wireguard on any server

setup.sh

#!/bin/bash

sudo modprobe wireguard
echo "wireguard" | sudo tee -a /etc/modules
sudo modprobe iptable_nat
 echo "iptable_nat" | sudo tee -a /etc/modules
sudo modprobe ip6table_nat
 echo "ip6table_nat" | sudo tee -a /etc/modules
sudo modprobe iptable_filter
echo "iptable_filter" | sudo tee -a /etc/modules
sudo modprobe ip6table_filter
 echo "ip6table_filter" | sudo tee -a /etc/modules


cat <<EOF > docker-compose.yml
volumes:
  etc_wireguard:

services:
  wg-easy:
    environment:
      - INSECURE=true

    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    networks:
      wg:
        ipv4_address: 10.42.42.42
        ipv6_address: fdcc:ad94:bacf:61a3::2a
    volumes:
      - etc_wireguard:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠️ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 10.42.42.0/24
        - subnet: fdcc:ad94:bacf:61a3::/64
EOF

docker compose up -d