Running wireguard in client only mode in a docker container

What I want to do:

  1. Use a new wg-network for VyOS in my docker environment.
  2. In my VyOS container, run wireguard in client mode to connect to my paid vpn service.
  3. Make VyOS a sort of the default gateway for other containers in the wg-network.
  4. Connect other containers to wg-network and ensure all the traffic goes out throught the VyOS’ wireguard interface.

What I have been able to do so far:

  1. I have been able to create a VyOS docker image and run it in a container from these instructions.
  2. Have put my wireguard config in /etc/wireguard/wg0.conf (The config works fine btw I’ve tested it in other distros)

What’s the blocker:

  1. When I run the command ip link show - it does not display a wireguard interface.
  2. Output fo wg-quic up command:
# wg-quick up /etc/wireguard/wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.00 seconds...
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.20 seconds...
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.44 seconds...
^C[#] ip link delete dev wg0
Unable to access interface: No such device
[#] ip link delete dev wg0
Cannot find device "wg0"

According to the documentation - a new key-pair needs to be generated for the wireguard interface. However, I’m afraid that it will make it run in a server (or peer) mode and won’t help connect to my paid vpn service because they already have provided me with a public and private keypair which I have put in the wg0.conf file.

Can someone help me troubleshoot this further, please? Much appreciated.

You can directly set up wireguard in Vyos configuration as regards what you want to implement it.

I have found this on the documentation page: WireGuard — VyOS 1.2.x (crux) documentation


My vpn service has only provided us with a config file that of this structure in the screenshot.

I’ve tried creating a new wireguard interface but it required another peer, which I don’t have.

I just want to use this config and connect to the vpn service. Any ideas how to do that?

You’re over complicating a simple thing.

edit interface wireguard wg1

tim@example# show
 description "Wireguard Connection to VPN"
 ip {
     adjust-mss 1380
 peer dodgy_vpn_provider {
     persistent-keepalive 25
     port 2224
     public-key The public key under the peer statement I can't copy
 port 2224
 private-key Private Key Under Interface Statement I Can't Copy

This assumes you’re using 1.5 rolling.

Yeah I’ve been using 1.5 rolling and like I said before, a wireguard interface does not exist when i launch the container and any attempts to create one fails.

My apologies, I missed you were running Vyos in a container.

I’m not sure how you’d do this, and I’ll pull my head in (though that config I gave you should work without having to do manual wg0.conf stuff)

Why don’t run wiregurad in vyos with native configuration?

This is my first attempt at using VyOS so I’ll appreciate your patience with me.

So far I’ve used two different images in a docker container.

1 - The 1.5 nightly build - Releases · vyos/vyos-rolling-nightly-builds (
In this one, the wg-quick command with the config specified does not work. I’ve also followed the documentation. I can go into the configure mode and define the wireguard interface IP block and descritpion. But it fails at the point where I define my peer’s endpoint. I don’t think my paid (or dodgy as the word is this forum lol) vpn does not accept that.

  1. The docker hub image - vyos/vyos-build:current (I believe it’s 1.5.x)
    This one I can install wireguard-tools and then use the wg0.conf file provided by my vpn provider and get the wireguard interface up and running just fine. However, it doesn’t sit quite right because the ‘configure’ command it not available. It makes me wonder is it even VyOS router OS or is it just simply debian 12?

I just want to configure a container to act as my default gateway in my custom docker network. I thought since VyOS is a router OS, it could just do the job. I guess it’s not that straightforward.

This will be a hard way to do routing with containers in vyos. I implemented all you wanted by myself with Vyos native wireguard configuration. It will be faster since it is a kernel-based wireguard. If you want to set it in the container, it will be harder. Why don’t you try Debian with Docker? You can control it with iptables.

Yeah I’ve had some success with debian with docker. Basically, my custom docker network is, the default gateway is, and the debian container’s ip is

I have created and connected a wireguard interface in that container and then have modified my iptables to serve as a default gateway. Guide link.

Now here’s the problem. Any container that joins this network will have its default gateway set to 0.1 by default. The default gateway can be set to 0.2 but it will need running the container in a privileged mode, which is a massive security issue.

I’ve also tried setting the 0.1 ip address to my debian container’s eth0 (and removed 0.2) - in that case it loses all connectivity. (I’ve tried different combinations of ip route in both inside the container and out on the host as well.)