How to get information from wireguard container #115

Open
a-camacho opened this issue Sep 20, 2023 · 4 comments

@a-camacho

Hi everyone,

I am using Wireguard as a docker container on my server machine.
Is there any way to be able to deploy this container, and still get information from the containerized server?

Or should I build a server container image, containing wireguard-exporter ?
Do you know if there is an existing image already ?

Thanks a lot.

@tolkonepiu

tolkonepiu commented Oct 10, 2023

Here is an example of wg-easy + wireguard_exporter:

https://github.com/tolkonepiu/wg-easy-extended/

@a-camacho

Thanks, I ended up mapping wg-exporter binary to linuxserver/wireguard container.

@GeoffreyCoulaud

GeoffreyCoulaud commented Nov 23, 2023

> Thanks, I ended up mapping wg-exporter binary to linuxserver/wireguard container.

What do you mean? Can you explain the steps you took?
Thanks in advance


Edit:

I solved the issue myself, by "mapping" @a-camacho meant attaching to the wireguard container network.
Here is part of my compose.yml for anyone stumbling upon this issue

    wireguard:
        container_name: wireguard
        image: lscr.io/linuxserver/wireguard:latest
        restart: unless-stopped
        sysctls:
            - net.ipv4.conf.all.src_valid_mark=1
        cap_add:
            - NET_ADMIN
            - SYS_MODULE
        env_file:
            - wireguard-peers.env
        environment:
            - PUID=${PUID}
            - PGID=${PGID}
            - TZ=${TZ}
            - SERVERURL=...
            - SERVERPORT=${WIREGUARD_PORT}
            - INTERNAL_SUBNET=...
            - ALLOWEDIPS=...
            - PERSISTENTKEEPALIVE_PEERS=all
            - LOG_CONFS=false
        ports:
            - ${WIREGUARD_PORT}:${WIREGUARD_PORT}/udp
            # Exposes the exporter port here, since it uses the wireguard network stack
            - ${WIREGUARD_EXPORTER_PORT}:${WIREGUARD_EXPORTER_PORT}
        volumes:
            - /lib/modules:/lib/modules
            - wireguard-config:/config

    wireguard-exporter:
        image: mindflavor/prometheus-wireguard-exporter
        restart: unless-stopped
        container_name: wireguard-exporter
        command: -a true
        # This is what makes the exporter see the wireguard interfaces
        network_mode: "service:wireguard"
        cap_add:
            - NET_ADMIN
        volumes:
            - wireguard-config:/config:ro
        environment:
            - PROMETHEUS_WIREGUARD_EXPORTER_PORT=${WIREGUARD_EXPORTER_PORT}
            - PROMETHEUS_WIREGUARD_EXPORTER_CONFIG_FILE_NAMES=/config/wg_confs/wg0.conf

@instantdreams

Here is an example using docker compose for wg-easy.

To get this to work I had to run the exporter container as root, and disable the sudo prepend. Not ideal but it worked.

compose.yaml file:

services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:latest
    container_name: wg-easy
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1               # forward requests
      - net.ipv4.conf.all.src_valid_mark=1  # Permits rp_filter to function when the fwmark is used for routing traffic in both directions
    ports:
      - "${CONTAINER_PORT1}:${WG_PORT}/udp"                             # wireguard tunnel
      - "${CONTAINER_PORT2}:${PORT}/tcp"                                # web ui
      - "${CONTAINER_PORT3}:${PROMETHEUS_WIREGUARD_EXPORTER_PORT}/tcp"  # metrics
    env_file:
      - .env
    volumes:
      - ${DIRECTORY_CONFIG}:/etc/wireguard
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
  wireguard-exporter:
    image: mindflavor/prometheus-wireguard-exporter:latest
    container_name: wireguard-exporter
    network_mode: service:wg-easy
    user: root:root
    cap_add:
      - NET_ADMIN
    command: -a false
    env_file:
      - .env
    volumes:
      - ${DIRECTORY_CONFIG}:/etc/wireguard:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

.env.example file:

# Host specifics
CONTAINER_PORT1=51840
CONTAINER_PORT2=51841
CONTAINER_PORT3=9586
# Directory locations
DIRECTORY_CONFIG=/srv/wg-easy/config
# Container details
## wg-easy
PORT=51841
PASSWORD_HASH=[password_hash]
WG_HOST=wireguard.example.com
WG_PORT=51840
WG_CONFIG_PORT=51840
WG_MTU=1420
WG_PERSISTENT_KEEPALIVE=32
WG_DEFAULT_ADDRESS=10.8.0.x
WG_DEFAULT_DNS=[list_of_your_adguard_or_pihole_dns_servers]
WG_ALLOWED_IPS=[list_of_your_internal_ips]
LANG=en
UI_TRAFFIC_STATS=true
UI_CHART_TYPE=1
## wireguard-exporter-prometheus
PROMETHEUS_WIREGUARD_EXPORTER_VERBOSE_ENABLED=false
PROMETHEUS_WIREGUARD_EXPORTER_PREPEND_SUDO_ENABLED=false
PROMETHEUS_WIREGUARD_EXPORTER_ADDRESS=0.0.0.0
PROMETHEUS_WIREGUARD_EXPORTER_PORT=9586
PROMETHEUS_WIREGUARD_EXPORTER_CONFIG_FILE_NAMES=/etc/wireguard/wg0.conf
PROMETHEUS_WIREGUARD_EXPORTER_SEPARATE_ALLOWED_IPS_ENABLED=true
PROMETHEUS_WIREGUARD_EXPORTER_EXPORT_REMOTE_IP_AND_PORT_ENABLED=true
#PROMETHEUS_WIREGUARD_EXPORTER_INTERFACES=
#EXPORT_LATEST_HANDSHAKE_DELAY=

Steps to test:

  1. Place the compose.yaml and .env.example file in an appropriate directory, e.g. /srv/wg-easy/
  2. Copy the .env.example to .env and add the details specific to your network
  3. Run docker compose pull;docker compose down;sleep 4;docker compose up --detach to start the container
  4. Review the wg-easy logs with docker logs wg-easy
  5. Review the prometheus-wireguard-exporter logs with docker logs wireguard-exporter
  6. Access the logs at http://<>:9586/metrics

There we go.
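Once the exporter is reachable on port 9586, the thing you usually want next is a check that it actually sees the WireGuard interface (the whole point of `network_mode: service:...`) and that peers are handshaking. The following is an added example, not code from the exporter project or from either compose file above: it parses the Prometheus text exposition the exporter serves at /metrics and flags peers whose latest handshake is stale or has never happened. The metric names `wireguard_sent_bytes_total`, `wireguard_received_bytes_total` and `wireguard_latest_handshake_seconds` (a unix timestamp) follow the exporter's documented output; the scrape text, public keys and friendly names in `SAMPLE_SCRAPE` are constructed for the example, and `stale_peers`, `interfaces_seen` and `parse_scrape` are this example's own helpers.

```python
"""Parse prometheus_wireguard_exporter output and flag stale peers.

Added example: not code from the exporter or from the compose setups in
this thread. The metric names follow the exporter's documented output;
the sample scrape below is constructed, not captured from a real server.
"""
import re
import time

# Constructed sample of a GET /metrics response for two peers on wg0.
# "phone" has never completed a handshake (timestamp 0, no traffic).
SAMPLE_SCRAPE = """\
# HELP wireguard_sent_bytes_total Bytes sent to the peer
# TYPE wireguard_sent_bytes_total counter
wireguard_sent_bytes_total{interface="wg0",public_key="AAAA/peer1=",allowed_ips="10.8.0.2/32",friendly_name="laptop"} 3049
wireguard_sent_bytes_total{interface="wg0",public_key="BBBB/peer2=",allowed_ips="10.8.0.3/32",friendly_name="phone"} 0
# HELP wireguard_received_bytes_total Bytes received from the peer
# TYPE wireguard_received_bytes_total counter
wireguard_received_bytes_total{interface="wg0",public_key="AAAA/peer1=",allowed_ips="10.8.0.2/32",friendly_name="laptop"} 18200
wireguard_received_bytes_total{interface="wg0",public_key="BBBB/peer2=",allowed_ips="10.8.0.3/32",friendly_name="phone"} 0
# HELP wireguard_latest_handshake_seconds Seconds from the last handshake
# TYPE wireguard_latest_handshake_seconds gauge
wireguard_latest_handshake_seconds{interface="wg0",public_key="AAAA/peer1=",allowed_ips="10.8.0.2/32",friendly_name="laptop"} 1700000000
wireguard_latest_handshake_seconds{interface="wg0",public_key="BBBB/peer2=",allowed_ips="10.8.0.3/32",friendly_name="phone"} 0
"""

# One sample line: metric_name{labels} value [timestamp]
_SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
# One label inside the braces; the value may contain escaped quotes.
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(raw):
    """Undo Prometheus label escaping (\\\\, \\\" and \\n)."""
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) == 'n' else m.group(1), raw)


def parse_scrape(text):
    """Return a list of (metric_name, labels_dict, float_value) samples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # HELP/TYPE lines and blanks carry no samples
        m = _SAMPLE_RE.match(line)
        if not m:
            continue
        name, raw_labels, value = m.groups()
        labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(raw_labels or '')}
        samples.append((name, labels, float(value)))
    return samples


def interfaces_seen(text):
    """Interface labels present in the scrape. An empty set means the
    exporter is not in the WireGuard container's network namespace (or
    cannot read the config), so there is nothing to monitor yet."""
    return {labels['interface'] for _, labels, _ in parse_scrape(text)
            if 'interface' in labels}


def stale_peers(text, now, max_age):
    """Peers whose latest handshake is older than max_age seconds, or who
    have never handshaked (timestamp 0). age_seconds is None for 'never'."""
    stale = []
    for name, labels, value in parse_scrape(text):
        if name != 'wireguard_latest_handshake_seconds':
            continue
        age = now - value if value > 0 else None
        if age is None or age > max_age:
            stale.append({
                'interface': labels.get('interface'),
                'peer': labels.get('friendly_name') or labels.get('public_key'),
                'allowed_ips': labels.get('allowed_ips'),
                'age_seconds': age,
            })
    return stale


if __name__ == '__main__':
    print('interfaces:', sorted(interfaces_seen(SAMPLE_SCRAPE)))
    for peer in stale_peers(SAMPLE_SCRAPE, now=time.time(), max_age=300):
        print('stale:', peer)
```

To use it against a live exporter, replace `SAMPLE_SCRAPE` with the body of an HTTP GET to the exporter port and pick `max_age` a little above your `PERSISTENTKEEPALIVE` / `WG_PERSISTENT_KEEPALIVE` interval plus the ~2 minute rekey window, otherwise healthy idle peers will be reported. Note what the scrape contains: every peer's public key, allowed IPs and (with `EXPORT_REMOTE_IP_AND_PORT_ENABLED`) its current endpoint address, so the exporter port mapped in the compose files above should only be reachable by the Prometheus scraper, not the public interface the tunnel listens on.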
