This guide demonstrates how to set up a WireGuard VPN server using Docker and the popular wg-easy Docker image on a DigitalOcean Droplet. wg-easy provides a simple web interface to manage your WireGuard VPN, making it incredibly easy to add, remove, and configure clients.

Prerequisites

Before you start, ensure you have:

DigitalOcean Firewall: Remember to configure DigitalOcean's Cloud Firewall in addition to any firewall on the Droplet itself (like UFW).

Deployment Steps

Step 1: Connect to Your Droplet & Prepare Docker

Connect to your DigitalOcean Droplet via SSH:

ssh root@YOUR_DROPLET_IP

If you didn't use the Docker marketplace image, you'll need to install Docker and Docker Compose.

# Install Docker
sudo apt update
sudo apt install -y docker.io

# Install Docker Compose
sudo apt install -y docker-compose

Step 2: Create a docker-compose.yml File

Create a directory for your wg-easy configuration and navigate into it:

mkdir ~/wg-easy-vpn
cd ~/wg-easy-vpn

Now, create a docker-compose.yml file using a text editor like nano:

nano docker-compose.yml

Paste the following configuration into the file. You must replace YOUR_DROPLET_IP_ADDRESS with your Droplet's public IP and YOUR_CHOSEN_PASSWORD with a password of your own.

version: "3.8"
services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    environment:
      # Required: Your Droplet's Public IP
      - WG_HOST=YOUR_DROPLET_IP_ADDRESS

      # Optional: Set a password for the web UI
      - PASSWORD=YOUR_CHOSEN_PASSWORD

      # Optional: Port for the web UI (TCP)
      - UI_PORT=51821
    volumes:
      - ./config:/etc/wireguard
    ports:
      # WireGuard itself: must be reachable from the internet
      - "51820:51820/udp"
      # Web UI: bound to loopback only, so it is not published on the
      # Droplet's public address (VPN clients reach it at 10.8.0.1:51821)
      - "127.0.0.1:51821:51821/tcp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Security: Choose a strong, unique password for `YOUR_CHOSEN_PASSWORD`. Do not publish the web UI port (51821) on the Droplet's public address; we will reach the UI through the VPN tunnel later. Keep in mind that Docker publishes ports by writing its own iptables rules, so a UFW rule on the Droplet does not block a port that docker-compose publishes on all interfaces: only the compose port mapping itself (or the DigitalOcean Cloud Firewall, which sits outside the host) controls that exposure.

Step 3: Start the WireGuard Docker Container

From within the ~/wg-easy-vpn directory, start the container in detached mode:

sudo docker-compose up -d

You can check the status of your container with sudo docker-compose ps.

Step 4: Configure Firewalls

You only need to allow the WireGuard traffic itself. We will keep the web UI private and access it through the VPN.

On the Droplet (using UFW):

sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw enable

In your DigitalOcean Cloud Firewall: Create an Inbound Rule to allow UDP traffic on port 51820 from all sources.
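Because a port that docker-compose publishes on all interfaces is reachable regardless of UFW, it is worth checking the exposure twice: once statically on the docker-compose.yml before deploying, and once on the running Droplet. The script below is an added example and not part of wg-easy or this guide's original material; it assumes iproute2's `ss` (present on Ubuntu) and uses constructed sample data (a compose `ports:` fragment and `ss -H -lntu` output) so it runs offline. In real use you would pipe `ss -H -lntu` and your compose file into it instead of the samples.

```shell
#!/bin/sh
# Exposure check for a wg-easy deployment (added example, not project code).
# Goal: confirm that only WireGuard (51820/udp) and SSH (22/tcp) listen on a
# wildcard address and that the web UI (51821/tcp) is not published publicly.

# Constructed sample of a compose `ports:` section with the UI on all interfaces.
SAMPLE_PORTS='      - "51820:51820/udp"
      - "51821:51821/tcp"
      - "127.0.0.1:51822:51822/tcp"'

# Constructed sample of `ss -H -lntu` output from a misconfigured host:
# the UI is published on 0.0.0.0:51821 as well as 127.0.0.1:51821.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:51821      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096         0.0.0.0:51821      0.0.0.0:*'

# Constructed sample of a correctly exposed host (UI on loopback only).
SAMPLE_SS_OK='udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:51821      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

# Static check: print "port/proto" for every compose port mapping that has no
# host IP prefix (i.e. is published on every interface). Reads the file on stdin.
compose_wildcard_ports() {
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' |
    awk -F: '$1 ~ /^[0-9]+$/ && NF == 2 {
        n = split($2, c, "/")          # "51821/tcp" -> c[1]=51821 c[2]=tcp
        print $1 "/" (n > 1 ? c[2] : "tcp")
    }'
}

# Runtime check: print "proto port" for each socket in `ss -H -lntu` output
# that is bound to a wildcard address (0.0.0.0, [::] or *).
wildcard_listeners() {
    awk '{
        proto = $1; local = $5
        n = split(local, parts, ":")   # split on the last colon so [::]:22 works
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print proto, port
    }'
}

# Print wildcard listeners that are not in the allow list ("udp:51820 tcp:22").
unexpected_listeners() {
    allowed="$1"
    wildcard_listeners | sort -u | while read -r proto port; do
        case " $allowed " in
            *" $proto:$port "*) ;;                     # expected
            *) printf '%s:%s\n' "$proto" "$port" ;;    # not expected: report it
        esac
    done
}

# Return 0 when nothing unexpected listens publicly, 1 otherwise.
check_exposure() {
    offenders=$(unexpected_listeners "$1")
    if [ -n "$offenders" ]; then
        printf 'Unexpected public listener(s): %s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Demo over the constructed samples. On the Droplet you would run:
#   compose_wildcard_ports < docker-compose.yml
#   ss -H -lntu | check_exposure "udp:51820 tcp:22"
printf '%s\n' "$SAMPLE_PORTS" | compose_wildcard_ports
printf '%s\n' "$SAMPLE_SS" | check_exposure "udp:51820 tcp:22" ||
    echo "fix the compose port mapping before exposing the Droplet"
```

Run the static check before `docker-compose up -d` and the runtime check afterwards; the only wildcard entries you should see are 51820/udp and, if you left it open in UFW, 22/tcp. Anything else on a wildcard address, 51821/tcp in particular, means the compose port mapping is publishing it on the public interface.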

Step 5: Access wg-easy and Configure Your First Client

This is the tricky part: since the web UI isn't exposed to the internet, we need to connect our first client manually to access it.

  1. Get the client config from the server: run the following command on your server to print the first client's configuration file.

     sudo docker-compose exec wg-easy cat /etc/wireguard/clients/client.conf

  2. Save the config: copy the output and save it as client.conf on your local computer.

  3. Connect: import this file into your WireGuard client application and connect to the VPN.

  4. Access the web UI: now that you are connected to the VPN, open your browser and navigate to the server's VPN IP address:

     http://10.8.0.1:51821

  5. Log in with the password you set. From here you can easily add, remove, and get QR codes for all your other devices through the secure web interface.

Step 6: Connect Your Other Devices

Use the web UI to create new clients for your other devices. You can download the .conf file or simply scan the QR code with your WireGuard mobile app. Activate the connection, and your device's traffic will now be routed through your DigitalOcean Droplet.

Conclusion

You've successfully deployed a WireGuard VPN server with a user-friendly web UI using Docker! wg-easy simplifies management, and Docker handles the complexities of the WireGuard setup. Enjoy your secure and private internet connection.