Wireguard in Swarm cluster
I still feel like docker Swarm is underrated. Swarm is great for simple workloads, especially if you're building on-premise. If you use Swarm on VPS it is very useful to have possibility to connect to Swarm cluster outside. I personally prefer Wireguard because of its speed, lightweight design, and stability. It offers a streamlined and efficient VPN solution that consistently delivers reliable performance.
Let's create a separate network for Wireguard
docker network create wg_netThen we need a dir for config which will be mounted inside container.
mkdir -p wg/config
chmod 777 -R wg/configThen we can modify stack with some system services I use separate stack for it. The most important properties:
SERVERURL=*.*.*.*you should change it for your ip address or domain namePEERS=1when Swarm starts container Wireguard creates 1 configuration for peer and adds it into server config.
services:
Wireguard:
image: lscr.io/linuxserver/Wireguard:latest
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- SERVERURL=*.*.*.*
- SERVERPORT=51820
- PEERS=1
- PEERDNS=auto
- INTERNAL_SUBNET=10.11.11.0
- ALLOWEDIPS=0.0.0.0/0
- LOG_CONFS=true
volumes:
- $PWD/wg/config:/config
- /lib/modules:/lib/modules
networks:
- wg_net
ports:
- 51820:51820/udp
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
deploy:
placement:
constraints: [node.role == manager]
networks:
wg_net:
external: trueThen we can deploy stack via docker stack deploy --with-registry-auth -c system.yaml system
After starting container Wireguard creates peer config at wg/config/peer1
peer1.conf is our Wireguard client config.
For using the Wireguard network inside the cluster we need to add its network explicitly to any desired service, for example, we have montitoring.yaml stack, and we want to connect to Prometheus.
services:
prometheus:
image: prom/prometheus:v2.55.1
networks:
- wg_netFor connecting to prometheus we can use http://monitoring_prometheus:9090