Add WireGuard tunnel for YouTube downloads through residential IP

YouTube blocks datacenter IPs. This adds a WireGuard client sidecar to route worker traffic through a home residential IP tunnel. - wireguard/ has the WG server config (runs on WSL2 at home) - Worker uses network_mode: service:wireguard for tunnel routing - wg-client/ and cookies.txt added to .gitignore (contain secrets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 19:58:39 +00:00 · 2026-02-09 19:58:39 +00:00 · 19468aeac8
parent 0e4eec4f12
commit 19468aeac8
3 changed files with 48 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,6 @@ dist/
 data/
 *.egg-info/
 .DS_Store
+cookies.txt
+wg-client/
+wireguard/config/
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -51,12 +51,31 @@ services:
      - default
      - traefik-public

+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: clipforge-wg
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+    volumes:
+      - ./wg-client:/config
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    restart: unless-stopped
+
  worker:
    build:
      context: ./backend
      dockerfile: Dockerfile
    restart: unless-stopped
    command: ["arq", "app.worker.WorkerSettings"]
+    network_mode: "service:wireguard"
    env_file: .env
    environment:
      - DATABASE_URL=${DATABASE_URL:-postgresql+asyncpg://clipforge:changeme_clipforge_2025@postgres:5432/clipforge}
@ -66,12 +85,12 @@ services:
      - media_data:/data
      - ./cookies.txt:/app/cookies.txt
    depends_on:
+      wireguard:
+        condition: service_started
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
-    extra_hosts:
-      - "host.docker.internal:host-gateway"

  frontend:
    build:
--- a/wireguard/docker-compose.yml
+++ b/wireguard/docker-compose.yml
@ -0,0 +1,24 @@
+services:
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: wg-server
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=America/Toronto
+      - SERVERURL=auto
+      - SERVERPORT=51820
+      - PEERS=netcup
+      - PEERDNS=1.1.1.1
+      - ALLOWEDIPS=0.0.0.0/0
+    volumes:
+      - ./config:/config
+    ports:
+      - 51820:51820/udp
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.ip_forward=1
+    restart: unless-stopped