*Added: 26.4.2026*

> [!warning] This post is still being worked on
> Last update: 6.5.2026
>
> > [!abstract]- Things to add
> > - Improve the structure of the post
> > - Add and improve Mermaid diagrams

# Server setup

One of my hobbies is servers: managing them and hosting various things on them. I originally wanted to host game servers for me and my friends to play on. Relying on one server was more convenient than relying on one specific person being online, and hosting your own is far more interesting than renting one. This also became a hobby for a friend of mine, and since then we have been trying to one-up each other with our setups.

In this post I want to go over my current server setup and show my vision of what I would want. I will also touch on Arx, a project of mine I recently started working on.

## The Setup

The current setup involves 3 servers:

- Donut - Hetzner AX-41 dedicated server - this is the main machine
- Marshmallow - Oracle VM.Standard.A1.Flex (Free Tier) VPS - an ARM playground server
- Mochi - Oracle VM.Standard.A1.Flex (Free Tier) VPS - the proxy server

The 2 Oracle servers run the same configuration: 2 OCPU, 12 GB RAM and 50 GB storage. This leaves room to spawn 2 more, even smaller, servers later if I want.

I got these servers because I wanted to use my domain to connect to my game servers without leaking Donut's public IP. Originally I tried playit.gg, but even the paid version was not enough for my purposes.

Practically everything except SSH and other very basic things runs in Docker, and for the tunneling I use WireGuard. I create a Docker network on each server and use PostUp/PostDown rules to hook everything together with iptables... with some caveats.
Below is a simplified graph of the setup:

```mermaid
flowchart TB
    User(["👤 Player"])
    subgraph Mochi["🍡Mochi"]
        direction TB
        subgraph Docker-Mochi["Docker Network"]
            WG_A["WireGuard Container 10.10.10.1"]
        end
    end
    subgraph Donut["🍩Donut"]
        direction TB
        subgraph Docker-Donut["Docker Network"]
            WG_B["WireGuard Container 10.10.10.2 172.16.0.2"]
            GameServer["Game Server 172.16.0.101"]
        end
    end
    User -- "Request" --> WG_A
    WG_A -- "WireGuard Tunnel" --> WG_B
    WG_B --> GameServer
```

This lets me point my domain at Mochi's public IP and use that domain to connect to game servers on Donut without leaking Donut's IP. To do this I have to use iptables rules in the WireGuard config via PostUp/PostDown. Many sources and AI agents suggested just using `network_mode:host` or `network_mode:wireguard_container`, but that defeats the whole purpose of what I want to do. WireGuard acts as duct tape between the servers, stitching together its own network, and I want the WireGuard containers themselves to stay independent.

To achieve this you need a wg.conf set up like this (this one is specifically for Abiotic Factor):

> [!info] Donut (Hosting Server) wg.conf
> ```
> PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 7777 -j DNAT --to-destination 172.16.0.101:7777
> PostUp = iptables -t nat -A POSTROUTING -p udp -d 172.16.0.101 --dport 7777 -j SNAT --to-source 172.16.0.2
> PostUp = iptables -t nat -A POSTROUTING -s 172.16.0.101/32 -o %i -j MASQUERADE
> ```
> 172.16.0.101 is the IP of the Abiotic Factor server in Donut's Docker network.
> 172.16.0.2 is the IP of the WireGuard container in Donut's Docker network.
> The SNAT to that address is what routes the reply traffic back to the WireGuard container.

> [!info] Mochi (Proxy Server) wg.conf
> ```
> PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 7777 -j DNAT --to-destination 10.10.10.2:7777
> PostUp = iptables -t nat -A POSTROUTING -p udp -d 172.16.0.101 --dport 7777 -j SNAT --to-source 172.16.0.2
> PostUp = iptables -t nat -A POSTROUTING -s 172.16.0.101/32 -o %i -j MASQUERADE
> ```
> 10.10.10.2 is the IP of Donut's WireGuard container in the VPN tunnel network.
> This makes sure the request is forwarded to Donut.

> [!warning] Make sure you are using the correct protocol - udp or tcp.
> Also make sure to add PostDown rules with the same values.

I am not an expert, so there may be something I am missing or wrong with this config - and there is one *huge* issue with this whole setup, but that deserves a post of its own.

> [!info] IP Explanation
> - 10.10.10.X is the WireGuard VPN subnet
>     - Mochi is the "main" server and is 10.10.10.1
>     - Donut is the host and gets 10.10.10.2
>     - If a game server or a website is on Donut, we first forward the traffic to 10.10.10.2
>
> - 172.16.0.X is the Docker subnet on Donut
>     - The WireGuard container sits on 172.16.0.2
>     - Hosted services sit on 172.16.0.X
>     - If a game server is running on Donut, we give it a specific IP in docker compose and route the traffic to that IP

## Future vision

Coming Soon
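Added example for the Donut wg.conf and the PostDown warning in The Setup section above (not code from the original post): a small POSIX shell helper that emits the hosting-server NAT rules as matched PostUp/PostDown pairs, plus a check that flags a wg.conf whose PostDown lines no longer mirror PostUp. The function names are hypothetical; the IPs and port are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: emit the Donut-side NAT rules from
# the wg.conf above as matched PostUp/PostDown pairs, and check a wg.conf for
# PostUp/PostDown drift. Function names are hypothetical; IPs/port are the post's.

# wg_nat_rules PROTO PORT SERVICE_IP WG_CONTAINER_IP
#   Prints three PostUp (-A) lines and their mirrored PostDown (-D) lines.
wg_nat_rules() {
    proto=$1; port=$2; svc_ip=$3; wg_ip=$4
    # Refuse anything that is not udp/tcp or not a valid port (the warning above).
    case "$proto" in udp|tcp) ;; *) echo "proto must be udp or tcp" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo "port out of range" >&2; return 1; fi

    # Each rule body is written once; only the -A/-D verb differs between hooks.
    dnat="PREROUTING -i %i -p $proto --dport $port -j DNAT --to-destination $svc_ip:$port"
    snat="POSTROUTING -p $proto -d $svc_ip --dport $port -j SNAT --to-source $wg_ip"
    masq="POSTROUTING -s $svc_ip/32 -o %i -j MASQUERADE"

    for verb in A D; do
        if [ "$verb" = A ]; then hook=PostUp; else hook=PostDown; fi
        for rule in "$dnat" "$snat" "$masq"; do
            printf '%s = iptables -t nat -%s %s\n' "$hook" "$verb" "$rule"
        done
    done
}

# wg_check_postdown FILE
#   Succeeds only if every PostUp -A rule has an identical PostDown -D twin, so a
#   forgotten or edited PostDown (stale NAT rules surviving "wg-quick down") is caught.
wg_check_postdown() {
    up=$(grep '^PostUp' "$1" | sed 's/^PostUp *= *//; s/ -A / -D /' | sort)
    down=$(grep '^PostDown' "$1" | sed 's/^PostDown *= *//' | sort)
    [ -n "$up" ] && [ "$up" = "$down" ]
}

# Constructed demo: write the Abiotic Factor fragment for Donut and verify it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    wg_nat_rules udp 7777 172.16.0.101 172.16.0.2 > "$tmp"
    cat "$tmp"
    wg_check_postdown "$tmp" && echo "OK: PostDown mirrors PostUp"
    rm -f "$tmp"
fi
```

Run with `sh script.sh demo` to print the six lines for pasting into wg.conf; `wg_check_postdown` can be pointed at an existing config to audit it.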