17,5 +17,4 @@ chronograf: depends_on: - influxdb # - kapacitor - networks: - - iotstack_nw + diff --git a/.templates/dashmachine/service.yml b/.templates/dashmachine/service.yml index 61df2ac2..6ae12ee6 100644 --- a/.templates/dashmachine/service.yml +++ b/.templates/dashmachine/service.yml @@ -6,3 +6,4 @@ dashmachine: ports: - 5000:5000 restart: unless-stopped + diff --git a/.templates/deconz/service.yml b/.templates/deconz/service.yml index 5f9d240e..d03d3151 100644 --- a/.templates/deconz/service.yml +++ b/.templates/deconz/service.yml @@ -18,6 +18,5 @@ deconz: - DEBUG_ZCL=0 - DEBUG_ZDP=0 - DEBUG_OTAU=0 - networks: - - iotstack_nw + diff --git a/.templates/diyhue/service.yml b/.templates/diyhue/service.yml index f9c1c8b1..3038ae84 100644 
--- a/.templates/diyhue/service.yml +++ b/.templates/diyhue/service.yml @@ -12,5 +12,4 @@ diyhue: volumes: - ./volumes/diyhue:/opt/hue-emulator/export restart: unless-stopped - networks: - - iotstack_nw + diff --git a/.templates/domoticz/service.yml b/.templates/domoticz/service.yml index ceefd776..0d1db21d 100644 --- a/.templates/domoticz/service.yml +++ b/.templates/domoticz/service.yml @@ -14,3 +14,4 @@ domoticz: - PGID=1000 # - TZ= # - WEBROOT=domoticz + diff --git a/.templates/dozzle/service.yml b/.templates/dozzle/service.yml index 35209827..4ce335e0 100644 --- a/.templates/dozzle/service.yml +++ b/.templates/dozzle/service.yml @@ -7,3 +7,4 @@ dozzle: # - "8888:8080" volumes: - /var/run/docker.sock:/var/run/docker.sock + diff --git a/.templates/env.yml b/.templates/env.yml index b34de3f7..944f4cb7 100755 --- a/.templates/env.yml +++ b/.templates/env.yml @@ -1,42 +1,13 @@ networks: - iotstack_nw: # Exposed by your host. - # external: true - name: IOTstack_Net + + default: driver: bridge ipam: driver: default - config: - - subnet: 10.77.60.0/24 - # - gateway: 10.77.60.1 - iotstack_nw_internal: # For interservice communication. No access to outside - name: IOTstack_Net_Internal + nextcloud: driver: bridge internal: true ipam: driver: default - config: - - subnet: 10.77.76.0/24 - # - gateway: 10.77.76.1 - - vpn_nw: # Network specifically for VPN - name: IOTstack_VPN - driver: bridge - ipam: - driver: default - config: - - subnet: 10.77.88.0/24 - # - gateway: 192.18.200.1 - - nextcloud_internal: # Network for NextCloud service - name: IOTstack_NextCloud - driver: bridge - internal: true - - # default: - # external: true - # name: iotstack_nw - # hosts_nw: - # driver: hosts - \ No newline at end of file diff --git a/.templates/espruinohub/service.yml b/.templates/espruinohub/service.yml index 21a5a138..eb71c601 100644 --- a/.templates/espruinohub/service.yml +++ b/.templates/espruinohub/service.yml 
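Review bot: The rewritten `default:` and `nextcloud:` networks drop the fixed `config: - subnet:` blocks, so addresses are now drawn from Docker's default address pools and can differ between hosts and between stack recreations; anyone with host firewall rules or a `PEERDNS=«ip address»` value keyed to the old 10.77.x.x ranges loses them silently. A comment on the `default:` entry would save a support round-trip, e.g. `# No subnet is pinned: Docker allocates one. Use 'docker network inspect iotstack_default' to see the gateway.` The old file ended without a trailing newline (the `\ No newline at end of file` marker is visible), and the README in this same commit tells users to `cat` this file onto their docker-compose.yml; it is worth confirming the new version ends with a newline so anything appended later is not joined to the final `driver: default` line. I cannot tell from the hunk alone whether the new side still lacks it.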
@@ -4,3 +4,4 @@ espruinohub: network_mode: host privileged: true restart: unless-stopped + diff --git a/.templates/example_template/example_service.yml b/.templates/example_template/example_service.yml index b7b54c1c..209b9e4a 100755 --- a/.templates/example_template/example_service.yml +++ b/.templates/example_template/example_service.yml @@ -9,3 +9,4 @@ containerNameGoesHere: - ./services/example_template.env volumes: - ./volumes/example_template/:/opt/example_template/ + diff --git a/.templates/gitea/service.yml b/.templates/gitea/service.yml index b9c720eb..6bb8525d 100644 --- a/.templates/gitea/service.yml +++ b/.templates/gitea/service.yml @@ -11,5 +11,4 @@ gitea: volumes: - ./volumes/gitea/data:/data - /etc/timezone:/etc/timezone:ro - networks: - - iotstack_nw + diff --git a/.templates/grafana/service.yml b/.templates/grafana/service.yml index da5caebc..ecc09b22 100644 --- a/.templates/grafana/service.yml +++ b/.templates/grafana/service.yml @@ -6,11 +6,10 @@ grafana: ports: - "3000:3000" environment: + - TZ=Etc/UTC - GF_PATHS_DATA=/var/lib/grafana - GF_PATHS_LOGS=/var/log/grafana volumes: - ./volumes/grafana/data:/var/lib/grafana - ./volumes/grafana/log:/var/log/grafana - networks: - - iotstack_nw diff --git a/.templates/heimdall/service.yml b/.templates/heimdall/service.yml index 17cc7972..9d785575 100644 --- a/.templates/heimdall/service.yml +++ b/.templates/heimdall/service.yml @@ -11,3 +11,4 @@ heimdall: - 8880:80 - 8883:443 restart: unless-stopped + diff --git a/.templates/home_assistant/service.yml b/.templates/home_assistant/service.yml index cafb94cc..54692d8b 100644 --- a/.templates/home_assistant/service.yml +++ b/.templates/home_assistant/service.yml @@ -8,3 +8,4 @@ home_assistant: volumes: - /etc/localtime:/etc/localtime:ro - ./volumes/home_assistant:/config + diff --git a/.templates/homebridge/service.yml b/.templates/homebridge/service.yml index 89bb23d4..de1c981d 100644 --- a/.templates/homebridge/service.yml 
+++ b/.templates/homebridge/service.yml @@ -13,3 +13,4 @@ homebridge: #ports: # - "4040:4040" network_mode: host + diff --git a/.templates/homer/service.yml b/.templates/homer/service.yml index 20dad142..1e72fb3d 100644 --- a/.templates/homer/service.yml +++ b/.templates/homer/service.yml @@ -9,3 +9,4 @@ homer: ports: - "8881:8080" restart: unless-stopped + diff --git a/.templates/influxdb/service.yml b/.templates/influxdb/service.yml index 80142643..a5096bba 100644 --- a/.templates/influxdb/service.yml +++ b/.templates/influxdb/service.yml @@ -5,17 +5,17 @@ influxdb: ports: - "8086:8086" environment: + - TZ=Etc/UTC - INFLUXDB_HTTP_FLUX_ENABLED=false - INFLUXDB_REPORTING_DISABLED=false - INFLUXDB_HTTP_AUTH_ENABLED=false - - INFLUX_USERNAME=dba - - INFLUX_PASSWORD=supremo - - INFLUXDB_UDP_ENABLED=false - - INFLUXDB_UDP_BIND_ADDRESS=0.0.0.0:8086 - - INFLUXDB_UDP_DATABASE=udp + - INFLUXDB_MONITOR_STORE_ENABLED=FALSE + # - INFLUX_USERNAME=dba + # - INFLUX_PASSWORD=supremo + # - INFLUXDB_UDP_ENABLED=false + # - INFLUXDB_UDP_BIND_ADDRESS=0.0.0.0:8086 + # - INFLUXDB_UDP_DATABASE=udp volumes: - ./volumes/influxdb/data:/var/lib/influxdb - ./backups/influxdb/db:/var/lib/influxdb/backup - networks: - - iotstack_nw diff --git a/.templates/kapacitor/service.yml b/.templates/kapacitor/service.yml index 59635103..a09013f7 100644 --- a/.templates/kapacitor/service.yml +++ b/.templates/kapacitor/service.yml @@ -17,5 +17,4 @@ kapacitor: - ./volumes/kapacitor:/var/lib/kapacitor depends_on: - influxdb - networks: - - iotstack_nw + diff --git a/.templates/mariadb/service.yml b/.templates/mariadb/service.yml index ca2cc83c..37b4d95f 100644 --- a/.templates/mariadb/service.yml +++ b/.templates/mariadb/service.yml @@ -15,5 +15,4 @@ mariadb: ports: - "3306:3306" restart: unless-stopped - networks: - - iotstack_nw + diff --git a/.templates/mosquitto/service.yml b/.templates/mosquitto/service.yml index 1def8740..a09e7278 100644 --- a/.templates/mosquitto/service.yml 
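Review bot: `INFLUXDB_HTTP_AUTH_ENABLED=false` stays in the environment while the sample `INFLUX_USERNAME`/`INFLUX_PASSWORD` lines are commented out, so the service published on `"8086:8086"` (all host interfaces) now runs with neither authentication nor a pre-created admin user; that may be deliberate for a template, but it deserves a comment next to the auth line, e.g. `# Auth is off: anyone who can reach port 8086 has full read/write access. Set to true and create an admin user before exposing this host.` The new `INFLUXDB_MONITOR_STORE_ENABLED=FALSE` uses upper-case `FALSE` where every neighbouring value is lower-case `false`; it probably parses either way, but `false` keeps the file consistent. The commented-out `supremo` credential is still a guessable default for anyone who uncomments it — if the menu's placeholder substitution applies to this template as it does for pihole, `%randomAdminPassword%` would be a safer value to leave in the comment.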
+++ b/.templates/mosquitto/service.yml @@ -11,5 +11,4 @@ mosquitto: - ./volumes/mosquitto/data:/mosquitto/data - ./volumes/mosquitto/log:/mosquitto/log - ./volumes/mosquitto/pwfile:/mosquitto/pwfile - networks: - - iotstack_nw + diff --git a/.templates/motioneye/service.yml b/.templates/motioneye/service.yml index 9c80dad7..3291e60c 100644 --- a/.templates/motioneye/service.yml +++ b/.templates/motioneye/service.yml @@ -9,6 +9,4 @@ motioneye: - /etc/localtime:/etc/localtime:ro - ./volumes/motioneye/etc_motioneye:/etc/motioneye - ./volumes/motioneye/var_lib_motioneye:/var/lib/motioneye - networks: - - iotstack_nw diff --git a/.templates/n8n/service.yml b/.templates/n8n/service.yml index f4d6f058..c547a028 100644 --- a/.templates/n8n/service.yml +++ b/.templates/n8n/service.yml @@ -7,8 +7,6 @@ n8n: stdin_open: true volumes: - ./volumes/n8n:/home/node/.n8n - networks: - - iotstack_nw # Optional DB and Timezone configs. # environment: # - DB_TYPE=mysqldb @@ -28,3 +26,4 @@ n8n: # - PUID=1000 # - USBDEVICES=/dev/ttyAMA0 # - PACKAGES=mc + diff --git a/.templates/nextcloud/service.yml b/.templates/nextcloud/service.yml index a99d76cc..73221fa9 100644 --- a/.templates/nextcloud/service.yml +++ b/.templates/nextcloud/service.yml @@ -14,8 +14,8 @@ nextcloud: depends_on: - nextcloud_db networks: - - iotstack_nw - - nextcloud_internal + - default + - nextcloud nextcloud_db: container_name: nextcloud_db @@ -35,4 +35,5 @@ nextcloud_db: - ./volumes/nextcloud/db:/config - ./volumes/nextcloud/db_backup:/backup networks: - - nextcloud_internal + - nextcloud + diff --git a/.templates/nodered/service.yml b/.templates/nodered/service.yml index bf0e5213..545aa68e 100644 --- a/.templates/nodered/service.yml +++ b/.templates/nodered/service.yml @@ -16,5 +16,4 @@ nodered: - "/dev/ttyAMA0:/dev/ttyAMA0" - "/dev/vcio:/dev/vcio" - "/dev/gpiomem:/dev/gpiomem" - networks: - - iotstack_nw + 
diff --git a/.templates/octoprint/service.yml b/.templates/octoprint/service.yml index 18fd2444..97187408 100644 --- a/.templates/octoprint/service.yml +++ b/.templates/octoprint/service.yml @@ -14,6 +14,4 @@ octoprint: # - /dev/video0:/dev/video0 volumes: - ./volumes/octoprint:/octoprint - networks: - - iotstack_nw diff --git a/.templates/openhab/service.yml b/.templates/openhab/service.yml index 8fd2b59f..45d5f3f6 100644 --- a/.templates/openhab/service.yml +++ b/.templates/openhab/service.yml @@ -17,3 +17,4 @@ openhab: # options: # max-size: "5m" # max-file: "3" + diff --git a/.templates/pihole/service.yml b/.templates/pihole/service.yml index e8f9cc64..341f3408 100644 --- a/.templates/pihole/service.yml +++ b/.templates/pihole/service.yml @@ -7,20 +7,16 @@ pihole: - "53:53/udp" - "67:67/udp" environment: + - TZ=Etc/UTC - WEBPASSWORD=%randomAdminPassword% - INTERFACE=eth0 volumes: - - ./volumes/pihole/etc-pihole:/etc/pihole - - ./volumes/pihole/etc-dnsmasq.d:/etc/dnsmasq.d + - ./volumes/pihole/etc-pihole:/etc/pihole + - ./volumes/pihole/etc-dnsmasq.d:/etc/dnsmasq.d dns: - 127.0.0.1 - 1.1.1.1 cap_add: - NET_ADMIN restart: unless-stopped - networks: - - iotstack_nw - - vpn_nw -# Recommended but not required (DHCP needs NET_ADMIN) -# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities \ No newline at end of file diff --git a/.templates/plex/service.yml b/.templates/plex/service.yml index cc171647..2e642dc6 100644 --- a/.templates/plex/service.yml +++ b/.templates/plex/service.yml @@ -10,3 +10,4 @@ plex: - ./volumes/plex/config:/config - ./volumes/plex/transcode:/transcode restart: unless-stopped + diff --git a/.templates/portainer-ce/service.yml b/.templates/portainer-ce/service.yml index f680bacb..6d5e0914 100644 --- a/.templates/portainer-ce/service.yml +++ b/.templates/portainer-ce/service.yml @@ -8,3 +8,4 @@ portainer-ce: volumes: - /var/run/docker.sock:/var/run/docker.sock - ./volumes/portainer-ce/data:/data + 
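Review bot: Removing the trailing `# Recommended but not required (DHCP needs NET_ADMIN)` comment and its reference link leaves `cap_add: - NET_ADMIN` unexplained, so a reader auditing container capabilities no longer sees that it is only needed when Pi-hole serves DHCP and can be dropped otherwise. Keep that rationale on the `cap_add:` line, e.g. `cap_add:  # NET_ADMIN is only required if Pi-hole acts as the DHCP server; remove it otherwise`, and restore the URL. The volume re-indentation and the `TZ=Etc/UTC` addition are fine. `WEBPASSWORD=%randomAdminPassword%` still relies on the menu substituting the placeholder; a short comment noting that the literal string becomes the admin password if this template is copied by hand would help users who skip the menu.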
diff --git a/.templates/portainer_agent/service.yml b/.templates/portainer_agent/service.yml index d0315469..0f069ee4 100644 --- a/.templates/portainer_agent/service.yml +++ b/.templates/portainer_agent/service.yml @@ -7,3 +7,4 @@ - /var/run/docker.sock:/var/run/docker.sock - /var/lib/docker/volumes:/var/lib/docker/volumes restart: unless-stopped + diff --git a/.templates/postgres/service.yml b/.templates/postgres/service.yml index 76bbe717..283e2115 100644 --- a/.templates/postgres/service.yml +++ b/.templates/postgres/service.yml @@ -10,5 +10,4 @@ postgres: - "5432:5432" volumes: - ./volumes/postgres/data:/var/lib/postgresql/data - networks: - - iotstack_nw + diff --git a/.templates/python/service.yml b/.templates/python/service.yml index 298c5613..5d4851b4 100644 --- a/.templates/python/service.yml +++ b/.templates/python/service.yml @@ -10,5 +10,4 @@ python: # - "external:internal" volumes: - ./volumes/python/app:/usr/src/app - networks: - - iotstack_nw + diff --git a/.templates/qbittorrent/service.yml b/.templates/qbittorrent/service.yml index 4fd4cbed..504d29de 100644 --- a/.templates/qbittorrent/service.yml +++ b/.templates/qbittorrent/service.yml @@ -14,3 +14,4 @@ - "6881:6881/udp" - "15080:15080" - "1080:1080" + diff --git a/.templates/rtl_433/service.yml b/.templates/rtl_433/service.yml index 53653c58..2d191222 100644 --- a/.templates/rtl_433/service.yml +++ b/.templates/rtl_433/service.yml @@ -10,6 +10,5 @@ rtl_433: - MQTT_TOPIC=RTL_433 devices: - /dev/bus/usb - networks: - - iotstack_nw restart: unless-stopped + diff --git a/.templates/tasmoadmin/service.yml b/.templates/tasmoadmin/service.yml index 4c95564c..b67f29a4 100644 --- a/.templates/tasmoadmin/service.yml +++ b/.templates/tasmoadmin/service.yml @@ -6,6 +6,4 @@ tasmoadmin: - "8088:80" volumes: - ./volumes/tasmoadmin/data:/data - networks: - - iotstack_nw diff --git a/.templates/telegraf/service.yml b/.templates/telegraf/service.yml index 83d90a4b..1b5b97e9 100644 
--- a/.templates/telegraf/service.yml +++ b/.templates/telegraf/service.yml @@ -14,6 +14,4 @@ telegraf: depends_on: - influxdb - mosquitto - networks: - - iotstack_nw diff --git a/.templates/timescaledb/service.yml b/.templates/timescaledb/service.yml index ad7f5c3f..23293646 100644 --- a/.templates/timescaledb/service.yml +++ b/.templates/timescaledb/service.yml @@ -10,5 +10,4 @@ timescaledb: - "5432:5432" volumes: - ./volumes/timescaledb/data:/var/lib/postgresql/data - networks: - - iotstack_nw + diff --git a/.templates/transmission/service.yml b/.templates/transmission/service.yml index be523046..d179123d 100644 --- a/.templates/transmission/service.yml +++ b/.templates/transmission/service.yml @@ -14,5 +14,4 @@ transmission: - "51413:51413" - "51413:51413/udp" restart: unless-stopped - networks: - - iotstack_nw + diff --git a/.templates/wireguard/service.yml b/.templates/wireguard/service.yml index 159b6f6b..757f4967 100644 --- a/.templates/wireguard/service.yml +++ b/.templates/wireguard/service.yml @@ -10,6 +10,7 @@ wireguard: - SERVERPORT=51820 - PEERS=laptop,phone,tablet - PEERDNS=auto + # - PEERDNS=172.30.0.1 - ALLOWEDIPS=0.0.0.0/0 ports: - "51820:51820/udp" @@ -21,3 +22,4 @@ wireguard: - SYS_MODULE sysctls: - net.ipv4.conf.all.src_valid_mark=1 + diff --git a/.templates/wireguard/use-container-dns.sh b/.templates/wireguard/use-container-dns.sh new file mode 100644 index 00000000..18737322 --- /dev/null +++ b/.templates/wireguard/use-container-dns.sh 
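Review bot: The new `# - PEERDNS=172.30.0.1` hint hard-codes a gateway address that this commit stops pinning — env.yml loses its `subnet:` config, so the `default` network's gateway is whatever Docker allocates and is not necessarily 172.30.0.1. Mark it as an example rather than a value to copy: `# - PEERDNS=172.30.0.1  # example only: use the gateway shown by 'docker network inspect iotstack_default', or use-container-dns.sh which discovers it at runtime`. Otherwise a user who uncomments it on a host with a different address pool sends peer DNS to an address nobody answers, and the tunnel comes up while names silently fail to resolve. The start of the wireguard service definition lies outside this hunk.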
@@ -0,0 +1,16 @@ +# Forward DNS requests from remote WireGuard clients to the default +# gateway on the internal bridged network that the WireGuard container +# is attached to. This results in queries being sent to any other +# container on the same internal bridged network that is listening +# on port 53 (eg PiHole, AdGuardHome or bind9). +# +# Acknowledgement: @ukkopahis + +GW=$(ip route list default | head -1 | cut -d " " -f 3) +echo Creating Corefile to use DNS at $GW +echo "# Generated by use-container-dns.sh +. { + loop + forward . dns://${GW} +}" > /config/coredns/Corefile + diff --git a/.templates/zigbee2mqtt/service.yml b/.templates/zigbee2mqtt/service.yml index 82931231..0eb848c7 100644 --- a/.templates/zigbee2mqtt/service.yml +++ b/.templates/zigbee2mqtt/service.yml @@ -12,5 +12,4 @@ zigbee2mqtt: #- /dev/ttyACM0:/dev/ttyACM0 # should work if CC2531 connected #- /dev/ttyUSB0:/dev/ttyACM0 # Electrolama zig-a-zig-ah! (zzh!) maybe other as well restart: unless-stopped - networks: - - iotstack_nw + diff --git a/.templates/zigbee2mqtt_assistant/service.yml b/.templates/zigbee2mqtt_assistant/service.yml index a2b00670..401c5df2 100755 --- a/.templates/zigbee2mqtt_assistant/service.yml +++ b/.templates/zigbee2mqtt_assistant/service.yml @@ -8,6 +8,4 @@ zigbee2mqtt_assistant: - VIRTUAL_HOST=~^zigbee2mqtt_assistant\..*\.xip\.io - Z2MA_SETTINGS__MQTTSERVER=mosquitto - VIRTUAL_PORT=8880 - networks: - - iotstack_nw diff --git a/README.md b/README.md index 059fc7c9..00550729 100644 --- a/README.md +++ b/README.md 
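Review bot: `GW=$(ip route list default | head -1 | cut -d " " -f 3)` is never checked, so if the container has no default route at the moment the script runs, `$GW` is empty and the script overwrites `/config/coredns/Corefile` with `forward . dns://`, breaking peer DNS resolution on every subsequent start until the file is removed by hand; guard the empty case, leave the existing Corefile alone, and quote `$GW` in the echo. There is no shebang or `set -e`; I assume linuxserver's custom-cont-init.d executes these files with a shell, but that is inferred rather than visible here — if they are sourced instead, use `return` rather than `exit`. The header comment says queries reach "any other container" listening on port 53, yet the forward target is the bridge gateway, i.e. the host's address on that bridge, so a host-level resolver bound to port 53 would receive them just as well — the comment could say "container or host service". A one-line note that the Corefile is regenerated on every container start (so manual edits to it do not survive a restart) would also help.
```shell
GW=$(ip route list default | head -1 | cut -d " " -f 3)
if [ -z "$GW" ]; then
    echo "use-container-dns.sh: no default route found; leaving Corefile unchanged"
    exit 1
fi
echo "Creating Corefile to use DNS at $GW"
# … unchanged: Corefile generation …
```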
@@ -13,6 +13,71 @@ See [Getting Started](https://sensorsiot.github.io/IOTstack/Getting-Started) in * Useful Docker commands (start \& stop the stack, manage containers). * Stack maintenance. +### significant change to networking + +Networking under both *new menu* (master branch) and *old menu* (old-menu branch) has undergone a significant change. This will not affect new users of IOTstack (who will adopt it automatically). Neither will it affect existing users who do not use the menu to maintain their stacks (see [adopting networking changes by hand](#networkHandEdit) below). + +Users who *do* use the menu to maintain their stacks will also be unaffected *until the next menu run*, at which point it will be prudent to down your stack entirely and re-select all your containers. Downing the stack causes Docker to remove all associated networks as well as the containers. + +These changes mean that networking is **identical** under both *old* and *new* menus. To summarise the changes: + +1. Only two internal networks are defined – as follows: + + * "default" which adopts the name `iotstack_default` at runtime. + * "nextcloud" which adopts the name `iotstack_nextcloud` at runtime. + + If you are using docker-compose v2.0.0 or later then the `iotstack_nextcloud` network will only be instantiated if you select NextCloud as one of your services. Earlier versions of docker-compose instantiate all networks even if no service uses them (which is why you get those warnings at "up" time). + +2. The only service definitions which now have `networks:` directives are: + + * NextCloud: joins the "default" and "nextcloud" networks; and + * NextCloud_DB: joins the "nextcloud" network. + + All other containers will join the "default" network, automatically, without needing any `networks:` directives. + +#### adopting networking changes by hand + +If you maintain your `docker-compose.yml` by hand, you can adopt the networking changes by doing the following: + +1. Take your stack down. 
This causes Docker to remove any existing networks. +2. Remove **all** `networks:` directives wherever they appear in your `docker-compose.yml`. That includes: + + * the `networks:` directives in all service definitions; and + * the `networks:` specifications at the end of the file. + +3. Append the contents of the following file to your `docker-compose.yml`: + + ``` + ~/IOTstack/.templates/env.yml + ``` + + For example: + + ``` + $ cat ~/IOTstack/.templates/env.yml >>~/IOTstack/docker-compose.yml + ``` + + The `env.yml` file is the same for both *old-menu* and *master* branches. + +4. If you run the NextCloud service then: + + * Add these lines to the NextCloud service definition: + + ``` + networks: + - default + - nextcloud + ``` + + * Add these lines to the NextCloud_DB service definition: + + ``` + networks: + - nextcloud + ``` + +5. Bring up your stack. + ### contributions Please use the [issues](https://github.com/SensorsIot/IOTstack/issues) tab to report issues. diff --git a/docs/Containers/WireGuard.md b/docs/Containers/WireGuard.md index 64b3bb64..53d0991a 100644 --- a/docs/Containers/WireGuard.md +++ b/docs/Containers/WireGuard.md @@ -11,7 +11,6 @@ Assumptions: * These instructions assume that you have privileges to configure your network's gateway (router). If you are not able to make changes to your network's firewall settings, then you will not be able to finish this setup. * In common with most VPN technologies, WireGuard assumes that the WAN side of your network's gateway has a public IP address which is reachable directly. WireGuard may not work if that assumption does not hold. If you strike this problem, you have to take it up with your ISP. - ## Installing WireGuard under IOTstack You increase your chances of a trouble-free installation by performing the installation steps in the following order. 
@@ -37,29 +36,30 @@ Before you can use WireGuard (or any VPN solution), you need a mechanism for you This is the service definition *template* that IOTstack uses for WireGuard: ```yml - wireguard: - container_name: wireguard - image: ghcr.io/linuxserver/wireguard - restart: unless-stopped - environment: - - PUID=1000 - - PGID=1000 - - TZ=Etc/UTC - - SERVERURL=your.dynamic.dns.name - - SERVERPORT=51820 - - PEERS=laptop,phone,tablet - - PEERDNS=auto - - ALLOWEDIPS=0.0.0.0/0 - ports: - - "51820:51820/udp" - volumes: - - ./volumes/wireguard:/config - - /lib/modules:/lib/modules:ro - cap_add: - - NET_ADMIN - - SYS_MODULE - sysctls: - - net.ipv4.conf.all.src_valid_mark=1 +wireguard: + container_name: wireguard + image: ghcr.io/linuxserver/wireguard + restart: unless-stopped + environment: + - PUID=1000 + - PGID=1000 + - TZ=Etc/UTC + - SERVERURL=your.dynamic.dns.name + - SERVERPORT=51820 + - PEERS=laptop,phone,tablet + - PEERDNS=auto + # - PEERDNS=172.30.0.1 + - ALLOWEDIPS=0.0.0.0/0 + ports: + - "51820:51820/udp" + volumes: + - ./volumes/wireguard:/config + - /lib/modules:/lib/modules:ro + cap_add: + - NET_ADMIN + - SYS_MODULE + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 ``` Unfortunately, that service definition will not work "as is". It needs to be configured. 
@@ -103,9 +103,60 @@ With most containers, you can continue to tweak environment variables and settin #### Optional configuration - DNS resolution for peers -* `PEERDNS=`. The default value of `auto` instructs the WireGuard container to use the same DNS as other containers when resolving requests from connected peers. In practice, that means the container directs queries to 127.0.0.11, which Docker intercepts and forwards to whichever resolvers are specified in the Raspberry Pi's `/etc/resolv.conf`. +You have several options for how your remote peers resolve DNS requests: + +* `PEERDNS=auto` + + The default value of `auto` instructs the WireGuard *service* running within the WireGuard *container* to use the same DNS as the WireGuard *container* when resolving requests from connected peers. In practice, that means the *service* directs queries to 127.0.0.11, which Docker intercepts and forwards to whichever resolvers are specified in the Raspberry Pi's `/etc/resolv.conf`. + +* `PEERDNS=auto` with `custom-cont-init` + + This configuration instructs WireGuard to forward DNS queries from remote peers to any **container** which is listening on port 53. This is the option you will want to choose if you are running an ad-blocking DNS server (eg *PiHole* or *AdGuardHome*) in a container on the same host as WireGuard, and you want your remote clients to obtain DNS resolution via the ad-blocker. + + > Acknowledgement: thanks to @ukkopahis for developing this option. + + To activate this feature: + + 1. Make sure your WireGuard service definition contains `PEERDNS=auto`. + 2. Start the WireGuard container by executing: + + ```bash + $ cd ~/IOTstack + $ docker-compose up -d wireguard + ``` + + This ensures that the `~/IOTstack/volumes/wireguard` folder structure is created and remote client configurations are (re)generated properly. + + 3. 
Run the following commands: - If you have a local upstream DNS server, you can change this setting so that queries are directed to that server. For example: + ```bash + $ cd ~/IOTstack + $ sudo cp ./.templates/wireguard/use-container-dns.sh ./volumes/wireguard/custom-cont-init.d/ + $ docker-compose restart wireguard + ``` + + The presence of `use-container-dns.sh` causes WireGuard to redirect incoming DNS queries to the default gateway on the internal bridged network. That, in turn, results in the queries being forwarded to any other container that is listening for DNS traffic on port 53. It does not matter if that other container is PiHole, AdGuardHome, bind9 or any other kind of DNS server. + + Do note, however, that this configuration creates a dependency between WireGuard and the container providing DNS resolution. You may wish to make that explicit in your `docker-compose.yml` by adding these lines to your WireGuard service definition: + + ```yaml + depends_on: + - pihole + ``` + + > Substitute `adguardhome` or `bind9` for `pihole`, as appropriate. + + Once activated, this feature will remain active until you decide to deactivate it. If you ever wish to deactivate it, run the following commands: + + ```bash + $ cd ~/IOTstack + $ sudo rm ./volumes/wireguard/custom-cont-init.d/use-container-dns.sh + $ docker-compose restart wireguard + ``` + +* `PEERDNS=«ip address»` + + A third possibility is if you have a local upstream DNS server. You can specify the IP address of that server so that remote peers receive DNS resolution from that host. For example: ```yml - PEERDNS=192.168.203.65 
@@ -535,7 +586,7 @@ $ docker system prune ## Getting a clean slate -If WireGuard misbehaves, you can start over from a clean slate. You also need to do this if you change any of the following environment variables: +If WireGuard misbehaves, you can start over from a clean slate. You *may* also need to do this if you change any of the following environment variables: ```yml - SERVERURL= @@ -561,7 +612,10 @@ The procedure is: > Be very careful with that command and double-check your work **before** you hit return. - Erasing the persistent storage area destroys the old client configurations and invalidates any copies of QR codes. Existing clients will stop working until presented with a new QR code. + Erasing the persistent storage area: + + * destroys the old client configurations and invalidates any copies of QR codes. Existing clients will stop working until presented with a new QR code. + * deactivates [`PEERDNS=auto` with `custom-cont-init`](#customContInit). 3. Start WireGuard: @@ -570,3 +624,5 @@ The procedure is: ``` This will generate new client configurations and QR codes for your devices. + + Remember to re-activate [`PEERDNS=auto` with `custom-cont-init`](#customContInit) if you need it.