wireguard试玩

结论: 不稳定,放弃吧

  • docker-compose.yml(服务端)
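    # docker-compose.yml for the linuxserver/wireguard server container.
    # On first start the container generates the server key pair and PEERS
    # client configs under ./config; that directory holds private keys, so keep
    # it out of version control and readable by the owner only.
    version: "2.1"
    services:
      wireguard:  # must be nested under services:, not a sibling top-level key
        image: linuxserver/wireguard:latest
        container_name: wireguard
        cap_add:
          - NET_ADMIN
        environment:
          - PUID=1002
          - PGID=1002
          - TZ=Etc/UTC
          # Public address written as Endpoint into the generated client configs.
          - SERVERURL=公网ip公网ip公网ip公网ip公网ip  # optional
          - SERVERPORT=51820  # optional
          - PEERS=1  # optional; number of client configs to generate
          - PEERDNS=auto  # optional
          - INTERNAL_SUBNET=10.13.13.0  # optional
          # 0.0.0.0/0 makes every generated client a full-tunnel client
          # (all of its traffic leaves through this server).
          - ALLOWEDIPS=0.0.0.0/0  # optional
          - PERSISTENTKEEPALIVE_PEERS=  # optional
          # true prints the generated peer configs (as QR codes) to the container
          # log, i.e. the peer private keys become visible to anyone who can run
          # `docker logs`; set it to false once the client configs are collected.
          - LOG_CONFS=true  # optional
        volumes:
          - ./config:/config
        ports:
          - "51820:51820/udp"
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped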
    
  • 直接部署(服务端)
    # Same server as the compose file, started directly with docker run.
    # SYS_MODULE plus the /lib/modules mount let the container load the
    # wireguard kernel module on hosts whose kernel lacks it (per the note
    # below, nothing is installed when the host already ships it).
    # The config directory holds the server and peer private keys; with
    # LOG_CONFS=true the generated peer configs (as QR codes) are also printed
    # to the container log.
    docker run --detach \
      --name wireguard \
      --cap-add NET_ADMIN \
      --cap-add SYS_MODULE \
      --env PUID=1000 \
      --env PGID=1000 \
      --env TZ=Asia/Shanghai \
      --env SERVERPORT=51820 `#optional` \
      --env SERVERURL=服务端的域名或IP `#optional` \
      --env INTERNAL_SUBNET=10.13.13.0 `#optional` \
      --env PEERS=1 `#optional` \
      --env PEERDNS=auto `#optional` \
      --env ALLOWEDIPS=0.0.0.0/0 `#optional` \
      --env LOG_CONFS=true `#optional` \
      --publish 51820:51820/udp \
      --volume /root/docker/container/wireguard/config:/config \
      --volume /lib/modules:/lib/modules \
      --sysctl net.ipv4.conf.all.src_valid_mark=1 \
      --restart always \
      linuxserver/wireguard
    
    #说明:
    #optional //参数可选
    -e SERVERPORT=51820 // 服务器端口
    -e INTERNAL_SUBNET=10.13.13.0 //隧道内部使用的网段(不是子网掩码)
    -v /lib/modules:/lib/modules  //挂载宿主机的内核模块目录;系统已自带 wireguard 模块时不会再安装
    -e ALLOWEDIPS=0.0.0.0/0  //允许的IPs
    -v /root/docker/container/wireguard/config:/config //配置地址
    
  • 服务端wg0.conf
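    # Server-side wg0.conf (the container keeps it under /config).
    [Interface]
    Address = 10.13.13.1
    ListenPort = 51820
    # Never paste the real key into a shared note: the key that used to stand
    # here is public now and has to be regenerated (wg genkey); every client
    # must then be given the new server PublicKey.
    PrivateKey = <SERVER_PRIVATE_KEY>
    # Forward tunnel traffic and NAT it out of eth0 (the container's uplink;
    # adjust if the interface is named differently).
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    # peer1 — Address 10.13.13.2/32 in client1.conf.
    # On the server, AllowedIPs is the cryptokey routing table and must be
    # exactly this peer's tunnel address. The previous 10.13.13.0/24 let peer1
    # send packets with any source address in the subnet (including peer2's)
    # and sent traffic for every other 10.13.13.x address to it.
    PublicKey = GgAPFS1k+MLOID/wpI2E5bFyEzLenFSctWFxdmUytls=
    AllowedIPs = 10.13.13.2/32

    [Peer]
    # peer2 — Address 10.13.13.3/32 in client2.conf
    PublicKey = blSarEYGsOzOtiojmrBGZAXLDvDh3vnho3s97/KKuUI=
    AllowedIPs = 10.13.13.3/32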
    
  • 客户端client1.conf
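    # client1.conf — full-tunnel client: AllowedIPs = 0.0.0.0/0 sends all of
    # this client's traffic through the server.
    [Interface]
    # Tunnel address of this client (matches peer1 on the server)
    Address = 10.13.13.2/32
    DNS = 10.13.13.1
    # ListenPort is optional on a client; an ephemeral port is used when omitted.
    ListenPort = 51820
    # Never paste the real key into a shared note: the key that used to stand
    # here is public now and has to be regenerated (wg genkey), and the new
    # PublicKey registered on the server.
    PrivateKey = <CLIENT1_PRIVATE_KEY>

    [Peer]
    AllowedIPs = 0.0.0.0/0
    Endpoint = 公网ip公网ip公网ip公网ip公网ip:51820
    # Server public key. NOTE(review): client2.conf lists a different server
    # key; only one of them can match the server's PrivateKey — confirm which.
    PublicKey = Grw+tSlhXtJ4jqBdmG++bcarsY/3ewREET/tcsIteEk=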
    
  • 客户端client2.conf
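    # client2.conf — split-tunnel client: only 10.13.13.0/24 is routed through
    # the tunnel.
    [Interface]
    # Tunnel address of this client (matches peer2 on the server)
    Address = 10.13.13.3/32
    # Client private key. Never paste the real key into a shared note: the key
    # that used to stand here is public now and has to be regenerated
    # (wg genkey), with the new PublicKey registered on the server.
    PrivateKey = <CLIENT2_PRIVATE_KEY>
    # Listen port (optional on a client)
    ListenPort = 51820
    # DNS servers, comma-separated. The earlier "10.13.13.1.8.8.8.8" was two
    # addresses run together and is not a valid value.
    DNS = 10.13.13.1, 8.8.8.8
    #PostUp   = iptables -A FORWARD -i %i -j ACCEPT
    #PostUp   = iptables -A FORWARD -o %i -j ACCEPT
    #PostUp   = iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
    #PostDown = iptables -D FORWARD -i %i -j ACCEPT
    #PostDown = iptables -D FORWARD -o %i -j ACCEPT
    #PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE

    [Peer]
    # Server public key. NOTE(review): client1.conf lists a different server
    # key; only one of them can match the server's PrivateKey — confirm which.
    PublicKey = xkO4PWF9szs40UDy44+r5CSTiLyY5Oxc6eGth5V8HjI=
    # Endpoint (server domain name or IP)
    Endpoint = 公网ip公网ip公网ip公网ip公网ip:51820
    # Only the VPN subnet is sent through the tunnel
    AllowedIPs = 10.13.13.0/24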
    
  • 客户端安装

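# Client-side install (Debian/Ubuntu): generate a key pair, write wg0.conf,
# bring the tunnel up. Run as root.
apt install wireguard
cd /etc/wireguard || exit 1
# Key files and the config contain private key material and must not be
# world-readable: create them owner-only from the start.
umask 077
wg genkey | tee privateKey | wg pubkey > publicKey

# Before bringing the interface up, replace 客户端的私钥 with the contents of
# ./privateKey, 填入服务端的公钥 with the server's PublicKey and 服务端域名或IP
# with the server address. AllowedIPs = 0.0.0.0/0 routes all of this client's
# traffic through the tunnel. The delimiter is quoted so nothing inside the
# heredoc is expanded by the shell.
cat << 'EOF' > /etc/wireguard/wg0.conf
[Interface]
# 客户端分配的IP
Address = 10.13.13.3/32
# 客户端的私钥
PrivateKey = 客户端的私钥
# 监听端口
ListenPort = 51820
# 配置DNS
DNS = 10.13.13.1

[Peer]
# 服务端的公钥
PublicKey = 填入服务端的公钥
# 对端(即为服务端域名或IP)
Endpoint = 服务端域名或IP:51820
# 允许的IP地址
AllowedIPs = 0.0.0.0/0
EOF
chmod 600 /etc/wireguard/wg0.conf

# Start wg0 (reads /etc/wireguard/wg0.conf). The lines below used to be
# prefixed with "//", which is not a shell comment and fails when the block
# is run as a script.
wg-quick up wg0

# Other commands:
# stop
wg-quick down wg0
# show status
wg
# enable at boot
systemctl enable wg-quick@wg0
# disable at boot
systemctl disable wg-quick@wg0

# Firewall (ufw). The 51820/udp rule belongs on the side that accepts
# connections, i.e. the server; allowing ssh first keeps ufw from locking
# you out when it is enabled.
ufw allow ssh
ufw allow 51820/udp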