Swarm init ignores --data-path-addr argument

I tried adding a swarm manager by listening to just my wireguard interface (as the traffic would otherwise touch untrusted networks):

docker swarm init --advertise-addr wg0 --listen-addr wg0 --data-path-addr wg0

This works for ports 2377 and 7946, but not for the data path port 4789:

# netstat -lnptu | grep -E "(2377|7946|4789)"
tcp        0      0 10.10.10.3:2377         0.0.0.0:*               LISTEN      267541/dockerd      
tcp        0      0 10.10.10.3:7946         0.0.0.0:*               LISTEN      267541/dockerd      
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           -                   
udp        0      0 10.10.10.3:7946         0.0.0.0:*                           267541/dockerd

Tried this with Docker version 20.10.24+dfsg1, build 297e128 (Debian bookworm) and version 24.0.5, build 24.0.5-0ubuntu1~22.04.1 (Ubuntu 22.04.3 LTS).

Am I doing something wrong, or is this perhaps a known bug?


Interesting setup, just trying myself to get ansible to install WireGuard and Docker Swarm on a cluster, might have an answer tomorrow :slight_smile:

I just created a Docker Swarm with ansible:

  tasks:
    - name: Init a new Docker Swarm
      community.docker.docker_swarm:
        state: present
        advertise_addr: wg0
        listen_addr: wg0
        data_path_addr: wg0

It shows the same, it seems data-path-addr is ignored:

# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.1.3.1:7946           0.0.0.0:*               LISTEN      21029/dockerd
tcp        0      0 10.1.3.1:2377           0.0.0.0:*               LISTEN      21029/dockerd
udp        0      0 10.1.3.1:7946           0.0.0.0:*                           21029/dockerd
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           -

It seems strange that only 2 show listen and one is missing PID/name.

Just tried again with your command line: same result again.

You want to create an issue on GitHub (link)? But be aware this might take days or weeks to get a response - and it might never get fixed.

This is really annoying as I just invested a week to try to get everything up and running with ansible, specifically to use WireGuard mesh with individual pre-shared keys and Docker Swarm on top :scream:

Thanks for trying and confirming my issue. Yes, I noticed the missing PID too and am wondering why it is missing.

But I decided to go forward and play with swarm anyway. At least my other interfaces can’t be reached from the internet, so I guess the risk from an open port is negligible.

Created an issue for it. Let's see what happens.
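
A check for the condition reported in this thread, as an added example that is not part of any post: it reads `netstat -lnptu` output and lists the Swarm ports (2377, 7946, 4789) that are bound to a wildcard address instead of a specific interface. The function names are hypothetical and the sample input is constructed from the output in the first post.

```shell
#!/bin/sh
# Added example: list Swarm ports that listen on a wildcard address.
# Input: `netstat -lnptu` output on stdin. Output: one "proto/port" per hit.

swarm_wildcard_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            laddr = $4                           # e.g. 10.10.10.3:2377 or :::4789
            if (!match(laddr, /:[0-9]+$/)) next  # split at the last colon
            addr = substr(laddr, 1, RSTART - 1)
            port = substr(laddr, RSTART + 1)
            # 2377 = cluster management, 7946 = node gossip, 4789 = data path
            if (port != "2377" && port != "7946" && port != "4789") next
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                print $1 "/" port
        }
    '
}

# Constructed sample, modelled on the netstat output in the first post.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 10.10.10.3:2377         0.0.0.0:*               LISTEN      267541/dockerd
tcp        0      0 10.10.10.3:7946         0.0.0.0:*               LISTEN      267541/dockerd
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           -
udp        0      0 10.10.10.3:7946         0.0.0.0:*                           267541/dockerd
EOF
}

# Live use (root is needed for the PID column):
#   netstat -lnptu | swarm_wildcard_listeners
sample_netstat | swarm_wildcard_listeners
```

An empty result means every Swarm port found in the input is bound to a specific address.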