LAB-linuxserver/docker-mods
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-mods.git synced 2026-03-23 00:05:28 +08:00
Code Issues Packages Projects Releases Wiki Activity
49 Commits 106 Branches 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Josh Stark b0240f190e Fix example in README
2026-02-22 13:53:04 +00:00
.github/workflows
Fix BuildImage baseimage value
2026-02-22 13:37:06 +00:00
root/etc/s6-overlay/s6-rc.d
Simplified mod structure
2026-02-22 13:27:56 +00:00
.dockerignore
create template branch
2020-02-02 15:55:44 -05:00
.gitattributes
create template branch
2020-02-02 15:55:44 -05:00
.gitignore
create template branch
2020-02-02 15:55:44 -05:00
Dockerfile
Update maintainer label in Dockerfile
2026-02-22 09:34:53 +00:00
LICENSE
LICENSE
2019-05-30 20:35:20 +01:00
README.md
Fix example in README
2026-02-22 13:53:04 +00:00

README.md

Mullvad - Docker mod for Wireguard

This mod adds a script which runs on service startup to communicate with the Mullvad APIs. This obtains the relevant config for a chosen Wireguard node which the container can tunnel through when running in CLIENT mode.

Parameters

-e MULLVAD_ACCOUNT (required)

Your Mullvad account number. This is used to make an API call to obtain your tunnel IP address.

-e MULLVAD_PRIVATE_KEY (required)

The private key of a device on your Mullvad account. You will need to create a device under your account, then use the generated private key for this variable's value. If you have an existing device, you will need to get the private key out of a previously generated config file.

-e MULLVAD_LOCATION (required)

Your spefied location you wish to tunnel through. This variable supports three different formats which effect which node you tunnel through:

Type Example Result
Region gb A node will be randomly picked from all locations within Great Britain
City gb-lon A node will be randomly picked from one of the locations in London
Node(s) gb-lon-wg-001,gb-lon-wg-002 Allows for a specific node to be selected, or from a pool of hand-picked nodes. This option is not region or city locked, so you may pick nodes from any global location

Note: The API this script uses does not distinguish between owned or rented nodes. If that is something you care about, you may need to look at the Mullvad server list and pick some nodes you wish to tunnel through.

-e MULLVAD_DNS (default: 10.64.0.1)

An optional variable which lets you override the default DNS used for tunnelled connections. If not set, this default's to Mullvad's DNS.

-e LAN_NETWORKS

If you run web services through a Wireguard container (via network_mode: service) you will likely lose access to their web UIs due to the container's default routing rules. Use this variable to inform the container to apply a rule which allows inbound traffic from one or more LAN networks.

E.g. -e LAN_NETWORKS=192.168.0.0/24,10.20.0.0/16.

Only use this if you require access to a service's web UI.

-e ALLOW_ATTACHED_NETWORKS (default: false)

If you have a service running within the same stack as Wireguard but not routed through it, you can't be default contact another service routed through the Wireguard container. When this parameter is set to true, the script will apply a rule which allows inbound traffic from services on any networks which have been attached to the Wireguard container.

Example compose.yml

A basic example showing a wireguard container in client mode using this mod, with Sonarr routed through it and Seerr which is on the same shared stack network but not routed through wireguard. The outcome of this is that Sonarr will have its WAN requests routed through Wireguard, but Seerr will not. Seerr is able to communicate with Sonarr via http://wireguard_client:8989 because it is on the same default stack network and ALLOW_ATTACHED_NETWORKS=true. Users on the LAN network 192.168.0.0/24 may also access Sonarr's web UI via the docker host's IP.

services:
  
  wireguard_client:
    image: lscr.io/linuxserver/wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - DOCKER_MODS=linuxserver/mods:wireguard-mullvad
      - MULLVAD_PRIVATE_KEY=$MULLVAD_PRIVATE_KEY
      - MULLVAD_ACCOUNT=$MULLVAD_ACCOUNT
      - MULLVAD_LOCATION=gb-lon
      - LAN_NETWORKS=192.168.0.0/24
      - ALLOW_ATTACHED_NETWORKS=true
    volumes:
      - /opt/appdata/wireguard/config:/config
      - /lib/modules:/lib/modules
    ports:
      - "8989:8989"
    healthcheck:
      test: |
        bash -c 'curl -fs https://am.i.mullvad.net/connected | grep -q "You are connected to Mullvad" || exit 1'
      interval: 1m
      timeout: 10s
      retries: 3
      start_period: 10s
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.default.disable_ipv6=1
    restart: unless-stopped

  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    network_mode: service:wireguard_client
    depends_on:
      - wireguard_client
    restart: unless-stopped
    environment:
      PUID: '1000'
      PGID: '1004'
      TZ: Europe/London
    volumes:
      - /opt/appdata/sonarr:/config

  seerr:
    image: ghcr.io/seerr-team/seerr:latest
    restart: unless-stopped
    user: "1000"
    depends_on:
      - wireguard_client
    environment:
      - TZ=Europe/London
    volumes:
      - /opt/appdata/seerr:/app/config
Description
No description provided
Readme 6.6 MiB
Languages
Text 100%