Homelab: WireGuard VPN (Docker)

Here’s a minimal, proven Docker Compose setup for running WireGuard in a home lab.
This is the configuration I personally use and avoid over-documenting — it works, and it works well.

Make sure Docker Engine and Docker Compose Plugin (v2.0+) are installed.

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=vpn.mydomain.com
      - SERVERPORT=51820
      - PEERS=8
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=all
      - LOG_CONFS=true
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Usage Notes

• Client configs and QR codes are generated automatically
• Works well on laptops, phones, and tablets
• Single UDP port, no web UI, minimal attack surface
• Fast, stable, and low maintenance once running

Routing Behavior

This setup provides full-tunnel VPN access by default:

• All client traffic is routed through the VPN
• Your public IP appears as your home network
• Useful on public Wi-Fi or when you want everything encrypted

This is controlled by ALLOWEDIPS=0.0.0.0/0.

If you only want LAN-only access:

• Only traffic destined for your home network goes through the VPN
• Internet traffic continues to use the local connection
• Ideal for accessing NAS, servers, and internal services remotely

Example: ALLOWEDIPS=192.168.0.0/24

WireGuard handles both models cleanly — just pick what fits your use case.

Why WireGuard

• Modern cryptography
• Extremely fast connection setup
• Very low overhead
• A great fit for Docker-based home labs