Client unable to connect to Wireguard VPN

Here is a picture of what I have:


When I first set up, I only had one network interface (VLAN10).
Network setup is like this:
HomeAssistant, ESPHome, Mosquitto = on host
Cloudflare = main-stack_dockerlocal
All working well

Then I added a second network interface and created a macvlan bind to the second NIC (VLAN20)
Installed Pihole and Unifi Controller both with static IP = both working well.

Now for my last install: Wireguard + Wireguard UI. All looks good from the log (as far as I can tell), but when trying to connect I have no access to the network nor the Internet from the client (my Android phone).

When I connect, I see one packet being forwarded from port 51821 to port 51820, and looking at the “Connected Peers” on the Wireguard UI I can see the client connected but Received=0b / Transmit=0b.

I’ve been going at this for a while but running out of ideas.

This is my stack:

version: "3"
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      - "5000:5000"
      - "51820:51820/udp"
    networks:
      home:
        ipv4_address: 172.16.2.3

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      #- SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=[***]
      - WGUI_PASSWORD=[*****]
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config/wg_confs:/etc/wireguard

networks:
  home:
    external:
      name: home

Looking at the Wireguard log I see this:

───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    911
User GID:    911
───────────────────────────────────────
Uname info: Linux 84a6b2fbcf1d 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.252.1.0/24 dev wg0
[#] ip link set mtu 1450 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
**** All tunnels are now active ****
[ls.io-init] done.

If I SSH to Debian and run ip a for the network interface that is linked to the macvlan, I get this:

3: enxa0cec8d902df: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether a0:ce:c8:**:**:df brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.35/24 brd 172.16.2.255 scope global dynamic enxa0cec8d902df
       valid_lft 54505sec preferred_lft 54505sec
    inet6 fe80::a2ce:c8ff:fed9:2df/64 scope link
       valid_lft forever preferred_lft forever

Anything I can do to look deeper?

For anyone in the same situation or just curious, I resolved my issue and this is my solution:

First, I ditched Wireguard UI because it looks like it is not compatible with the latest version of Wireguard. I found some discrepancies between what I saw in the UI client configuration and the actual .conf file created. For example, in the UI I had allowedIPs set to 0.0.0.0/24, but in the .conf file it showed only the VPN IP assigned to the client (sorry, I don’t have it as I ditched everything). So all that, and also the fact that I don’t have enough knowledge to dig deeper into this.

So I removed the container, I removed the stack and I created a new stack with just the Wireguard server and this is my stack:

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Toronto
      - SERVERURL=[my domain.com]
      - SERVERPORT=51821
      - PEERS=myPC,myPhone
      - PEERDNS=1.1.1.1, 1.0.0.1
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=all
      - LOG_CONFS=false
    volumes:
      - /home/[user]/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      home:
        ipv4_address: 172.16.2.3

networks:
  home:
    external:
      name: home

Because people coming here to copy my code may not be gurus in this topic, I just need to explain some things about my code.
First, I have SERVERPORT=51821 because I am currently migrating from PiVPN on a VM to Docker, so port 51820 is already forwarded to the existing PiVPN still in operation. On a new setup I would use 51820.

Second, I forced the IP to 172.16.2.3 because my firewall is forwarding external 51821 to 51820 on this IP. Without setting the IP it still works, but when Docker restarts it would pick a different IP and stop working.

Third, I set PERSISTENTKEEPALIVE_PEERS=all because in SERVERURL=[my domain.com], mydomain.com is from a dynamic DNS and the IP may change during a connection; this prevents it from disconnecting if the IP changes.

As for getting the clients set up, I just copy all the files from “/home/[user]/wireguard” to my computer with SCP, so I am able to display QR codes or import .conf files.

Hope this helps someone.
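A small diagnostic to go with the symptom described in the question (peer listed under “Connected Peers” but Received=0b / Transmit=0b) and the final linuxserver/wireguard stack: it parses the output of `wg show wg0 dump` and tells, per peer, whether a handshake ever completed, which separates a port-forward/macvlan-IP/key problem from a routing problem. This is an added example, not the poster's or linuxserver's code; the container name `wireguard` comes from the stack above, and the sample dump and its keys are constructed placeholders.

```python
"""Classify WireGuard peers from `wg show <iface> dump` output.

Added example for this thread, not the poster's or linuxserver's code.
The latest-handshake column (0 = never) is what distinguishes "UDP never
reached the listen port / keys don't match" from "tunnel is up but nothing
is routed". Sample output below is constructed, with placeholder keys.
"""
import subprocess
import time

# Constructed `wg show wg0 dump` output (tab-separated). Line 1 = interface:
# private-key, public-key, listen-port, fwmark. Each further line = peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (unix seconds, 0 = never), rx-bytes, tx-bytes, persistent-keepalive.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "PRIV_PLACEHOLDER\tSRV_PUB_PLACEHOLDER\t51820\toff",
    "PEER_PHONE_PLACEHOLDER\t(none)\t(none)\t10.13.13.2/32\t0\t0\t0\t25",
    f"PEER_PC_PLACEHOLDER\t(none)\t203.0.113.20:51000\t10.13.13.3/32\t{NOW - 40}\t18320\t94211\t25",
    f"PEER_OLD_PLACEHOLDER\t(none)\t203.0.113.30:4100\t10.13.13.4/32\t{NOW - 900}\t512\t640\toff",
])
STALE_AFTER = 180  # seconds; WireGuard rekeys about every 2 min, older means the peer is gone

def parse_dump(text):
    """Return (listen_port, [peer dicts]) from wg dump text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = lines[0].split("\t")
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({"pubkey": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6]),
                      "keepalive": f[7]})
    return int(iface[2]), peers

def classify(peer, now):
    """One-word diagnosis for a peer, mirroring the UI symptom in the thread."""
    if peer["handshake"] == 0:
        return "never-handshaked"  # listed because its config loaded, but no packet got through
    if now - peer["handshake"] > STALE_AFTER:
        return "stale"             # was up once; with keepalive off the server cannot re-initiate
    return "healthy"

def diagnose(text, now=None):
    """Map each peer public key to its diagnosis."""
    now = int(time.time()) if now is None else now
    _port, peers = parse_dump(text)
    return {p["pubkey"]: classify(p, now) for p in peers}

if __name__ == "__main__":
    # Live use: read the dump from the running container; fall back to the sample.
    try:
        dump, now = subprocess.check_output(
            ["docker", "exec", "wireguard", "wg", "show", "wg0", "dump"], text=True), None
    except (OSError, subprocess.CalledProcessError):
        dump, now = SAMPLE_DUMP, NOW
    for key, verdict in diagnose(dump, now).items():
        print(f"{verdict:17} {key}")
```

Run it on the Docker host; a peer reported as never-handshaked while the firewall NAT rule and the container's fixed macvlan IP are in place means the forwarded UDP is not arriving at the listen port shown on the first dump line, or the peer's keys in the .conf do not match the server's.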

With wg-easy you get WireGuard and a web GUI (link).

@bluepuma77
Thanks for this, I tried it but it didn’t work for me. After going through a few weeks of all sorts of issues, I am out of energy and I have everything working now. I may investigate at a later time.