fix: revert from host to bridge network mode to bypass external firewalls automatically

README.md

@@ -45,7 +45,12 @@ docker run -d \
   --name npm-wg \
   --cap-add=NET_ADMIN \
   --cap-add=SYS_MODULE \
-  --network host \
+  --sysctl net.ipv4.ip_forward=1 \
+  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
+  -p 80:80 \
+  -p 81:81 \
+  -p 443:443 \
+  -p 51820-51830:51820-51830/udp \
   -v npm-wg-data:/data \
   -v npm-wg-letsencrypt:/etc/letsencrypt \
   -v npm-wg-wireguard:/etc/wireguard \
@@ -65,7 +70,14 @@ services:
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
-    network_mode: "host"
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    ports:
+      - "80:80"       # HTTP
+      - "81:81"       # Admin UI
+      - "443:443"     # HTTPS
+      - "51820-51830:51820-51830/udp"  # WireGuard Multi-Server Range
     volumes:
       - data:/data
       - letsencrypt:/etc/letsencrypt

install.sh

@@ -128,22 +128,6 @@ install_deps() {
     log_ok "All system dependencies are ready."
 }
 
-# -----------------------------------------------------------
-#  x. Apply sysctls to Host (For WireGuard in Host Network Mode)
-# -----------------------------------------------------------
-apply_sysctls_to_host() {
-    log_step "Applying required sysctl network parameters to host..."
-    sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
-    sysctl -w net.ipv4.conf.all.src_valid_mark=1 >/dev/null 2>&1
-
-    # Persist sysctls if they don't already exist
-    if [ -f /etc/sysctl.conf ]; then
-        grep -q 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
-        grep -q 'net.ipv4.conf.all.src_valid_mark=1' /etc/sysctl.conf || echo 'net.ipv4.conf.all.src_valid_mark=1' >> /etc/sysctl.conf
-    fi
-    log_ok "Host network parameters configured."
-}
-
 # -----------------------------------------------------------
 #  x. Generate docker-compose.yml
 # -----------------------------------------------------------
@@ -164,7 +148,14 @@ services:
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
-    network_mode: "host"
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    ports:
+      - "80:80"       # HTTP
+      - "81:81"       # Admin UI
+      - "443:443"     # HTTPS
+      - "51820-51830:51820-51830/udp"  # WireGuard Multi-Server Range
     volumes:
       - ./data:/data
       - ./letsencrypt:/etc/letsencrypt
@@ -221,9 +212,6 @@ do_install() {
     mkdir -p "$INSTALL_DIR"
     log_ok "Directory created."
 
-    # --- Apply Sysctls ---
-    apply_sysctls_to_host
-
     # --- Write docker-compose.yml ---
     generate_docker_compose "$wg_host"
 
@@ -392,7 +380,6 @@ do_update() {
         log_warn "Could not extract WG_HOST. Using ${current_wg_host}."
     fi
 
-    apply_sysctls_to_host
     generate_docker_compose "$current_wg_host"
 
     log_step "Pulling latest image..."