Adguard Home + Wireguard (WG Easy)

[nktnet1]

UPDATE 2025

For wireguard v15+, see my comment further below.

---

Original (Old Answer)

click to view (wireguard 14)

Here's a working template for adguard home + wireguard (using wg-easy image):

services:
  adguardhome:
    image: adguard/adguardhome
    ports:
      # NOTE: it's not strictly necessary to map these
      # ports to the host machine.
      - 53:53/tcp
      - 53:53/udp
      - 784:784/udp
      - 853:853/tcp
      - 20080:80/tcp
      # Only needed for the initial setup. Disable after.
      - 20300:3000
    volumes:
      - /opt/adguardhome/work:/opt/adguardhome/work
      - /opt/adguardhome/conf:/opt/adguardhome/conf
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    networks:
      private_network:
        # Make sure to set this as the DNS ip in wg-easy
        ipv4_address: 10.2.0.100

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:14
    environment:
      # Your public IP address
      - WG_HOST=${WG_HOST}
      # https://github.com/wg-easy/wg-easy/blob/v14.0.0/How_to_generate_an_bcrypt_hash.md
      # i.e. docker run ghcr.io/wg-easy/wg-easy:14 wgpw YOUR_PASSWORD
      - PASSWORD_HASH=<GENERATE YOUR HASH - READ ABOVE INSTRUCTIONS CAREFULLY>
      - LANG=${LANG:-en}
      - WG_PORT=51820
      - PORT=51821
      - WG_DEFAULT_DNS=10.2.0.100
    volumes:
      - wg_easy_data:/etc/wireguard
    ports:
      - 51820:51820/udp
      - 51821:51821/tcp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    networks:
      private_network:
        ipv4_address: 10.2.0.3

volumes:
  wg_easy_data:

networks:
  private_network:
    ipam:
      driver: default
      config:
        - subnet: 10.2.0.0/24

Please look up the respective guides on how to set this up. You will need to open port 51820 for UDP on your router ("port forwarding" section in settings).

This was updated from @walmer26's answer in March 21, 2022.

---

If you run into issues with port 53 being taken (most likely from systemd-resolved), see here:

• Port 53 already in use AdguardTeam/AdGuardHome#4283 (comment)

[nktnet1]

For wg-easy version 15 (released just now):

• https://github.com/wg-easy/wg-easy

First, export your existing config, then replace your compose yaml with:

services:
  adguardhome:
    image: adguard/adguardhome
    restart: unless-stopped
    ports:
      # NOTE: it's not strictly necessary to map these
      # ports to the host machine.
      - 53:53/tcp
      - 53:53/udp
      - 784:784/udp
      - 853:853/tcp
      - 20080:80/tcp
      # Only needed for the initial setup. Disable after.
      - 20300:3000
    volumes:
      # NOTE: you can use named volumes if you don't need
      # access to these files on the host machine.
      - /opt/adguardhome/work:/opt/adguardhome/work
      - /opt/adguardhome/conf:/opt/adguardhome/conf
    cap_add:
      - NET_ADMIN
    networks:
      private_network:
        # Make sure to set this as the DNS ip in wg-easy
        ipv4_address: 10.2.0.100

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15
    restart: unless-stopped
    environment:
      - HOST=0.0.0.0
      - PORT=51821
      - INIT_ENABLED=true
      - INIT_DNS=10.2.0.100
      # Set to false to disallow login from http
      # (i.e. requires domain + HTTPS)
      - INSECURE=true
    volumes:
      # NOTE: you can use named volumes for /opt/wgeasy
      - /opt/wg_easy/etc/wireguard:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - 51820:51820/udp
      - 51821:51821/tcp
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    networks:
      private_network:
        ipv4_address: 10.2.0.3
    healthcheck:
      test: ["CMD", "/usr/bin/timeout", "5s", "/bin/sh", "-c", "/usr/bin/wg show | /bin/grep -q interface || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 5s
      start_interval: 3s

networks:
  private_network:
    ipam:
      driver: default
      config:
        - subnet: 10.2.0.0/24

and finally, import your config back.

---

NOTE: if the client has no internet despite connecting, try running the following command inside your wg-easy docker container:

ip route get 8.8.8.8 | awk '{print $5}'

If it's not eth0, then find the fix in this issue:

• [Bug]: Internet routing fails when multiple docker networks are present wg-easy/wg-easy#1795

Only for my OCI VPS, I had to run a hacky script (from the host machine) to keep restarting until eth0 is the default + add routing between 10.8.0.0/24 (client subnet) and 10.2.0.0/24 (adguard home dns):

click to view

#!/bin/sh

WG_EASY_ID=$(docker ps --format="{{.ID}} {{.Names}}" | grep wg-easy | awk '{print $1}')

while true; do
    IFACE=$(docker exec $WG_EASY_ID sh -c "ip route get 8.8.8.8 | awk '{print \$5}'")
    echo "IFACE: $IFACE"
    if [ "$IFACE" != "eth0" ]; then
        echo "$(date): wg-easy container default route is via $IFACE, restarting..."
        docker restart $WG_EASY_ID
    else

        docker exec "$WG_EASY_ID" sh -c "
        iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -d 10.2.0.0/24 -j MASQUERADE 2>/dev/null || \
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 10.2.0.0/24 -j MASQUERADE;
        echo 'Current POSTROUTING rules for 10.8.0.0/24 → 10.2.0.0/24:';
        iptables -t nat -L POSTROUTING -n -v | grep '10.8.0.0/24.*10.2.0.0/24'
        "

        break
    fi
    sleep 5
done

---

For Android client on cellular (mobile data), you may also want to check if setting the MTU on the client to 1376 (instead of the default 1420) fixes it. For more details, see here:

• [Bug]: Auto MTU seems not to work wg-easy/wg-easy#2210 (comment)

---

[hiiamboris]

where does 3478 come from?

[nktnet1]

Oops - good pick-up. I've updated the template to port 51820 as per the wg-easy guide :)

• https://github.com/wg-easy/wg-easy/blob/0792862c0d60b4406694023f4f28142efc8235e4/docker-compose.yml#L22

[nktnet1]

For context, I changed my UDP port to 3478 intentionally:

to pretend to be a STUN server:

• https://en.wikipedia.org/wiki/STUN#:~:text=port%20number%20for%20a%20STUN%20server%20is%203478%20for%20UDP

I also use port 123 for Amnezia VPN for the same reason:

This time pretending to be an NTP service

• https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#:~:text=%5B72%5D-,123,-Assigned

This was an attempt to bypass blocking rules in certain networks that block most UDP connections by default.

Problem could've also been solved without changing the interface port by simply routing the public port (e.g. 123 or 3478) to wireguard's port on the host machine (e.g. 51820).

[hiiamboris]

Thanks bro!
It works like a charm after going through the initial configuration of AdGuard. I however modified it a bit:

services:
  adguard:
    image: adguard/adguardhome
    restart: unless-stopped
    ports:
      # - 53:53/tcp     # disable systemd-resolved if you need to expose DNS freely
      # - 53:53/udp     # disable systemd-resolved if you need to expose DNS freely
      - 853:853/tcp     # DoH, DoQ
      # - 80:80/tcp     # already exposed via the Domains interface
      # - 20300:3000    # needed only for the first time setup
    volumes:
      - ../files/adguard/work:/opt/adguardhome/work
      - ../files/adguard/conf:/opt/adguardhome/conf
    cap_add:
      - NET_ADMIN
    networks:
      private_network:
        ipv4_address: 10.2.0.100

  wgeasy:
    image: ghcr.io/wg-easy/wg-easy:15
    restart: unless-stopped
    environment:
      - HOST=0.0.0.0
      - PORT=51821
    volumes:
      - ../files/wgeasy:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - 51820:51820/udp
      # - 51821:51821/tcp    # already exposed via the Domains interface
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    networks:
      private_network:
        ipv4_address: 10.2.0.99

networks:
  private_network:
    ipam:
      driver: default
      config:
        - subnet: 10.2.0.0/24

Mainly:

• 53 is used by systemd-resolved, and putting Adguard on it seems to break other containers, so I left it accessible only to the WG clients
• 784 port seems to be deprecated
• 80 and 51821 - there's no point to expose on the host if we have a domain, since we can configure them via the Domains interface which routes it through Traefik on https
• 10.2.0.3 just seemed arbitrary, so I arbitrarily replaced it to an address closer to the one used by Adguard
• I'm not sure your /opt/... volumes work. I personally haven't been able to make absolute paths persist with Dokploy. Their recommended way is to use ../files prefix, which works for me

Also some recommended post-setup for others:

• for some reason Dokploy uses eth2 interface while wg-easy expects eth0, so I had to set it to eth2 in wg-easy admin panel (what also works is removing -o {{device}} from the postup/postdown commands); otherwise WG doesn't route incoming traffic!
• don't forget to set the Adguard IP 10.2.0.100 as the primary DNS in WG
• disable or limit logging in Adguard (it eats up 10-20GB in a few days)
• if the server is public and you expose port 53, better to limit access to the WG network (10.0.0.0/8) to avoid DNS amplification attacks