Can't access Web UI on port 5000 - Docker Compose #558

eakteam opened this issue Mar 12, 2024 · 4 comments

eakteam commented Mar 12, 2024

Hi, I don't understand why I cannot access the Web UI on port 5000.

Here is my docker-compose.yaml configuration:

version: "3"

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./config:/config
    ports:
      # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      #- SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS=info@example.com
      - EMAIL_FROM_NAME=EAK TEAM
      - SMTP_HOSTNAME=172.16.0.3
      - SMTP_PORT=25
      - SMTP_AUTH_TYPE=none
      - SMTP_ENCRYPTION=STARTTLS
      - SMTP_HELO=localhost
      #- SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=wireguard!@#
      - WGUI_DNS=1.1.1.1, 8.8.8.8
      #- WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard

Output of netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      5338/docker-proxy
tcp        0      0 :::5000                 :::*                    LISTEN      5343/docker-proxy
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           5318/docker-proxy
udp        0      0 :::51820                :::*                                5323/docker-proxy

Running it with docker compose up -d but it doesn't work, connection refused!

Tested to run on docker only wireguard-ui with this config and it works OK.

version: "3"

services:
  wg:
    build: .
    #image: ngoduykhanh/wireguard-ui:latest
    container_name: wgui
    cap_add:
      - NET_ADMIN
    network_mode: host
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=alpha
      - WGUI_PASSWORD=this-unusual-password
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=false
      - WGUI_MANAGE_RESTART=false
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - /etc/wireguard:/etc/wireguard

What am I doing wrong, or is this a bug with it?

@mpkossen

See: #523

@willzhang

willzhang commented Apr 12, 2024

This example may not work now:

https://raw.githubusercontent.com/ngoduykhanh/wireguard-ui/master/examples/docker-compose/linuxserver.yml

root@ubuntu:~# docker logs -f wireguard
[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    911
User GID:    911
───────────────────────────────────────

Uname info: Linux e7dc3c7dffc9 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Performing migration to new folder structure for confs. Please see the image changelog 2023-10-03 entry for more details. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, but it doesn't seem to be valid, skipping. ****
**** No valid tunnel config found. Please create a valid config and restart the container ****
[ls.io-init] done.

WireGuard gives errors

**** Found WG conf /config/wg_confs/wg0.conf, but it doesn't seem to be valid, skipping. ****
**** No valid tunnel config found. Please create a valid config and restart the container ****

It's empty

root@ubuntu:~# cat config/wg_confs/wg0.conf 
root@ubuntu:~# 
root@ubuntu:~# 

Maybe something has been changed in linuxserver wireguard; this works for me:

https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#usage

Example:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Shanghai
      - SERVERURL=192.168.72.50
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=25
      - LOG_CONFS=true
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 5000:5000
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard

start

root@ubuntu:~# docker-compose up -d

It's ok

root@ubuntu:~# docker logs -f wireguard
[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

Uname info: Linux 42a364117c8c 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Performing migration to new folder structure for confs. Please see the image changelog 2023-10-03 entry for more details. ****
**** Server mode is selected ****
**** PersistentKeepalive will be set for: 25 ****
**** External server address is set to 192.168.72.50 ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.13.13.0 ****
**** AllowedIPs for peers 0.0.0.0/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
**** Server mode is selected ****
**** Server related environment variables changed, regenerating 1 server and 1 peer/client confs ****
PEER 1 QR code (conf file is saved under /config/peer1):
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.13.13.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
**** All tunnels are now active ****
[ls.io-init] done.

And have config in config/wg_confs/wg0.conf

root@ubuntu:~# cat config/wg_confs/wg0.conf 
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = mJrmw9DLks3VO5u0YyntSWcXBA0HzTwo79zkh/oV+Hg=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer1
PublicKey = x3Dd2W1DDIrAPiyj8srpgWDxd9vokcOvqk7Lk1FJH3U=
PresharedKey = 85uTgVEw7LgujhacXpcdTpK0H1XkRUx5LGDEBVXPpPQ=
AllowedIPs = 10.13.13.2/32

Login success

@ricardojlrufino

@willzhang for me this works but only for clients generated in the terminal, not working for UI clients

@Mindless999

Since they have moved the configuration, I have added the following in the environment

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
   ......
    network_mode: service:wireguard
    environment:
      - WGUI_CONFIG_FILE_PATH=/etc/wireguard/wg_confs/wg0.conf
   ......

This will allow me to start the dockers if I (under the user I'm using for the docker) manually do the command:

docker restart wireguard
docker restart wireguard-ui

However if I run this as a command it will not start the dockers properly and for some reason give the following:

wireguard:~$ docker logs -f wireguard
[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1001
User GID:    1001
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls37
Build-date: 2024-05-25T16:14:15+00:00
───────────────────────────────────────

Uname info: Linux 9de431bea628 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Server mode is selected ****
**** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of ***.***.***.*** ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.13.13.0 ****
**** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
**** Server mode is selected ****
**** No changes to parameters. Existing configs are used. ****
[custom-init] No custom files found, skipping...
.:53
CoreDNS-1.11.1
linux/amd64, go1.22.3,
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
wg-quick: `wg0' already exists
**** Tunnel /config/wg_confs/wg0.conf failed, will stop all others! ****
**** All tunnels are now down. Please fix the tunnel config /config/wg_confs/wg0.conf and restart the container ****
[ls.io-init] done.

So does anyone have an idea on how to make sure that the dockers will stay running properly?

Short recap: automatically starting: doesn't work; manually restarting: works.
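
Added example, not part of any comment in this thread and not the project's own code: a shell check for the two config-file conditions the logs above report, an empty `wg_confs/wg0.conf` and a world-accessible one. It assumes the `./config` bind mounts from the compose files above; the function name `check_wg_conf` and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the wg0.conf shared by both containers.
# Assumption: ./config is mounted at /config (wireguard) and at /etc/wireguard
# (wireguard-ui), so both container paths resolve to CONFIG_DIR/wg_confs/wg0.conf.

# check_wg_conf CONFIG_DIR
# Prints one finding and returns:
#   0 = usable, 1 = missing, 2 = empty, 3 = no [Interface] section,
#   4 = parses, but permission bits are set for "other" users
check_wg_conf() {
    conf="$1/wg_confs/wg0.conf"   # path the wireguard container logs as its tunnel config

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf (does WGUI_CONFIG_FILE_PATH point into wg_confs/?)"
        return 1
    fi
    if [ ! -s "$conf" ]; then
        echo "EMPTY: $conf (the container logs \"doesn't seem to be valid\")"
        return 2
    fi
    if ! grep -q '^[[:space:]]*\[Interface\]' "$conf"; then
        echo "INVALID: $conf has no [Interface] section"
        return 3
    fi
    # The file carries PrivateKey and PresharedKey values, so any permission
    # bit for "other" exposes them to every local account on the host.
    if [ -n "$(find "$conf" \( -perm -001 -o -perm -002 -o -perm -004 \))" ]; then
        echo "WORLD-ACCESSIBLE: $conf (fix with: chmod o-rwx $conf)"
        return 4
    fi
    echo "OK: $conf"
    return 0
}

# When run as a script with an argument, audit that directory:
#   sh check_wg_conf.sh ./config
if [ "$#" -gt 0 ]; then
    check_wg_conf "$1"
fi
```

Run it on the Docker host from the compose project directory, before and after restarting the containers, to see whether the UI has written a config where the server container looks for it.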
