Reverse WireGuard architecture: server on Netcup, client at home

Flipped WG topology to avoid WSL2 UDP port forwarding issues: - Netcup is now WG server (has public IP, listens on UDP 51820) - Home WSL2 is WG client (connects outbound, no port forwarding needed) - Home client NAT masquerades worker traffic through residential IP - AllowedIPs=0.0.0.0/0 routes all worker internet through tunnel Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 20:06:04 +00:00 · 2026-02-09 20:06:04 +00:00 · 091ad039af
parent 19468aeac8
commit 091ad039af
2 changed files with 4 additions and 8 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -63,8 +63,11 @@ services:
      - TZ=Europe/Berlin
    volumes:
      - ./wg-client:/config
+    ports:
+      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
    extra_hosts:
      - "host.docker.internal:host-gateway"
    restart: unless-stopped
--- a/wireguard/docker-compose.yml
+++ b/wireguard/docker-compose.yml
@ -1,7 +1,7 @@
 services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
-    container_name: wg-server
+    container_name: wg-home-client
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
@ -9,15 +9,8 @@ services:
      - PUID=1000
      - PGID=1000
      - TZ=America/Toronto
-      - SERVERURL=auto
-      - SERVERPORT=51820
-      - PEERS=netcup
-      - PEERDNS=1.1.1.1
-      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - ./config:/config
-    ports:
-      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1